pfSense not honoring OSPF routes from FRR

DigitalTony · Jan 1, 2020, 5:53 PM

Hi:
pfSense knows about OSPF routes from FRR, but it won't return WAN traffic there.
steps:
I Installed FRR
Configured LAN interface for area 0.0.0.0
pfsense has established a neighbor relationship with the router on the LAN interface
I can see OSPF routes from this OSPF neighbor in zebra routing table and also when typing netstat -rn.
pfSense can ping hosts on those advertiesed subnets
But hosts on those subnets cannot receive WAN return traffic
But when I put static routes to those subnets in pfSense, those hosts can now get WAN return traffic
(I also had to set up the neighboring router as a gateway in pfSense to get this to work)
Now those subnets show as both OSPF and kernel routes in pfSense

Should pfSense honor OSPF routes by default, or is there some additional configuration required?

Thank you!

Derelict · Jan 1, 2020, 6:52 PM

The pfSense firewall software knows about static routes because they are in the configuration. It can, therefore, automatically add them as sources in Outbound NAT.

You will have to manually add Firewall > NAT, Outbound entries for the inside subnets for OSPF routes. I recommend setting Hybrid mode there.

It might be enough to just make a network alias called RFC1918 and add the following:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

You can then use that alias as the source network for a hybrid NAT entry.

DigitalTony · Jan 1, 2020, 7:57 PM

Thank you! That was the missing piece.
I did create an alias for RFC1918 subnets, but it wouldn't allow me to use it in the NAT config.
It was no big deal to create 3 separate NAT rules for those internal networks.

Question: Now that my NATting and OSPF routing is working, do I still need to neighboring router to be configured as a gateway?

Thanks.

Derelict · Jan 1, 2020, 8:46 PM

You need the neighbor gateway entry as a target for static routes. You should not need it for OSPF routes.

Derelict · Jan 1, 2020, 8:48 PM

Not sure what's up with using an alias as a source for outbound NAT there. Works fine here. It is a little weird but you just need to start typing the alias name in the source network field and it should work.

DigitalTony · Jan 1, 2020, 8:54 PM

Great! Thank you on both accounts. I disabled the gateway, and we're still operational. :-)
And I didn't realize you could just start typing names in the network box.... From the GUI, it sure looks like it wants a network address.
But now the alias is in use.

Thanks again, and Happy New Year!