zebra Route Filtering

Musashi · May 14, 2024, 1:23 PM

Hi,

I have installed FRR package but i can't find the option for zebra route filtering in the web GUI.
https://docs.frrouting.org/en/latest/zebra.html#zebra-route-filtering

it's look like "ip protocol ospf route-map" in frr.conf

i want filtreing OSPF in entry.

My conf on linux looks like that :

frr version 7.5.1
frr defaults traditional
hostname rtr-test
log syslog informational
no ipv6 forwarding
service integrated-vtysh-config
!

....
....
router ospf
 redistribute connected route-map imt
 redistribute static route-map imt
!
ip prefix-list IMT seq 1 permit x.x.x.0/22
ip prefix-list IMT seq 2 permit x.x.x.x/22
ip prefix-list IMT seq 3 permit x.x.36.0/22
ip prefix-list PRIV seq 1 permit x.0.0.0/8 ge 8
ip prefix-list PRIV seq 3 permit x.x.0.0/16 ge 16
ip prefix-list PRIV seq 2 permit x.x.0.0/12 ge 12
ip prefix-list WIFIUPS seq 1 permit x.x.x.0/20
ip prefix-list EDUROAMINT seq 1 permit x.x.48.0/20
ip prefix-list EDUROAMEXT seq 1 permit x.x.x.0/19
!
route-map imt permit 3
 match ip address prefix-list IMT
!
route-map in permit 1
 match ip address prefix-list WIFIUPS
!
route-map in permit 2
 match ip address prefix-list EDUROAMINT
!
route-map in permit 3
 match ip address prefix-list EDUROAMEXT
!
route-map in deny 10
 match ip address prefix-list PRIV
!
route-map in permit 20
!
ip protocol ospf route-map in
!
line vty
!

michmoor · May 14, 2024, 2:41 PM

@Musashi
Lets define what you are specifically wanting to do here.
Do you want to filter OSPF routes? Considering OSPF routers all in the same Area require the same LSDB you can only filter routes (LSAs) as they enter an area or leave an area so basically the router needs to be an ABR.
You are redistributing connected routes to go into the OSPF process so you are an ASBR but still the routes will live in the OSPF area as Type 5 lsa's which you could still filter but as i mentioned above you need to have a multi-area type of design.

Do you have that design now?

Musashi · May 15, 2024, 7:57 AM

@michmoor

we have (access) only one area

The goal is to filter IPs coming from OSPF corresponding to a specific route-map called IN (with permits and denies) to bring them back into the kernel.

michmoor · May 15, 2024, 2:32 PM

@Musashi
So the routes exist already in OSPF?
You are importing connected and static routes but passing them through a filter (route-map)
So whats the problem exactly?

gamba · May 16, 2024, 7:08 AM

@michmoor

I am a coworker of @Musashi, we are hosted on a campus.

Our OSPF router is currently on linux, and we use

ip protocol ospf route_map …

to filter incoming OSFP route, accepting only IP addresses matching our network and IP from private networks used for wifi networks.

We don't find how to specify ip protocol ospf route_map in the pfsense web interface. Is it possible ?

Sorry if we are unclear, we are clearly out of our comfort zone when dealing with ospf stuff.

michmoor · May 16, 2024, 5:57 PM

@gamba said in zebra Route Filtering:

o filter incoming OSFP route,

im a bit confused as to what you are trying to do here.
you can only filter ospf routes (LSAs) as they leave an Area or come into an Area.
But you only have acess to only one area? So this means your network is connected to the backbone area and you are in a non-backbone area, yes?
If so, filter at your ABR

gamba · May 17, 2024, 6:16 AM

@michmoor

Some routes already exist in OSPF, and we provide others by redistributing stating/connected routes.

Some routes received by OSPF (private networks) clash with internal routing in our network.
We have to filter those route out and not consider them.

For instance, we use 172.31.0.0/16 internally, and this network is also received through OSPF.

We actually do this filtering at the zebra level with ip protocol ospf route_map ….
But we can't find the option in the pfsense gui for frr to do that.

I hope this clarifies our problem.

gamba · May 17, 2024, 7:24 AM

@michmoor

You are right : our router is an ASBR in a non backbone area.
We have to filter some routes that we reveive from OSPF, and we have no control on the ABR in the zone.

michmoor · May 17, 2024, 8:56 PM

@gamba
There are a couple of design decisions that you will need to make in the future regarding your set up If you have IP overlap we wont discuss all of them for your problem but you should be aware of it so i shall mention it below.

If you want to limit the amount of OSPF advertisements into your Area (non-backbone) then highly recommend making it a stub. Considering you are redistributing routes into your Area as you have an ASBR then i recommend NSSA totally stubby. In this way you will not see any external routes from the backbone AND you will not receive inter-area routes. you will get a default route injected into your Area only which should suffice for your routing needs outside the ospf area.

That should simplify the routing quite a bit within your area. You will not see the conflicting prefixes from the backbone as your area only knows about the intra-area routes and a default route from the ABR. External destinations injected into your area will be by your ASBR in which case routing to those external areas is handled all within your Area.
edit: Just to make sure I'm expanding on this clearly. Even though within your non-backbone area you never seen IP overlap issues the backbone area still sees your area routes as that is the nature of OSPF flooding inter-area. Thats why its critical to filter your routes on the ABR - egress your area. All of this is not ideal and the long term solution should be BGP as i outlined below.

The other design decision is to break up these OSPF areas with BGP. You run eBGP between you and the other site. Run OSPF within the LAN(assuming its larger enough to warrant that). In this way, BGP being a policy-driven protocol more so then a routing one, you are able to control what gets announced by you and the benefit of steering traffic the way you want it.

That said, as i mentioned, you can only filter routes into an Area or routes leaving an area. Thats it.
Create your route-maps in pfsense by going to Services > FRRGlobal Settings > Route Maps
Then apply that route-map on your ASBR or your ABR under
Services > FRR> OSPF> edit Areas

gamba · May 18, 2024, 7:40 AM

@michmoor
You are perfectly correct on the ospf side, but we have no liberty to change the ospf topology, or even to add a zone.

Furthermore, we need some of the routes provided by ospf.
Zebra is an adequate choice to filter incoming routes, we alreday do that.

Our question remains : how to to ip protocol ospf route_map XXX in the frr gui in pfsense, that is all :-)

michmoor · May 18, 2024, 2:44 PM

@gamba I answered it above ….

gamba · May 19, 2024, 7:11 AM

@michmoor Perfect, thank you very much.

Musashi · May 21, 2024, 7:39 AM

@michmoor thanks for your time