I now have the basics working (key was to kill /etc/mygate) but am looking for some refinement advice and have a few specific questions. More details about what I am trying to do are below in a previously quoted post; basically I have a pair of firewalls connecting to the internet and a DMZ and another pair of router/firewalls connected to a couple of internal networks. All four of these machines are OpenBSD and have links to each other.

First question: Right now I include all links but the "pair partner link" (used for pfsync) in my ospf configs. This leads to each host showing two ospf neighbors rather than three. Is this ok? Should I add the pair links? The only reason they would be used is so paired routers would know about their pair through OSPF from a direct connection. I currently use link-local addresses (169.254.254.x) for the pfsync/pair links. Will this cause a problem?
Second question: The links to the internet and internal networks should be advertised over ospf and that is working fine. However, no OSPF-specific traffic such as hellos or link state advertisements should be sent over those interfaces. What is the proper way to do this? I read about "passive" but am not sure if this is the correct approach.

Question the third: It seems like there is more than one DR (designated router) from the output of ospfctl show neighbors. From my reading about OSPF I thought there was only one DR per area, but it seems like there is one DR per neighbor pair and a router can be a DR for one pair but BDR for another. What am I misunderstanding here? I think I just don't fully understand the output of ospfctl show neighbor.

Question D: Is there a way to get ospfd to reread its config without totally killing and restarting? kill -HUP'ing the parent process did not seem to do anything and HUP'ing the engine process killed all three processes.

My configs:

For the pair touching the internet and dmz:

    inlink0if="bge0"
    inlink1if="bge1"
    pairif="em3"          # pfsync / pair partner link

    router-id 0.0.0.30    # other fw is .40
    fib-update yes
    redistribute connected
    redistribute default

    area 0 {
        interface $inlink0if {
            auth-type none
        }
        interface $inlink1if {
            auth-type none
            metric 100    # to make this a backup
        }
        interface $pairif {
            auth-type none
        }
        interface carp0 {    # internet IPs
            auth-type none
        }
        interface carp1 {    # dmz
            auth-type none
        }
    }

Routers connected to our internal networks:

    uplink0if="bge0"
    uplink1if="bge1"
    pairif="em3"          # pfsync / pair partner link
    servif="carp0"
    desktopif="carp1"

    router-id 0.0.0.10    # other internal is .20
    fib-update yes
    redistribute connected

    area 0 {
        interface $uplink0if {
            auth-type none
        }
        interface $uplink1if {
            auth-type none
            metric 100    # to deprioritize
        }
        interface $pairif {
            auth-type none
        }
        interface $servif {
            auth-type none
        }
        interface $desktopif {
            auth-type none
        }
    }

I do plan on putting auth in place once I verify everything is working without it.
In addition I hope to collapse all these separate auth-type directives into the global or area portions of the conf file. Any other suggestions?

Thanks!
Chris

Chris Black wrote:
> I have four router/firewalls that are all interconnected (each one to
> every other with a direct crossover link). Two of these are
> external-facing and have interfaces connected to the internet and our
> DMZ. The other two are internal-facing and have connections to our
> internal networks. I am already using carp to handle failover to each of
> these networks. The remaining issue is handling failover routes between
> the internal routers and external routers. I posted to the list awhile
> ago with a few alternative approaches for this and am now experimenting
> with ospf. Unfortunately I am new to ospf and was unable to find any
> docs talking about this type of situation or even really explaining all
> the various options available in ospfd.conf.
> I have ospfd running on the machines and all the routers are talking to
> each other and seeing each other as evidenced by output of various ospfctl
> commands. My main problem is that ospf does not seem to be changing my
> default route for the internal routers.
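Editor's added example, not part of Chris's post or of OpenBSD's shipped sample configuration: an ospfd.conf for the internet/DMZ pair that addresses the second question and the auth collapse. Two ospfd.conf(5) facts drive it. First, the `passive` interface option prevents transmission and reception of OSPF packets on that interface while the interface's network is still announced as a stub network, which is exactly "advertise the net, send no hellos or LSAs there"; on an internet- or DMZ-facing segment that also means nobody on those segments can form an adjacency with the firewall or feed it LSAs. Second, interface-specific options such as `auth-type`, `auth-md` and `auth-md-keyid` may be set in the global or area context and are inherited by every interface that does not override them. Interface names and router IDs are taken from the post; the MD5 key and key ID are placeholders, and the pfsync link is deliberately left out of the area.

```conf
# ospfd.conf for the external firewall with router-id 0.0.0.30
# (added illustration; the partner firewall uses 0.0.0.40 and the same
#  file otherwise).

inlink0if="bge0"    # crossover link to internal router 0.0.0.10
inlink1if="bge1"    # crossover link to internal router 0.0.0.20 (backup)
# em3 is the pfsync / pair link on 169.254.254.x. It carries state sync,
# not routing, so it is intentionally not listed below; each firewall
# therefore sees two OSPF neighbours (the two internal routers), not three.

router-id 0.0.0.30
fib-update yes

redistribute connected
redistribute default

area 0.0.0.0 {
    # Authentication set once here is inherited by every interface in the
    # area, so the per-interface auth-type lines are no longer needed.
    auth-type crypt
    auth-md 1 "replace-me-key"    # placeholder; auth-md keys are <= 16 chars
    auth-md-keyid 1

    # Links to the internal routers: hellos, adjacencies and LSAs flow here.
    interface $inlink0if {
        metric 10
    }
    interface $inlink1if {
        metric 100    # prefer bge0, keep bge1 as the backup path
    }

    # Internet and DMZ: advertised as stub networks, but no OSPF packet is
    # sent or accepted on them, so untrusted hosts there cannot peer with
    # the firewall or inject routing information.
    interface carp0 {    # internet IPs
        passive
    }
    interface carp1 {    # dmz
        passive
    }
}
```

After loading this, `ospfctl show neighbor` should list only the two internal routers, and `ospfctl show interfaces` should show carp0 and carp1 but no neighbours on them. Two related points for the other questions: a DR and BDR are elected per multi-access network segment, not per area, so on a full mesh of crossover links each link is its own segment with its own DR/BDR and a router being DR on one link and BDR on another is the normal result; and `ospfctl reload` asks the running ospfd to re-read ospfd.conf without restarting it. Once the config is in place, it is also worth restricting OSPF (IP protocol 89, multicast 224.0.0.5 and 224.0.0.6) in pf.conf to the crossover interfaces only, so that a mistakenly removed `passive` line does not silently open the routing protocol to the internet or DMZ.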