7.1.1, 7.2rc1, wireguard, ospf, nbma - problem

Hello!

I want to use several mikrotik devices connected over wireguard to the same server, with ospf.
I created a wireguard server on centos 7, with address 192.168.89.1/24 and bird as the ospf service.
Then I connect the mikrotik over wireguard. Everything is good here.
If I set AllowedIPs = 0.0.0.0/0 then ospf just works over multicast in one-peer mode,
but this does not work if there is more than one peer.
So I limited this on the server side to AllowedIPs = 192.168.89.2/32.
Then any traffic passes over wireguard except multicast.
So I need unicast:

/routing ospf instance
add name=ospf-instance-1 router-id=192.168.89.2
/routing ospf area
add area-id=0.0.0.1 instance=ospf-instance-1 name=ospf-area-1

/routing ospf interface-template
add area=ospf-area-1 networks=192.168.89.0/24 priority=0 type=nbma
/routing ospf static-neighbor
add address=192.168.89.1%wireguard1 area=ospf-area-1 poll-interval=5s

And here the problem starts.
As I can see from tcpdump on the server side, the mikrotik does not send hellos into the wireguard interface; I see only hellos from bird:

tcpdump -n -i wg0 host 192.168.89.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
13:57:56.341322 IP 192.168.89.1 > 192.168.89.2: OSPFv2, Hello, length 44
13:58:16.341272 IP 192.168.89.1 > 192.168.89.2: OSPFv2, Hello, length 44
13:58:36.341131 IP 192.168.89.1 > 192.168.89.2: OSPFv2, Hello, length 44


If I connect from my desktop as a second peer using FRR then everything works just fine:
interface wg0
 ip ospf network non-broadcast
 ip ospf priority 0
!
router ospf
 ospf router-id 192.168.89.3
 network 192.168.89.0/24 area 1
 neighbor 192.168.89.1

ospfd# show ip ospf neighbor

Neighbor ID     Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
10.1.1.5        128 Full/DR           39.863s 192.168.89.1    wg0:192.168.89.3         0     0     0

ospfd#


Could you tell me what is wrong here? Looks like a mikrotik bug to me…

Thank you!

/routing ospf interface-template
add area=ospf-area-1 networks=192.168.89.0/24 priority=0 type=nbma

change this to:
type=ptp

(and the equivalent on frr side)
:slight_smile:

ptp will work only if multicast traffic works; it works only in point-to-point mode, not when one has several peers.

Well, there is a workaround: gre over wireguard, a tunnel for each peer, to make it ptp. It works…

For nbma and also ptmp network types static-neighbor configuration must be set.

Yes, sure, it is in the first message here:

/routing ospf static-neighbor
add address=192.168.89.1%wireguard1 area=ospf-area-1 poll-interval=5s

Well, we don’t need this type of link right now, but we need to use the router.
So, I have no mikrotik router for testing anymore.
Just interested: does nbma work in v7 without wireguard?

Well 7.2rc3 fixed nbma hellos, now I receive them.
But bird does not like them:

bird: MyOSPF: Bad HELLO packet from nbr 192.168.89.2 on wg0 - eligibility mismatch (1)

Fortunately, ptmp works in unicast mode :slight_smile:

Something like this:

/routing ospf interface-template
add area=ospf-area-1 networks=192.168.89.0/24 priority=1 type=ptmp
/routing ospf static-neighbor
add address=192.168.89.1%wireguard1 area=ospf-area-1 poll-interval=5s

and on bird side:

interface "wg0" {
    # wg test
    priority 128;
    cost 1;

    # type nbma;    (disabled: superseded by ptmp below)
    type ptmp;
    strict nonbroadcast yes;
    neighbors {
        192.168.89.2;
        192.168.89.3;
    };
};

So it works in unicast mode on both sides.

To install routes into mikrotik we need:
/interface wireguard peers
add allowed-address=0.0.0.0/0

otherwise mikrotik does not install routes...

I got mine working by adding the ospf multicast address 224.0.0.5/32 to my wireguard link.

Adding multicast will only work in a point-to-point scenario, otherwise peers will not send it to all other peers :slight_smile:
I.e. this is not an option.
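
The AllowedIPs behaviour discussed in this thread, as an added example that is not part of any post here and is not WireGuard, bird or RouterOS code: a small Python model of the server's AllowedIPs lookup, showing why a multicast hello to 224.0.0.5 reaches at most one peer while unicast hellos reach both. The peer labels `mikrotik` and `desktop` are made up for the illustration, and the model covers only the AllowedIPs lookup, assuming the host already hands the packet to wg0.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of WireGuard's per-interface AllowedIPs table (IPv4 only)."""

    def __init__(self):
        self.routes = {}  # ip_network -> peer label; one owner per prefix

    def set_allowed(self, peer, *prefixes):
        # As in WireGuard, assigning a prefix that another peer already
        # holds moves it: a prefix never belongs to two peers at once.
        for p in prefixes:
            self.routes[ipaddress.ip_network(p)] = peer

    def egress_peer(self, dst):
        """Longest-prefix match on destination; None means the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.routes if addr in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def ingress_ok(self, peer, src):
        """A decrypted packet is accepted only if its source maps back to the sender."""
        return self.egress_peer(src) == peer

ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF multicast hello destination

def hello_recipients(table, neighbors, unicast):
    """Peers that actually receive one round of hellos sent by the server."""
    dsts = neighbors if unicast else [ALL_SPF_ROUTERS]
    return sorted({p for p in map(table.egress_peer, dsts) if p})

def build_server_table(multicast_on_both=False):
    # Peer labels are hypothetical; the addresses are the ones from the thread.
    t = CryptokeyTable()
    t.set_allowed("mikrotik", "192.168.89.2/32")
    t.set_allowed("desktop", "192.168.89.3/32")
    if multicast_on_both:
        t.set_allowed("mikrotik", "224.0.0.5/32")
        t.set_allowed("desktop", "224.0.0.5/32")  # takes it from "mikrotik"
    return t

if __name__ == "__main__":
    nbrs = ["192.168.89.2", "192.168.89.3"]
    for label, tbl in [("/32 only", build_server_table()),
                       ("+224.0.0.5 on both", build_server_table(True))]:
        print(label, "multicast ->", hello_recipients(tbl, nbrs, unicast=False))
        print(label, "unicast   ->", hello_recipients(tbl, nbrs, unicast=True))
```
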

I experienced the same issue