Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC vti adjacent /30 subnets cause routing problems with VPN traffic

    Scheduled Pinned Locked Moved
    FRR
    1
    1
    164
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • nzkiwi68N
      nzkiwi68
      last edited by

      pfSense 2.4.4-p3 & FRR 0.6.3_1

      Site A - pfSense HA cluster SG-4860
      Site B - pfSense HA cluster GX-1537

      Site A, wan1 & wan2
      Site B, wan1 & wan2

      SiteA vti interfaces
      wan1 vti 172.31.80.1 /30
      wan2 vti 172.31.80.5 /30

      SiteB vti interfaces
      wan1 vti 172.31.80.2 /30
      wan2 vti 172.31.80.6 /30

      I want to prefer SiteA wan2 to SiteB wan2, so inside FRR under;
      Services > FRR> OSPF> OSPF Interfaces
      I simply weight the wan1 vti interface with cost 100 at both SiteA and SiteB end.

      Job done, right?
      What happens is lots of traffic gets lost, a ping from siteA to siteB mostly works, but is losing lots of traffic. There's absolutely nothing wrong with SiteA wan2 nor SiteB wan2.

      In the end, all I did was this;

      Make each of the vti interfaces /30 under a different /24.

      SiteA vti interfaces
      wan1 vti 172.31.81.1 /30
      wan2 vti 172.31.82.1 /30

      SiteB vti interfaces
      wan1 vti 172.31.81.2 /30
      wan2 vti 172.31.82.2 /30

      I wonder if there's some obscure routing bug going on if you use two adjacent /30 subnets with vti interfaces?
      Perhaps somewhere in the code it accidentally assumes /24 incorrectly.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post