OSPF Issues
-
Hi All, I'm new to Pfsense and having a hard time getting OSPF to work. My Edgerouter currently has 3 peers and works fine. I added pfsense into the mix in a virtual machine to play with it before actually purchasing a box. I am using wireguard for the tunnel and I am able to connect into my Edgerouter just fine. When I turn on OSPF I can see through tcpdump that the pfsense machine is sending a hello command and it is receiving the hello command from the edgerouter via the tunnel. However, on the Edgerouter I am not seeing the pfsense hello. The strange thing is when I check the box "Interface is Passive" I start receiving packets from pfsense with this message: "ICMP 224.0.0.5 protocol 89 unreachable, length 72". This message actually shows up in both boxes when watching tcpdump.
I don't think this is a firewall issue if the packet is getting through. Perhaps I have a configuration issue? Because the edgerouter hello is being received I am seeing it in pfsense as a neighbor but in the state: "Init/DROther"
Any tips/hints on what I should look at? Or what I could post here to help with diagnostics?
Edgerouter= 10.0.14.1
pfsense= 10.0.14.2
Here is the tcpdump from the Edgerouter on the tunnel:
20:10:05.344223 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:10:15.344948 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:10:26.358763 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
Here is the tcpdump on the pfsense:
06:15:26.434033 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
06:15:29.680191 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
06:15:35.434739 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
06:15:39.697732 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
Quick grab of tcpdump on the Edgerouter when Interface is Passive is turned on in pfsense:
20:18:56.457455 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:05.458259 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:05.459432 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
20:19:16.458821 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:16.459662 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
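
Added example, not part of the original post: a small Python script that compares the three captures quoted above and reports, per vantage point, which router's OSPF hellos never show up and which ICMP protocol-unreachable replies were seen. The function names and the `CAPTURES`/`ROUTERS` layout are assumptions made for this example; the capture lines are copied from the post.

```python
import re
from collections import Counter

HELLO = re.compile(r"IP ([\d.]+) > 224\.0\.0\.5: OSPFv2, Hello")
UNREACH = re.compile(r"IP ([\d.]+) > ([\d.]+): ICMP ([\d.]+) protocol (\d+) unreachable")

# Capture lines copied from the post (tunnel interface, one capture per vantage point).
CAPTURES = {
    "edgerouter": """
20:10:05.344223 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:10:15.344948 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:10:26.358763 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44""",
    "pfsense": """
06:15:26.434033 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
06:15:29.680191 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48
06:15:35.434739 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
06:15:39.697732 IP 10.0.14.2 > 224.0.0.5: OSPFv2, Hello, length 48""",
    "edgerouter (pfsense passive)": """
20:18:56.457455 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:05.458259 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:05.459432 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72
20:19:16.458821 IP 10.0.14.1 > 224.0.0.5: OSPFv2, Hello, length 44
20:19:16.459662 IP 10.0.14.2 > 10.0.14.1: ICMP 224.0.0.5 protocol 89 unreachable, length 72""",
}
ROUTERS = {"10.0.14.1", "10.0.14.2"}  # Edgerouter and pfsense tunnel addresses

def summarize(text):
    """Count OSPF hello senders and collect ICMP protocol-unreachable replies."""
    hellos, rejects = Counter(), []
    for line in text.splitlines():
        if m := HELLO.search(line):
            hellos[m.group(1)] += 1
        elif m := UNREACH.search(line):
            # (ICMP sender, ICMP receiver, rejected destination, IP protocol; 89 = OSPF)
            rejects.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hellos, rejects

def missing_hellos(captures, routers):
    """For each vantage point, list routers whose hellos never appear there."""
    return {name: sorted(routers - set(summarize(text)[0]))
            for name, text in captures.items()}

if __name__ == "__main__":
    for name, missing in missing_hellos(CAPTURES, ROUTERS).items():
        hellos, rejects = summarize(CAPTURES[name])
        print(f"{name}: hellos={dict(hellos)} missing={missing} "
              f"protocol-unreachable={len(rejects)}")
```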
-
@jlauzer
Did you check all the MTU sizes in your configurations?
If there is an MTU mismatch, there may be such side effects.
-
@pete35 I had both sides set to 1420. I tried changing both to 1500 but same results. Is the only place to change MTU in INTERFACES>>WIREGUARD? I don't think FRR sets it at all, correct?
-
I created a new virtual pfsense and only configured the bare minimum needed to get the internet working, the wireguard tunnel, and then installation of FRR. After the rebuild I have the same problem. I must be missing a setting in pfsense that allows the hello packet to travel over the tunnel. All other traffic will flow just fine. Anyone have thoughts on what I might need to configure additionally?
-
It appears this might be a Wireguard/pfsense bug. I came across this link; it appears the kernel is dropping multicast over the wireguard interface. If someone else is actually doing this (FRR OSPF over Wireguard), let me know. But I might be dead in the water until this bug is fixed...
https://redmine.pfsense.org/issues/11498
-
Could you switch over from Wireguard to Openvpn or Ipsec (vti)?
-
https://www.netgate.com/blog/wireguard-removed-from-pfsense-ce-and-pfsense-plus-software.html
https://www.netgate.com/blog/painful-lessons-learned-in-security-and-community.html