Netgate Discussion Forum

    OSPF Issues

    • J
      jlauzer
      last edited by Derelict

      Hi All, I'm new to Pfsense and having a hard time getting OSPF to work. My Edgerouter currently has 3 peers and works fine. I added pfsense into the mix in a virtual machine to play with it before actually purchasing a box. I am using wireguard for the tunnel and I am able to connect into my Edgerouter just fine. When I turn on OSPF I can see through tcpdump that the pfsense machine is sending a hello command and it is receiving the hello command from the edgerouter via the tunnel. However, on the Edgerouter I am not seeing the pfsense hello. The strange thing is when I check the box "Interface is Passive" I start receiving packets from pfsense with this message: "ICMP 224.0.0.5 protocol 89 unreachable, length 72". This message actually shows up in both boxes when watching tcpdump.

      I don't think this is a firewall issue if the packet is getting through. Perhaps I have a configuration issue? Because the edgerouter hello is being received I am seeing it in pfsense as a neighbor but in the state: "Init/DROther"

      Any tips/hints on what I should look at? Or what I could post here to help with diagnostics?

      Edgerouter= 10.0.14.1
      pfsense= 10.0.14.2

      Here is the tcpdump from the Edgerouter on the tunnel:

      20:10:05.344223 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      20:10:15.344948 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      20:10:26.358763 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      
      

      Here is the tcpdump on the pfsense:

      06:15:26.434033 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      06:15:29.680191 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
      06:15:35.434739 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      06:15:39.697732 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
      
      

      Quick grab of tcpdump on the Edgerouter when Interface is Passive is turned on in pfsense:

      20:18:56.457455 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      20:19:05.458259 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      20:19:05.459432 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
      20:19:16.458821 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
      20:19:16.459662 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
      
      
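An added example, not part of the original posts: a Python sketch that compares the tcpdump captures quoted in the first post, reports which router's OSPF hellos never show up at the other capture point, and picks out the ICMP "protocol 89 unreachable" replies. The function names are hypothetical; the sample lines are copied from the captures above.

```python
import re

# Lines copied from the three tcpdump captures quoted in the first post.
EDGEROUTER_CAPTURE = """\
20:10:05.344223 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:10:15.344948 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
"""
PFSENSE_CAPTURE = """\
06:15:26.434033 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
06:15:29.680191 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
06:15:35.434739 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
"""
EDGEROUTER_PASSIVE = """\
20:19:05.458259 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:05.459432 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
"""

HELLO = re.compile(r"^\S+ IP (\S+) > 224\.0\.0\.5: OSPFv2, Hello, length \d+")
# ICMP protocol unreachable: the replying host had no receiver for IP protocol 89 (OSPF).
UNREACH = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP 224\.0\.0\.5 protocol 89 unreachable")

def summarize(capture):
    """Return ({source_ip: hello_count}, {(replying_host, hello_sender)})."""
    hellos, rejects = {}, set()
    for line in capture.splitlines():
        line = line.strip()
        if (m := HELLO.match(line)):
            hellos[m.group(1)] = hellos.get(m.group(1), 0) + 1
        elif (m := UNREACH.match(line)):
            rejects.add((m.group(1), m.group(2)))
    return hellos, rejects

def one_way_speakers(captures):
    """captures maps capture-point IP -> tcpdump text.
    Returns {speaker_ip: [capture points that never saw its hellos]}."""
    seen = {point: summarize(text)[0] for point, text in captures.items()}
    speakers = set().union(*seen.values())
    missing = {}
    for speaker in speakers:
        blind = sorted(p for p, hellos in seen.items() if speaker not in hellos)
        if blind:
            missing[speaker] = blind
    return missing

if __name__ == "__main__":
    pair = {"10.0.14.1": EDGEROUTER_CAPTURE, "10.0.14.2": PFSENSE_CAPTURE}
    for speaker, blind in one_way_speakers(pair).items():
        print(f"hellos from {speaker} not seen at {', '.join(blind)}")
    for replier, sender in summarize(EDGEROUTER_PASSIVE)[1]:
        print(f"{replier} rejected OSPF (protocol 89) from {sender}")
```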
      • P
        pete35 @jlauzer
        last edited by

        @jlauzer
        Did you check all the MTU sizes in your configurations?
        If there is an MTU mismatch, there may be such side effects.

        • J
          jlauzer @pete35
          last edited by

          @pete35 I had both sides set to 1420. I tried changing both to 1500 but same results. Is the only place to change MTU in INTERFACES>>WIREGUARD? I don't think FRR sets it at all, correct?

          • J
            jlauzer @jlauzer
            last edited by

            I created a new virtual pfsense and only configured the bare minimum needed to get the internet working, the wireguard tunnel, and then installation of FRR. After the rebuild I have the same problem. I must be missing a setting in pfsense that allows the hello packet to travel over the tunnel. All other traffic will flow just fine. Anyone have thoughts on what I might need to configure additionally?

            • J
              jlauzer @jlauzer
              last edited by jlauzer

              It appears this might be a Wireguard/pfsense bug. I came across this link; it appears the kernel is dropping multicast over the wireguard interface. If someone else is actually doing this (FRR OSPF over Wireguard), let me know. But I might be dead in the water until this bug is fixed...

              https://redmine.pfsense.org/issues/11498

              • P
                pete35 @jlauzer
                last edited by

                @jlauzer

                Could you switch over from Wireguard to OpenVPN or IPsec (VTI)?

                • P
                  pete35 @jlauzer
                  last edited by pete35

                  @jlauzer

                  https://www.netgate.com/blog/wireguard-removed-from-pfsense-ce-and-pfsense-plus-software.html

                  https://www.netgate.com/blog/painful-lessons-learned-in-security-and-community.html

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.