Add ability to filter OSPF (PEPVPN) routes

We have a large and growing network - two data centers with B710s. 120 remote peers, each with PEPVPN to one or both data centers. Mostly MAX-BR1.
In some cases there are sets of remote units that also have connections to each other.
Example is a chain of medical clinics - 5 locations. Central location has a Balance 380. The other 4 are BR1s.
Each unit has a speedfusion vpn to one of our data centers (for their phones), plus a speedfusion to the B380 (for their internal network), plus several IPSEC VPN connections to various other vendors (X-Ray processing etc).

The issue we are trying to work around is that the IPSEC VPN routes and some of the local subnets need to be advertised to the other units in their network, but NOT to the B710s.

When we used to deploy Sonicwall we would use “route filtering” on the advanced OSPF settings on the central/hub unit to filter out route updates we did NOT want to process.
We would like to see this feature added to peplink speedfusion. You can almost accomplish this by controlling route advertising at the remote units, but that is all or nothing - you cannot say "advertise this route to speedfusion link B, but not to A". Filtering allows both finer control AND allows us to avoid issues with people making mistakes with remote units. i.e. I would always filter out 192.168.1.0/24 and 192.168.50.0/24 at the central unit.

1 Like

This feature was put into the roadmap. The engineering team will look into this.

Thanks for your feature request!

2 Likes

+1
This makes sense
Cheers
Dana

I’d also like to add that I’d like to see this feature.

Hey TK

Has any further progress been made with this feature request, as we currently have a requirement where this would be a really useful feature?

Thanks
James

Just wanted to try and illustrate why ospf filtering would be useful to us. We have several balances which terminate multiple customer networks. We have a management network configured for each of the remote sites and we want to make these networks available to another “management” pepwave (hd2 for argument's sake). We would like to connect the management LAN to each of the customer networks and just learn the management networks connected to each of the customers, but we don’t want to know the customer networks as we don’t want to be routing between customers.

2 Likes

@james.webster1, do you think advertising the Management VLAN only from each remote HD2 will help?

2 Likes

Hi TK,

No, this wouldn’t help as the customer wants their network to be advertised between all their remote sites via each b1350 for their inter-site routing. We are just tapping into each network wanting to grab the specific routes that allow us to monitor remote devices. The plan is to have SNMP passing over these routes to monitor the peplink/pepwave and 3rd party hardware on each site.

Thanks
James

2 Likes

Thank you a lot, James. By answering that question you helped me too. Going to breakfast now, but I was wondering if I can ask you some further questions in case I have any? I see you do have some knowledge about this. Thanks.

Ask away, I’m sure that if I can’t help there are plenty of people here who can.

@james.webster1, you may have such a design to achieve your requirement.

2 Likes

Hi TK

If I create a new area, how do I prevent the customer network routes being shared over area 1 while still sharing the management network routes?

It seems to be all or nothing without filtering, or am I missing something?

Thanks
James

1 Like

@james.webster1

What @TK_Liew suggested is just a general idea to have the “OSPF Discontiguous Areas” isolate the route distribution between the customers' ABR B1350s. It is just a rough idea for the OSPF design that the “OSPF Discontiguous Areas” may help on this case. For the detailed OSPF settings and design, we still need more info in order to suggest the best design for this.

For me, it’s more about the OSPF design than the OSPF route filter as requested. This is a very weird design, using a single OSPF router connecting multiple customers that have different OSPF backbone designs. From my experience, this is not a recommended design.

Would you be able to provide more info for the design given previously?

[image: the OSPF design diagram given previously]

  1. You have direct physical connections to 3 different customers?
  2. What is the connection type used to connect to the 3 different customers?
  3. Are the B1350 customer routers fully managed by you?
  4. Is PepVPN used for the remote HD2 to connect to the B1350?
  5. Do you think you can provide the use case info for the given design?

2 Likes

Hey Sit Loong

It’s actually more than 3 customers as we terminate the customer traffic in a DC. Each of those customer links has 10s-100s of peers as well; the graphic was just an example.

The HD2 at the top of the drawing has a SF tunnel to our site which is to allow us to provide management for all the customers and run SNMP traffic to all the remote customer devices. We don’t want the customer network ip ranges being passed over this link and we also don’t want the HD2 (at the top of the diagram) to learn the routes.

This design is based on how OSPF is designed to work and the BIRD routing engine allows for this. The following shows an example of how the config file can be set to filter out certain networks:

We are just asking for this to be added to the GUI like the firewall rules so we can add and use OSPF filtering.

Thanks
James

Currently we have found that the only way that we can achieve this is to use a 3rd party router that supports route filtering and putting it in the middle of the 1350 and the HD2.

We get it to filter the received routes from the 1350 and then have it redistribute the management network routes to the HD2.

It would be useful in the future if we could do this just on the peplink/pepwave hardware.

Thanks

@james.webster1

For the third party router, would you please let us know the Area defined and the redistribute method used? Inter-Area filter or Intra-Area filter? How does the router participate in the PepVPN OSPF route?

1 Like

Hi Sit Loong

The 3rd party router will have 2 networks in layer 3. We will have one network connect to each customer 1350 and it will be in area 0. The router will then use a route filter to only accept the management networks.
The second network will be connected to the hd2 on area 1 (or we should be able to just advertise on area 0 as well, but we haven’t tested this yet) and will only advertise the learned routes after filtering. This will mean that the HD2 will only learn the management network routes and not the customer ones.

Ideally though being able to filter the routes on the HD2 would remove the need for adding the 3rd party router.

Thanks
James

1 Like
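As an added example, not from the thread and not Peplink's or BIRD's own configuration: this is a BIRD 2 configuration for the "router in the middle" design James describes (one OSPF adjacency toward the customer 1350, a second toward the HD2, with only the management prefixes allowed through), and it also stands in for the BIRD filter example that did not survive in the earlier post. The management prefix range, the router id and the interface names are constructed assumptions; substitute the real ones.

```conf
# Added example (not from the thread): BIRD 2 "middle router" that learns
# only the per-site management networks from the customer side and
# re-advertises only those toward the management HD2.
log syslog all;
router id 192.0.2.1;            # assumed router id

# Constructed assumption: all per-site management networks sit inside
# 10.250.0.0/16. The trailing "+" matches that prefix and any longer
# prefix beneath it, so /24 site networks are accepted.
define MGMT_NETS = [ 10.250.0.0/16+ ];

protocol device { }

# Install accepted routes into the kernel FIB so SNMP traffic can be
# forwarded; nothing is imported from the kernel.
protocol kernel {
  ipv4 { export all; };
}

# Customer-facing instance: adjacency with the customer B1350 (area 0).
# Only management prefixes reach the routing table; customer prefixes are
# rejected here. Note: BIRD's import filter controls what enters the
# routing table, not the LSDB, so the B1350 still floods its LSAs to us;
# they simply never become usable routes on this box.
protocol ospf v2 customer_side {
  ipv4 {
    import filter {
      if net ~ MGMT_NETS then accept;
      reject;
    };
    export none;               # advertise nothing back to the customer
  };
  area 0 {
    interface "eth0" { cost 10; };   # assumed interface toward the 1350
  };
}

# Management-facing instance: a separate OSPF process toward the HD2, so
# it has its own LSDB and the HD2 never sees the customer area's LSAs.
# Only routes that came from customer_side AND match MGMT_NETS are
# exported (as external routes); the second check is defence in depth in
# case the import filter above is ever loosened.
protocol ospf v2 mgmt_side {
  ipv4 {
    import none;               # learn nothing from the HD2 side
    export filter {
      if proto = "customer_side" && net ~ MGMT_NETS then accept;
      reject;
    };
  };
  area 0 {
    interface "eth1" { cost 10; };   # assumed interface toward the HD2
  };
}
```

Because the two OSPF protocols are independent processes, the area number on the HD2 side can be 0 or 1 without changing the outcome; what isolates the customer prefixes is the export filter on `mgmt_side`, not the area layout. A quick check after loading the config is `birdc show route protocol customer_side`, which should list only management prefixes, and `birdc show route export mgmt_side`, which should list the same set and nothing from a customer range.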