Hi,

I'm testing ospf on OpenBSD 5.1 in a lab before putting firewalls into
production, and I'm currently having a problem with ospfd that I do not
understand.  I already work with ospfd on OpenBSD 4.7 and 4.9 and
I'm wondering if you could help me with my problem.

I have 2 firewalls connected to each other.

FW1 vr0 --------- FW2 vr0

Both routers are communicating with each other via ospf and exchanging
information. The only problem is that the routing tables on each router
are not updated, or ospf does not seem to exchange routes between
them.


Here is the information of each firewall.

-----------------
FW1 :
-----------------


vr0 : 10.10.10.1/24
vr2 : 192.168.0.1/24


pf.conf
------------------------

#### Macros ####

# Interfaces #
ext_if = "vr0"
int_if = "vr2"
loopback_if = "lo0"

# Networks #
int_net = $int_if:network

#### Tables ####

table <bruteforce> persist

#### Options ####

set skip on $loopback_if

#### Queueing ####

#### Rules ####

# Block bruteforcers
block quick from <bruteforce>

# Default policy
block log all

# Antispoofing
antispoof log quick for $ext_if

# FTP Proxy
anchor "ftp-proxy/*"

match out on $ext_if inet proto { icmp, udp, tcp } from !$ext_if to any nat-to ($ext_if)

pass quick on $int_if proto ospf
pass quick on $ext_if proto ospf


# External interface
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto { icmp, udp, tcp } from any to any


# Internal interface
pass in on $int_if inet proto { icmp, udp, tcp } from $int_net to any
pass out on $int_if inet proto { icmp, udp, tcp } from $int_if to $int_net



ospfd.conf
----------------------

#macros
md1="r72oc9Elk4t3IFU"
md2="r5GZm1jqkk185c0"

ext_if="vr0"
int_if="vr2"

router-id 192.168.0.1

# areas
area 0.0.0.0 {
        auth-type crypt
        auth-md 1 $md1
        auth-md 2 $md2
        auth-md-keyid 1

        #local link
        interface $ext_if
        interface $int_if
}



sysctl.conf
------------------------

#       $OpenBSD: sysctl.conf,v 1.52 2011/06/24 19:47:48 naddy Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1        # 1=Enable IP multipath routing
#net.inet.icmp.rediraccept=1    # 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=1  # 1=Accept IPv6 ICMP redirects (for hosts)
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1      # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0         # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1       # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1        # 1=Enable carp(4) preemption
#net.inet.carp.log=3            # log level of carp(4) info, default 2
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0        # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4            # Number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=Disable tcp mtu discovery
#kern.usercrypto=1              # 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1          # 1=Permit userland to do asymmetric crypto
#kern.splassert=2               # 2=Enable with verbose error messages
#kern.nosuidcoredump=2          # 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32        # >0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0           # 0=Disable automatic watchdog(4) retriggering
#kern.pool_debug=0              # 0=Disable pool corruption checks (faster)
#hw.allowpowerdown=0            # 0=Disable power button shutdown
#machdep.allowaperture=2        # See xf86(4)
#machdep.apmhalt=1              # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1             # permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1           # laptop lid closes cause a suspend
#machdep.userldt=1              # allow userland programs to play with ldt,
                                # required by some ports
#kern.emul.aout=1               # enable running dynamic OpenBSD a.out bins
#kern.emul.linux=1              # enable running Linux binaries


dmesg
-----------------------
OpenBSD 5.1-stable (FLASHRD) #2: Fri Sep 14 15:08:34 EDT 2012
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 267976704 (255MB)
avail mem = 250191872 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:26:64:78
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:26:64:79
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:26:64:7a
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-004G>
wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
cannot support dma lance devices
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
clock: unknown CMOS layout



ospfctl show nei
------------------------
ID              Pri State        DeadTime Address         Iface Uptime
192.168.1.1     1   FULL/DR      00:00:35 10.10.10.2      vr0 00:00:10

ospfctl show rib
------------------------
Destination          Nexthop           Path Type    Type Cost    Uptime
10.10.10.0/24        10.10.10.1        Intra-Area   Network 10      00:00:16

ospfctl show fib
------------------------
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*C        4 10.10.10.0/24        link#1
*O       32 10.10.10.0/24        10.10.10.1
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         4 127.0.0.1/32         127.0.0.1
 C        4 192.168.0.0/24       link#3
*S        8 224.0.0.0/4          127.0.0.1


I also tried "redistribute 192.168.0.0/24" and "redistribute connected" and it is not working.

----------------------
FW2 :
----------------------


vr0 : 10.10.10.2/24
vr2 : 192.168.1.1


pf.conf
---------------------
#### Macros ####

# Interfaces #
ext_if = "vr0"
int_if = "vr2"
loopback_if = "lo0"

# Networks #
int_net = $int_if:network

#### Tables ####

table <bruteforce> persist

#### Options ####

set skip on $loopback_if

#### Queueing ####

#### Rules ####

# Block bruteforcers
block quick from <bruteforce>

# Default policy
block log all

# Antispoofing
antispoof log quick for $ext_if

# FTP Proxy
anchor "ftp-proxy/*"

match out on $ext_if inet proto { icmp, udp, tcp } from !$ext_if to any nat-to ($ext_if)

# Allow OSPF
pass quick on $int_if proto ospf
pass quick on $ext_if proto ospf

# External interface
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto { icmp, udp, tcp } from any to any

# Internal interface
pass in on $int_if inet proto { icmp, udp, tcp } from $int_net to any
pass out on $int_if inet proto icmp from $int_if to $int_net



ospfd.conf
--------------------------
#macros
md1="r72oc9Elk4t3IFU"
md2="r5GZm1jqkk185c0"

ext_if="vr0"
int_if="vr2"

router-id 192.168.1.1

# areas
area 0.0.0.0 {
        auth-type crypt
        auth-md 1 $md1
        auth-md 2 $md2
        auth-md-keyid 1

        #local link
        interface $ext_if
        interface $int_if
}


sysctl.conf
----------------------
#       $OpenBSD: sysctl.conf,v 1.52 2011/06/24 19:47:48 naddy Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1        # 1=Enable IP multipath routing
#net.inet.icmp.rediraccept=1    # 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=1  # 1=Accept IPv6 ICMP redirects (for hosts)
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1      # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0         # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1       # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1        # 1=Enable carp(4) preemption
#net.inet.carp.log=3            # log level of carp(4) info, default 2
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0        # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4            # Number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=Disable tcp mtu discovery
#kern.usercrypto=1              # 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1          # 1=Permit userland to do asymmetric crypto
#kern.splassert=2               # 2=Enable with verbose error messages
#kern.nosuidcoredump=2          # 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32        # >0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0           # 0=Disable automatic watchdog(4) retriggering
#kern.pool_debug=0              # 0=Disable pool corruption checks (faster)
#hw.allowpowerdown=0            # 0=Disable power button shutdown
#machdep.allowaperture=2        # See xf86(4)
#machdep.apmhalt=1              # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1             # permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1           # laptop lid closes cause a suspend
#machdep.userldt=1              # allow userland programs to play with ldt,
                                # required by some ports
#kern.emul.aout=1               # enable running dynamic OpenBSD a.out bins
#kern.emul.linux=1              # enable running Linux binaries



dmesg
--------------------------
OpenBSD 5.1-stable (FLASHRD) #2: Fri Sep 14 15:08:34 EDT 2012
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 267976704 (255MB)
avail mem = 250191872 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:26:64:94
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:26:64:95
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:26:64:96
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-004G>
wd0: 1-sector PIO, LBA48, 3815MB, 7813120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
cannot support dma lance devices
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
clock: unknown CMOS layout



ospfctl show nei
---------------------------
ID              Pri State        DeadTime Address         Iface Uptime
192.168.0.1     1   FULL/BCKUP   00:00:33 10.10.10.1      vr0 00:04:56

ospfctl show rib
---------------------------
Destination          Nexthop           Path Type    Type Cost    Uptime
10.10.10.0/24        10.10.10.2        Intra-Area   Network 10      00:05:40


ospfctl show fib
---------------------------
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*C        4 10.10.10.0/24        link#1
*O       32 10.10.10.0/24        10.10.10.2
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         4 127.0.0.1/32         127.0.0.1
 C        4 192.168.1.0/24       link#3
*S        8 224.0.0.0/4          127.0.0.1


-- Mathieu
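An added diagnostic, not part of Mathieu's post: a small sh script that parses `ospfctl show fib` output and reports every Connected route whose flags column lacks the valid marker `*`. The embedded sample is the FW1 FIB quoted in the post; in both the FW1 and FW2 output above, the internal 192.168.x.0/24 network is the only route printed without `*`. The kernel clears that flag when the interface is down or has no carrier, and ospfd neither advertises a network on an interface that is down nor redistributes a kernel route that is not valid, which is why neither the plain `interface` statement nor `redistribute connected` puts the internal network into the neighbour's RIB. The function names `invalid_connected` and `connected_report` are mine.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): read "ospfctl show fib"
# output and report Connected routes that lack the valid (*) flag.

# Constructed sample: FW1's "ospfctl show fib" output as quoted in the post.
SAMPLE_FIB='flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*C        4 10.10.10.0/24        link#1
*O       32 10.10.10.0/24        10.10.10.1
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         4 127.0.0.1/32         127.0.0.1
 C        4 192.168.0.0/24       link#3
*S        8 224.0.0.0/4          127.0.0.1'

# invalid_connected: print the destination of every Connected route whose
# flags column has no "*". ospfd advertises only interfaces that are up and
# redistributes only valid kernel routes, so these prefixes are exactly the
# ones a neighbour will never learn.
invalid_connected() {
    awk '
        # skip the flag legend and the column header
        NR <= 2 { next }
        # the flags field is padded with a space when "*" is absent, so
        # inspect the raw line rather than the whitespace-split fields
        substr($0, 1, 1) != "*" && substr($0, 2, 1) == "C" { print $3 }
    '
}

# connected_report: one line per Connected route, tagged valid/INVALID,
# so the output of two routers can be compared side by side.
connected_report() {
    awk '
        NR <= 2 { next }
        substr($0, 2, 1) == "C" {
            state = (substr($0, 1, 1) == "*") ? "valid" : "INVALID"
            printf "%-20s %-8s %s\n", $3, $4, state
        }
    '
}

# Demo on the constructed sample. On a live router run:
#   ospfctl show fib | connected_report
printf '%s\n' "$SAMPLE_FIB" | connected_report
```

For a prefix the report tags INVALID, `ifconfig <iface>` on the same router shows the link state on its `status:` line; a network that ospfd is expected to carry has to be valid in the kernel FIB before either `interface` or `redistribute connected` can have any effect.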
