FRR OSPF + route map + ACL = no routes being redistributed



  • Hi guys, after the upgrade I cannot get FRR to suppress routes. The updater created an imported ACL and route map from my "Do not redistribute" list but if I use the generated route map and ACL then no routes get redistributed. My ACL has two deny source entries with an allow else source entry at the end. My route map is set to allow and references this ACL. If I disable this route map and ACL in OSPF global then I am back to all routes being redistributed. I'm running a single OSPF area over two OpenVPN tunnels and I don't want my WAN addresses being redistributed over the OpenVPN links. Any help would be greatly appreciated. Thanks.


  • Rebel Alliance Developer Netgate

    You'll need to be much more specific. Show the routing table, screenshots of the FRR config screens, contents of the zebra and ospfd config files, FRR status output that shows what it's doing, etc.

    Something must be different on the new version in your config compared to the old one.



  • Hi @jimp.

    My topology:
    ospf.jpg

    My route map: rm.png

    My ACL: acl.png
    Zebra.conf

    ##################### DO NOT EDIT THIS FILE! ######################
    ###################################################################
    # This file was created by an automatic configuration generator.  #
    # The contents of this file will be overwritten without warning!  #
    ###################################################################
    password ****
    log syslog
    
    # Access Lists
    access-list 10 deny 96.78.149.24 0.0.0.7
    access-list 10 deny 108.211.142.80 0.0.0.7
    access-list 10 permit any
    access-list 10 remark 
    
    # Route Maps
    route-map DNR permit 10
      set metric 200
      set metric-type type-1
    
    # Accept Filters
    ip prefix-list ACCEPTFILTER deny 10.64.70.0/30
    ip prefix-list ACCEPTFILTER deny 10.64.70.1/32
    ip prefix-list ACCEPTFILTER deny 10.64.71.0/30
    ip prefix-list ACCEPTFILTER deny 10.64.71.1/32
    ip prefix-list ACCEPTFILTER permit any
    route-map ACCEPTFILTER permit 10
     match ip address prefix-list ACCEPTFILTER
    ip protocol ospf route-map ACCEPTFILTER
    

    ospfd.conf:

    ##################### DO NOT EDIT THIS FILE! ######################
    ###################################################################
    # This file was created by an automatic configuration generator.  #
    # The contents of this file will be overwritten without warning!  #
    ###################################################################
    password ****
    log syslog
    interface ovpns1
      ip ospf network point-to-point
      ip ospf cost 5
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 ****
      ip ospf area 0.0.0.0
    interface ovpns3
      ip ospf network point-to-point
      ip ospf cost 10
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 ****
      ip ospf area 0.0.0.0
    
    router ospf
      ospf router-id 172.16.0.1
      area 0.0.0.0 shortcut default
      area 0.0.0.0 authentication message-digest
      redistribute connected route-map DNR metric 200 metric-type 1
      distribute-list 10 out connected
      ospf abr-type cisco
    


  • If I disable the route map but leave the ACL, the ACL seems to have no effect. If I leave the route map with the ACL, no routes get advertised.



  • Crap. I just noticed a typo in my Visio diagram. pfSense 1 is acting as the OpenVPN server over 2 different WAN interfaces: ospf.jpg



  • Oh and here is the web config page for FRR OSPF settings: pfSense.home.zerodaymasters.co - Services_ FRR_ OSPF_ OSPF Settings.png


  • Rebel Alliance Developer Netgate

    I don't see anything in your route map that is matching anything, only setting the metric. Or is the config above from a time you removed the ACL from the route map?

    Also I don't see the route table info/zebra status/ospf status that would show for sure what is being sent/received from the peers.



  • @jimp The route map missing the ACL is a leftover from me trying to make things work. Here is the route map with the ACL in place: pfSense.home.zerodaymasters.co - Services_ FRR_ Global Settings_ Edit_ Route Maps.png

    OSPF settings: pfSense.home.zerodaymasters.co - Services_ FRR_ OSPF_ OSPF Settings (1).png

    Zebra.conf

    ##################### DO NOT EDIT THIS FILE! ######################
    ###################################################################
    # This file was created by an automatic configuration generator.  #
    # The contents of this file will be overwritten without warning!  #
    ###################################################################
    password ****
    log syslog
    
    # Access Lists
    access-list 10 deny 96.78.149.24 0.0.0.7
    access-list 10 deny 108.211.142.80 0.0.0.7
    access-list 10 permit any
    access-list 10 remark 
    
    # Route Maps
    route-map DNR permit 10
      match ip address 10
      set metric 200
      set metric-type type-1
    
    # Accept Filters
    ip prefix-list ACCEPTFILTER deny 10.64.70.0/30
    ip prefix-list ACCEPTFILTER deny 10.64.70.1/32
    ip prefix-list ACCEPTFILTER deny 10.64.71.0/30
    ip prefix-list ACCEPTFILTER deny 10.64.71.1/32
    ip prefix-list ACCEPTFILTER permit any
    route-map ACCEPTFILTER permit 10
     match ip address prefix-list ACCEPTFILTER
    ip protocol ospf route-map ACCEPTFILTER
    

    ospfd.conf

    ##################### DO NOT EDIT THIS FILE! ######################
    ###################################################################
    # This file was created by an automatic configuration generator.  #
    # The contents of this file will be overwritten without warning!  #
    ###################################################################
    password ****
    log syslog
    interface ovpns1
      ip ospf network point-to-point
      ip ospf cost 5
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 ****
      ip ospf area 0.0.0.0
    interface ovpns3
      ip ospf network point-to-point
      ip ospf cost 10
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 ****
      ip ospf area 0.0.0.0
    
    router ospf
      ospf router-id 172.16.0.1
      area 0.0.0.0 shortcut default
      area 0.0.0.0 authentication message-digest
      redistribute connected route-map DNR metric 200 metric-type 1
      distribute-list 10 out connected
      ospf abr-type cisco
    

    Zebra routes

    Codes: K - kernel route, C - connected, S - static, R - RIP,
           O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
           T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
           F - PBR,
           > - selected route, * - FIB route
    
    K>* 0.0.0.0/0 [0/0] via 96.78.149.30, bce0, 00:09:11
    K>* 1.1.1.1/32 [0/0] via 108.211.142.86, bce1, 00:09:11
    K>* 8.8.8.8/32 [0/0] via 96.78.149.30, bce0, 00:09:11
    C>* 10.0.0.0/26 is directly connected, cxl0.10, 00:09:11
    K * 10.0.5.0/24 [0/0] via 10.0.5.2 inactive, 00:09:11
    C>* 10.0.5.0/24 is directly connected, ovpns2, 00:09:11
    K * 10.0.6.0/24 [0/0] via 10.0.6.2 inactive, 00:09:11
    C>* 10.0.6.0/24 is directly connected, ovpns6, 00:09:11
    O>* 10.0.8.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
    C>* 10.1.0.0/23 is directly connected, cxl0.54, 00:09:11
    C>* 10.1.10.0/24 is directly connected, bce0, 00:09:11
    C>* 10.2.0.0/24 is directly connected, cxl0.20, 00:09:11
    C>* 10.4.0.0/24 is directly connected, cxl0.99, 00:09:11
    C>* 10.4.1.0/30 is directly connected, cxl0.99, 00:09:11
    C>* 10.4.1.4/30 is directly connected, cxl0.99, 00:09:11
    C>* 10.6.0.0/24 is directly connected, bce2, 00:09:11
    C>* 10.6.1.0/30 is directly connected, bce2, 00:09:11
    C>* 10.6.1.4/30 is directly connected, bce2, 00:09:11
    O   10.64.70.1/32 [110/205] via 10.64.70.2, ovpns1 inactive onlink, 00:09:00
    C>* 10.64.70.2/32 is directly connected, ovpns1, 00:09:11
    O   10.64.71.1/32 [110/205] via 10.64.70.2, ovpns1 inactive onlink, 00:09:00
    C>* 10.64.71.2/32 is directly connected, ovpns3, 00:09:11
    C>* 10.64.73.0/30 is directly connected, ipsec3000, 00:09:11
    C>* 10.99.99.1/32 is directly connected, cxl0.50, 00:09:11
    K>* 64.62.134.130/32 [0/0] via 96.78.149.30, bce0, 00:09:11
    O>* 67.180.160.0/22 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
    K>* 68.185.85.2/32 [0/0] via 96.78.149.30, bce0, 00:09:11
    K>* 71.92.250.42/32 [0/0] via 96.78.149.30, bce0, 00:09:11
    K>* 72.52.104.74/32 [0/0] via 108.211.142.86, bce1, 00:09:11
    C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
    C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
    C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
    C * 96.78.149.24/29 is directly connected, bce0, 00:09:11
    C>* 96.78.149.24/29 is directly connected, bce0, 00:09:11
    C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
    C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
    C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
    C * 108.211.142.80/29 is directly connected, bce1, 00:09:11
    C>* 108.211.142.80/29 is directly connected, bce1, 00:09:11
    C>* 172.16.0.0/23 is directly connected, cxl0.50, 00:09:11
    O>* 172.17.0.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
    O>* 172.17.1.0/24 [110/205] via 10.64.70.2, ovpns1 onlink, 00:09:00
    C>* 172.30.250.0/24 is directly connected, em0, 00:09:11
    C>* 192.168.1.0/24 is directly connected, bce1, 00:09:11
    K>* 192.168.10.0/24 [0/0] via 10.64.73.2, ipsec3000, 00:09:11
    

    OSPF routes:

    ============ OSPF network routing table ============
    
    ============ OSPF router routing table =============
    R    172.17.0.1            [5] area: 0.0.0.0, ASBR
                               via 10.64.70.2, ovpns1
    
    ============ OSPF external routing table ===========
    N E1 10.0.8.0/24           [205] tag: 0
                               via 10.64.70.2, ovpns1
    N E1 10.64.70.1/32         [205] tag: 0
                               via 10.64.70.2, ovpns1
    N E1 10.64.71.1/32         [205] tag: 0
                               via 10.64.70.2, ovpns1
    N E1 67.180.160.0/22       [205] tag: 0
                               via 10.64.70.2, ovpns1
    N E1 172.17.0.0/24         [205] tag: 0
                               via 10.64.70.2, ovpns1
    N E1 172.17.1.0/24         [205] tag: 0
                               via 10.64.70.2, ovpns1
    
    


  • Hi, I am facing the same issue.

    ip prefix-list ADMIN_VPN_PL seq 10 permit 192.168.27.0/24 
    ip prefix-list ADMIN_VPN_PL description 
    
    # Route Maps
    route-map REDIS_CONNECTED_RM permit 10
      match ip address prefix-list ADMIN_VPN_PL
    
    # Accept Filters
    ip prefix-list ACCEPTFILTER permit any
    route-map ACCEPTFILTER permit 10
     match ip address prefix-list ACCEPTFILTER
    ip protocol ospf route-map ACCEPTFILTER
    

    FRR ospfd.conf

    interface em1
      ip ospf network broadcast
      ip ospf area 0.0.0.0
    interface ovpns1
      ip ospf network broadcast
      ip ospf area 0.0.0.0
    
    router ospf
      ospf router-id 192.168.20.4
      redistribute connected route-map REDIS_CONNECTED_RM metric 200 metric-type 1
      ospf abr-type cisco
      passive-interface ovpns1
    
    pfSense.localdomain# show route-map 
    ZEBRA:
    route-map ACCEPTFILTER, permit, sequence 10
      Match clauses:
        ip address prefix-list ACCEPTFILTER
      Set clauses:
      Call clause:
      Action:
        Exit routemap
    ZEBRA:
    route-map REDIS_CONNECTED_RM, permit, sequence 10
      Match clauses:
        ip address prefix-list ADMIN_VPN_PL
      Set clauses:
      Call clause:
      Action:
        Exit routemap
    pfSense.localdomai
    
    pfSense.localdomain# show ip route 
    Codes: K - kernel route, C - connected, S - static, R - RIP,
           O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
           T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
           F - PBR,
           > - selected route, * - FIB route
    
    ....
    O>* 192.168.23.0/24 [110/101] via 192.168.20.3, em1, 00:01:49
    O>* 192.168.24.0/24 [110/101] via 192.168.20.3, em1, 00:01:49
    O>* 192.168.25.0/24 [110/1602] via 192.168.20.2, em1, 00:01:49
    K * 192.168.27.0/24 [0/0] via 192.168.27.2 inactive, 00:01:49
    C>* 192.168.27.0/24 is directly connected, ovpns1, 00:01:49
    O>* 192.168.27.1/32 [110/10] is directly connected, ovpns1, 00:01:49
    ....
    

    My goal is to advertise the subnet that is being used for OpenVPN. I cannot find any straightforward solution. Now I try to redistribute exactly one subnet from the directly connected networks. Without the route map all routes are redistributed just fine. With the route map nothing is being redistributed.

    Any ideas? Thanks.
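    Both posters expect the same thing from their filters: the route map should let most connected prefixes through and hold back only the ones the ACL or prefix-list names (the first poster's two WAN /29s), or let through only the one prefix the prefix-list permits (the second poster's OpenVPN /24). The script below is an added example, not code from the thread, from FRR or from the pfSense package; it is a simplified Python model of how an FRR route map with `match ip address <acl>` or `match ip address prefix-list <name>` decides per prefix, and it assumes the standard Cisco-style access-list rule (prefix address with the wildcard bits cleared is compared with the configured address; unmatched prefixes are denied) and the prefix-list rule that an entry without `ge`/`le` matches only the exact prefix length. The ACL, prefix-list and route-map contents and the sample connected prefixes are taken from the configs and zebra tables posted above.

```python
"""Model of which connected prefixes an FRR route map would pass to
`redistribute connected route-map ...`.

Added example; simplified re-implementation, not FRR's own code.
Assumptions: standard access-list entries match when
(prefix_address & ~wildcard) == (entry_address & ~wildcard), lists end in
an implicit deny, and a prefix-list entry without ge/le requires an exact
prefix length. A route map denies any prefix no sequence matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    address: str                 # "any" or dotted quad
    wildcard: str = "0.0.0.0"    # Cisco wildcard: 1 bits are "don't care"


def acl_entry_matches(entry: AclEntry, prefix: IPv4Net) -> bool:
    if entry.address == "any":
        return True
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(entry.wildcard))
    want = int(ipaddress.IPv4Address(entry.address)) & keep
    return (int(prefix.network_address) & keep) == want


def acl_verdict(entries: List[AclEntry], prefix: IPv4Net) -> str:
    for e in entries:
        if acl_entry_matches(e, prefix):
            return e.action
    return "deny"                # implicit deny at the end of every access-list


@dataclass
class PrefixEntry:
    action: str
    prefix: str                  # "any" or "a.b.c.d/len"
    ge: Optional[int] = None
    le: Optional[int] = None


def prefix_entry_matches(entry: PrefixEntry, prefix: IPv4Net) -> bool:
    if entry.prefix == "any":
        return True
    base = IPv4Net(entry.prefix)
    if not prefix.subnet_of(base):
        return False
    lo = entry.ge if entry.ge is not None else base.prefixlen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = 32
    else:
        hi = base.prefixlen      # no ge/le: the exact length only
    return lo <= prefix.prefixlen <= hi


def prefix_list_verdict(entries: List[PrefixEntry], prefix: IPv4Net) -> str:
    for e in entries:
        if prefix_entry_matches(e, prefix):
            return e.action
    return "deny"


Sequence = Tuple[str, Callable[[IPv4Net], bool]]


def route_map_verdict(sequences: List[Sequence], prefix: IPv4Net) -> str:
    """First sequence whose match clause succeeds decides; none = deny."""
    for action, match_fn in sequences:
        if match_fn(prefix):
            return action
    return "deny"


# First poster: access-list 10 + route-map DNR (match ip address 10)
ACL_10 = [
    AclEntry("deny", "96.78.149.24", "0.0.0.7"),
    AclEntry("deny", "108.211.142.80", "0.0.0.7"),
    AclEntry("permit", "any"),
]
DNR: List[Sequence] = [("permit", lambda p: acl_verdict(ACL_10, p) == "permit")]

# Second poster: prefix-list ADMIN_VPN_PL + route-map REDIS_CONNECTED_RM
ADMIN_VPN_PL = [PrefixEntry("permit", "192.168.27.0/24")]
REDIS_CONNECTED_RM: List[Sequence] = [
    ("permit", lambda p: prefix_list_verdict(ADMIN_VPN_PL, p) == "permit")
]


def dnr_verdict(prefix: str) -> str:
    return route_map_verdict(DNR, IPv4Net(prefix))


def redis_connected_verdict(prefix: str) -> str:
    return route_map_verdict(REDIS_CONNECTED_RM, IPv4Net(prefix))


if __name__ == "__main__":
    # connected prefixes copied from the zebra tables in the thread
    for p in ["96.78.149.24/29", "108.211.142.80/29", "10.0.0.0/26",
              "172.16.0.0/23", "10.64.70.2/32"]:
        print(f"DNR                {p:18} -> {dnr_verdict(p)}")
    for p in ["192.168.27.0/24", "192.168.27.1/32", "192.168.20.0/24"]:
        print(f"REDIS_CONNECTED_RM {p:18} -> {redis_connected_verdict(p)}")
```

    Under these rules the first config denies only the two WAN /29s and permits every other connected prefix, and the second config permits exactly 192.168.27.0/24 while denying the /32 on the same interface (no `ge`/`le`, so only a /24 matches). Neither filter, read by its own semantics, yields the all-or-nothing result both posters observed, which is a useful sanity check before concluding that a filter is wrong rather than the software that applies it; running the real thing (`show ip ospf database external` on the neighbour, or `show route-map` as the second poster did) is still the authoritative test.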


  • Rebel Alliance Developer Netgate

    I found a bug here, and a fix will be coming along shortly.
    https://redmine.pfsense.org/issues/9640


  • Rebel Alliance Developer Netgate

    If you are on CE or Factory 2.4.4-p3, the new package is up now. CE snapshots will have it whenever the next new build happens. Factory snapshots will get the new version a little later; there are some changes we need to make to accommodate the 2019Q3 ports branch merge yet.



  • Thanks @jimp. The new package is working as expected.



  • I also confirm. Package update solves the problem. Thanks @jimp.

