IPv6 - FRR OSPF6 keeps crashing
I am not sure as to whether there are known issues with FRR OSPF6.
The daemon comes up after being configured, pfSense shows up as a neighbor (in the Init status) on other routers but then disappears. Clicking on status takes a long time to return and eventually states that ospf6d is not running.
Note that clicking on "Status/All" sometimes shows the IPv6 routes from the neighbors (before crashing).
3 routers in the OSPF area + pfSense
2 routers with a priority of 1 (DR and BDR) + 1 other router with a priority of 0 + pfSense with a priority of 0.
All the routers have a /64 public IPv6 address (even though it's technically not necessary).
The Firewall is set to allow traffic from fe80::/10 and from the WAN net.
The config is below (I masked part of the ip addresses).
ipv6 ospf6 priority 0
interface em0 area 0.0.4.175
redistribute connected route-map DNR6
area 0.0.4.175 range 2a00:xxxx:xxxx:1199::/64 cost 1
area 0.0.4.175 export-list dnr6-list
ipv6 prefix-list dnr6-list permit any
route-map DNR6 permit 10
match ipv6 address prefix-list dnr6-list
Note that OSPF (IPv4) works fine with the same routers.
ospf6d doesn't technically crash... But eventually uses the whole memory of the VM (4GB in this case). Disabling OSPF6 and rebooting goes back to a normal CPU and memory utilization.
I am narrowing down the problem.
After trying different combinations, it looks like the issue is linked to the number of routers or to one of the routers pfSense/FRR was connected to.
I did shut down all but one of the interfaces of the routers in area 1199 (0.0.4.175). In other words, pfSense has now only one neighbor left in that area.
And with that setup, it works!
The remaining router (ABR connected to Area 0) is a Cisco device.
Hopefully the issue is linked to one of the routers and not to the number of routers.
I'll continue to investigate.
----Side note: disabling OSPF6 doesn't shut down the service. It has to be done manually!
What version of pfSense are you running?
I'm curious if the version of FRR on pfSense 2.4.4 snapshots would behave better here. pfSense 2.4.3-p1 has FRR 3.0.3, and 2.4.4 has FRR 5.0.1.
It looks like some work is still required to improve OSPF6.
On the other hand, I managed to get pfSense to somewhat run in an area with 4 different routers: 1 DR (Cisco), 1 BDR (VyOS) and 2 Priority 0 routers (another VyOS and pfSense).
Now, I can consistently crash pfSense when I swap the BDR with a Cisco device. Note that the 2 Cisco routers run different IOS versions.
When swapping pfSense with a third Cisco device, everything works!
When I mentioned somewhat, it's because the routing table ends up being incomplete on all but one router and on the ABR:
I still can't explain why the last device to boot (or to start OSPFv3) gets all the OE1 and OE2 routing entries from the DR (Cisco - which is also the ABR) while these entries immediately disappear from the other routers.
When I reboot one of the other routers, that router is the only one getting the entries (that includes pfSense).
Note that the ABR is set up with the default-information originate parameter and that the area is a normal area.
-OSPF6 doesn't stop when disabled
-Range directive should only be added to the configuration when the router is an ABR
-Prefix-list and route-map need to be implemented in the UI
-An IPv6 seems required on the interface enabled for OSPF6. This is normally not required as it can be done via the link-local address.
I am mostly using version 2.4.3-p1.
I recently upgraded one router to 2.4.4. The issue was still present when connecting with the 2 Cisco routers (DR and BDR). So there is definitely some incompatibility there!
I'll test the disappearing routes next...
I'll first start with:
pfSense 2.4.3 (priority 0), pfSense 2.4.4 (priority 0), DR Cisco (priority 1).
Note that the Cisco device is one of our core backbone devices (so, the number of routes/updates is similar to a real production environment).
All pfSense routers have valid IPv6 addresses (and some also have valid IPv4 ones) and are reachable remotely if needed.
Status of 2.4.4...
I still lose routes when combining 2.4.3 with 2.4.4 and Cisco.
But the good news is that it's not the case anymore with the following configurations:
1-pfSense 2.4.4 (priority 0), pfSense 2.4.4 (priority 0), DR Cisco (priority 1)
2-pfSense 2.4.4 (priority 0), BDR pfSense 2.4.4 (priority 1), DR Cisco (priority 1)
In addition, both pfSense devices have the following setting: redistribute connected route-map DNR6
1-After the upgrade to 2.4.4, connected interfaces are not redistributed anymore. As a workaround, disabling/enabling the interface sometimes works! And when not, it has to be re-created!
2-In order to have pfSense act as the BDR (the way we typically need it), it has to redistribute a default route to other routers in the area. At a minimum, the option "default-information originate" should be available on the UI with ideally the possibility to also select "always". When configured this way for both the DR and BDR, 2 default routes will end up on all the routers.