Re: openbsd 5.1 and ospfd

2012-10-19 Thread Mathieu Gignac

On 10/18/2012 04:48 PM, Claudio Jeker wrote:

On Thu, Oct 18, 2012 at 03:50:45PM -0400, Mathieu Gignac wrote:

Hi,

I'm testing OSPF on OpenBSD 5.1 in a lab before sending firewalls into
production, and I'm actually having a problem with ospfd that I do not
understand.  I already work with ospfd on OpenBSD 4.7 and 4.9, and
I'm wondering if you could help me with my problem.

I have 2 firewalls connected to each other.

FW1 vr0 - FW2 vr0

Both routers are communicating with each other via OSPF and exchanging
information. The only problem is that the routing tables on each router
are not updated, or OSPF does not seem to exchange routes with each
other.


Here is the information for each firewall.

-
FW1 :
-


vr0 : 10.10.10.1/24
vr2 : 192.168.0.1/24


snip
  

ospfctl show nei

ID              Pri State        DeadTime Address         Iface     Uptime
192.168.1.1     1   FULL/DR      00:00:35 10.10.10.2      vr0       00:00:10

ospfctl show rib

Destination          Nexthop           Path Type    Type     Cost    Uptime
10.10.10.0/24        10.10.10.1        Intra-Area   Network  10      00:00:16

ospfctl show fib

flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*C        4 10.10.10.0/24        link#1
*O       32 10.10.10.0/24        10.10.10.1
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         4 127.0.0.1/32         127.0.0.1
 C        4 192.168.0.0/24       link#3
*S        8 224.0.0.0/4          127.0.0.1


I also tried redistribute 192.168.0.0/24 and redistribute
connected and it is not working.


In the show fib output you can see that 192.168.0.0/24 is not a valid
route. In other words the link is most probably not up on the interface
and therefore the information is not distributed.

Make sure that vr2 has link and is up and then the route should be valid
in ospfd and redistributed to the other side.


Thanks for your quick answer.  I forgot about link state in OSPF,
so that is why it was not working and not distributing routes.



openbsd 5.1 and ospfd

2012-10-18 Thread Mathieu Gignac

Hi,

I'm testing OSPF on OpenBSD 5.1 in a lab before sending firewalls into
production, and I'm actually having a problem with ospfd that I do not
understand.  I already work with ospfd on OpenBSD 4.7 and 4.9, and
I'm wondering if you could help me with my problem.

I have 2 firewalls connected to each other.

FW1 vr0 - FW2 vr0

Both routers are communicating with each other via OSPF and exchanging
information. The only problem is that the routing tables on each router
are not updated, or OSPF does not seem to exchange routes with each
other.


Here is the information for each firewall.

-
FW1 :
-


vr0 : 10.10.10.1/24
vr2 : 192.168.0.1/24


pf.conf
-------

# Macros

# Interfaces
ext_if = vr0
int_if = vr2
loopback_if = lo0

# Networks
int_net = $int_if:network

# Tables

# addresses that tripped the ssh rate limit below; persist keeps the
# table across rule reloads
table <bruteforce> persist

# Options

set skip on $loopback_if

# Queueing

# Rules

# Block bruteforcers
block quick from <bruteforce>

# Default policy
block log all

# Antispoofing
antispoof log quick for $ext_if

# FTP Proxy
anchor "ftp-proxy/*"

match out on $ext_if inet proto { icmp, udp, tcp } from !$ext_if to any \
    nat-to ($ext_if)

# OSPF (IP protocol 89) in both directions on both links
pass quick on $int_if proto ospf
pass quick on $ext_if proto ospf

# External interface
# ssh: at most 15 concurrent connections and 5 new connections per 3 s
# per source; offenders go into <bruteforce> and lose their existing states
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto { icmp, udp, tcp } from any to any

# Internal interface
pass in on $int_if inet proto { icmp, udp, tcp } from $int_net to any
pass out on $int_if inet proto { icmp, udp, tcp } from $int_if to $int_net



ospfd.conf
----------

# macros: the two MD5 keys (lab values) and the interfaces
md1="r72oc9Elk4t3IFU"
md2="r5GZm1jqkk185c0"

ext_if=vr0
int_if=vr2

router-id 192.168.0.1

# areas
area 0.0.0.0 {
    # cryptographic (MD5) authentication on every interface in the area;
    # auth-md-keyid selects the key id used when sending, while any
    # configured key id is accepted when receiving, which allows a rollover
    auth-type crypt
    auth-md 1 $md1
    auth-md 2 $md2
    auth-md-keyid 1

    # local links
    interface $ext_if
    interface $int_if
}



sysctl.conf
-----------

#   $OpenBSD: sysctl.conf,v 1.52 2011/06/24 19:47:48 naddy Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1        # 1=Enable IP multipath routing
#net.inet.icmp.rediraccept=1    # 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=1  # 1=Accept IPv6 ICMP redirects (for hosts)
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1      # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0         # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1       # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1        # 1=Enable carp(4) preemption
#net.inet.carp.log=3            # log level of carp(4) info, default 2
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0        # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4            # Number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=Disable tcp mtu discovery
#kern.usercrypto=1              # 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1          # 1=Permit userland to do asymmetric crypto
#kern.splassert=2               # 2=Enable with verbose error messages
#kern.nosuidcoredump=2          # 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32        # 0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0           # 0=Disable automatic watchdog(4) retriggering
#kern.pool_debug=0              # 0=Disable pool corruption checks (faster)
#hw.allowpowerdown=0            # 0=Disable power button shutdown
#machdep.allowaperture=2        # See xf86(4)
#machdep.apmhalt=1              # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1             # permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1           # laptop
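The diagnosis in Claudio's reply (a connected prefix that the FIB does not flag as valid is not redistributed because its interface has no link) and the ospfctl output in the original post can be turned into a repeatable check. The script below is an added example, not code from the thread or from OpenBSD; it embeds a constructed copy of FW1's "ospfctl show fib" output and a constructed ifconfig(8) listing for vr2 showing "status: no carrier" (the MAC address and the assumption that vr2 is the interface behind link#3 are mine, the thread never shows that output), and the function names fib_sample, invalid_connected, ifconfig_sample, link_active and report are made up here.

```shell
#!/bin/sh
# Added example (not from the thread): script the "ospfctl show fib" check.
# A connected (C) route without the "*" valid flag belongs to an interface
# without link, and ospfd will not originate or redistribute it.

# Constructed copy of FW1's "ospfctl show fib" output from the thread.
fib_sample() {
    cat <<'EOF'
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*C        4 10.10.10.0/24        link#1
*O       32 10.10.10.0/24        10.10.10.1
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         4 127.0.0.1/32         127.0.0.1
 C        4 192.168.0.0/24       link#3
*S        8 224.0.0.0/4          127.0.0.1
EOF
}

# Read "ospfctl show fib" on stdin; print each connected prefix whose flags
# column carries no "*". The first two lines are the legend and the header.
invalid_connected() {
    awk 'NR > 2 && index($1, "C") && !index($1, "*") { print $3 }'
}

# Constructed ifconfig(8) output for a vr(4) interface with no carrier,
# i.e. what FW1's vr2 presumably looked like (assumption: the "status:"
# line is the only part that matters; the lladdr is a documentation value).
ifconfig_sample() {
    cat <<'EOF'
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:02
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
EOF
}

# Read ifconfig(8) output on stdin; succeed only when the link is up.
link_active() {
    grep -q '^[[:space:]]*status: active$'
}

# For every invalid connected prefix, say whether a missing link explains it.
# link#N in the FIB is the kernel interface index; mapping it to a name is
# left to the operator (here the sample interface is used for every prefix).
report() {
    fib_sample | invalid_connected | while read -r prefix; do
        if ifconfig_sample | link_active; then
            echo "$prefix: in FIB but invalid, yet link is up - check ospfd.conf"
        else
            echo "$prefix: not valid in FIB because the interface has no carrier"
        fi
    done
}

# On a real firewall replace the samples with the live commands:
#   ospfctl show fib | invalid_connected
#   ifconfig vr2 | link_active
report
```

Run it with sh on the box; with the sample data it reports only 192.168.0.0/24, which matches the FIB line lacking the "*" flag in the post. Once vr2 has carrier the FIB entry becomes valid and, because the interface sits in area 0.0.0.0 in ospfd.conf, the prefix is announced without any redistribute statement.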