High Availability pfSense in vSphere Part 2

In part 1, we set up the high-availability pfSense pair. Now we need to configure OSPF so that all VLANs created within pfSense get advertised to our router. That way we will not need to create a static route on the router for every VLAN created within pfSense.

First thing is to create another VLAN in pfSense. I already have VLAN 100 for pfsync, so I created a new VLAN 110 for a 10.10.10.0/24 network.

pfSense has several packages available for OSPF, and I decided to use FRR.

In the pfSense web interface, go to System \ Package Manager.

Then to Available Packages.

Find and install frr.

After installation, we need to configure the OSPF settings.
First we will go to Services \ FRR Global/Zebra

We need to Enable FRR, set a Master Password (it is required), select a CARP Status IP, and provide a Router ID.
The CARP Status IP is how the FRR package decides which node of the pair is the CARP master: FRR only runs on the master and is stopped on the backup, so only one node of the pair speaks OSPF at any time.
Router ID does not actually need to be an IP address; it is just a 32-bit number written in dotted-quad form, but it must be unique among the OSPF routers.
To keep things descriptive, I just use the primary device IP (or in this case, the WAN CARP IP.)

Now go to OSPF interfaces, as we need to create the pfSense interface that will be used for OSPF route distribution.

Click Add.

We are advertising via the WAN interface, so select WAN as the interface and give it a description.
As this is just my homelab, I’m not concerned with authentication.
Outside a lab, turn authentication on here and on the EdgeRouter side: without it, anything on the 192.168.1.0/24 segment that speaks OSPF can form an adjacency with pfSense and inject or hijack routes. The FRR package offers MD5 authentication on the OSPF interface (the `ip ospf authentication message-digest` and `ip ospf message-digest-key` settings in FRR terms), and the same key ID and key must be configured on eth1 of the EdgeRouter.

Next we will need to go to the OSPF configuration area. Click the [OSPF] link.
Enable OSPF router, provide router ID and set the default area.
Default area, again, is not an IP address just written like one.
I left default area type at normal, as none of the other types really fit.

The only other setting I changed here was to enable Redistribute Connected Networks under Route Redistribution. This injects the subnets directly attached to pfSense (the VLANs we are creating) into OSPF as external routes, which is what lets the EdgeRouter learn them without static routes.

Now that pfSense has OSPF enabled and configured, we need to configure OSPF on our EdgeRouter.
In this instance, we need to configure OSPF on the eth1 (LAN) interface, as that is the interface our pfSense WAN is connected to.

Enable OSPF on eth1, set the priority, set the network type to broadcast, configure the router-id, and put the 192.168.1.0/24 network in area 0. Note that an OSPF priority of 0 makes the interface ineligible to become DR or BDR, so with the setting below pfSense (priority 1) will be elected DR on this segment; if you want the EdgeRouter to be the DR instead, give it a priority higher than 1 rather than 0 (the default is 1 and the highest value wins).

ubnt@edgerouter# set interfaces ethernet eth1 ip ospf priority 0
[edit]
ubnt@edgerouter# set interfaces ethernet eth1 ip ospf network broadcast
[edit]
ubnt@edgerouter# set protocols ospf parameters router-id 192.168.1.1
[edit]
ubnt@edgerouter# set protocols ospf area 0 network 192.168.1.0/24
[edit]
ubnt@edgerouter# commit;save
Saving configuration to '/config/config.boot'...
Done
[edit]

OSPF hellos should now be going out on eth1. With both devices configured, let’s see if our EdgeRouter can see pfSense as an OSPF neighbor.

ubnt@edgerouter:~$ show ip ospf neighbor

Total number of full neighbors: 0
OSPF process 0 VRF(default):
Neighbor ID     Pri   State            Dead Time   Address         Interface           Instance ID
192.168.1.254     1   Init/DROther     00:00:33    192.168.1.241   eth1                    0

Wonderful! The EdgeRouter sees the device with router ID 192.168.1.254 (our pfSense) as an OSPF neighbor, with hellos arriving from its real WAN address 192.168.1.241 rather than the CARP VIP.
Look at the state, though: Init/DROther together with "Total number of full neighbors: 0" means the EdgeRouter has received pfSense's hello but has not yet seen its own router ID listed in one. No routes are exchanged until the state reaches Full (Full/DR here, since pfSense will be the DR), so re-run the command a few seconds later and check that the full-neighbor count goes to 1 before looking for routes.
Now to make sure pfSense can see the EdgeRouter with router ID 192.168.1.1 as an OSPF neighbor.

Back in the pfSense web interface, go to the Status menu in FRR.

Select OSPF to view just the OSPF status.

Scroll down to OSPF neighbors.

We can see that pfSense is detecting router ID 192.168.1.1 as an OSPF neighbor.

Now let’s look at the OSPF database. On the OSPF status page, scroll down to OSPF Database.
We can see that the 10.10.10.0 and 10.10.255.0 networks are being advertised by 192.168.1.254 as AS-external LSAs, which is what the connected-route redistribution produces.

On our EdgeRouter, we can validate that the routes for those subnets are being received via OSPF. O E2 marks them as external type 2 routes, which is what redistributed connected networks become; [110/20] is the OSPF administrative distance (110) and the default metric FRR assigns to redistributed routes (20). Note that the next hop is 192.168.1.241, the primary node's own WAN address, not the 192.168.1.254 CARP VIP: if the primary fails, FRR starts on the secondary, builds a fresh adjacency, and the routes reconverge with the secondary's WAN address as next hop, so expect a gap of up to the OSPF dead interval (40 seconds by default on a broadcast network) before the old path is withdrawn.

ubnt@edgerouter:~$ show ip route ospf
IP Route Table for VRF "default"
O E2 *> 10.10.10.0/24 [110/20] via 192.168.1.241, eth1, 00:21:28
O E2 *> 10.10.255.0/24 [110/20] via 192.168.1.241, eth1, 00:21:28

We can also show all the routes, and the source of each route, on the EdgeRouter.

ubnt@edgerouter:~$ show ip route forward
10.0.10.0/24 dev eth1.10 proto kernel scope link src 10.0.10.1
10.0.20.0/24 dev eth1.20 proto kernel scope link src 10.0.20.1
10.0.30.0/24 dev eth1.30 proto kernel scope link src 10.0.30.1
10.0.40.0/24 dev eth1.40 proto kernel scope link src 10.0.40.1
10.10.10.0/24 via 192.168.1.241 dev eth1 proto zebra
10.10.255.0/24 via 192.168.1.241 dev eth1 proto zebra
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.100.0/24 dev eth1.60 proto kernel scope link src 192.168.100.1

I removed the eth0 (WAN) routes, but we can see that the first four routes are configured via VLANs on the EdgeRouter, while the next two are marked proto zebra, meaning they were installed in the kernel by the EdgeRouter's zebra routing daemon, i.e. learned via OSPF.
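To turn the two checks above (neighbor state and learned routes) into something you can re-run after a failover or a config change, here is a small checker. It is an added example written for this post, not code from the original post, from pfSense/FRR or from EdgeOS. It parses the text of the EdgeOS `show ip ospf neighbor` and `show ip route ospf` output (the Init-state neighbor sample and the route sample are the post's own output pasted in as constants; the Full-state sample is constructed) and reports the conditions that would stop the pfSense subnets from being learned: a neighbor that never reaches Full, two routers stuck in 2-Way because neither is DR-eligible, a missing prefix, or a next hop that is not the expected pfSense WAN address.

```python
"""Check the OSPF adjacency and the routes learned from the pfSense pair.

Added example for this post; not code from the post, pfSense/FRR or EdgeOS.
It parses the text of the EdgeOS `show ip ospf neighbor` and `show ip route
ospf` commands and reports anything that would stop the pfSense subnets
from being learned.
"""
import re
from dataclasses import dataclass

# The post's own output: hello received, adjacency not yet up.
NEIGHBOR_INIT = """\
Total number of full neighbors: 0
OSPF process 0 VRF(default):
Neighbor ID     Pri   State            Dead Time   Address         Interface           Instance ID
192.168.1.254     1   Init/DROther     00:00:33    192.168.1.241   eth1                    0
"""
# Constructed: the same neighbor once the adjacency is up. With eth1 at
# priority 0 the EdgeRouter is not DR-eligible, so pfSense is the DR.
NEIGHBOR_FULL = """\
Total number of full neighbors: 1
OSPF process 0 VRF(default):
Neighbor ID     Pri   State            Dead Time   Address         Interface           Instance ID
192.168.1.254     1   Full/DR          00:00:38    192.168.1.241   eth1                    0
"""
# The post's own output: the two redistributed pfSense subnets.
ROUTES_OSPF = """\
IP Route Table for VRF "default"
O E2 *> 10.10.10.0/24 [110/20] via 192.168.1.241, eth1, 00:21:28
O E2 *> 10.10.255.0/24 [110/20] via 192.168.1.241, eth1, 00:21:28
"""

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # Init, 2-Way, ExStart, Exchange, Loading, Full
    role: str       # DR, BDR or DROther
    address: str    # interface address the hellos come from, not the CARP VIP
    interface: str

@dataclass
class Route:
    prefix: str
    kind: str       # "" for intra-area, else IA, E1, E2, N1 or N2
    distance: int   # administrative distance, 110 for OSPF
    metric: int     # 20 is FRR's default for redistributed routes
    next_hop: str
    interface: str

IPV4 = r"\d+\.\d+\.\d+\.\d+"
NEIGHBOR_RE = re.compile(
    rf"^(?P<rid>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>[\w-]+)/(?P<role>\w+)\s+"
    rf"[\d:]+\s+(?P<addr>{IPV4})\s+(?P<iface>\S+)")
ROUTE_RE = re.compile(
    rf"^O\s*(?P<kind>E1|E2|IA|N1|N2)?\s*\*?>?\s*(?P<prefix>{IPV4}/\d+)\s+"
    rf"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>{IPV4}),\s*(?P<iface>[^,\s]+)")

def parse_neighbors(text: str) -> list[Neighbor]:
    """One Neighbor per data line of `show ip ospf neighbor`; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            found.append(Neighbor(m["rid"], int(m["pri"]), m["state"], m["role"],
                                  m["addr"], m["iface"]))
    return found

def parse_ospf_routes(text: str) -> dict[str, Route]:
    """Prefix -> Route for each OSPF line of `show ip route ospf`."""
    found = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            found[m["prefix"]] = Route(m["prefix"], m["kind"] or "", int(m["ad"]),
                                       int(m["metric"]), m["nh"], m["iface"])
    return found

def check_adjacency(neighbors: list[Neighbor], peer_router_id: str) -> list[str]:
    """Problems with the adjacency to peer_router_id; an empty list means it is usable."""
    peer = next((n for n in neighbors if n.router_id == peer_router_id), None)
    if peer is None:
        return [f"no neighbor with router ID {peer_router_id}: check area, network "
                "type and authentication on both ends"]
    if peer.state == "2-Way" and peer.role == "DROther":
        # Two routers that stay in 2-Way with no DR on the segment are both
        # DR-ineligible, e.g. priority 0 configured on both sides.
        return [f"stuck in 2-Way/DROther with {peer_router_id}: no DR on the "
                "segment, at least one side needs a priority above 0"]
    if peer.state != "Full":
        return [f"adjacency with {peer_router_id} is {peer.state}/{peer.role}, not "
                "Full: no routes are exchanged until it reaches Full"]
    return []

def check_routes(routes: dict[str, Route], expected: list[str], next_hop: str) -> list[str]:
    """Every expected pfSense prefix must be present and point at the given next hop."""
    problems = []
    for prefix in expected:
        r = routes.get(prefix)
        if r is None:
            problems.append(f"{prefix} not learned via OSPF (is it redistributed as connected?)")
        elif r.next_hop != next_hop:
            problems.append(f"{prefix} is via {r.next_hop}, expected {next_hop}")
    return problems

if __name__ == "__main__":
    for label, sample in (("init", NEIGHBOR_INIT), ("full", NEIGHBOR_FULL)):
        print(label, check_adjacency(parse_neighbors(sample), "192.168.1.254") or "ok")
    expected = ["10.10.10.0/24", "10.10.255.0/24"]
    print("routes", check_routes(parse_ospf_routes(ROUTES_OSPF), expected, "192.168.1.241") or "ok")
```

To use it against the live pair, paste fresh command output into the two constants and run it; the next-hop argument is the WAN address of whichever node is currently CARP master, which is also the value to watch change after a failover.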
From a workstation on the 192.168.1.0/24 network, we can see that there is connectivity.

P:\>pathping 10.10.10.4

Tracing route to 10.10.10.4 over a maximum of 30 hops

0 boxen.incendiary.local [192.168.1.10]
1 192.168.1.241
2 10.10.10.4
