FRR6 filter connected routes to be distributed into OSPF



  • My setup is fairly simple: a pfSense firewall is doing OSPF with a bunch of Cisco Catalyst L3 switches. There is a transit network between the firewall and the switches, and only that is part of Area 0 on the pfSense. OSPF is a single-area setup for a start. Connected networks are set up to be advertised into OSPF.

    What happens now: OSPF works fine, and the firewall advertises all of its connected networks.
    My problem is that I want the firewall to announce its OpenVPN client range only. As far as I was able to find out, there is a simple way of doing this, by applying an ACL with the "distribute-list" feature. I tried many versions of this ACL, but none of them is working; despite every effort, all connected networks of the firewall are seen on the LAN L3 switch. The config is the following (copied from the webgui: Services / FRR Status / FRR Configuration / Configuration):

    FRR zebra.conf


    password xxxxx
    log syslog

    #Access Lists
    access-list testacl permit 10.1.2.0/24
    access-list testacl deny any
    access-list testacl remark ACL to match local OpenVPN client subnets

    #Accept Filters
    ip prefix-list ACCEPTFILTER permit any
    route-map ACCEPTFILTER permit 10
    match ip address prefix-list ACCEPTFILTER
    ip protocol ospf route-map ACCEPTFILTER


    FRR ospfd.conf

    password xxxxx
    log syslog
    interface em1.yyyyy
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 xxxx
    ip ospf area 0.0.0.0

    router ospf
    ospf router-id z.z.z.z
    area 0.0.0.0 authentication message-digest
    redistribute connected
    distribute-list testacl out connected
    ospf abr-type cisco


    Did I misunderstand something?


  • Rebel Alliance Developer Netgate

    distribute-list is a filter used to control which routes are distributed from the specified source. All you've done there is told it to only distribute 10.1.2.0/24 out of the list of all connected networks. If 10.1.2.0/24 is not a connected network, then it distributes nothing.

    The problem is most likely that there is no entry in the routing table for the OpenVPN client tunnel network subnet. No route in the table means nothing to distribute.

    What you need is likely either one of two things:

    1. Add a static route in the global zebra settings pointing 10.1.2.0/24 to localhost or something similar, and then set OSPF to redistribute static routes.
      -or-
    2. Set up pfSense as an ABR with your non-backbone interfaces on pfSense in another area (e.g. 0.0.0.1), and then set up a route summarization for the new area which includes 10.1.2.0/24 in a range as a summary route. OSPF will happily send a summary route even if it's not in the routing table. If all of your local networks are in a range you can use that instead, like 10.1.0.0/16.


  • Hi, and thanks for getting back!

    My issue is that there are too many connected networks advertised by FRR. The OVPN subnet is a directly connected subnet, and it's advertised (as an external route, I think, because on the FW only the transfer net is part of Area 0).

    What I would like to achieve, and have failed with so far, is to prevent routes other than the VPN client subnet from being included in the advertisements.

    regards,
    Peter



  • Meanwhile I tried your 2nd suggested workaround, and after a while I got it to work.

    What have I done?

    • turned off redistribution of connected networks (be careful, you might lose access to the device)
    • under "OSPF Areas", I created Area 1 with the ID of 0.0.0.1
    • entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix"; this matches the subnet entered to OpenVPN under "Tunnel Settings" -> IPv4 Tunnel Network
    • under "OSPF Interfaces" I set the OVPN interface to be in Area 1
    • marked it as "Interface is Passive", because VPN clients do not need to participate in OSPF
    • and I changed the network type from "Not specified (default)" to "Point - multipoint"

    With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from the LAN from the beginning (after auth and a few basic things were set up).

    If I left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1; other types seemingly did the trick. From the working ones I picked P-MP, which sounds OK for the VPN clients subnet.

    If I removed the summary from Area 1 config, and the interface type was "p-mp" or any of the working interface types from above, there was only a /32 host route announced with the OVPN server address, even though a few clients were connected. The interface types which yielded no redistribution still remained silent regardless of the value of the summary network.
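    For reference, the working GUI steps from the post above rendered as the equivalent FRR ospfd.conf, as an added example that is not from the original poster or from the pfSense FRR package; the OpenVPN server interface name `ovpns1` is an assumption, and the transit interface, router-id and key are taken from the first post.

    ```text
    ! FRR 6 ospfd.conf: only the OpenVPN client subnet leaves the firewall.
    ! Transit interface stays in the backbone, as in the original config.
    interface em1.yyyyy
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 xxxx
     ip ospf area 0.0.0.0
    !
    ! Assumed OpenVPN server interface, placed in the non-backbone area.
    ! Point-to-multipoint was the type the poster found to advertise.
    interface ovpns1
     ip ospf area 0.0.0.1
     ip ospf network point-to-multipoint
    !
    router ospf
     ospf router-id z.z.z.z
     area 0.0.0.0 authentication message-digest
     ! No "redistribute connected": the other connected networks are
     ! no longer injected as external (type-5) routes at all.
     ! Summarize Area 1 so the ABR emits a single type-3 LSA for the
     ! VPN client range into Area 0 (matches the OpenVPN tunnel network).
     area 0.0.0.1 range 10.1.1.0/24
     ! VPN clients do not speak OSPF, so no hellos on that interface.
     passive-interface ovpns1
     ospf abr-type cisco
    ```

    To verify from vtysh, `show ip ospf database summary` on the firewall should list 10.1.1.0/24 as a summary LSA, and `show ip route ospf` on the Catalyst should show only that inter-area route from the firewall.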