Guide to Configuring FRR with OSPF on IPv4 and IPv6 (link-local) and CSF
This guide provides detailed instructions for configuring FRR (Free Range Routing) on an Ubuntu server to manage OSPF on IPv4 and OSPFv3 on IPv6, using link-local addresses. It also includes configurations to ensure that CSF (ConfigServer Security & Firewall) does not block OSPF traffic.
1. Installing FRR and Enabling the Service
First, install FRR and the necessary components on Ubuntu. Update the package list, then install FRR and the associated tools using the following commands:
sudo apt-get update
sudo apt-get install frr frr-pythontools
After installing FRR, enable and start the FRR service to ensure it runs on system startup:
sudo systemctl enable frr
sudo systemctl start frr
Once the service is running, open the main FRR configuration file for editing:
sudo nano /etc/frr/frr.conf
2. Enabling OSPF and OSPFv3 Daemons
After installing FRR, you need to enable the daemons for OSPF and OSPFv3.
Open the `/etc/frr/daemons` file for editing:
sudo nano /etc/frr/daemons
Set `ospfd=yes` to enable the OSPF daemon for IPv4 and `ospf6d=yes` to enable the OSPFv3 daemon for IPv6.
Save the file and restart the FRR service to apply the changes:
sudo systemctl restart frr
3. Configuring FRR for OSPF on IPv4 and IPv6
Next, configure FRR to manage OSPF on IPv4 and OSPFv3 on IPv6.
Open the main FRR configuration file located at `/etc/frr/frr.conf`:
sudo nano /etc/frr/frr.conf
Insert the following configuration:
frr version 8.4.4
frr defaults traditional
hostname myhost.my.domain
log syslog informational
ip forwarding
ipv6 forwarding
service integrated-vtysh-config
router ospf
 ospf router-id 203.0.113.24
 network 203.0.113.0/24 area 0
exit
router ospf6
 ospf6 router-id 203.0.113.24
 interface ens160 area 0.0.0.0
exit
interface ens160
 ipv6 ospf6 area 0.0.0.0
 ipv6 address fe80::1/64
 ip ospf priority 0
 ipv6 ospf6 priority 0
exit
This configuration enables forwarding for both IPv4 and IPv6, configures OSPF for IPv4, and OSPFv3 for IPv6, using the `ens160` interface and the specified link-local IPv6 address. Save the changes and close the file.
4. Configuring CSF to Allow OSPF Traffic
To ensure that CSF does not block OSPF traffic, follow these steps:
Create or modify the file `/etc/csf/csfpost.sh`:
sudo nano /etc/csf/csfpost.sh
Add the following rules to allow OSPF traffic on IPv4 and OSPFv3 on IPv6:
#!/bin/bash
# Custom rules to allow OSPF traffic on IPv4 and OSPFv3 traffic on IPv6
# IPv4 OSPF
iptables -I INPUT -p 89 -j ACCEPT
iptables -I OUTPUT -p 89 -j ACCEPT
iptables -I INPUT -d 224.0.0.5 -j ACCEPT
iptables -I OUTPUT -d 224.0.0.5 -j ACCEPT
iptables -I INPUT -d 224.0.0.6 -j ACCEPT
iptables -I OUTPUT -d 224.0.0.6 -j ACCEPT
iptables -I INPUT -s 203.0.113.1 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.1 -j ACCEPT
iptables -I INPUT -s 203.0.113.2 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.2 -j ACCEPT
iptables -I INPUT -s 203.0.113.3 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.3 -j ACCEPT
iptables -I INPUT -s 203.0.113.4 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.4 -j ACCEPT
iptables -I INPUT -s 203.0.113.5 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.5 -j ACCEPT
iptables -I INPUT -s 203.0.113.20 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.20 -j ACCEPT
# IPv6 OSPFv3
ip6tables -I INPUT -p 89 -j ACCEPT
ip6tables -I OUTPUT -p 89 -j ACCEPT
ip6tables -I INPUT -d ff02::5 -j ACCEPT
ip6tables -I OUTPUT -d ff02::5 -j ACCEPT
ip6tables -I INPUT -d ff02::6 -j ACCEPT
ip6tables -I OUTPUT -d ff02::6 -j ACCEPT
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I OUTPUT -d fe80::/10 -j ACCEPT
Save and close the file.
Make the file executable with the command: `sudo chmod +x /etc/csf/csfpost.sh`
Then restart CSF to apply the new rules: `sudo csf -r`
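The rules above accept every protocol sent to the OSPF multicast groups, from each listed neighbor, and from all of fe80::/10. As an added example (not part of the original guide), the script below prints a narrower rule set for `csfpost.sh` that matches only IP protocol 89 on the OSPF interface. The function names and the choice to print the rules rather than apply them are assumptions of this example; the interface and neighbor addresses are the guide's sample values.

```shell
#!/bin/sh
# Added example: generate least-privilege OSPF allow rules for csfpost.sh.
# Values below are the guide's sample interface and neighbor addresses.
OSPF_IFACE="ens160"
OSPF_NEIGHBORS="203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5 203.0.113.20"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_ospf_rules IFACE NEIGHBOR...: print one rule per line.
# Nothing is printed if any argument fails validation.
emit_ospf_rules() {
    iface=$1; shift
    case "$iface" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    for n in "$@"; do
        is_ipv4 "$n" || { echo "bad neighbor: $n" >&2; return 1; }
    done
    # IPv4: protocol 89 only, on the OSPF interface, from known neighbors.
    # This covers both multicast (224.0.0.5/224.0.0.6) and unicast OSPF packets.
    for n in "$@"; do
        echo "iptables -I INPUT -i $iface -p 89 -s $n -j ACCEPT"
    done
    echo "iptables -I OUTPUT -o $iface -p 89 -j ACCEPT"
    # IPv6: OSPFv3 uses link-local source addresses, so match fe80::/10
    # but keep the protocol and interface restrictions.
    echo "ip6tables -I INPUT -i $iface -p 89 -s fe80::/10 -j ACCEPT"
    echo "ip6tables -I OUTPUT -o $iface -p 89 -j ACCEPT"
}

# Print the rules for review. To apply them from csfpost.sh, pipe this to "sh".
emit_ospf_rules "$OSPF_IFACE" $OSPF_NEIGHBORS
```

After reviewing the output, compare it with `iptables -S INPUT` and `ip6tables -S INPUT` once CSF has been restarted to confirm that no broader ACCEPT rule remains.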
5. Verifying the Configuration
After configuring FRR and CSF, it’s important to verify that everything is functioning correctly.
Follow these steps:
Access `vtysh`: `sudo vtysh`
Check the status of OSPF neighbors for IPv4 with the command: `show ip ospf neighbor`
Check the status of OSPFv3 neighbors for IPv6 with the command: `show ipv6 ospf6 neighbor`
Finally, view the IPv6 routing table with the command: `show ipv6 route`
If everything is configured correctly, you should see active OSPF neighbors and a routing table populated with OSPF routes.
This complete guide enables you to configure FRR to manage OSPF on IPv4 and OSPFv3 on IPv6 while ensuring that CSF does not block the necessary traffic.