OSPF across Wireguard using ptp, not nbma?

wojo · Tue Jan 02, 2024 7:16 am

Is it possible to get OSPF working on Wireguard in PTP mode? I've seen mixed things around broadcast/multicast not working on Wireguard to the fact that I just need to allow 224.0.0.0/24 in the Wireguard AllowedIPs and it should work.

When set to ptp, I see the traffic and nothing is being blocked (have a log on all firewall rules that drop), but the routers never discover each other (no entries in neighbors). However, if I set nbma and static neighbor entries everything is discovered and routes are shared.

My Wireguard config is set to allow `0.0.0.0/0` right now, but I've allowed 224.0.0.0/24 specifically as well alongside my other networks. Not sure what else needs to be configured.

You can see the config that works below, but I'd like to change it to use ptp if possible. Thoughts?

ATL router:

/interface bridge
add name=loopback
/ip/address/print where interface=loopback
Columns: ADDRESS, NETWORK, INTERFACE
 # ADDRESS        NETWORK     INTERFACE
14 172.18.0.1/32  172.18.0.1  loopback

/routing id
add disabled=no id=172.18.0.1 name=ospf-id select-dynamic-id=""

/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=ospf-id
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/routing ospf interface-template
add area=backbone disabled=no interfaces=wireguard-db type=nbma
add area=backbone disabled=no interfaces=all-lans passive
add area=backbone disabled=no interfaces=loopback passive
/routing ospf static-neighbor
add address=192.168.99.2%wireguard-db area=backbone disabled=no poll-interval=15s

and router DB:

/interface bridge
add name=loopback
/ip/address/print where interface=loopback
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS        NETWORK     INTERFACE
1 172.18.0.2/32  172.18.0.2  loopback

/routing id
add disabled=no id=172.18.0.2 name=ospf-id select-dynamic-id=""

/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=ospf-id
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/routing ospf interface-template
add area=backbone disabled=no interfaces=wireguard-atl type=nbma
add area=backbone disabled=no interfaces=all-lans passive
add area=backbone disabled=no interfaces=loopback passive
/routing ospf static-neighbor
add address=192.168.99.1%wireguard-atl area=backbone disabled=no poll-interval=15s

Wireguard is simple as well, router ATL:

/ip/address/print where interface=wireguard-db
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
4 192.168.99.1/30  192.168.99.0  wireguard-db

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-db

/interface wireguard peers
add allowed-address=192.168.0.0/24,192.168.100.1/24,192.168.3.0/24,192.168.99.2/32,192.168.97.0/24,224.0.0.0/24,0.0.0.0/0 endpoint-address=x endpoint-port=13231 interface=wireguard-db persistent-keepalive=25s ...

and router DB:

/ip/address/print where interface=wireguard-atl
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS          NETWORK       INTERFACE
0 192.168.99.2/30  192.168.99.0  wireguard-atl

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-atl

/interface wireguard peers
add allowed-address=172.16.32.0/22,192.168.99.1/32,192.168.98.0/24,172.26.0.0/16,224.0.0.0/24,0.0.0.0/0 endpoint-address=x endpoint-port=13231 interface=wireguard-atl persistent-keepalive=25s ...

mantouboji · Tue Jan 02, 2024 7:58 am

Did you allow OSPF protocol input/forward in /ip/firewall/filter？

I use OSPF ptp through wireguard both on IPv4 and v6，works well。

wojo · Thu Jan 04, 2024 3:04 am

Did you allow OSPF protocol input/forward in /ip/firewall/filter？

I use OSPF ptp through wireguard both on IPv4 and v6，works well。

Yes, in fact I am allowing all input (not just ospf) on the wireguard interfaces. I also log any drops and nothing shows up.

I must be missing something, do you mind posting your sanitized config matching the sections above?

mantouboji · Thu Jan 04, 2024 4:56 am

/routing ospf instance add comment="OSPF v2" disabled=no name=ospf-v2 router-id=192.168.20.1
/routing ospf instance add comment="OSPF v3" disabled=no name=ospf-v3 router-id=192.168.20.1 version=3
/routing ospf area add disabled=no instance=ospf-v2 name=ospf-area-4
/routing ospf area add disabled=no instance=ospf-v3 name=ospf-area-6
/ip firewall filter add action=accept chain=input comment="accept OSPF" protocol=ospf
/ipv6 firewall filter add action=accept chain=input comment="accept OSPF" protocol=ospf
/routing ospf interface-template add area=ospf-area-4 disabled=no interfaces=bridge1
/routing ospf interface-template add area=ospf-area-6 disabled=no interfaces=bridge1
/routing ospf interface-template add area=ospf-area-4 cost=10 disabled=no interfaces=wg1 type=ptp
/routing ospf interface-template add area=ospf-area-6 cost=10 disabled=no interfaces=wg1 type=ptp

wojo · Thu Jan 04, 2024 4:58 am

/routing ospf instance add comment="OSPF v2" disabled=no name=ospf-v2 router-id=192.168.20.1
/routing ospf instance add comment="OSPF v3" disabled=no name=ospf-v3 router-id=192.168.20.1 version=3
/routing ospf area add disabled=no instance=ospf-v2 name=ospf-area-4
/routing ospf area add disabled=no instance=ospf-v3 name=ospf-area-6
/ip firewall filter add action=accept chain=input comment="accept OSPF" protocol=ospf
/ipv6 firewall filter add action=accept chain=input comment="accept OSPF" protocol=ospf
/routing ospf interface-template add area=ospf-area-4 disabled=no interfaces=bridge1
/routing ospf interface-template add area=ospf-area-6 disabled=no interfaces=bridge1
/routing ospf interface-template add area=ospf-area-4 cost=10 disabled=no interfaces=wg1 type=ptp
/routing ospf interface-template add area=ospf-area-6 cost=10 disabled=no interfaces=wg1 type=ptp

Well that's about as simple as it can be, wonder why I'm having issues. The only thing you have different (ignoring v3) is the costs I guess.

On your wireguard interfaces, do you allow 0.0.0.0/0 or 224.0.0.0/24?

mantouboji · Thu Jan 04, 2024 5:17 pm

0.0.0.0/0,::/0

/interface wireguard peers add allowed-address=0.0.0.0/0,::/0 comment=vps1 endpoint-address=MY_VPS_IP endpoint-port=46715 interface=wg1 persistent-keepalive=25s public-key="X"

wojo · Sat Jan 06, 2024 3:31 am

Ugh, it was a raw filter for bogons gone wrong. Closing this thread.

anav · Sat Jan 06, 2024 8:45 pm

Wojo........... If you are familiar with OSPF
Looking to do something for failovers.
Imagine 2 WAN inputs to MT router............. and a CHR on a VPS in the cloud.

What I want to do is connect the two WANS via wireguard and L2TP (plain -->best way to handle packet fragmentation), [from MT router to CHR VPS} such that the VPS internet is the public facing IP address.
I want to use OSPF to decide which routing should be taken (best path) based on BDF monitoring/detection of connectivity.
Overall goal is to provide as seamless failover as possible without recursive routing and without netwatch scripts or regular timing scripts......
Connections are cleared promptly and routing is redirected smoothly.

OSPF across Wireguard using ptp, not nbma? [SOLVED]

OSPF across Wireguard using ptp, not nbma? [SOLVED]

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Re: OSPF across Wireguard using ptp, not nbma?

Who is online