From securityrouter.org, an OpenBSD-based firewall
Revision as of 17:15, 10 February 2018 by Anders

Open Shortest Path First[1] (OSPF) is a link-state routing protocol for Internet Protocol (IP) networks. We use OpenBSD's OpenOSPFD[2], so the ospfd.conf manual page[3] is the authoritative reference for the configuration syntax. Currently, OSPF can only be configured by editing the plain-text configuration file.

The following sub-chapters describe, and give examples for, a few common scenarios. The OSPF configuration can be added to the configuration file either with the web administration's plain-text editor or with the CLI configure command.

Redundant firewalls

It is not unusual to have two redundant BGP routers and two redundant firewalls connected using OSPF. This example shows the configuration of one such firewall. The firewall makes the redundant service available to the LAN using CARP. The configuration below is used on both firewalls, except that the advskew value must be higher on the backup firewall (a higher advskew makes a CARP node less preferred as master). The firewall that is CARP master announces its "LAN" (carp0) network to the routers; a carp0 interface in backup state is not advertised. Conversely, the demote carp statement raises the carp(4) demotion counter of the carp interface group while the area has no neighbour in state FULL, so a firewall that loses all OSPF adjacencies demotes itself and the other node takes over as master.

interface em0 {
   description "LAN"
   interface carp0 {
      # CARP priority: keep this low on the master, higher on the backup
      advskew 1
   }
}
ospf {
   # must be unique per node, see "Common errors" below
   router-id X.X.X.X
   # an area ID is required; 0.0.0.0 is the backbone
   area 0.0.0.0 {
      auth-type crypt
      auth-md 1 "xxxxxx"
      auth-md-keyid 1
      # demote this node's CARP group when the area has no FULL neighbour
      demote carp
      # uplink towards the BGP routers
      interface emX
      # LAN, only announced if CARP master
      interface carp0
   }
}

Monitoring and administration

Most run-time information is viewed with the ospfctl[4] command, which accepts unambiguous abbreviations of its keywords. For example, to show the state of the OSPF neighbours (nei is short for neighbor), issue the following command. The State column shows the adjacency state (FULL means fully adjacent) followed by the neighbour's role on that segment: DR, BCKUP or OTHER.

admin> ospfctl show nei
ID             Pri State        DeadTime Address        Iface     Uptime
               1   FULL/OTHER   00:00:33                em2       06w4d01h
               1   FULL/DR      00:00:33                em2       06w4d01h
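As an added example (this is not code from securityrouter.org or OpenOSPFD), the following POSIX shell script parses that neighbour table so it can be used from cron or a monitoring agent: it counts FULL adjacencies, which is the condition demote carp keys on, and reports neighbours stuck in any other state. The ospfctl output it reads is a constructed sample using RFC 5737 addresses; on a firewall you would feed it the live output of ospfctl show neighbor. The function names full_count and stuck are this example's own.

```shell
#!/bin/sh
# Added example, not part of securityrouter.org or OpenOSPFD.
# Parses "ospfctl show neighbor" output (columns: ID Pri State DeadTime
# Address Iface Uptime). The table below is a constructed sample; the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE='ID             Pri State        DeadTime Address        Iface     Uptime
192.0.2.1      1   FULL/OTHER   00:00:33 198.51.100.1   em2       06w4d01h
192.0.2.2      1   FULL/DR      00:00:33 198.51.100.2   em2       06w4d01h
192.0.2.3      1   EXSTART/DR   00:00:31 198.51.100.3   em3       00:00:12'

# full_count <table>: number of neighbours in state FULL. When this reaches 0
# in an area configured with "demote carp", ospfd raises the carp(4)
# demotion counter and the node stops being CARP master.
full_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^FULL\// { n++ } END { print n + 0 }'
}

# stuck <table>: print "ID Iface State" for every neighbour that is neither
# FULL nor 2-WAY/OTHER (2-WAY between two DROTHER routers on a broadcast
# segment is normal and must not raise an alarm). Exit status 1 if any found.
# A neighbour that stays in EXSTART is the classic sign of an MTU mismatch
# between the two routers' interfaces.
stuck() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $3 !~ /^FULL\// && $3 != "2-WAY/OTHER" {
            print $1, $6, $3; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone demonstration on the constructed sample. On a firewall use:
#   table=$(ospfctl show neighbor)
#   stuck "$table" || logger -p daemon.warning "OSPF adjacency not FULL"
main() {
    echo "FULL adjacencies: $(full_count "$SAMPLE")"
    if stuck "$SAMPLE"; then
        echo "all adjacencies are healthy"
    else
        echo "WARNING: the neighbours listed above are not FULL"
    fi
}

main "$@"
```

Because stuck returns a non-zero exit status only when something is wrong, it drops straight into a cron job or a monitoring check without any further parsing.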

Common errors

Route flapping when running in a cluster with the same router ID

If you run two routers in a cluster, it is very important to set an explicit, unique router-id on each node. If router-id is not configured, OpenOSPFD derives one from a local address, and in a CARP cluster that can be the shared CARP address, so both nodes end up with the same router ID. Other routers then receive conflicting LSAs that all claim to originate from the same router, which causes route flapping. Check the router ID a node is actually using with ospfctl show summary.
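As an added example that serves both the redundant-firewall configuration above and this error (it is not code from securityrouter.org), the following POSIX shell script checks a pair of node configurations before they are activated: both must carry an explicit and distinct router-id, and the backup's advskew must be higher than the master's. The two configuration texts are constructed samples in the page's syntax with RFC 5737 addresses as router IDs; the functions cfg_value and check_cluster are this example's own.

```shell
#!/bin/sh
# Added example, not part of securityrouter.org. Pre-flight check for a
# two-node OSPF/CARP cluster. The two configs below are constructed samples
# in the firewall's syntax, using RFC 5737 addresses as router IDs.
MASTER_CFG='interface em0 {
   description "LAN"
   interface carp0 {
      advskew 1
   }
}
ospf {
   router-id 192.0.2.1
   area 0.0.0.0 {
      demote carp
      interface em1
      interface carp0
   }
}'

BACKUP_CFG='interface em0 {
   description "LAN"
   interface carp0 {
      advskew 100
   }
}
ospf {
   router-id 192.0.2.2
   area 0.0.0.0 {
      demote carp
      interface em1
      interface carp0
   }
}'

# cfg_value <config-text> <keyword>: value of the first "<keyword> <value>"
# line (indentation ignored); empty if the keyword is absent.
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_cluster <master-config> <backup-config>: return 0 when the pair is
# safe to activate; otherwise print the problem and return 1.
check_cluster() {
    m_id=$(cfg_value "$1" router-id); b_id=$(cfg_value "$2" router-id)
    m_skew=$(cfg_value "$1" advskew);  b_skew=$(cfg_value "$2" advskew)

    # An omitted router-id makes ospfd derive one from a local address, which
    # in a CARP cluster may be the shared address, so require it explicitly.
    if [ -z "$m_id" ] || [ -z "$b_id" ]; then
        echo "ERROR: router-id must be set explicitly on both nodes"; return 1
    fi
    if [ "$m_id" = "$b_id" ]; then
        echo "ERROR: both nodes use router-id $m_id; this causes route flapping"; return 1
    fi
    if [ -z "$m_skew" ] || [ -z "$b_skew" ] || [ "$m_skew" -ge "$b_skew" ]; then
        echo "ERROR: backup advskew ($b_skew) must be higher than master advskew ($m_skew)"; return 1
    fi
    echo "ok: router-ids $m_id/$b_id, advskew $m_skew/$b_skew"
}

# Stand-alone run on the constructed samples. With real files:
#   check_cluster "$(cat fw1.conf)" "$(cat fw2.conf)"
check_cluster "$MASTER_CFG" "$BACKUP_CFG"
```

The check is deliberately strict about an absent router-id rather than tolerating the default, because the default is exactly what produces the duplicate ID in a CARP cluster.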