Quagga OSPF + OpenVPN [Solved]
-
A cross-post of sorts (apologies if there's an x-post function on the forums, I couldn't find it).
Context: https://forum.pfsense.org/index.php?topic=106497.0
I'd love a bit of guidance on getting this working. Currently, configured as in the linked thread, along with the suggestion to use topology subnet.
Do I need to configure loopback interfaces for the Router IDs? Do I need to assign the OpenVPN tunnel as an OPT interface? Am I missing something else?
Running version 2.2.6 - the information below is for Site 1.
OSPF General
OSPF Routing Process, Router ID: 0.0.0.1
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 200 millisec(s)
Minimum hold time between consecutive SPFs 1000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm last executed 10h12m46s ago
SPF timer is inactive
Refresh timer 10 secs
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
All adjacency changes are logged
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 10, Active: 10
Number of fully adjacent neighbors in this area: 0
Area has no authentication
SPF algorithm executed 1 times
Number of LSA 1
Number of router LSA 1. Checksum Sum 0x00000d41
Number of network LSA 0. Checksum Sum 0x00000000
Number of summary LSA 0. Checksum Sum 0x00000000
Number of ASBR summary LSA 0. Checksum Sum 0x00000000
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
OSPF Neighbours
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
OSPF Database
OSPF Router with ID (0.0.0.1)
Router Link States (Area 0.0.0.0)
Link ID ADV Router Age Seq# CkSum Link count
0.0.0.1 0.0.0.1 809 0x8000001f 0x0d41 10
OSPF Routes
============ OSPF network routing table ============
N 10.0.0.0/29 [10] area: 0.0.0.0
directly attached to igb1
N 172.31.0.2/32 [10] area: 0.0.0.0
directly attached to ovpns15
N 172.31.0.10/32 [10] area: 0.0.0.0
directly attached to ovpns17
N 172.31.0.14/32 [10] area: 0.0.0.0
directly attached to ovpns18
N 172.31.0.18/32 [10] area: 0.0.0.0
directly attached to ovpns19
N 172.31.0.22/32 [10] area: 0.0.0.0
directly attached to ovpns20
N 172.31.0.26/32 [10] area: 0.0.0.0
directly attached to ovpns21
N 172.31.0.30/32 [10] area: 0.0.0.0
directly attached to ovpns22
N 172.31.0.34/32 [10] area: 0.0.0.0
directly attached to ovpns23
N 172.31.0.38/32 [10] area: 0.0.0.0
directly attached to ovpns24
============ OSPF router routing table =============
============ OSPF external routing table ===========
Zebra Routes
Omitted due to size - let me know if needed!
OSPF Interfaces
Omitted due to size - let me know if needed!
OSPF configuration (raw)
This file was created by the pfSense package manager. Do not edit!
password *******************
log syslog
interface ovpns16
ip ospf cost 10
ip ospf authentication-key **********
interface igb1
router ospf
ospf router-id 0.0.0.1
log-adjacency-changes detail
passive-interface igb1
network 172.0.0.0/11 area 0.0.0.0
network 10.0.0.0/29 area 0.0.0.0
Zebra Configuration (raw)
This file was created by the pfSense package manager. Do not edit!
password *******************
log syslog
ip prefix-list ACCEPTFILTER deny 172.0.0.0/11
ip prefix-list ACCEPTFILTER permit any
route-map ACCEPTFILTER permit 10
match ip address prefix-list ACCEPTFILTER
ip protocol ospf route-map ACCEPTFILTER
Note: There is only one physical interface attached to OSPF at the moment, which is the pfSense management network. Site 4 router has a VLAN attached to OSPF, but the rest of the configuration is the same.
-
172.0.0.0/11 - indistinguishable tunnel networks of the OpenVPN servers?
What is OpenVPN - Server Mode? In case of 'Peer to Peer ( Shared Key )', you don't need topology subnet - it breaks routing.
-
172.0.0.0/11 - indistinguishable tunnel networks of the OpenVPN servers?
Good spot. Any idea how that might have come about?
There are several /30 subnets for OpenVPN, starting at 172.31.0.0/30 and currently ending at 172.31.0.80/30.
Yes, there are multiple server instances in Peer to Peer (shared key) TUN mode - two per site (two WAN connections). Subnets for the OpenVPN networks are specified at both the server and client side, and they do manage to assign themselves unique IPs in this; if I manually add a route at each side for one of the tunnels, traffic can pass.
I have removed the topology subnet configuration line.
There are also some remote access OpenVPN instances set up for road warriors, using RADIUS auth and certificates, but these reside in a different subnet and aren't given to OSPF as interfaces.
Thanks for your reply, by the way - I appreciate it!
-
Good spot. Any idea how that might have come about?
The 172.0.0.0/11 probably comes from ACCEPTFILTER, however check the ovpns16 tunnel network mask.
Remove filters, fill in 'Master Password', 'Router ID' and 'Area' in the Quagga OSPFd > Global Settings, leaving other fields blank. Select an interface, fill in 'Area' (set 'Interface is Passive' in case of stub network interface, i.e. LAN) in the Quagga OSPFd > Interface Settings. Leave other fields blank. Test it.
-
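To make the diagnosis above concrete, here is an added example (not code from this thread, from the pfSense package or from Quagga) that reads the posted zebra.conf prefix-list and ospfd `network` statements and reports, per interface, which OSPF area the `network` statement places it in and what the ACCEPTFILTER route-map would do with its prefix. It assumes the standard Quagga/Cisco prefix-list rules: an entry without `ge`/`le` matches only a route of exactly that prefix length, `le N` extends the match to longer prefixes up to N, `ge N` to prefixes of length N and up, first match wins, and an unmatched route is denied. The interface addresses are constructed from the /30 tunnel nets and the 10.0.0.0/29 management net mentioned in the thread. The script also runs the same check with `le 32` appended to the deny line, to show the difference between an exact-length deny and one that covers every tunnel /30 beneath 172.0.0.0/11.

```python
"""Audit a Quagga prefix-list filter and ospfd network statements against
OpenVPN tunnel interfaces. Added example, not pfSense or Quagga code."""
import ipaddress
import re

# Constructed from the thread: the zebra.conf filter exactly as posted.
ZEBRA_CONF = """\
ip prefix-list ACCEPTFILTER deny 172.0.0.0/11
ip prefix-list ACCEPTFILTER permit any
"""

# Constructed from the thread: the ospfd.conf network statements.
OSPFD_CONF = """\
network 172.0.0.0/11 area 0.0.0.0
network 10.0.0.0/29 area 0.0.0.0
"""

# Constructed interface addresses: two p2p tunnel /30s and the /29 LAN.
TUNNELS = {
    "ovpns15": "172.31.0.1/30",
    "ovpns17": "172.31.0.9/30",
    "igb1": "10.0.0.2/29",
}

_PL_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_list(text, name):
    """Return the entries of prefix-list `name` in file order."""
    entries = []
    for line in text.splitlines():
        m = _PL_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue
        prefix = m.group("prefix")
        entries.append({
            "action": m.group("action"),
            "prefix": None if prefix == "any" else ipaddress.ip_network(prefix),
            "ge": int(m.group("ge")) if m.group("ge") else None,
            "le": int(m.group("le")) if m.group("le") else None,
        })
    return entries


def entry_matches(entry, route):
    """Standard prefix-list match: route inside the entry prefix and its
    length within [ge, le]; with neither given, only the exact length."""
    if entry["prefix"] is None:  # 'any'
        return True
    p = entry["prefix"]
    if not route.subnet_of(p):
        return False
    lo = entry["ge"] if entry["ge"] is not None else p.prefixlen
    if entry["le"] is not None:
        hi = entry["le"]
    else:
        hi = route.max_prefixlen if entry["ge"] is not None else p.prefixlen
    return lo <= route.prefixlen <= hi


def prefix_list_action(entries, route):
    """First matching entry wins; an unmatched route is implicitly denied."""
    for e in entries:
        if entry_matches(e, route):
            return e["action"]
    return "deny"


def ospf_networks(text):
    """Return (prefix, area) pairs from `network A.B.C.D/M area X` lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "network" and parts[2] == "area":
            nets.append((ipaddress.ip_network(parts[1]), parts[3]))
    return nets


def audit(zebra_conf, ospfd_conf, interfaces):
    """Map each interface to (area enabled by a network statement or None,
    ACCEPTFILTER action for the interface's own prefix)."""
    entries = parse_prefix_list(zebra_conf, "ACCEPTFILTER")
    nets = ospf_networks(ospfd_conf)
    result = {}
    for iface, addr in interfaces.items():
        ifa = ipaddress.ip_interface(addr)
        area = next((a for n, a in nets if ifa.ip in n), None)
        result[iface] = (area, prefix_list_action(entries, ifa.network))
    return result


if __name__ == "__main__":
    for iface, (area, action) in audit(ZEBRA_CONF, OSPFD_CONF, TUNNELS).items():
        print(f"{iface}: area={area} filter={action}")
    # Same deny line with 'le 32': now every /30 under 172.0.0.0/11 is denied.
    wide = ZEBRA_CONF.replace("deny 172.0.0.0/11", "deny 172.0.0.0/11 le 32")
    for iface, (area, action) in audit(wide, OSPFD_CONF, TUNNELS).items():
        print(f"[le 32] {iface}: area={area} filter={action}")
```

As written in the thread, `deny 172.0.0.0/11` without `le` only matches a route that is exactly 172.0.0.0/11, so the /30 tunnel prefixes fall through to `permit any`; the `le 32` variant is the one that would keep every tunnel route out of the kernel table, which is the failure mode the later replies describe. Either way, dropping the filter entirely, as the post above suggests, removes the ambiguity.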
Thanks for that! Just made those changes, unfortunately, Zebra now won't start.
I'm going to reboot both ends tonight, once the sites are unstaffed. Fingers crossed! I'll post back here in a few hours.
I did check the ovpns net mask - it's definitely /30, in webconfigurator and in the config.xml.
Assuming the ACCEPTFILTER directive is the cause of this issue, is there any other way to exclude the OpenVPN subnets being pushed by OSPF? I've seen a couple of posts here and on Reddit that suggest that this can cause OpenVPN to fail restarting if the daemon crashes, as the routes are already in place at both ends.
This might not be true / may not still be a problem.
-
I do not filter OpenVPN networks and have no issues so far. I've attached screenshots of simple but working settings you may want to start with
192.168.102.0/24 --- pfSense1(OpenVPN server) 198.51.100.2 <-- INTERNET <-- 203.0.113.2 pfSense2(OpenVPN client) --- 192.168.103.0/24
-
Many, many thanks for that! It's up and running now.
After removing the ACCEPTFILTER and rebooting at both ends, the OpenVPN subnet was listed correctly and traffic now moves over the tunnel as you'd expect.
Gonna start on the other sites shortly :)
Thanks again!
-
ajrg,
It would be interesting to see how you made out with the other sites. If you can post back that would be great!
Also, do you just have 1 WAN at the sites? We are working on a project now and every site has multi WAN (with carp) and we are looking to use OpenVPN/Quagga.
Hope all goes well for you.
vito
-
It's been fine - I've been bringing the other sites into the OSPF scope through the day. No issues at all.
We have a total of four sites, with a fifth coming in a few weeks;
Site 1: Two-node CARP, with three WAN connections (2x fibre, 1x LTE - this site is in an area where one ISP has an effective monopoly so both fibres are with the same ISP)
Sites 2, 3 and 4: Single node, two WAN connections
Site 5: Two-node CARP, with three WAN connections (1x WiMax, 1x fibre, 1x LTE - similar single ISP situation, but at least with two different connection methods)
I'll post back once site 5 is working, but I don't see any reason why we'd have issues running another CARP node. I've tested CARP failover and failback, and multi-WAN failover and failback at all sites. It all works brilliantly with default timer settings, though I suppose you could reduce the timers if you needed faster OSPF response, probably at the expense of CPU usage/bandwidth.