Re: Using ospfd to establish default routes with two outgoing connections (SOLVED)
Stuart Henderson wrote:
> On 2009-05-07, carlopmart wrote:
>> Matthew Dempsky wrote:
>>> On Thu, May 7, 2009 at 1:47 PM, carlopmart wrote:
>>>> Which is that sysctl param Stuart??
>>>
>>> net.inet.ip.multipath
>>>
>>> See http://www.openbsd.org/faq/faq6.html#Multipath
>>
>> I have setup this param previously ... And I think I have found the
>> problem. I am using vlan on this OpenBSD box, and I have setup mtu to
>> 1450. Maybe this can be a problem to use OSPF??
>
> You probably have an error in the logs on both sides telling you that
> the MTU mismatches.
>
> Why do you change the MTU? VLANs would be pretty useless if they meant
> using different MTU all over the place.

Finally, I have found my problem: MTU. I have changed mtu on OpenBSD box
to 1492 and all works ok.

Many thanks to all.

--
CL Martinez
carlopmart {at} gmail {d0t} com
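
The MTU comparison behind the fix reported above, as an added example that is not part of the thread: a shell function that takes the interfaces named in ospfd.conf and compares each one's MTU, read from ifconfig output, with the neighbour's MTU. The sample inputs are constructed from the configuration quoted in the thread (vlan45 set to 1492 for contrast), and the neighbour MTU of 1492 is an assumption taken from the value the poster reports working.

```shell
# Constructed sample: the area block of the ospfd.conf quoted in the thread.
sample_ospfd_conf() { cat <<'EOF'
area 0.0.0.0 {
    auth-type none
    interface vlan35
    interface vlan45 { metric 20 }
}
EOF
}

# Constructed sample: ifconfig header lines; vlan45 changed to 1492 for contrast.
sample_ifconfig() { cat <<'EOF'
em1: flags=8843 mtu 1500
vlan35: flags=8843 mtu 1496
vlan45: flags=8843 mtu 1492
EOF
}

# ospf_mtu_check CONF_FILE IFCONFIG_FILE PEER_MTU
# Prints "<iface> <mtu> ok|MISMATCH|MISSING" per OSPF interface; status 1 on any problem.
ospf_mtu_check() {
    awk -v peer="$3" '
    FILENAME == ARGV[1] {        # ospfd.conf: collect "interface <name>[:address]"
        sub(/#.*/, "")
        for (i = 1; i < NF; i++)
            if ($i == "interface") { name = $(i + 1); sub(/[{:].*/, "", name); order[++n] = name }
        next
    }
    /^[a-z]+[0-9]+: / {          # ifconfig header line: "vlan35: flags=... mtu 1496"
        ifname = $1; sub(/:$/, "", ifname)
        for (i = 2; i < NF; i++) if ($i == "mtu") mtu[ifname] = $(i + 1)
    }
    END {
        for (k = 1; k <= n; k++) {
            name = order[k]
            if (!(name in mtu)) { print name, "-", "MISSING"; bad = 1 }
            else if (mtu[name] + 0 != peer + 0) { print name, mtu[name], "MISMATCH"; bad = 1 }
            else print name, mtu[name], "ok"
        }
        exit bad + 0
    }' "$1" "$2"
}

# Run the check on the constructed samples; $1 is the neighbour MTU (assumed).
run_sample() {
    conf=$(mktemp) && ifc=$(mktemp) || return 2
    sample_ospfd_conf > "$conf"; sample_ifconfig > "$ifc"
    ospf_mtu_check "$conf" "$ifc" "${1:-1492}" && rc=0 || rc=$?
    rm -f "$conf" "$ifc"; return "$rc"
}

run_sample 1492 || echo "MTU differs from the neighbour on an OSPF interface"
```

On a live system the two files would be the real /etc/ospfd.conf and the saved output of ifconfig, with the neighbour's MTU read from its own interface configuration.
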
Re: Using ospfd to establish default routes with two outgoing connections
hi,

MTU on ethernet vlan interfaces are also 1500. the vlan tag overhead is
handled by the switch and NIC. you do not have to care about that.

run tcpdump on all interfaces and look for the ospf hello packets... and
can you please post the logs... ?

you're not getting any neighbors with "ospfctl show neig", right?

On Fri, May 8, 2009 at 1:34 AM, Stuart Henderson wrote:
> On 2009-05-07, carlopmart wrote:
> > Matthew Dempsky wrote:
> >> On Thu, May 7, 2009 at 1:47 PM, carlopmart wrote:
> >>> Which is that sysctl param Stuart??
> >>
> >> net.inet.ip.multipath
> >>
> >> See http://www.openbsd.org/faq/faq6.html#Multipath
> >>
> > I have setup this param previously ... And I think I have found the
> > problem. I am using vlan on this OpenBSD box, and I have setup mtu to
> > 1450. Maybe this can be a problem to use OSPF??
>
> You probably have an error in the logs on both sides telling you that
> the MTU mismatches.
>
> Why do you change the MTU? VLANs would be pretty useless if they meant
> using different MTU all over the place.
Re: Using ospfd to establish default routes with two outgoing connections
On 2009-05-07, carlopmart wrote:
> Matthew Dempsky wrote:
>> On Thu, May 7, 2009 at 1:47 PM, carlopmart wrote:
>>> Which is that sysctl param Stuart??
>>
>> net.inet.ip.multipath
>>
>> See http://www.openbsd.org/faq/faq6.html#Multipath
>>
> I have setup this param previously ... And I think I have found the
> problem. I am using vlan on this OpenBSD box, and I have setup mtu to
> 1450. Maybe this can be a problem to use OSPF??

You probably have an error in the logs on both sides telling you that
the MTU mismatches.

Why do you change the MTU? VLANs would be pretty useless if they meant
using different MTU all over the place.
Re: Using ospfd to establish default routes with two outgoing connections
Matthew Dempsky wrote:
> On Thu, May 7, 2009 at 1:47 PM, carlopmart wrote:
>> Which is that sysctl param Stuart??
>
> net.inet.ip.multipath
>
> See http://www.openbsd.org/faq/faq6.html#Multipath

I have setup this param previously ... And I think I have found the
problem. I am using vlan on this OpenBSD box, and I have setup mtu to
1450. Maybe this can be a problem to use OSPF??

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Using ospfd to establish default routes with two outgoing connections
On Thu, May 7, 2009 at 1:47 PM, carlopmart wrote:
> Which is that sysctl param Stuart??

net.inet.ip.multipath

See http://www.openbsd.org/faq/faq6.html#Multipath
Re: Using ospfd to establish default routes with two outgoing connections
Stuart Henderson wrote:
> On 2009-05-07, carlopmart wrote:
>> Stuart Henderson wrote:
>>> On 2009-05-07, carlopmart wrote:
>>>> Hi all,
>>>>
>>>> I am trying to establish default routes on an openbsd firewall using
>>>> ospfd instead of use multipath+route to param under pf.conf without
>>>> luck.
>>>>
>>>> My topology is:
>>>>
>>>> Internet --- ExtFw1 |
>>>>                     |
>>>>                     OpenBSDFw - Internal Network
>>>>                     |
>>>> Internet --- ExtFw2 |
>>>>
>>>> ExtFw1 and ExtFw2 are commercial products with different versions. I
>>>> have put a rule to pass all traffic generated by OpenBSD on both
>>>> external firewalls.
>>>
>>> ExtFw1 and ExtFw2 are running OSPF and announcing a default route
>>> into it, right??
>>
>> At this time yes. Extfw are commercial firewalls based on linux and I
>> use quagga to configure ospf on each one. But, any route is attached
>> to openbsd via ospf ...
>
> Then there's something basic wrong, because the routers aren't
> forming adjacencies. Look at the logs everywhere, maybe look at
> tcpdump.
>
> OpenOSPFd does support ECMP providing the sysctl is set (otherwise
> the kernel won't accept multiple routes to the same prefix with the
> same routing priority).

Which is that sysctl param Stuart??

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Using ospfd to establish default routes with two outgoing connections
On 2009-05-07, carlopmart wrote:
> Stuart Henderson wrote:
>> On 2009-05-07, carlopmart wrote:
>>> Hi all,
>>>
>>> I am trying to establish default routes on an openbsd firewall using
>>> ospfd instead of use multipath+route to param under pf.conf without
>>> luck.
>>>
>>> My topology is:
>>>
>>> Internet --- ExtFw1 |
>>>                     |
>>>                     OpenBSDFw - Internal Network
>>>                     |
>>> Internet --- ExtFw2 |
>>>
>>> ExtFw1 and ExtFw2 are commercial products with different versions. I
>>> have put a rule to pass all traffic generated by OpenBSD on both
>>> external firewalls.
>>
>> ExtFw1 and ExtFw2 are running OSPF and announcing a default route
>> into it, right??
>>
>
> At this time yes. Extfw are commercial firewalls based on linux and I
> use quagga to configure ospf on each one. But, any route is attached
> to openbsd via ospf ...
>

Then there's something basic wrong, because the routers aren't forming
adjacencies. Look at the logs everywhere, maybe look at tcpdump.

OpenOSPFd does support ECMP providing the sysctl is set (otherwise the
kernel won't accept multiple routes to the same prefix with the same
routing priority).
Re: Using ospfd to establish default routes with two outgoing connections
Marco Fretz wrote:
> Hi,
>
> I'm not 100% clear if i got you right. but if I'm right you have to do
> the "redistribute default" on your 2 external firewalls. because the
> openbsd box needs the default route (to the internet) not the other way
> round...
>
> ExtFw has (static?) route to the ISP. OpenBSDFw gets default route
> dynamically via OSPF from ExtFw1 or from ExtFw2. that's it.
>
> are ExtFw1, ExtFw2 and OpenBSDFw on the same subnet? generally you have
> to run ospf on all 3 boxes. on ExtFw1 set metric lower than on ExtFw2
> so OpenBSDFw will use the default route from ExtFw1 as long ExtFw1 is
> available and ospf adj are established.
>
> ospf redistribution means that the local router will announce prefix
> 0.0.0.0/0 pointing to the address of the interface where the LSA is
> sent out...
>
> is that what you're looking for?
>
> greets
> Marco

Extfw1 and Extfw2 are on different subnets:

- ExtFw1: 172.16.34.0/30
- ExtFw2: 172.16.55.0/30

OpenBSD connects to both subnets using two different interfaces. And
yes, both external firewalls have a static default route. What I am
trying to do is to load balance outgoing connections like
ifstated+multipath+ route to round robin on pf.conf does. But reading
more accurately about using OSPF I think that ospf only provides
active/passive default routes. Am I correct???

> On Thu, May 7, 2009 at 3:40 PM, carlopmart wrote:
>> Stuart Henderson wrote:
>>> On 2009-05-07, carlopmart wrote:
>>>> Hi all,
>>>>
>>>> I am trying to establish default routes on an openbsd firewall using
>>>> ospfd instead of use multipath+route to param under pf.conf without
>>>> luck.
>>>>
>>>> My topology is:
>>>>
>>>> Internet --- ExtFw1 |
>>>>                     |
>>>>                     OpenBSDFw - Internal Network
>>>>                     |
>>>> Internet --- ExtFw2 |
>>>>
>>>> ExtFw1 and ExtFw2 are commercial products with different versions. I
>>>> have put a rule to pass all traffic generated by OpenBSD on both
>>>> external firewalls.
>>>
>>> ExtFw1 and ExtFw2 are running OSPF and announcing a default route
>>> into it, right??
>>
>> At this time yes. Extfw are commercial firewalls based on linux and I
>> use quagga to configure ospf on each one. But, any route is attached
>> to openbsd via ospf ...
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Using ospfd to establish default routes with two outgoing connections
Hi,

I'm not 100% clear if i got you right. but if I'm right you have to do
the "redistribute default" on your 2 external firewalls. because the
openbsd box needs the default route (to the internet) not the other way
round...

ExtFw has (static?) route to the ISP. OpenBSDFw gets default route
dynamically via OSPF from ExtFw1 or from ExtFw2. that's it.

are ExtFw1, ExtFw2 and OpenBSDFw on the same subnet? generally you have
to run ospf on all 3 boxes. on ExtFw1 set metric lower than on ExtFw2 so
OpenBSDFw will use the default route from ExtFw1 as long ExtFw1 is
available and ospf adj are established.

ospf redistribution means that the local router will announce prefix
0.0.0.0/0 pointing to the address of the interface where the LSA is sent
out...

is that what you're looking for?

greets
Marco

On Thu, May 7, 2009 at 3:40 PM, carlopmart wrote:
> Stuart Henderson wrote:
>
>> On 2009-05-07, carlopmart wrote:
>>
>>> Hi all,
>>>
>>> I am trying to establish default routes on an openbsd firewall using
>>> ospfd instead of use multipath+route to param under pf.conf without
>>> luck.
>>>
>>> My topology is:
>>>
>>> Internet --- ExtFw1 |
>>>                     |
>>>                     OpenBSDFw - Internal Network
>>>                     |
>>> Internet --- ExtFw2 |
>>>
>>> ExtFw1 and ExtFw2 are commercial products with different versions. I
>>> have put a rule to pass all traffic generated by OpenBSD on both
>>> external firewalls.
>>>
>>
>> ExtFw1 and ExtFw2 are running OSPF and announcing a default route
>> into it, right??
>>
>
> At this time yes. Extfw are commercial firewalls based on linux and I
> use quagga to configure ospf on each one. But, any route is attached
> to openbsd via ospf ...
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
Re: Using ospfd to establish default routes with two outgoing connections
Stuart Henderson wrote:
> On 2009-05-07, carlopmart wrote:
>> Hi all,
>>
>> I am trying to establish default routes on an openbsd firewall using
>> ospfd instead of use multipath+route to param under pf.conf without
>> luck.
>>
>> My topology is:
>>
>> Internet --- ExtFw1 |
>>                     |
>>                     OpenBSDFw - Internal Network
>>                     |
>> Internet --- ExtFw2 |
>>
>> ExtFw1 and ExtFw2 are commercial products with different versions. I
>> have put a rule to pass all traffic generated by OpenBSD on both
>> external firewalls.
>
> ExtFw1 and ExtFw2 are running OSPF and announcing a default route
> into it, right??

At this time yes. Extfw are commercial firewalls based on linux and I
use quagga to configure ospf on each one. But, any route is attached to
openbsd via ospf ...

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Using ospfd to establish default routes with two outgoing connections
On 2009-05-07, carlopmart wrote:
> Hi all,
>
> I am trying to establish default routes on an openbsd firewall using
> ospfd instead of use multipath+route to param under pf.conf without
> luck.
>
> My topology is:
>
> Internet --- ExtFw1 |
>                     |
>                     OpenBSDFw - Internal Network
>                     |
> Internet --- ExtFw2 |
>
> ExtFw1 and ExtFw2 are commercial products with different versions. I
> have put a rule to pass all traffic generated by OpenBSD on both
> external firewalls.

ExtFw1 and ExtFw2 are running OSPF and announcing a default route
into it, right??

>
> My interfaces config are:
>
> em0: flags=8843 mtu 1500
>         lladdr 00:50:56:29:f2:2c
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet 172.25.50.1 netmask 0xffe0 broadcast 172.25.50.31
>         inet6 fe80::250:56ff:fe29:f22c%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet6 fe80::250:56ff:fe0f:7bb0%em1 prefixlen 64 scopeid 0x2
> enc0: flags=0<> mtu 1536
>         priority: 0
> vlan15: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         description: Management Interface
>         priority: 0
>         vlan: 15 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan15 prefixlen 64 scopeid 0x5
>         inet 172.25.65.1 netmask 0xfff0 broadcast 172.25.65.15
> vlan25: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         description: VPN Interface
>         priority: 0
>         vlan: 25 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan25 prefixlen 64 scopeid 0x6
>         inet 172.25.85.1 netmask 0xfff8 broadcast 172.25.85.7
> vlan35: flags=8843 mtu 1496
>         lladdr 00:50:56:0f:7b:b0
>         description: Primary Outgoing Interface
>         priority: 0
>         vlan: 35 priority: 0 parent interface: em1
>         groups: vlan egress
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan35 prefixlen 64 scopeid 0x7
>         inet 192.168.100.66 netmask 0xfffc broadcast 192.168.100.67
> vlan45: flags=8843 mtu 1496
>         lladdr 00:50:56:0f:7b:b0
>         description: Secondary Outgoing Interface
>         priority: 0
>         vlan: 45 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan45 prefixlen 64 scopeid 0x8
>         inet 10.10.10.201 netmask 0xfff8 broadcast 10.10.10.207
> pflog0: flags=141 mtu 33204
>         priority: 0
>         groups: pflog
>
>
> My ospfd.conf:
>
> router-id 192.168.100.66
> fib-update yes
> redistribute connected
> redistribute default
>
> area 0.0.0.0 {
>         auth-type none
>         interface vlan35
>         interface vlan45 { metric 20 }
> }
>
> Output of "ospctl show database" command is:
>
>         Router Link States (Area 0.0.0.0)
>
> Link ID         Adv Router      Age  Seq#    Checksum
> 192.168.100.66  192.168.100.66  641  0x8001  0x3bdc
>
>         Type-5 AS External Link States
>
> Link ID         Adv Router      Age  Seq#    Checksum
> 0.0.0.0         192.168.100.66  641  0x8001  0x11cf
> 172.25.50.0     192.168.100.66  641  0x8001  0x3ccb
> 172.25.65.0     192.168.100.66  641  0x8001  0xf6f1
> 172.25.85.0     192.168.100.66  641  0x8001  0x4a82
>
>
>
> Output of "ospctl show n" command is:
>
> r...@obsdintfw:~# ospfctl show n
> ID  Pri  State  DeadTime  Address  Iface  Uptime
>
> r...@obsdintfw:~#
>
>
> Output of "ospctl show r" command is:
>
> r...@obsdfwint:~# ospfctl show r
> Destination  Nexthop  Path Type  Type  Cost  Uptime
>
> r...@obsdfwint:~#
>
> Is this configuration correct? Why can't I establish my default routes
> with multipath using ospfd? Or I am wrong and only I can use
> multipath+route to with pf.conf??
>
> Many thanks.
Re: Using ospfd to establish default routes with two outgoing connections
carlopmart wrote:
> Hi all,
>
> I am trying to establish default routes on an openbsd firewall using
> ospfd instead of use multipath+route to param under pf.conf without
> luck.
>
> My topology is:
>
> Internet --- ExtFw1 |
>                     |
>                     OpenBSDFw - Internal Network
>                     |
> Internet --- ExtFw2 |
>
> ExtFw1 and ExtFw2 are commercial products with different versions. I
> have put a rule to pass all traffic generated by OpenBSD on both
> external firewalls.
>
> My interfaces config are:
>
> em0: flags=8843 mtu 1500
>         lladdr 00:50:56:29:f2:2c
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet 172.25.50.1 netmask 0xffe0 broadcast 172.25.50.31
>         inet6 fe80::250:56ff:fe29:f22c%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet6 fe80::250:56ff:fe0f:7bb0%em1 prefixlen 64 scopeid 0x2
> enc0: flags=0<> mtu 1536
>         priority: 0
> vlan15: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         description: Management Interface
>         priority: 0
>         vlan: 15 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan15 prefixlen 64 scopeid 0x5
>         inet 172.25.65.1 netmask 0xfff0 broadcast 172.25.65.15
> vlan25: flags=8843 mtu 1500
>         lladdr 00:50:56:0f:7b:b0
>         description: VPN Interface
>         priority: 0
>         vlan: 25 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan25 prefixlen 64 scopeid 0x6
>         inet 172.25.85.1 netmask 0xfff8 broadcast 172.25.85.7
> vlan35: flags=8843 mtu 1496
>         lladdr 00:50:56:0f:7b:b0
>         description: Primary Outgoing Interface
>         priority: 0
>         vlan: 35 priority: 0 parent interface: em1
>         groups: vlan egress
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan35 prefixlen 64 scopeid 0x7
>         inet 192.168.100.66 netmask 0xfffc broadcast 192.168.100.67
> vlan45: flags=8843 mtu 1496
>         lladdr 00:50:56:0f:7b:b0
>         description: Secondary Outgoing Interface
>         priority: 0
>         vlan: 45 priority: 0 parent interface: em1
>         groups: vlan
>         inet6 fe80::250:56ff:fe0f:7bb0%vlan45 prefixlen 64 scopeid 0x8
>         inet 10.10.10.201 netmask 0xfff8 broadcast 10.10.10.207
> pflog0: flags=141 mtu 33204
>         priority: 0
>         groups: pflog
>
> My ospfd.conf:
>
> router-id 192.168.100.66
> fib-update yes
> redistribute connected
> redistribute default
>
> area 0.0.0.0 {
>         auth-type none
>         interface vlan35
>         interface vlan45 { metric 20 }
> }
>
> Output of "ospctl show database" command is:
>
>         Router Link States (Area 0.0.0.0)
>
> Link ID         Adv Router      Age  Seq#    Checksum
> 192.168.100.66  192.168.100.66  641  0x8001  0x3bdc
>
>         Type-5 AS External Link States
>
> Link ID         Adv Router      Age  Seq#    Checksum
> 0.0.0.0         192.168.100.66  641  0x8001  0x11cf
> 172.25.50.0     192.168.100.66  641  0x8001  0x3ccb
> 172.25.65.0     192.168.100.66  641  0x8001  0xf6f1
> 172.25.85.0     192.168.100.66  641  0x8001  0x4a82
>
> Output of "ospctl show n" command is:
>
> r...@obsdintfw:~# ospfctl show n
> ID  Pri  State  DeadTime  Address  Iface  Uptime
>
> r...@obsdintfw:~#
>
> Output of "ospctl show r" command is:
>
> r...@obsdfwint:~# ospfctl show r
> Destination  Nexthop  Path Type  Type  Cost  Uptime
>
> r...@obsdfwint:~#
>
> Is this configuration correct? Why can't I establish my default routes
> with multipath using ospfd? Or I am wrong and only I can use
> multipath+route to with pf.conf??
>
> Many thanks.

Sorry I forgot to mention OpenBSD version: 4.5

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com