FreeBSD 7.2 ipfw + ospf + OpenVPN [Archive] - The FreeBSD Forums



tekkitan
May 22nd, 2009, 05:25
I have been searching here and google and not found a solution to my problem yet.

I have a FreeBSD 7.2 router at home, running OpenVPN to connect to work through a site-to-site style VPN tunnel and also passing OSPF over the tun0 interface.

I have ipfw working with NAT when connecting externally. I have rules put in place to troubleshoot at the top of my ipfw ruleset allowing ip, ospf and igmp (any to any via tun0).

Doing a tcpdump on my tun0 interface, I see OSPF broadcasts from my tun0 IP and the peer IP, nothing else. It seems like OSPF is just not working at all through the interface. I am not sure if it is ipfw, but I had the same exact setup working with a Linksys running OpenWRT with iptables. I switched to FreeBSD because I love it :-)

Where do we start with troubleshooting? I am seeing these in the debug logs for ospfd (quagga). It just repeats the same over and over:

2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]:ospf_lsa_refresh_walker(): start
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): next index 235
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): refresh index 234
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): end
2009/05/21 20:18:07 debugging: OSPF: make_hello: options: 2, int: em0:192.168.99.1
2009/05/21 20:18:07 debugging: OSPF: Hello sent to [224.0.0.5] via [em0:192.168.99.1].
2009/05/21 20:18:08 debugging: OSPF: ip_v 4
2009/05/21 20:18:08 debugging: OSPF: ip_hl 5
2009/05/21 20:18:08 debugging: OSPF: ip_tos 192
2009/05/21 20:18:08 debugging: OSPF: ip_len 64
2009/05/21 20:18:08 debugging: OSPF: ip_id 10699
2009/05/21 20:18:08 debugging: OSPF: ip_off 0
2009/05/21 20:18:08 debugging: OSPF: ip_ttl 1
2009/05/21 20:18:08 debugging: OSPF: ip_p 89
2009/05/21 20:18:08 debugging: OSPF: ip_sum 0x8894
2009/05/21 20:18:08 debugging: OSPF: ip_src 172.19.110.37
2009/05/21 20:18:08 debugging: OSPF: ip_dst 224.0.0.5
2009/05/21 20:18:08 debugging: OSPF: Hello received from [172.19.20.10] via [tun0:172.19.110.38]
2009/05/21 20:18:08 debugging: OSPF: src [172.19.110.37],
2009/05/21 20:18:08 debugging: OSPF: dst [224.0.0.5]
2009/05/21 20:18:08 warnings: OSPF: interface tun0:172.19.110.38: ospf_read network address is not same [172.19.110.37]
2009/05/21 20:18:08 debugging: OSPF: ospf_read[Hello/172.19.110.37]: Header check failed, dropping.
2009/05/21 20:18:09 debugging: OSPF: make_hello: options: 2, int: tun0:172.19.110.38
2009/05/21 20:18:09 debugging: OSPF: Hello sent to [224.0.0.5] via [tun0:172.19.110.38].
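
The debug output above is dense, so here is an added Python example (not code from the thread, quagga or OpenVPN) that triages an ospfd debug log: it counts hellos sent and received per interface, pairs each "Header check failed" drop with the warning that preceded it, and offers a small helper for testing whether a peer's source address falls inside an interface's connected prefix, which is what the "network address is not same" warning is about. The log lines are the ones posted above, trimmed; the prefix length given to `same_network` is an assumption, since the thread does not show tun0's netmask.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: the ospfd debug lines posted in the thread, trimmed to the
# ones the triage cares about (hello sent/received, the warning and the drop).
OSPFD_LOG = """\
2009/05/21 20:18:07 debugging: OSPF: make_hello: options: 2, int: em0:192.168.99.1
2009/05/21 20:18:07 debugging: OSPF: Hello sent to [224.0.0.5] via [em0:192.168.99.1].
2009/05/21 20:18:08 debugging: OSPF: ip_src 172.19.110.37
2009/05/21 20:18:08 debugging: OSPF: ip_dst 224.0.0.5
2009/05/21 20:18:08 debugging: OSPF: Hello received from [172.19.20.10] via [tun0:172.19.110.38]
2009/05/21 20:18:08 warnings: OSPF: interface tun0:172.19.110.38: ospf_read network address is not same [172.19.110.37]
2009/05/21 20:18:08 debugging: OSPF: ospf_read[Hello/172.19.110.37]: Header check failed, dropping.
2009/05/21 20:18:09 debugging: OSPF: make_hello: options: 2, int: tun0:172.19.110.38
2009/05/21 20:18:09 debugging: OSPF: Hello sent to [224.0.0.5] via [tun0:172.19.110.38].
"""

SENT_RE = re.compile(r"Hello sent to \[([\d.]+)\] via \[(\w+):([\d.]+)\]")
RECV_RE = re.compile(r"Hello received from \[([\d.]+)\] via \[(\w+):([\d.]+)\]")
WARN_RE = re.compile(r"warnings: OSPF: interface (\w+):([\d.]+): (.*)$")
DROP_RE = re.compile(r"ospf_read\[(\w+)/([\d.]+)\]: Header check failed, dropping")


def triage_ospfd_log(text: str) -> dict:
    """Summarise hellos per interface and attach the preceding warning to each drop."""
    sent = Counter()
    received = Counter()
    neighbors = defaultdict(set)   # iface -> router IDs that sent us a hello
    last_warning = {}              # iface -> most recent warning text on that interface
    drops = []
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            sent[m.group(2)] += 1
            continue
        if m := RECV_RE.search(line):
            router_id, iface = m.group(1), m.group(2)
            received[iface] += 1
            neighbors[iface].add(router_id)
            continue
        if m := WARN_RE.search(line):
            last_warning[m.group(1)] = m.group(3)
            continue
        if m := DROP_RE.search(line):
            pkt_type, src = m.groups()
            # The drop line names the packet source, not the interface; recover the
            # interface from the most recent warning that mentions that source.
            iface = next((i for i, w in last_warning.items() if src in w), None)
            drops.append({"type": pkt_type, "src": src, "iface": iface,
                          "reason": last_warning.get(iface)})
    return {
        "sent": dict(sent),
        "received": dict(received),
        "neighbors": {i: sorted(r) for i, r in neighbors.items()},
        "drops": drops,
    }


def same_network(src: str, ifaddr: str, prefixlen: int) -> bool:
    """True if `src` lies inside the connected prefix of `ifaddr`/`prefixlen`.
    prefixlen is an assumption: the thread never shows tun0's netmask."""
    net = ipaddress.ip_interface(f"{ifaddr}/{prefixlen}").network
    return ipaddress.ip_address(src) in net


if __name__ == "__main__":
    summary = triage_ospfd_log(OSPFD_LOG)
    print("hellos sent:    ", summary["sent"])
    print("hellos received:", summary["received"], "from", summary["neighbors"])
    for d in summary["drops"]:
        print(f"dropped {d['type']} from {d['src']} on {d['iface']}: {d['reason']}")
        for plen in (30, 32):
            print(f"  same network as tun0 under /{plen}:",
                  same_network(d["src"], "172.19.110.38", plen))
```

Run against the posted log this shows hellos leaving both em0 and tun0, one hello arriving on tun0 from router ID 172.19.20.10, and that hello being dropped at the header check because ospfd does not consider 172.19.110.37 to be on tun0's network. The `same_network` helper only illustrates that test for a prefix length you choose; the real check depends on the address and mask OpenVPN configured on tun0, which the thread does not show.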

tekkitan
May 27th, 2009, 13:52
Does anyone have experience with this? Thanks in advance!

DutchDaemon
May 27th, 2009, 14:09
OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. Do you allow proto 89 in your firewall?

grep -i ospf /etc/protocols
ospf 89 OSPFIGP # Open Shortest Path First IGP

tekkitan
May 28th, 2009, 02:04
OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. Do you allow proto 89 in your firewall?

grep -i ospf /etc/protocols
ospf 89 OSPFIGP # Open Shortest Path First IGP

Yes sir. :-)

Here is my current ipfw ruleset that is active. This isn't the final ruleset; it's messy and quite open because of troubleshooting this issue.


[root@jessica ~]# ipfw show
00010 274663 22563284 allow ip from any to any via tun0
00011 0 0 allow ospf from any to any via tun0
00012 0 0 allow igmp from any to any via tun0
00013 50592 3237888 allow ospf from any to any
00014 0 0 allow igmp from any to any
00050 98759644 65733978523 nat 1 log ip from any to any via rl0
00100 0 0 check-state
00120 278 21100 allow ip from any to any via lo0
00500 0 0 allow ip from 192.168.99.0/24 to 172.19.0.0/16 via tun0
00510 0 0 allow ip from 192.168.99.0/24 to 204.*.*.0/24 via tun0
00520 0 0 allow ip from 172.19.69.4 to 192.168.99.0/24 via tun0
00530 0 0 allow ip from 172.19.69.5 to 192.168.99.0/24 via tun0
00540 282 23120 allow ospf from any to any via tun0
00600 91496 6406272 allow ip from me to any keep-state
00700 0 0 allow tcp from any to me dst-port 22 in via rl0 keep-state
00710 0 0 allow icmp from any to me in via rl0
00720 0 0 allow udp from any to me dst-port 53 in via rl0
00730 0 0 deny ip from any to me in via rl0
00740 0 0 deny ip from any to 192.168.0.0/16 in via rl0
00750 0 0 deny ip from any to 10.0.0.0/8 in via rl0
00760 0 0 deny ip from any to 172.0.0.0/12 in via rl0
01000 95414964 65355656767 allow ip from 192.168.99.0/24 to any keep-state
01010 0 0 allow ip from 10.0.0.0/24 to me in via rl1 keep-state
01020 0 0 allow ip from 10.0.0.0/24 to 192.168.99.2 keep-state
01030 0 0 deny ip from 10.0.0.0/24 to 192.168.99.0/24 via rl1
01040 0 0 allow tcp from 10.0.0.0/24 to any dst-port 80 keep-state
01050 0 0 allow tcp from 10.0.0.0/24 to any dst-port 443 keep-state
01060 0 0 allow tcp from 10.0.0.0/24 to any dst-port 5190 keep-state
01080 0 0 deny ip from 10.0.0.0/24 to any
65535 122173 23685969 allow ip from any to any


Thanks for the reply!
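
To reason about a ruleset like the one posted above without reading it by hand, here is an added Python example (not from the thread, and not part of ipfw) that parses `ipfw show` output, reports rules that can never fire because an earlier terminating rule already covers everything they match, and checks whether the catch-all rule 65535 is a permit. The sample is a subset of the posted output; the grammar it parses is only the subset of ipfw syntax that appears there, and `parse_ipfw_show`, `find_shadowed` and `default_rule_is_permit` are names chosen for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the `ipfw show` output posted in the thread.
# The redacted 204.*.*.0/24 line is kept on purpose to show how an address the
# parser cannot interpret is handled.
IPFW_SHOW = """\
00010 274663 22563284 allow ip from any to any via tun0
00011 0 0 allow ospf from any to any via tun0
00012 0 0 allow igmp from any to any via tun0
00013 50592 3237888 allow ospf from any to any
00050 98759644 65733978523 nat 1 log ip from any to any via rl0
00100 0 0 check-state
00510 0 0 allow ip from 192.168.99.0/24 to 204.*.*.0/24 via tun0
00540 282 23120 allow ospf from any to any via tun0
00700 0 0 allow tcp from any to me dst-port 22 in via rl0 keep-state
00730 0 0 deny ip from any to me in via rl0
01000 95414964 65355656767 allow ip from 192.168.99.0/24 to any keep-state
65535 122173 23685969 allow ip from any to any
"""

# Only the fields present in the posted output are modelled.
RULE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(allow|deny|nat \d+|check-state)"
    r"(?:\s+log)?(?:\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+))?"
    r"(?:\s+dst-port\s+(\S+))?(?:\s+(in|out))?(?:\s+via\s+(\S+))?"
)


@dataclass
class Rule:
    num: int
    pkts: int
    action: str
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[str]
    direction: Optional[str]
    iface: Optional[str]


def parse_ipfw_show(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line}")
        num, pkts, _bytes, action, proto, src, dst, dport, direction, iface = m.groups()
        rules.append(Rule(int(num), int(pkts), action, proto, src, dst, dport, direction, iface))
    return rules


def addr_covers(a: str, b: str) -> bool:
    """True if address spec `a` matches every address that spec `b` matches."""
    if a == "any" or a == b:
        return True
    try:
        na = ipaddress.ip_network(a, strict=False)
        nb = ipaddress.ip_network(b, strict=False)
    except ValueError:
        return False  # 'me' or a redacted spec such as 204.*.*.0/24: only an exact match counts
    return na.version == nb.version and nb.subnet_of(na)


def covers(a: Rule, b: Rule) -> bool:
    """True if earlier rule `a` terminates processing for every packet `b` would match."""
    if a.action not in ("allow", "deny"):
        return False  # nat and check-state do not stop rule evaluation
    return (
        a.proto in ("ip", b.proto)
        and addr_covers(a.src, b.src)
        and addr_covers(a.dst, b.dst)
        and a.dport in (None, b.dport)
        and a.direction in (None, b.direction)
        and a.iface in (None, b.iface)
    )


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(shadowed rule number, earlier rule number that covers it) pairs."""
    out = []
    for i, b in enumerate(rules):
        if b.action not in ("allow", "deny"):
            continue
        for a in rules[:i]:
            if covers(a, b):
                out.append((b.num, a.num))
                break
    return out


def default_rule_is_permit(rules: List[Rule]) -> bool:
    """Rule 65535 is ipfw's catch-all; 'allow' there means default-permit."""
    last = rules[-1]
    return last.num == 65535 and last.action == "allow"


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    for shadowed, by in find_shadowed(rules):
        print(f"rule {shadowed} can never match: rule {by} already covers it")
    print("default rule is permit:", default_rule_is_permit(rules))
```

On the posted rules this reports that 11, 12, 510 and 540 are covered by rule 10 (`allow ip from any to any via tun0`), which also explains why the ospf rule on tun0 is not the thing dropping the hellos, and that the ruleset is default-permit. The counters are not used for this decision on purpose: rule 540 has a non-zero count while being covered by rule 10, which is consistent with it having matched before the broader rule was added, since ipfw keeps per-rule counters until they are zeroed. The model ignores `keep-state` and does not expand `me`, so treat its output as a reading aid, not a proof.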

zhengwei_zw
June 9th, 2009, 09:47
[only English allowed] - DD
