OSPF Route Filtering


#1

Hi,
I’ve been using VyOS for a while now, and it’s great!

I am currently looking for a way to filter OSPF routes that are coming in through an interface, or not accept routes broadcast from that interface. The interface, however, should still send OSPF broadcasts.

Two routers (soon there will be more) are connected together via OpenVPN. Each router has an OpenVPN Server, and connects to the other router via its OpenVPN Server and vice versa.

OpenVPN Server on Server 1 (cr01) is using 10.4.1.0/24 as its subnet, while Server 2 (cr02) is using 10.4.2.0/24 as its subnet. Both servers are on vtun3 and both clients are on vtun7 on each respective server.

Some config:

vyos@cr01# sh protocols ospf
 access-list 1 {
     export connected
     export static
 }
 area 1 {
     area-type {
         normal
     }
     authentication md5
     network 10.1.1.0/24
     network 10.2.1.0/24
     network 10.3.1.0/24
     network 10.5.1.0/24
     network 10.4.1.0/24
     network 10.4.2.0/24
 }
 auto-cost {
     reference-bandwidth 1000
 }
 log-adjacency-changes {
 }
 passive-interface vtun6
 passive-interface vtun2
 passive-interface lo
 redistribute {
     connected {
         metric-type 2
         route-map OSPF-FILTER
     }
 }

vyos@cr01# sh policy route-map OSPF-FILTER
 route-map OSPF-FILTER {
     description "Do not redistribute public IPs"
     rule 11 {
         action permit
         match {
             interface vtun2
         }
     }
     rule 12 {
         action permit
         match {
             interface vtun7
         }
     }
     rule 13 {
         action permit
         match {
             interface vtun4
         }
     }
     rule 14 {
         action permit
         match {
             interface vtun5
         }
     }
     rule 15 {
         action permit
         match {
             interface vtun6
         }
     }
     rule 998 {
         action deny
         match {
             interface vtun3
         }
     }
     rule 999 {
         action deny
     }
 }

vyos@cr01# ip route
default via 192.3.176.129 dev eth0 proto zebra
10.1.1.0/24 dev vtun6 proto kernel scope link src 10.1.1.1
10.1.2.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
10.2.1.0/24 dev vtun4 proto kernel scope link src 10.2.1.1
10.2.2.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
10.3.1.0/24 dev vtun2 proto kernel scope link src 10.3.1.1
10.3.2.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
10.4.1.0/24 dev vtun3 proto kernel scope link src 10.4.1.1
10.4.2.0/24 dev vtun7 proto kernel scope link src 10.4.2.3
10.5.1.0/24 dev vtun5 proto kernel scope link src 10.5.1.1
10.5.2.0/24 proto zebra metric 2000
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
172.16.11.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
192.3.176.128/25 dev eth0 proto kernel scope link src 192.3.176.189

As you can see, there are extra nexthop routes that should not be there (the ones via vtun3).
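The check the poster does by eye above (spot the learned routes that picked up a next hop via vtun3) can be scripted against the `ip route` output. The following is an added example, not code from the original post or from VyOS: it parses the Linux `ip route` text format, including multipath `nexthop` continuation lines, and reports every non-kernel route that has at least one next hop via a named interface. The sample input is a constructed subset of the route table quoted in the post.

```python
"""Flag routes learned with a next hop via an interface that should only
send, never accept, routing information (added example, not VyOS code)."""

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the `ip route` output shown in the post.
# Real `ip route` output indents nexthop lines with a tab; the parser
# strips leading whitespace so either form works.
SAMPLE_IP_ROUTE = """\
default via 192.3.176.129 dev eth0 proto zebra
10.1.1.0/24 dev vtun6 proto kernel scope link src 10.1.1.1
10.1.2.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
10.4.1.0/24 dev vtun3 proto kernel scope link src 10.4.1.1
10.4.2.0/24 dev vtun7 proto kernel scope link src 10.4.2.3
10.5.2.0/24 proto zebra metric 2000
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
172.16.11.0/24 proto zebra metric 1100
        nexthop via 10.4.1.3 dev vtun3 weight 1
        nexthop via 10.4.2.1 dev vtun7 weight 1
192.3.176.128/25 dev eth0 proto kernel scope link src 192.3.176.189
"""

_VIA_DEV = re.compile(r"via (\S+) dev (\S+)")
_PROTO = re.compile(r"proto (\S+)")


@dataclass
class Route:
    prefix: str
    proto: str
    nexthops: list = field(default_factory=list)  # list of (gateway, dev)


def parse_ip_route(text):
    """Parse `ip route` text into Route objects.

    A line starting with 'nexthop' is a continuation of the previous
    (multipath) route; any other line starts a new route whose first
    token is the destination prefix (or 'default')."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("nexthop "):
            m = _VIA_DEV.search(line)
            if routes and m:
                routes[-1].nexthops.append((m.group(1), m.group(2)))
            continue
        prefix = line.split()[0]
        pm = _PROTO.search(line)
        route = Route(prefix=prefix, proto=pm.group(1) if pm else "unknown")
        m = _VIA_DEV.search(line)  # single-path route with an explicit gateway
        if m:
            route.nexthops.append((m.group(1), m.group(2)))
        routes.append(route)
    return routes


def routes_learned_via(routes, dev, ignore_protos=("kernel",)):
    """Prefixes of routes (excluding connected/kernel ones) that have at
    least one next hop through `dev`. Connected routes are skipped because
    the interface's own subnet is expected to point at it."""
    return [
        r.prefix
        for r in routes
        if r.proto not in ignore_protos and any(d == dev for _, d in r.nexthops)
    ]


if __name__ == "__main__":
    table = parse_ip_route(SAMPLE_IP_ROUTE)
    for prefix in routes_learned_via(table, "vtun3"):
        print(f"unexpected next hop via vtun3: {prefix}")
```

Run against the full table from the post, the script lists every `proto zebra` multipath route that has a vtun3 leg, while leaving the connected 10.4.1.0/24 route alone. The same check, run after a configuration change, confirms whether the filter actually stopped the routes from being installed rather than only hiding them from the OSPF database.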


#2

Nvm, managed to fix it.