OSPF Database routes Redistributed into BGP

shon · Mar 11, 2023, 5:49 PM

Hello all,

I'm running pfsense 2.6.0 CE edition, with the FFR package installed.

Each firewall has the following specs:

Firewall A:
WAN/em0: 192.168.1.22/24
LAN/em1: 172.16.1.1/24
OPT1/em2: 172.17.1.1/24
OPT2/em3: 172.18.1.1/24

BGP: AS 9990
BGP: OSPF Redistribution: IPv4
BGP: Networks to Distribute NONE
BGP: Route MAP NONE

OSPF AREA 0 => OPT2: 172.18.1.0/24
OSPF Database:

============ OSPF network routing table ============
N 172.18.1.0/24 [100] area: 0.0.0.0
directly attached to em3

============ OSPF router routing table =============

============ OSPF external routing table ===========

Firewall B:
WAN/em0: 192.168.1.23/24
LAN/em1: 10.10.10.1/24
OPT1/em2: 10.10.11.1/24
OPT2/em3: 10.10.12.1/24

BGP: AS 9991
BGP OSPF Redistribution: IPv4
BGP: Networks to Distribute NONE
BGP: Route MAP NONE

OSPF AREA 0 => OPT2: 10.10.12.0/24
OSPF Database:

============ OSPF network routing table ============
N 10.10.12.0/24 [100] area: 0.0.0.0
directly attached to em3

============ OSPF router routing table =============

============ OSPF external routing table ===========

I'm under the impression that the routes listed in the OSPF database should inject inself into the BGP RIB and advertise 172.18.1.0/24 to firewall B from firewall A via BGP, and advertise 10.10.12.0/24 to firewall A from firewall B via BGP.

If I add any subnet to 'Networks to Distribute' under BGP, it will advertise the subnet without a problem. I've also tried Redistribute Local connected networks, and redistribute FRR static routes, and redistribute Kernel routing table/pfsense Static routes without any luck to advertise 172.18.1.0/24(firewall A) , and 10.10.12.0/24 (firewall B)

I'm thinking the OSPF Routes => Injected into BGP database RIB => Advertise

Thanks!

michmoor · Mar 11, 2023, 6:21 PM

@shon can you provide better output of your configs?
Log into pfsense via ssh
at the command prompt type in

vtysh

From there type in

 sh running-config

Paste that here.

shon · Mar 11, 2023, 6:27 PM

@michmoor

Firewall A:

2.6.0-RELEASE][admin@pfSense0.lab.lan]/root: vtysh

Hello, this is FRRouting (version 7.5.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

pfSense0.lab.lan# sh running-config
Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname pfSense0.lab.lan
log syslog
service integrated-vtysh-config
!
password 123
!
ip router-id 10.10.10.1
!
interface em3
 ip ospf area 0
!
router bgp 9990
 bgp router-id 172.16.1.1
 bgp log-neighbor-changes
 no bgp network import-check
 neighbor 192.168.1.23 remote-as 9991
 neighbor 192.168.1.23 description pfsense1
 neighbor 192.168.1.23 update-source 192.168.1.22
 !
 address-family ipv4 unicast
  redistribute ospf route-map allow-all
  no neighbor 192.168.1.23 send-community
  neighbor 192.168.1.23 route-map allow-all in
  neighbor 192.168.1.23 route-map allow-all out
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute ospf6 route-map allow-all
  neighbor 192.168.1.23 activate
  no neighbor 192.168.1.23 send-community
  neighbor 192.168.1.23 route-map allow-all in
  neighbor 192.168.1.23 route-map allow-all out
 exit-address-family
!
router ospf
 ospf router-id 10.10.10.1
 log-adjacency-changes detail
 neighbor 10.10.12.1
!
route-map allow-all permit 100
!
line vty
!
end
pfSense0.lab.lan#

Firewall B:

[2.6.0-RELEASE][admin@pfSense1.lab.lan]/root: vtysh

Hello, this is FRRouting (version 7.5.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

pfSense1.lab.lan# sh running-config 
Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname pfSense1.lab.lan
log syslog
service integrated-vtysh-config
!
password 123
!
ip router-id 10.10.10.1
!
interface em3
 ip ospf area 0
!
router bgp 9991
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 no bgp network import-check
 neighbor 192.168.1.22 remote-as 9990
 neighbor 192.168.1.22 description pfsense0
 neighbor 192.168.1.22 update-source 192.168.1.23
 !
 address-family ipv4 unicast
  redistribute ospf route-map allow-all
  no neighbor 192.168.1.22 send-community
  neighbor 192.168.1.22 route-map allow-all in
  neighbor 192.168.1.22 route-map allow-all out
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute ospf6 route-map allow-all
  neighbor 192.168.1.22 activate
  no neighbor 192.168.1.22 send-community
  neighbor 192.168.1.22 route-map allow-all in
  neighbor 192.168.1.22 route-map allow-all out
 exit-address-family
!
router ospf
 ospf router-id 172.16.1.1
 log-adjacency-changes detail
 neighbor 172.18.1.1
!
route-map allow-all permit 100
 set weight 1000
!
line vty
!
end