Hi,
I'm testing ospf on OpenBSD 5.1 in a lab before sending firewalls into
production and I'm actually having a problem with ospfd that I do not
understand. I already work with ospfd on OpenBSD 4.7 and 4.9 and
I'm wondering if you could help me with my problem.
I have 2 firewalls connected to each other.
FW1 vr0 - FW2 vr0
Both routers are communicating with each other via ospf and exchanging
information. The only problem is that the routing tables on each router
are not updated, or ospf does not seem to exchange routes between them.
Here is the information of each firewall.
FW1:
vr0 : 10.10.10.1/24
vr2 : 192.168.0.1/24
pf.conf

# Macros
# Interfaces #
ext_if = vr0
int_if = vr2
loopback_if = lo0
# Networks #
int_net = $int_if:network

# Tables
table <bruteforce> persist

# Options
set skip on $loopback_if

# Queueing

# Rules
# Block bruteforcers
block quick from <bruteforce>
# Default policy
block log all
# Antispoofing
antispoof log quick for $ext_if
# FTP Proxy
anchor "ftp-proxy/*"
match out on $ext_if inet proto { icmp, udp, tcp } from !$ext_if to any nat-to ($ext_if)
pass quick on $int_if proto ospf
pass quick on $ext_if proto ospf
# External interface
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto { icmp, udp, tcp } from any to any
# Internal interface
pass in on $int_if inet proto { icmp, udp, tcp } from $int_net to any
pass out on $int_if inet proto { icmp, udp, tcp } from $int_if to $int_net
ospfd.conf

#macros
md1=r72oc9Elk4t3IFU
md2=r5GZm1jqkk185c0
ext_if=vr0
int_if=vr2

router-id 192.168.0.1

# areas
area 0.0.0.0 {
	auth-type crypt
	auth-md 1 $md1
	auth-md 2 $md2
	auth-md-keyid 1
	#local link
	interface $ext_if
	interface $int_if
}
sysctl.conf
# $OpenBSD: sysctl.conf,v 1.52 2011/06/24 19:47:48 naddy Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1        # 1=Enable IP multipath routing
#net.inet.icmp.rediraccept=1    # 1=Accept ICMP redirects
#net.inet6.icmp6.rediraccept=1  # 1=Accept IPv6 ICMP redirects (for hosts)
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1    # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1      # 1=Enable IPv6 multipath routing
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0         # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0         # 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0          # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0           # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0        # 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1       # 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1       # 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1             # 1=Enable the TCP ECN extension
#net.inet.carp.preempt=1        # 1=Enable carp(4) preemption
#net.inet.carp.log=3            # log level of carp(4) info, default 2
#ddb.panic=0                    # 0=Do not drop into ddb on a kernel panic
#ddb.console=1                  # 1=Permit entry of ddb from the console
#fs.posix.setuid=0              # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0        # 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4            # Number of nfsio kernel threads
#net.inet.ip.mtudisc=0          # 0=Disable tcp mtu discovery
#kern.usercrypto=1              # 1=Enable userland use of /dev/crypto
#kern.userasymcrypto=1          # 1=Permit userland to do asymmetric crypto
#kern.splassert=2               # 2=Enable with verbose error messages
#kern.nosuidcoredump=2          # 2=Put suid coredumps in /var/crash
#kern.watchdog.period=32        # 0=Enable hardware watchdog(4) timer if available
#kern.watchdog.auto=0           # 0=Disable automatic watchdog(4) retriggering
#kern.pool_debug=0              # 0=Disable pool corruption checks (faster)
#hw.allowpowerdown=0            # 0=Disable power button shutdown
#machdep.allowaperture=2        # See xf86(4)
#machdep.apmhalt=1              # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1             # permit console CTRL-ALT-DEL to do a nice halt
#machdep.lidsuspend=1           # laptop
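As an added example (not code from the post above or from OpenBSD), here is a small Python lint for the MD5-authenticated ospfd.conf shown in the message: it expands the `$macro` references the way the posted file uses them, then checks that every `auth-md` key stays within the 16-character limit I read in ospfd.conf(5) and that the key-id named by `auth-md-keyid` is actually defined, since a mismatch here is a common reason two ospfd peers that see each other never agree on anything. The first input is the poster's own ospfd.conf; the second, deliberately broken fragment and the 16-character constant are my assumptions, not something from the post.

```python
"""Lint an ospfd.conf(5) fragment: expand macros, then sanity-check the
auth-type crypt / auth-md / auth-md-keyid block.

Added example, not code from the poster or from OpenBSD. Assumption:
MD5 keys are limited to 16 characters (as documented in ospfd.conf(5)).
"""
import re

# The poster's ospfd.conf, copied from the message above.
OSPFD_CONF = """\
#macros
md1=r72oc9Elk4t3IFU
md2=r5GZm1jqkk185c0
ext_if=vr0
int_if=vr2
router-id 192.168.0.1
# areas
area 0.0.0.0 {
    auth-type crypt
    auth-md 1 $md1
    auth-md 2 $md2
    auth-md-keyid 1
    #local link
    interface $ext_if
    interface $int_if
}
"""

# Constructed, deliberately broken fragment: a 17-character key and an
# active key-id that no auth-md line defines.
BAD_CONF = """\
auth-type crypt
auth-md 1 abcdefghijklmnopq
auth-md-keyid 3
"""

MAX_MD_KEY_LEN = 16   # assumption from ospfd.conf(5): key is up to 16 characters
MACRO_DEF_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
MACRO_USE_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def expand(text):
    """Return the non-empty statements of an ospfd.conf with macros expanded.

    Macro definitions (name=value) are consumed and do not appear in the
    result; a reference to an undefined macro raises ValueError, which is
    what ospfd itself would refuse at parse time.
    """
    macros = {}
    statements = []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue

        def substitute(match):
            name = match.group(1)
            if name not in macros:
                raise ValueError(f"undefined macro ${name}")
            return macros[name]

        statements.append(MACRO_USE_RE.sub(substitute, line))
    return statements


def check_auth(statements):
    """Return a list of human-readable problems with the auth configuration."""
    problems = []
    auth_type = None
    keys = {}          # key-id -> key string
    active_keyid = None
    for stmt in statements:
        parts = stmt.split()
        if parts[0] == "auth-type" and len(parts) > 1:
            auth_type = parts[1]
        elif parts[0] == "auth-md" and len(parts) > 2:
            keyid, key = int(parts[1]), parts[2]
            if keyid in keys:
                problems.append(f"auth-md {keyid} defined twice")
            if len(key) > MAX_MD_KEY_LEN:
                problems.append(f"auth-md {keyid} key is {len(key)} chars, max {MAX_MD_KEY_LEN}")
            keys[keyid] = key
        elif parts[0] == "auth-md-keyid" and len(parts) > 1:
            active_keyid = int(parts[1])

    if auth_type == "crypt":
        if not keys:
            problems.append("auth-type crypt but no auth-md keys defined")
        if active_keyid is None:
            problems.append("auth-type crypt but no auth-md-keyid selected")
        elif active_keyid not in keys:
            problems.append(f"auth-md-keyid {active_keyid} has no matching auth-md line")
    elif keys or active_keyid is not None:
        problems.append("auth-md settings present but auth-type is not crypt")
    return problems


def lint(text):
    """Expand macros and return the auth problems for one ospfd.conf text."""
    return check_auth(expand(text))


if __name__ == "__main__":
    print("poster's config:", lint(OSPFD_CONF) or "no auth problems found")
    print("broken sample:  ", lint(BAD_CONF))
```

Run it as a script to see both results; the poster's configuration passes this check (both keys are 15 characters and key-id 1 is defined), so whatever is wrong on the lab pair is not in the authentication block this lint covers.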