Guide to Configuring FRR with OSPF on IPv4 and IPv6 (link-local) and CSF | GOLINE

This guide provides detailed instructions for configuring FRR (Free Range Routing) on an Ubuntu server to manage OSPF on IPv4 and OSPFv3 on IPv6, using link-local addresses. It also includes configurations to ensure that CSF (ConfigServer Security & Firewall) does not block OSPF traffic.

1. Installing FRR and Enabling the Service

First, install FRR and the necessary components on Ubuntu. Update the package list, then install FRR and the associated tools using the following commands:

sudo apt-get update
sudo apt-get install frr frr-pythontools

After installing FRR, enable and start the FRR service to ensure it runs on system startup:

sudo systemctl enable frr
sudo systemctl start frr

Once the service is running, open the main FRR configuration file for editing:

sudo nano /etc/frr/frr.conf

2. Enabling OSPF and OSPFv3 Daemons

After installing FRR, you need to enable the daemons for OSPF and OSPFv3.
Open the `/etc/frr/daemons` file for editing:

sudo nano /etc/frr/daemons

Set `ospfd=yes` to enable the OSPF daemon for IPv4 and `ospf6d=yes` to enable the OSPFv3 daemon for IPv6.
Save the file and restart the FRR service to apply the changes:

sudo systemctl restart frr

3. Configuring FRR for OSPF on IPv4 and IPv6

Next, configure FRR to manage OSPF on IPv4 and OSPFv3 on IPv6.
Open the main FRR configuration file located at `/etc/frr/frr.conf`:

sudo nano /etc/frr/frr.conf

Insert the following configuration:

frr version 8.4.4
frr defaults traditional
hostname myhost.my.domain
log syslog informational

ip forwarding
ipv6 forwarding

service integrated-vtysh-config

router ospf
 ospf router-id 203.0.113.24
 network 203.0.113.0/24 area 0
exit

router ospf6
 ospf6 router-id 203.0.113.24
 interface ens160 area 0.0.0.0
exit

interface ens160
 ipv6 ospf6 area 0.0.0.0
 ipv6 address fe80::1/64
 ip ospf priority 0
 ipv6 ospf6 priority 0
exit

This configuration enables forwarding for both IPv4 and IPv6 and configures OSPF for IPv4 and OSPFv3 for IPv6 on the `ens160` interface, using the specified link-local IPv6 address. The priority of 0 on both protocols makes this host ineligible for election as designated router. Save the changes and close the file.

4. Configuring CSF to Allow OSPF Traffic

To ensure that CSF does not block OSPF traffic, follow these steps:

Create or modify the file `/etc/csf/csfpost.sh`:

sudo nano /etc/csf/csfpost.sh

Add the following rules to allow OSPF traffic on IPv4 and OSPFv3 on IPv6:

#!/bin/bash
# Custom rules to allow OSPF traffic on IPv4 and OSPFv3 on IPv6

# IPv4 OSPF (IP protocol 89)
iptables -I INPUT -p 89 -j ACCEPT
iptables -I OUTPUT -p 89 -j ACCEPT
# OSPF multicast groups: 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters).
# These rules have no -p match, so they accept any protocol sent to the groups.
iptables -I INPUT -d 224.0.0.5 -j ACCEPT
iptables -I OUTPUT -d 224.0.0.5 -j ACCEPT
iptables -I INPUT -d 224.0.0.6 -j ACCEPT
iptables -I OUTPUT -d 224.0.0.6 -j ACCEPT
# OSPF neighbours: these rules accept all traffic from and to each address,
# not only OSPF.
iptables -I INPUT -s 203.0.113.1 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.1 -j ACCEPT
iptables -I INPUT -s 203.0.113.2 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.2 -j ACCEPT
iptables -I INPUT -s 203.0.113.3 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.3 -j ACCEPT
iptables -I INPUT -s 203.0.113.4 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.4 -j ACCEPT
iptables -I INPUT -s 203.0.113.5 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.5 -j ACCEPT
iptables -I INPUT -s 203.0.113.20 -j ACCEPT
iptables -I OUTPUT -d 203.0.113.20 -j ACCEPT

# IPv6 OSPFv3 (IP protocol 89)
ip6tables -I INPUT -p 89 -j ACCEPT
ip6tables -I OUTPUT -p 89 -j ACCEPT
# OSPFv3 multicast groups: ff02::5 (AllSPFRouters) and ff02::6 (AllDRouters)
ip6tables -I INPUT -d ff02::5 -j ACCEPT
ip6tables -I OUTPUT -d ff02::5 -j ACCEPT
ip6tables -I INPUT -d ff02::6 -j ACCEPT
ip6tables -I OUTPUT -d ff02::6 -j ACCEPT
# Link-local range: accepts every protocol from and to fe80::/10
ip6tables -I INPUT -s fe80::/10 -j ACCEPT
ip6tables -I OUTPUT -d fe80::/10 -j ACCEPT

Save and close the file.

Make the file executable with the command: sudo chmod +x /etc/csf/csfpost.sh

Then restart CSF to apply the new rules: sudo csf -r
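
The rules in this step also admit non-OSPF traffic: the `-s`/`-d` rules carry no protocol match, and `fe80::/10` covers every link-local IPv6 packet. A tighter variant follows as an added example, not part of the original guide, in which every rule is limited to protocol 89 on `ens160` and to the guide's sample neighbours. The `run` helper, the `DRY_RUN` switch and the function names are hypothetical, and the example assumes the base CSF rule set already permits ICMPv6 neighbour discovery.

```shell
#!/bin/bash
# Added example, not the guide's script: OSPF-only allow rules for csfpost.sh.
# Interface and neighbour addresses reuse the guide's sample values.
OSPF_IF="ens160"
OSPF_NEIGHBORS="203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5 203.0.113.20"

# Hypothetical helper: DRY_RUN=1 (default) prints each rule for review,
# DRY_RUN=0 executes it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# IPv4: protocol 89 only, on the OSPF interface only, known neighbours only.
ospf4_rules() {
    for nbr in $OSPF_NEIGHBORS; do
        # The source match covers multicast (224.0.0.5/6) and unicast OSPF
        # packets sent by this neighbour.
        run iptables -I INPUT -i "$OSPF_IF" -p 89 -s "$nbr" -j ACCEPT
        run iptables -I OUTPUT -o "$OSPF_IF" -p 89 -d "$nbr" -j ACCEPT
    done
    for grp in 224.0.0.5 224.0.0.6; do
        run iptables -I OUTPUT -o "$OSPF_IF" -p 89 -d "$grp" -j ACCEPT
    done
}

# IPv6: OSPFv3 packets come from link-local sources, so match fe80::/10
# together with protocol 89 instead of accepting all link-local traffic.
ospf6_rules() {
    run ip6tables -I INPUT -i "$OSPF_IF" -p 89 -s fe80::/10 -j ACCEPT
    for dst in ff02::5 ff02::6 fe80::/10; do
        run ip6tables -I OUTPUT -o "$OSPF_IF" -p 89 -d "$dst" -j ACCEPT
    done
}

ospf4_rules
ospf6_rules
```

Run it once with the default dry run to review the generated rules, then set `DRY_RUN=0` at the top of `/etc/csf/csfpost.sh` so that `csf -r` applies them.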

5. Verifying the Configuration

After configuring FRR and CSF, it’s important to verify that everything is functioning correctly.
Follow these steps:

Access `vtysh`: sudo vtysh

Check the status of OSPF neighbors for IPv4 with the command: show ip ospf neighbor

Check the status of OSPFv3 neighbors for IPv6 with the command: show ipv6 ospf6 neighbor

Finally, view the IPv6 routing table with the command: show ipv6 route

If everything is configured correctly, you should see active OSPF neighbors and a routing table populated with OSPF routes.

This complete guide enables you to configure FRR to manage OSPF on IPv4 and OSPFv3 on IPv6 while ensuring that CSF does not block the necessary traffic.
