Basic OSPF Issue
-
Hi,
Brand new to pfSense/Netgate. So I apologize in advance if I've done something dumb. We are attempting to connect our new Netgate with our Meraki network. We've enabled OSPF in the Meraki and are advertising our routes. We are using FRR & have enabled OSPF. Super simple configuration, single area (0), using the Netgate as our default gateway (higher throughput than the Merakis without breaking the bank). We're advertising all private subnets from the Meraki (all our VPN traffic to users and remote sites) and the default gateway (Internet) from the pfSense. I see the 2 have established a full peering relationship. I also see that the netgate shows the routes in the router database, but it doesn't actually show in the route table. Any help would be greatly appreciated. -
are you sure ospf is configured correctly? (on both ends)
perhaps you could post screenshots of your configuration & status in pfsense -
@heper Thanks for the reply. Here's some shots of the netgate:
OSPF Routing Process, Router ID: 10.1.4.2
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 0 millisec(s)
Minimum hold time between consecutive SPFs 50 millisec(s)
Maximum hold time between consecutive SPFs 5000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 1d10h36m ago
Last SPF duration 19 usecs
SPF timer is inactive
LSA minimum interval 5000 msecs
LSA minimum arrival 1000 msecs
Write Multiplier set to 20
Refresh timer 10 secs
This router is an ASBR (injecting external routing information)
Number of external LSA 4. Checksum Sum 0x0001e4d4
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 1, Active: 1
Number of fully adjacent neighbors in this area: 1
Area has no authentication
SPF algorithm executed 5 times
Number of LSA 3
Number of router LSA 2. Checksum Sum 0x0001296d
Number of network LSA 1. Checksum Sum 0x000058ad
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
10.1.4.1 1 Full/DROther 29.982s 10.1.4.1 lagg0.4091:10.1.4.2 0 0 0

============ OSPF network routing table ============
N 10.1.4.0/24 [5] area: 0.0.0.0
directly attached to lagg0.4091

============ OSPF router routing table =============
============ OSPF external routing table ===========
OSPF Router with ID (10.1.4.2)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
10.1.4.1 10.1.4.1 395 0x80000116 0x9664 1
10.1.4.2 10.1.4.2 1010 0x8000004b 0x9309 2

Net Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum
10.1.4.1 10.1.4.1 398 0x80000113 0x58ad

AS External Link States
Link ID ADV Router Age Seq# CkSum Route
0.0.0.0 10.1.4.2 870 0x80000049 0x2c43 E2 0.0.0.0/0 [0x0]
10.255.255.255 10.1.4.1 373 0x80000112 0xb7b7 E2 10.0.0.0/8 [0x0]
172.16.0.0 10.1.4.1 373 0x80000112 0x7853 E2 172.16.0.0/12 [0x0]
192.168.255.255 10.1.4.1 373 0x80000112 0x8887 E2 192.168.0.0/16 [0x0]

Unfortunately Meraki wants to hide the details from its users for OSPF details. So I'm afraid I can't see any status information natively in their box. However, here's the settings:
OSPF Enabled
Areas
ID Name Type
0 Backbone Normal

3 interfaces
Switch Interface VLAN IP Subnet OSPF Area ID Area Name Cost Passive
SLO Core Stack (stack) FCNI-VOICE 40 10.1.100.1 10.1.100.0/24 Disabled
SLO Core Stack (stack) OSFP_Netgate 4091 10.1.4.1 10.1.4.0/24 Enabled 0 Backbone 1 No
SLO Core Stack (stack) FCNI-Data 21 192.168.10.1 192.168.10.0/24 Disabled

4 static routes
Name Subnet Next hop Advertised? Priority
SLO Core Stack (stack) Private_192.168.0.0 192.168.0.0/16 192.168.10.2 Yes Overrides OSPF route
SLO Core Stack (stack) Private_172.16.0.0 172.16.0.0/12 192.168.10.2 Yes Overrides OSPF route
SLO Core Stack (stack) Private_10.0.0.0 10.0.0.0/8 192.168.10.2 Yes Overrides OSPF route
SLO Core Stack (stack) Default route 0.0.0.0/0 192.168.10.2 No OSPF routes preferred
Hello timer
10 seconds
Dead timer
40 seconds -
on your pfsense side, the routes aren't being pulled in from meraki:
============ OSPF network routing table ============
N 10.1.4.0/24 [5] area: 0.0.0.0
directly attached to lagg0.4091
^^^ should be populated with all the subnets that meraki is supposed to advertise
i don't own any meraki gear, but it appears on the meraki side the area is set to '0' instead of '0.0.0.0' ??
afaik, area id's should match exactly
-
@heper Thanks for the help. Turns out if you turn on 'point to point' in the interface options Meraki freaks out and doesn't work. So changed it back to default and now routes are showing up. So that's good. However, it now looks like packets are not being NAT'ed or routed out the pfsense. I can see traffic going into the LAN on the Netgate but no packets going out.
Any help you can provide would be very much appreciated. I took a stab at configuring some NAT mapping rules but I could totally be making it worse. The Source traffic is NOT directly connected to the Netgate (192.168.0.0/16 various subnets). So there is no locally connected networks to the LAN except the single /30 between the Netgate and the Meraki switch that are doing the OSPF.
-
@heper Never mind, got it figured out. I had to add mess with the Firewall rules on the LAN side and change some Mappings on the WAN side to accommodate for the fact that none of the subnets we're trying to route/NAT were local to the netgate.
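
The check done by eye earlier in the thread (external LSAs present in the database, nothing computed from them) can be scripted. This is an added example, not code from any poster or from the pfSense/FRR projects: it compares the AS External LSAs a neighbour advertises against the prefixes in the OSPF routing tables and lists the ones SPF never turned into routes. Assumptions: SAMPLE is trimmed from the output posted above, and computed external routes are assumed to appear as "N E1"/"N E2" lines in FRR's route output.

```python
import ipaddress
import re

# Constructed sample: trimmed from the FRR status output posted in the thread.
SAMPLE = """\
============ OSPF network routing table ============
N    10.1.4.0/24           [5] area: 0.0.0.0
                           directly attached to lagg0.4091
============ OSPF router routing table =============
============ OSPF external routing table ===========
       OSPF Router with ID (10.1.4.2)
                AS External Link States
Link ID         ADV Router      Age  Seq#       CkSum  Route
0.0.0.0         10.1.4.2         870 0x80000049 0x2c43 E2 0.0.0.0/0 [0x0]
10.255.255.255  10.1.4.1         373 0x80000112 0xb7b7 E2 10.0.0.0/8 [0x0]
172.16.0.0      10.1.4.1         373 0x80000112 0x7853 E2 172.16.0.0/12 [0x0]
192.168.255.255 10.1.4.1         373 0x80000112 0x8887 E2 192.168.0.0/16 [0x0]
"""

# One AS External LSA row: link-id, advertising router, age, seq, cksum, type, prefix.
LSA_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+0x\w+\s+0x\w+\s+E[12]\s+(\S+)", re.M)
# One computed route: "N <prefix>", "N IA <prefix>" or "N E2 <prefix>" (assumed format).
ROUTE_RE = re.compile(r"^N\s+(?:IA\s+|E[12]\s+)?(\d+\.\d+\.\d+\.\d+/\d+)", re.M)
RID_RE = re.compile(r"OSPF Router with ID \((\S+)\)")


def missing_externals(text):
    """Return prefixes from neighbours' external LSAs with no computed OSPF route."""
    rid = RID_RE.search(text)
    self_id = rid.group(1) if rid else None
    computed = {ipaddress.ip_network(p) for p in ROUTE_RE.findall(text)}
    missing = []
    for adv_router, prefix in LSA_RE.findall(text):
        if adv_router == self_id:
            continue  # self-originated LSAs are never installed locally
        if ipaddress.ip_network(prefix) not in computed:
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    for prefix in missing_externals(SAMPLE):
        print(f"LSA for {prefix} is in the database but SPF computed no route")
```

A full adjacency with a non-empty result points at an SPF problem, such as the two ends disagreeing on interface network type, rather than at flooding.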