RIP Routing Questions
clahti last edited by
I have two pfsense boxes serviing as multiple openvpn servers. Each server has five running instances for a total of 10 virtual subnets. We are also pushing routes from connected clients that serve as gateways to remote networks behind the OVPN tunnel interface. OVPN clients can round-robin connect to any of the 10 listed OVPN servers below, then via the tunnel talk to hosts on the LAN network 10.1.1.0/24. For example:
OVPN server #01:
-WAN address 126.96.36.199/24 -LAN network 10.1.1.0/24 -LAN address 10.1.1.1 -OVPN virtual network #01 10.11.1.0/24 -OVPN virtual gateway #01 10.11.1.1 -OVPN virtual network #02 10.11.2.0/24 -OVPN virtual gateway #02 10.11.2.1 -OVPN virtual network #03 10.11.3.0/24 -OVPN virtual gateway #03 10.11.3.1 -OVPN virtual network #04 10.11.4.0/24 -OVPN virtual gateway #04 10.11.4.1 -OVPN virtual network #05 10.11.5.0/24 -OVPN virtual gateway #06 10.11.5.1
OVPN server #02:
-WAN address 188.8.131.52/24 -LAN network 10.1.1.0/24 -LAN address 10.1.1.2 -OVPN virtual network #01 10.12.1.0/24 -OVPN virtual gateway #01 10.12.1.1 -OVPN virtual network #02 10.12.2.0/24 -OVPN virtual gateway #02 10.12.2.1 -OVPN virtual network #03 10.12.3.0/24 -OVPN virtual gateway #03 10.12.3.1 -OVPN virtual network #04 10.12.4.0/24 -OVPN virtual gateway #04 10.12.4.1 -OVPN virtual network #05 10.12.5.0/24 -OVPN virtual gateway #06 10.12.5.1
Typical OVPN client that connects picks OVPN server1 randomly
-WAN address 184.108.40.206 -LAN network 10.20.1.0/24 -LAN address 10.20.1.1 -OVPN virtual IP 10.12.1.10/24 -OVPN virtual gateway #01 10.12.1.1
All is good so far. Now comes challenges:
- Challenge #01: hosts on LAN need reverse routes to the 10.11.* and 10.12* networks.
- Challenge #02: hosts on the LAN need reverse routes to the trusted networks behind OVPN clients, example 10.20.1.0/24 sits behind 10.12.1.10.
Partial Solution: Rather than maintain static routes, RIPv1 to the rescue. Install routed on pfsense and enable for the LAN interface. Then install RIP on target hosts that need to know about these networks, works as expected. NOTE, I need to only advertise routes from these boxen, I do not want to receive routes. This is accomplished by putting no_ripv1_in in /etc/gateways. This edit does not survive a reboot, and without this each pfsense server receives routes from the each other and both get fubar'd. The good news is RIP and OVPN push-route actually solves issue #02. There is another issue with the introduction of RIP, this sends route information of the OVPN server WAN interfaces, so for example the following RIP routes appear on hosts receiving RIP information:
220.127.116.11/24 -> 10.1.1.1 18.104.22.168/24 -> 10.1.1.2
Question #01: how do I set no_ripv1_in in /etc/gateways to survive a reboot?
Question #02: how do I remove the WAN routes from RIP advertised routing table on OVPN servers? I do not want downstream RIP recipients to use the OVPN servers for routes to WAN, rather use their default interface.
Sorry for the long post, but I am almost there :).