# FreeBSD 7.2 ipfw + ospf + OpenVPN



## tekkitan (May 22, 2009)

I have been searching here and google and not found a solution to my problem yet.

I have a FreeBSD 7.2 router at home, running OpenVPN to connect to work through a site-to-site style VPN tunnel and also passing OSPF over the tun0 interface.

I have ipfw working with NAT when connecting externally. I have rules in place to troubleshoot at the top of my ipfw ruleset allowing ip, ospf and igmp (any to any via tun0).

Doing a tcpdump on my tun0 interface, I see OSPF broadcasts from my tun0 IP and the peer IP, nothing else. It seems like OSPF is just not working at all through the interface. I am not sure if it is ipfw, but I had the same exact setup working with a Linksys running OpenWRT with iptables. I switched to FreeBSD because I love it.

Where do we start with troubleshooting? I am seeing these in the debug logs for ospfd (quagga). It just repeats the same over and over:


```
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]:ospf_lsa_refresh_walker(): start
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): next index 235
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): refresh index 234
2009/05/21 20:18:07 debugging: OSPF: LSA[Refresh]: ospf_lsa_refresh_walker(): end
2009/05/21 20:18:07 debugging: OSPF: make_hello: options: 2, int: em0:192.168.99.1
2009/05/21 20:18:07 debugging: OSPF: Hello sent to [224.0.0.5] via [em0:192.168.99.1].
2009/05/21 20:18:08 debugging: OSPF: ip_v 4
2009/05/21 20:18:08 debugging: OSPF: ip_hl 5
2009/05/21 20:18:08 debugging: OSPF: ip_tos 192
2009/05/21 20:18:08 debugging: OSPF: ip_len 64
2009/05/21 20:18:08 debugging: OSPF: ip_id 10699
2009/05/21 20:18:08 debugging: OSPF: ip_off 0
2009/05/21 20:18:08 debugging: OSPF: ip_ttl 1
2009/05/21 20:18:08 debugging: OSPF: ip_p 89
2009/05/21 20:18:08 debugging: OSPF: ip_sum 0x8894
2009/05/21 20:18:08 debugging: OSPF: ip_src 172.19.110.37
2009/05/21 20:18:08 debugging: OSPF: ip_dst 224.0.0.5
2009/05/21 20:18:08 debugging: OSPF: Hello received from [172.19.20.10] via [tun0:172.19.110.38]
2009/05/21 20:18:08 debugging: OSPF:  src [172.19.110.37],
2009/05/21 20:18:08 debugging: OSPF:  dst [224.0.0.5]
2009/05/21 20:18:08 warnings: OSPF: interface tun0:172.19.110.38: ospf_read network address is not same [172.19.110.37]
2009/05/21 20:18:08 debugging: OSPF: ospf_read[Hello/172.19.110.37]: Header check failed, dropping.
2009/05/21 20:18:09 debugging: OSPF: make_hello: options: 2, int: tun0:172.19.110.38
2009/05/21 20:18:09 debugging: OSPF: Hello sent to [224.0.0.5] via [tun0:172.19.110.38].
```
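
An added example, not from the thread: the log shows the peer's Hello reaching ospfd on tun0 (so proto 89 is getting through ipfw) and then being dropped with "network address is not same", a receiver-side comparison of the sender's address against the prefix tun0 is configured with. The script parses the quoted lines and models that comparison for several prefix lengths; assumptions: the check is a plain prefix-membership test, and the prefix lengths tried are illustrative, since the thread does not say how tun0 is configured.

```python
import ipaddress
import re

# Constructed excerpt of the ospfd debug log quoted in the post above.
LOG = """\
2009/05/21 20:18:08 debugging: OSPF: Hello received from [172.19.20.10] via [tun0:172.19.110.38]
2009/05/21 20:18:08 debugging: OSPF:  src [172.19.110.37],
2009/05/21 20:18:08 debugging: OSPF:  dst [224.0.0.5]
2009/05/21 20:18:08 warnings: OSPF: interface tun0:172.19.110.38: ospf_read network address is not same [172.19.110.37]
"""

HELLO_RE = re.compile(r"Hello received from \[([\d.]+)\] via \[(\w+):([\d.]+)\]")
SRC_RE = re.compile(r"src \[([\d.]+)\]")
WARN_RE = re.compile(r"network address is not same \[([\d.]+)\]")


def parse_hello(log):
    """Return (router_id, ifname, if_addr, ip_src, warned_addr) for the first
    received Hello; warned_addr is None if no "not same" warning follows it."""
    hello = HELLO_RE.search(log)
    src = SRC_RE.search(log, hello.end())
    warn = WARN_RE.search(log, hello.end())
    return (hello.group(1), hello.group(2), hello.group(3), src.group(1),
            warn.group(1) if warn else None)


def same_network(if_addr, prefixlen, ip_src):
    """Model of the receiver-side check (assumption: plain prefix membership):
    does the Hello's IP source lie inside the network the interface is on?"""
    net = ipaddress.ip_network(f"{if_addr}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_src) in net


def diagnose(log, prefixlen):
    """Parse the log and say whether the sender would pass the check if the
    receiving interface carried the given prefix length (a parameter here,
    because the thread does not state tun0's configured prefix)."""
    router_id, ifname, if_addr, ip_src, warned = parse_hello(log)
    return {"router_id": router_id, "iface": ifname, "if_addr": if_addr,
            "src": ip_src, "warned_about": warned, "prefixlen": prefixlen,
            "passes": same_network(if_addr, prefixlen, ip_src)}


if __name__ == "__main__":
    # A /32 point-to-point address never contains the peer; a /30 or /24 does.
    for plen in (32, 30, 24):
        print(diagnose(LOG, plen))
```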


----------



## tekkitan (May 27, 2009)

Does anyone have experience with this? Thanks in advance!


----------



## DutchDaemon (May 27, 2009)

OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. Do you allow proto 89 in your firewall?


```
grep -i ospf /etc/protocols 
ospf	89	OSPFIGP		# Open Shortest Path First IGP
```


----------



## tekkitan (May 28, 2009)

DutchDaemon said:

> OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP datagrams with protocol number 89. Do you allow proto 89 in your firewall?
>
> ```
> ...
> ```



Yes sir. 

Here is my current ipfw ruleset that is active. This isn't the final ruleset; it's messy and quite open because of troubleshooting this issue.


```
[root@jessica ~]# ipfw show
00010   274663    22563284 allow ip from any to any via tun0
00011        0           0 allow ospf from any to any via tun0
00012        0           0 allow igmp from any to any via tun0
00013    50592     3237888 allow ospf from any to any
00014        0           0 allow igmp from any to any
00050 98759644 65733978523 nat 1 log ip from any to any via rl0
00100        0           0 check-state
00120      278       21100 allow ip from any to any via lo0
00500        0           0 allow ip from 192.168.99.0/24 to 172.19.0.0/16 via tun0
00510        0           0 allow ip from 192.168.99.0/24 to 204.*.*.0/24 via tun0
00520        0           0 allow ip from 172.19.69.4 to 192.168.99.0/24 via tun0
00530        0           0 allow ip from 172.19.69.5 to 192.168.99.0/24 via tun0
00540      282       23120 allow ospf from any to any via tun0
00600    91496     6406272 allow ip from me to any keep-state
00700        0           0 allow tcp from any to me dst-port 22 in via rl0 keep-state
00710        0           0 allow icmp from any to me in via rl0
00720        0           0 allow udp from any to me dst-port 53 in via rl0
00730        0           0 deny ip from any to me in via rl0
00740        0           0 deny ip from any to 192.168.0.0/16 in via rl0
00750        0           0 deny ip from any to 10.0.0.0/8 in via rl0
00760        0           0 deny ip from any to 172.0.0.0/12 in via rl0
01000 95414964 65355656767 allow ip from 192.168.99.0/24 to any keep-state
01010        0           0 allow ip from 10.0.0.0/24 to me in via rl1 keep-state
01020        0           0 allow ip from 10.0.0.0/24 to 192.168.99.2 keep-state
01030        0           0 deny ip from 10.0.0.0/24 to 192.168.99.0/24 via rl1
01040        0           0 allow tcp from 10.0.0.0/24 to any dst-port 80 keep-state
01050        0           0 allow tcp from 10.0.0.0/24 to any dst-port 443 keep-state
01060        0           0 allow tcp from 10.0.0.0/24 to any dst-port 5190 keep-state
01080        0           0 deny ip from 10.0.0.0/24 to any
65535   122173    23685969 allow ip from any to any
```

Thanks for the reply!
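
An added example, not from the thread: a toy first-match evaluator over the posted ruleset, to read the counters the way ipfw does. The tun0 Hello from the log lands on rule 10 (`allow ip ... via tun0`, where `ip` matches every IP protocol including 89), which is why rules 11 and 12 never count a packet, why proto 89 is demonstrably allowed, and why rule 10 also shadows the tun0-specific rules 500 to 540. Assumptions: `me` is modeled as the two router addresses that appear in the log, and the nat, check-state and keep-state rules are left out of the subset.

```python
import ipaddress
import re

# Constructed from the "ipfw show" output posted above: counters dropped and the
# rules this toy matcher does not model (nat, check-state, keep-state) omitted.
RULESET = """\
00010 allow ip from any to any via tun0
00011 allow ospf from any to any via tun0
00012 allow igmp from any to any via tun0
00013 allow ospf from any to any
00014 allow igmp from any to any
00500 allow ip from 192.168.99.0/24 to 172.19.0.0/16 via tun0
00540 allow ospf from any to any via tun0
00730 deny ip from any to me in via rl0
65535 allow ip from any to any
"""
LOCAL = {"172.19.110.38", "192.168.99.1"}   # "me": router addresses seen in the log
PROTO = {"ip": None, "ospf": 89, "igmp": 2, "icmp": 1, "tcp": 6, "udp": 17}
RULE_RE = re.compile(r"^(\d+) (allow|deny) (\w+) from (\S+) to (\S+)"
                     r"(?: (in|out))?(?: via (\w+))?$")


def parse_rules(text):
    return [RULE_RE.match(line).groups() for line in text.splitlines() if line.strip()]


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, proto, src, dst, direction, iface):
    """First-match evaluation as ipfw does it: (number, action) of the first rule
    whose protocol, addresses, direction and interface all fit the packet."""
    for num, action, p, s, d, dirn, via in rules:
        if PROTO[p] is not None and PROTO[p] != proto:
            continue
        if not (addr_match(s, src) and addr_match(d, dst)):
            continue
        if (dirn and dirn != direction) or (via and via != iface):
            continue
        return int(num), action
    return None


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    hello = (89, "172.19.110.37", "224.0.0.5", "in", "tun0")   # the tun0 Hello from the log
    print("tun0 Hello hits:", first_match(rules, *hello))
    print("without rule 10:", first_match([r for r in rules if r[0] != "00010"], *hello))
```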


----------



## zhengwei_zw (Jun 9, 2009)

[only English allowed] - DD


----------

