
Barracuda NG Firewall 5.

Dynamic Routing Protocols (OSPF/RIP/BGP)


To segment large networks where multiple paths are possible and static routing is not practical, you can use a dynamic
routing protocol. The Barracuda NG Firewall supports three dynamic routing protocols:

Open Shortest Path First (OSPF)


Routing Information Protocol (RIP version 1 and RIP version 2)
Border Gateway Protocol (BGP)

In this Section

Dynamic Routing Protocols Overview


How to Install and Configure OSPF/RIP/BGP
How to Configure OSPF Routers and Areas
How to Configure RIP Router Setup
How to Configure BGP Router Setup
How to Configure Network Interfaces for OSPF and RIP
How to Configure Filter Setup for OSPF and RIP
How to Configure EBGP Multihop Routing
How to Configure Dynamic BGP Routing over VPN
How to Configure Route-Based IPsec VPN and BGP
Example for OSPF and RIP Configuration
How to Enable Debugging for OSPF

https://techlib.barracuda.com/DoFq


Dynamic Routing Protocols Overview


The Barracuda NG Firewall supports three dynamic routing protocols: Open Shortest Path First (OSPF), Routing Information
Protocol (RIP Version 1 and RIP Version 2), and Border Gateway Protocol (BGP). OSPF and RIP are Interior Gateway Protocols
(IGP) and distribute routing information within an autonomous system, while BGP is an Exterior Gateway Protocol.

OSPF Basics
OSPF is a link state protocol and uses the Dijkstra algorithm to calculate the shortest path tree. A router's interface is the "link".
The "state" of this interface is summed up by its IP address, subnet mask, interface type, and neighbour state. Every router
keeps track of all connected interfaces and states and sends this information with multicasts to its neighbours. These
packets are known as LSAs (Link State Advertisements). The router builds its link state database with the information
provided by the LSAs. Every time a network change occurs, LSAs containing the new information are sent, triggering
every router to update its database. After having received all LSAs, the router calculates the loop-free topology. LSAs cannot
be filtered within an area because all routers in an area must have the same link state database. If some information is
missing, routing loops can occur.
OSPF is a hierarchical IGP; it uses Areas to achieve this. The top-level Area is known as the Backbone Area, and the number of
this Area always has to be 0 or 0.0.0.0. All other Areas must be physically connected to this Backbone Area.
Areas must not be split. If this cannot be avoided, a virtual link has to be used to
expand Area 0 over any other area. Routers within an area are known as Area Routers. Routers connected to two or more
areas are known as Area Border Routers (ABR), and routers connected to other autonomous systems are called Autonomous
System Boundary Routers (ASBR). Routing information may be summarized on ABRs and ASBRs; it is not possible to
summarize routing information within an area.
The metric used by OSPF is cost. Every link has an associated cost value, derived from the link bandwidth. The metric to a
destination is calculated by adding up all costs. If there is more than one possible path to a destination, the route with the lowest
cost is chosen as the best route. To advertise LSAs, the router has to be in an OSPF neighbourship with other routers. When
this neighbourship is fully established, the interfaces begin sending the updates (LSAs). To build an adjacency, hello packets
are continuously exchanged between neighbouring routers. This also keeps track of the existence of the connected OSPF
neighbours. To reduce the number of updates exchanged on a Broadcast Medium (for example Ethernet), LSAs are only
sent to a so-called Designated Router (DR). This interface advertises the information to all other routers on the shared
medium. Without a DR, an any-to-any neighbourship between all OSPF routers on this segment would be needed. For backup
reasons, a Backup DR (BDR) is elected. Every other router establishes neighbourship only with the DR and BDR.
Areas can be configured as stub areas, where external routes are not advertised by ABRs to the Area Routers. Instead, a
default route is injected into the area. Area 0 cannot be a stub area.

OSPF is very CPU and memory intensive. Therefore, be careful when enabling OSPF on low-end interfaces in a large
network.

RIP Basics
RIP is a distance-vector protocol. The expression "distance-vector" can be defined as follows: The vector is the direction to
the destination (next hop); the distance is treated as a metric type. Example: Destination A is a distance of 3 hops away and
the direction is via router AA. RIP uses Hop Count as metric. A maximum of 15 hops is possible; metric 16 means that a
network is unreachable. All RIP routers periodically send routing updates. Every update includes the whole routing table. The
following techniques have been introduced to prevent routing loops:

Split Horizon - When sending updates out of a particular interface, the routes learned from this interface are not included in
the update.
Split Horizon with Poison Reverse - This method is an extension to Split Horizon. The router includes learned routes in
the update but marks these routes as unreachable.
Counting to infinity - Used to recognize unreachable networks on link failures. Infinity in RIP is defined as 16 hops. Every time
a routing update passes a router, the hop count is increased by 1. When the counter reaches 16, the network is considered
unreachable.

RIPv1 is classful, which means that subnet information cannot be distributed. RIPv2, on the other hand, is classless, which
means that the subnet mask is included in the routing update.

BGP Basics
BGP is an Exterior Gateway Protocol (EGP) and is typically used to connect autonomous systems (AS) of Internet service
providers. BGP calculates routing paths based on several attributes such as AS Path, IGP-Metric, Multi-Exit Discriminator,
Communities, Local Preferences, Next Hop, Weight and Origin. Autonomous systems communicate with each other through TCP sessions
on port 179. BGP can run between peers in the same AS as well as between peers on the border to other AS. It therefore acts as
an IBGP (Interior Border Gateway Protocol) as well as an Exterior Gateway Protocol (EGP).

Protocol Comparison
The following table summarizes the feature differences between the supported dynamic routing protocols.
Attribute: Convergence
OSPF: Fast
RIP: Slow
BGP: Slow

Attribute: Network size
OSPF: For large and small networks.
RIP: Only for small to medium networks due to the fact that max. metric is 15 hops.
BGP: For large networks.

Attribute: Need of device resources
OSPF: Memory and CPU intensive.
RIP: Much less memory and CPU intensive than OSPF.
BGP: Depends on the size of the routing table but scales better than OSPF.

Attribute: Need of network resources
OSPF: Less than RIP; only small updates are sent.
RIP: Bandwidth consuming; whole routing table is sent (default: every 90 seconds).
BGP: Bandwidth consuming while learning network routes from connected AS or during update bursts.

Attribute: Metric
OSPF: Is based on bandwidth.
RIP: Is based on hop count, no matter how fast the connections are.
BGP: Is based on AS Path, IGP-Metric, Multi-Exit Discriminator, Communities, Local Preferences, Next Hop, Weight and Origin.

Attribute: Design
OSPF: Hierarchical network possible.
RIP: Flat network.
BGP: Fully meshed.

HA Operation
The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the
partner while it is "passive" because the network routes required to do so are missing. The external routes HA information is
therefore stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Takeover and startup of the
OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes
are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed by the
HA garbage collection after five minutes.


How to Install and Configure OSPF/RIP/BGP


This article provides step-by-step information on how to install and configure dynamic routing protocols. To configure
either OSPF/RIP or BGP on a Barracuda NG Firewall system, a new virtual service has to be introduced. For more
information, see How to Create a Service.
To configure OSPF/RIP/BGP Settings, proceed with the following steps:
1. Log into the Barracuda NG Firewall.
2. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > <your Server> > Assigned
Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings).
3. Click Lock.
4. From the Configuration menu in the left navigation pane, select Operational Setup. In this section, the
general parameters of the dynamic routing protocols, such as enabling/disabling the protocol and handling of
dynamic routes, are configured.

On a Barracuda NG Firewall, route selection depends directly on the metric of a route; routes with a lower metric
are preferred to routes with a higher metric. Static routes have a metric of 1 by default. RIP routes can have a
maximum metric of 15 hops and OSPF routes will mostly have a cost of more than 20. As it is desirable that OSPF
routes be preferred to RIP routes, metrics can be increased artificially by defining administrative distances. The
corresponding parameter Administrative Distance for RIP is set to 120 by default. The equivalent parameter
Admin Distance for OSPF is left empty by default. The value specified for the administrative distance is
added to every route learned through OSPF or RIP respectively.

Operational Setup
Idle Mode - If this parameter is set to yes, the OSPF/RIP/BGP wrapper gets started by the control daemon but does
not start up the actual OSPF/RIP/BGP routing service.
Run OSPF Router - By setting this value the OSPF routing functionality can be enabled or disabled.
Run RIP Router - By setting this value the RIP routing functionality can be enabled or disabled.
Run BGP Router - By setting this value the BGP routing functionality can be enabled or disabled.
Hostname - Allows overriding the propagated hostname, which by default is the box hostname.
Operation Mode - The operation mode defines handling of route learning and propagation. The following settings are
possible:
  advertise-only - Routes are only advertised.
  learn-only - Networks are not propagated, except those networks living on the interfaces configured
  for OSPF/RIP/BGP themselves; learned routes from other systems are still advertised.
  advertise-learn - OSPF/BGP routes are learned and propagated.
Router ID - Every OSPF/BGP router is identified by its Router ID. This ID is defined by an IP address explicitly
configured for this router.
Note that the router ID must also be set if the routing service only provides a RIP service. Although it is not
used by RIP, you must enter any IP address.

OSPF Preferences

Log Level - Specifies the verbosity of the OSPF routing service:
  critical
  debugging
  emergencies
  errors
  informational (default)
  notifications
  warnings
  alerts
Use Special Routing Table - By setting this parameter to yes and selecting a table name below, routes learned by the
OSPF service are introduced into an own routing table. Note that the routing table is not automatically introduced but
has to be configured manually by introducing Policy Routes.
Table Names - A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced
into each of the enlisted routing tables.
Multipath Handling - The following settings are possible:
  ignore - Multipath routes will be discarded. OSPF summarizes routes to multipath routes
  automatically if more than one next hop to a prefix exists. Use setting "ignore" with caution.
  assign-internal-preferences - Multipath routes will be translated to several routes
  with different metrics (preferences).
  accept-on-same-device - Multipath routes will be introduced as multipath if
  all nexthops are reachable on the same interface.
  accept-all (default) - Multipath routes will be introduced.

For more detailed information on OSPF Router configuration, see How to Configure OSPF Routers and Areas.

RIP Preferences
This section, accessible via the link in the Configuration menu, can be specified the same way.
For more detailed information on RIP Router configuration, see How to Configure RIP Router Setup.
For a setup example including screenprints, see Example for OSPF and RIP Configuration.

BGP Router Setup


AS Number - Number of the autonomous system this router belongs to.
Confederation Parent AS - Number of the autonomous system that internally includes multiple sub-autonomous systems
(aka confederation).
Confederation Partners - Sub-autonomous system numbers belonging to same confederation.
Terminal Password - Password to connect to the BGP router through telnet. The system is reachable on loopback
TCP port 2605.
Privileged Terminal Password - Password to enable configuration through a telnet connection.
Networks - Enter all networks the BGP router should run on. When running an Exterior Gateway Protocol
BGP router, enter your WAN network.
Make sure to enter an IP address including netmask. For example: 210.80.90.100/26
Route Aggregations - Enter network addresses to perform route aggregation to decrease the size of routing tables.
Advanced settings - Configuration of advanced BGP settings:
  External Distance Definition - Administrative distance for BGP external routes. External routes are the
  best path learned from a neighbor that is external to the AS. (default 20)
  Internal Distance Definition - Administrative distance for BGP internal routes. Internal routes are the
  best path learned from other BGP speakers within the same AS. (default 200)
  Local Distance Definition - Administrative distance for BGP local routes. Local routes are networks configured
  with the network command. (default 200)
  Keep Alive Timer - Number of seconds this BGP speaker waits for a keepalive message before deciding
  that the connection is down. Recommended value is 1/3 of Hold Time.
  Administrative Distance - Number of seconds this BGP speaker waits for a keepalive, update, or notification
  message before deciding that the connection is down. Recommended value is 3 times of Keep Alive Timer.

BGP Preferences
Log Level - Logging level of the BGP routing daemon.
Use Special Routing Table - Routes learned via BGP will not be introduced in main table, but in tables given below.
Table Names - Tables must exist in network configuration.
Multipath Handling - The following settings are possible:
  ignore - Multipath routes will be discarded.
  assign-internal-preferences - Multipath routes will be translated to several routes with
  different metrics (preferences).
  accept-on-same-device - Multipath routes will be introduced as multipath, if all nexthops
  are reachable on the same device.

For more detailed information on BGP Router configuration, see How to Configure BGP Router Setup.

GUI as Text
This parameter set is only available in Advanced View mode. The configuration done with the GUI is displayed here in
quagga/Cisco commands.

Show as Text - Set this to yes to show the created OSPF syntax configuration after Send Changes.
OSPF Text - Created OSPF syntax configuration. Shown if Show as Text is set to yes.
RIP Text - Created RIP syntax configuration. Shown if Show as Text is set to yes.
BGP Text - Created BGP syntax configuration. Shown if Show as Text is set to yes.

Text Based Configuration

Configure dynamic routing here if you do not want to configure it with the GUI. Any existing GUI configuration will be
replaced. Syntax as used for quagga or Cisco applies.
OSPF Configuration / Free Format RIP Configuration:

Use Free Format - Set this to yes to use free OSPF/RIP syntax configuration.
Free Format Text - OSPF/RIP/BGP syntax configuration. This field applies when parameter Use Free Format is set
to yes.

Routing Configuration Example


Network routes which are required for an OSPF/RIP network prefix must NOT be a subset of another route (see below
for an explanation).

OSPF network prefix: 10.0.66.0/24
Server IP: 10.0.66.98
Box network route: 10.0.66.0/24 via dev eth1
Additional box network route: 10.0.0.0/8 via dev eth0

In this configuration example, the required box network route "10.0.66.0/24 via dev eth1" is completely included in the
additional box network route "10.0.0.0/8 via dev eth0". This will lead to a mismatch in the OSPF configuration. OSPF will
detect neither eth0 nor eth1 as OSPF enabled and will therefore not work.
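
The subset rule above can be checked before a configuration is activated. The following Python check is an added example, not Barracuda code: the function names are hypothetical, the first route list uses the values from this example, the second list is constructed, and it assumes that the "required" route is the box route with exactly the same network as the OSPF/RIP prefix.

```python
import ipaddress
from typing import NamedTuple


class BoxRoute(NamedTuple):
    prefix: str  # direct box network route in CIDR notation
    device: str  # interface the route points to ("via dev ...")


def find_covering_routes(ospf_prefixes, box_routes):
    """Map each OSPF/RIP network prefix to the box routes that fully contain it.

    A non-empty result for a prefix means its required route is a subset of
    another route, which is the situation the page says breaks OSPF.
    """
    parsed = [(ipaddress.ip_network(r.prefix), r) for r in box_routes]
    findings = {}
    for prefix in ospf_prefixes:
        wanted = ipaddress.ip_network(prefix)
        covering = [
            route
            for net, route in parsed
            # Same address family, not the required route itself, and a supernet.
            if net.version == wanted.version
            and net != wanted
            and wanted.subnet_of(net)
        ]
        if covering:
            findings[prefix] = covering
    return findings


def missing_routes(ospf_prefixes, box_routes):
    """Return the OSPF/RIP prefixes that have no exactly matching box route."""
    have = {ipaddress.ip_network(r.prefix) for r in box_routes}
    return [p for p in ospf_prefixes if ipaddress.ip_network(p) not in have]


# Values taken from the example on this page.
PAGE_ROUTES = [
    BoxRoute("10.0.66.0/24", "eth1"),
    BoxRoute("10.0.0.0/8", "eth0"),
]

# Constructed alternative: the second route no longer contains 10.0.66.0/24.
FIXED_ROUTES = [
    BoxRoute("10.0.66.0/24", "eth1"),
    BoxRoute("10.0.10.0/24", "eth0"),
]

if __name__ == "__main__":
    for label, routes in (("page example", PAGE_ROUTES), ("constructed fix", FIXED_ROUTES)):
        conflicts = find_covering_routes(["10.0.66.0/24"], routes)
        if not conflicts:
            print(f"{label}: no covering routes")
        for prefix, covering in conflicts.items():
            for route in covering:
                print(f"{label}: {prefix} is a subset of {route.prefix} via dev {route.device}")
```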


How to Configure OSPF Routers and Areas


After enabling and configuring OSPF, set up your OSPF router and areas.
This article provides instructions on configuring global settings and
network definitions that are used by OSPF to build relationships with
neighbors and advertise routes.

Related Articles

Dynamic Routing Protocols Overview
How to Install and Configure OSPF/RIP/BGP

Configure OSPF Routers


Edit the following settings:

ABR Type - Specifies the area border router (ABR) behavior of the OSPF routing daemon. You can select:
  Not an ABR
  Cisco Type
  Standard RFC 2328 Type
  IBM Type
Terminal Password - The password to connect via telnet. The OSPF router is reachable on TCP port 2604 (loopback
only).
Privileged Terminal Password - The password to enable configuration via Telnet.
RFC1583 Compatibility - Specifies if the router is compatible with RFC 1583 standards.
Auto-Cost Ref Bwidth [MBit/s] - The OSPF metric. This metric is calculated as reference bandwidth divided by bandwidth.
The default setting is 10000. This value is overwritten by explicit cost statements. This setting
should be used equally with all OSPF routers in an autonomous system. Otherwise, the metric
calculation will be incorrect.
Network Prefix - Defines the interfaces on which OSPF runs and the networks that are propagated as OSPF
intra-area or inter-area routes. Enter a network address including the network mask.
Network Area - Enter an existing area ID.
Advanced Settings - To specify the following advanced settings, click Set or Edit:
  Support Opaque LSA - To enable Opaque LSA, select yes.
  SPF Delay Timer - The length of time in seconds to wait before running an SPF after
  receiving a database change.
  SPF Hold Timer - The length of time in seconds to wait between consecutive SPF runs.
  Refresh Timer - You can enter values from 10 to 1800.
  Default Metric - Defines the default metric for the OSPF protocol. Use if other protocols
  are also used for metric-translation.
  Admin Distance - To determine which routing protocol to use if two protocols provide
  routing information for the same destination, the administrative distance is used as the first
  criterion. Higher distance values imply lower trust ratings. The admin distance setting is used to
  increase the metric of routes that are introduced to the system. For instance, an externally
  learned RIP route with metric 2 and administrative distance of 100 is introduced with metric
  102. As a result, the OSPF route is favored over the RIP route. Remember that administrative
  distance is not advertised and thus only has local impact.
Default Route Distribution - The default route distribution settings. To edit the following settings, click Edit:
  OSPF Metric - Set the metric in the router's link state advertisement. The SPF algorithm
  uses this value to calculate the cost for each route. Routes with lower costs are preferred over
  routes with higher costs.
  OSPF External Metric - Select an external metric type:
    Type1 - Type 1 external routes have a cost that is the sum of the cost of this external
    route plus the cost to reach the ASBR.
    Type2 - The cost of Type 2 external routes is defined similarly to the cost of Type 1
    routes but without the cost to reach the ASBR.
  Route Maps - Filter definitions. Reference the Route Map Filters settings on the Filter
  Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.
Route Redistribution - In this table, add route redistribution settings. For each entry, you can edit the following
settings:
  Route Types - The route type. You can select connected, RIP, or BGP.
  OSPF Metric - Set the metric in the router's link state advertisement. The SPF algorithm
  uses this value to calculate the cost for each route. Routes with lower costs are preferred over
  routes with higher costs.
  OSPF External Metric - If required, select an external metric type. Otherwise, select NOT-SET if an
  external metric setting is not required.
    Type1 - Type 1 external routes have a cost that is the sum of the cost of this external
    route plus the cost to reach the ASBR.
    Type2 - The cost of Type 2 external routes is defined similarly to the cost of Type 1
    routes but without the cost to reach the ASBR.
  Route Maps - Filter definitions. Reference the Route Map Filters settings on the Filter
  Setup page. For more information, see How to Configure Filter Setup for OSPF and RIP.

1. Log into the Barracuda NG Firewall.
2. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your server > Assigned
Services > OSPF-RIP-BGP Service).
3. Click Lock.
4. From the Configuration menu in the left navigation pane, select OSPF Router Setup.
5. Click Send Changes and then click Activate.

Configure OSPF Areas


In the Areas table, add your OSPF areas. For each entry, you can edit the following settings:

Enable Configuration - Enables or disables the area:
  To enable the area, select yes.
  To disable the area, select no.
Area ID Format - Specifies which format is used to enter the area ID. You can select:
  Integer (default) - Enter your area ID as an integer in the Area ID [Int] field.
  Quad-IP - Enter your area ID as a Quad IP address in the Area ID [IP] field.
Area ID [IP] - The area ID in Quad IP address format. For example, 0.0.0.1.
Area ID [Int] - The area ID as a number. For example, 0. The ID for the first area must be 0.
Authentication Type - The authentication method for the area (default: Digest-MD5).
Simple Authentication Key - The OSPF area authentication credentials for simple authentication.
Digest Authentication Key - The OSPF area authentication credentials for digest authentication.
Message Digest Key ID - The key for digest authentication.
Special Type - Specifies if the area is a Stub or Not-So-Stubby Area. You can select:
  NONE - Default setting. The area is not a special type.
  stub - Stub areas do not import or originate external LSAs.
  nssa - The OSPF Not-So-Stubby Area where an ASBR can be located in a stub area
  (see RFC 3101).
NSSA-ABR Translate Election - This setting option is defined by RFC 3101.
Disable Summary - Disables summary LSAs.
Virtual Link ID (ABR) - The virtual link ID for this area. This setting is only available in Advanced View mode.
Virtual Link Params - To edit the settings for the virtual link, click Edit. For more information on these settings,
see the "Template Configuration" section of How to Configure Network Interfaces for
OSPF and RIP. This setting is only available in Advanced View mode.
Area Default Cost - The cost for the default route injected in an attached stub area.
Summary Range IP/Mask - In this table, configure special actions for a summary range. For each entry, you can edit
the following settings:
  Summary Range IP/Mask - The IP address/mask of the summary range.
  Range Action - The special action for the range. You can select:
    advertise (default)
    non-advertise
    substitute
  Range Cost - Cost for a range.
  Advertised Range - Advertise configured range to.
Area Export Filters - In this table, create an export ACL.
Area Import Filters - In this table, create an import ACL.
Area in Filters - In this table, create an import prefix list.
Area out Filters - In this table, create an export prefix list.

1. Log into the Barracuda NG Firewall.
2. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your
server > Assigned Services > OSPF-RIP-BGP Service).
3. Click Lock.
4. From the Configuration menu in the left navigation pane, select OSPF Area Setup.
5. Click OK.
6. Click Send Changes and then click Activate.
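
The area authentication settings above end up as quagga-style commands in the OSPF Text field (see GUI as Text). The following Python check is an added example, not Barracuda or Quagga code: it reads such text and reports areas that are not set to message-digest authentication, treating Integer and Quad-IP area IDs as the same area. The function names and both sample configurations are constructed, and Quagga ospfd command syntax is assumed.

```python
import ipaddress
import re

NETWORK_RE = re.compile(r"^network\s+(\S+)\s+area\s+(\S+)$")
AREA_AUTH_RE = re.compile(r"^area\s+(\S+)\s+authentication(\s+message-digest)?$")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")


def normalize_area(area_id):
    """Return the Quad-IP form of an area ID given as integer or Quad-IP."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def audit_ospf_text(config):
    """Return a list of (scope, issue) tuples for weak OSPF authentication."""
    used_areas = set()   # areas referenced by "network ... area ..." lines
    area_mode = {}       # area -> "simple" or "message-digest"
    findings = []
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment/separator
        match = INTERFACE_RE.match(line)
        if match:
            current_if = match.group(1)
            continue
        if line.startswith("router "):
            current_if = None  # leaving interface context
            continue
        match = NETWORK_RE.match(line)
        if match:
            used_areas.add(normalize_area(match.group(2)))
            continue
        match = AREA_AUTH_RE.match(line)
        if match:
            mode = "message-digest" if match.group(2) else "simple"
            area_mode[normalize_area(match.group(1))] = mode
            continue
        if current_if and line.startswith("ip ospf authentication-key"):
            # Simple authentication carries the key unencrypted in each packet.
            findings.append((f"interface {current_if}", "simple authentication key"))
        elif current_if and line == "ip ospf authentication null":
            findings.append((f"interface {current_if}", "authentication disabled"))
    for area in sorted(used_areas, key=lambda a: int(ipaddress.IPv4Address(a))):
        mode = area_mode.get(area, "none")
        if mode != "message-digest":
            findings.append((f"area {area}", f"authentication mode is {mode}"))
    return findings


# Constructed sample: area 0 uses simple authentication, area 1 has none.
WEAK_CONFIG = """
interface eth1
 ip ospf authentication-key EXAMPLE-KEY
!
router ospf
 ospf router-id 10.0.66.98
 network 10.0.66.0/24 area 0
 network 10.0.8.0/24 area 0.0.0.1
 area 0.0.0.0 authentication
!
"""

# Constructed sample: both areas use message-digest; ID formats are mixed on purpose.
DIGEST_CONFIG = """
interface eth1
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
router ospf
 ospf router-id 10.0.66.98
 network 10.0.66.0/24 area 0
 network 10.0.8.0/24 area 1
 area 0 authentication message-digest
 area 0.0.0.1 authentication message-digest
!
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("digest", DIGEST_CONFIG)):
        for scope, issue in audit_ospf_text(text) or [("-", "no findings")]:
            print(f"{name}: {scope}: {issue}")
```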


How to Configure RIP Router Setup


After enabling and configuring RIP, set up your RIP router. This article
provides instructions on configuring global settings and network definitions
that are used by RIP to advertise routes.

This tab only has to be configured when RIP has been activated in
the Operational Setup tab by setting the Run RIP Router
parameter to yes. Global RIP settings such as
version, timers and authentication, and the interfaces on
which the RIP process is to run, are specified here.

Related Articles

Dynamic Routing Protocols Overview
How to Install and Configure OSPF/RIP/BGP

To configure RIP Router setup, proceed with the following steps:

From the Configuration menu in the left navigation pane, select RIP Router Setup. In this section, the parameters can be
specified as follows:

RIP Keychains - Key/Key String: To enable RIP authentication, so-called key chains must be introduced. A key chain can
consist of several keys, where each key is identified by a number and a key string (password).
RIP Version - The Barracuda NG Firewall routing service allows usage of both standardized RIP versions RIPv1 or RIPv2.
The following values are thus available for selection:
  Version_1 (classful)
  Version_2 (classless)
RIP Terminal Password - Password to connect via telnet and query status information of the RIP router. The RIP router is
reachable on TCP port 2604 (loopback only). This is mainly useful for debugging purposes. Note that
remote connection to the RIP terminal is not possible.
Privileged RIP Terminal Password - Password to connect via telnet and change configuration of the RIP router (not
recommended since changes made via the terminal are not persistent). Note that remote connection to the RIP terminal is
not possible.
Networks - Route Update Filtering is used to provide Access Control Mechanisms and mechanisms to fine-tune RIP
metrics.
Metric Offsets - Configuring Metric Offsets adds an offset to incoming and
outgoing metrics to routes learned via RIP.
  Update Direction
  Enforced Metric
  ACLs
  Devices
Route In/Out Filters - Route Filters are used to control the advertising and
learning of routes in routing updates. Filters with the
parameter Update Direction set to "in" apply to routes
processed in incoming routing updates. The filter is
matched against the content of the update, not against the
source or destination of the routing update packets.
  Update Direction
  Object Type
  ACLs
  IP Prefix List
  Devices

In the RIP Preferences section, accessible from the Configuration menu, the settings can be specified as follows:

Log Level - Specifies the verbosity of the RIP routing service. Available values are:
  critical
  debugging
  emergencies
  errors
  informational (default)
  notifications
  warnings
  alerts
Use Special Routing Table - By setting this parameter to yes and selecting a table name below, routes learned by the RIP
service are introduced into an own routing table. Note that the routing table is not automatically introduced,
but has to be configured manually by introducing How to Configure RIP Router Setup.
Table Names - A list of policy routing names can be specified here. Routes learned by the routing daemon are
introduced into each of the enlisted routing tables.
Multipath Handling - The following settings are possible:
  ignore - multipath routes will be discarded. RIP summarizes routes to multipath routes
  automatically if more than one next hop to a prefix exists. Use setting ignore with caution.
  assign-internal-preferences - multipath routes will be translated to several routes with
  different metrics (preferences).
  accept-on-same-device - multipath routes will be introduced as multipath if all nexthops are
  reachable on the same interface.
  accept-all (default) - multipath routes will be introduced.

1. Log into the Barracuda NG Firewall.
2. Open the OSPF/RIP Settings page (Config > Full Config > Box > Virtual Servers > your server > Assigned
Services > ospf).
3. Click Lock.
4. Click Send Changes and then Activate.

How to Configure BGP Router Setup


Related Articles

Dynamic Routing Protocols Overview
How to Install and Configure OSPF/RIP/BGP

Requirements

Request or own a unique ARIN registered autonomous system (AS) number for your BGP site.
Know the AS numbers of BGP sites to be connected.
Create an OSPF/RIP/BGP service on the Barracuda NG Firewall. For more information on creating services, see How to
Create a Service.

1. Configure Basic Settings


1. Log into the Barracuda NG Firewall.
2. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > server
name > Assigned Services > service name (OSPF-RIP-BGP-Service) > OSPF/RIP/BGP Settings).
3. Enable BGP (If you are not using OSPF and RIP, disable them).
4. From the Operation Mode drop down field, select one of the following options according to your
requirements:
a. advertise-only - Networks are only advertised.
b. learn-only - Only networks on the interfaces that are configured for OSPF/RIP/BGP are propagated; learned
routes from other systems are still advertised.
c. advertise-learn - Networks are learned and propagated.
5. In the Hostname field, enter the hostname of the BGP router.
6. In the Router ID field, enter the IP address of the BGP router. You can enter any address from your ARIN
range. Usually, the first or last IP address in the subnet is used. You must also add this IP address as an additional
IP address in the Virtual Server Properties on the Barracuda NG Firewall, as described later in Step 6 of the
configuration.
7. Click Send Changes and then click Activate.

2. Configure Operational Settings


In the settings for network routes that should be propagated by the BGP router, make sure that you enable the
Advertise Route setting. See How to Configure Direct Routes or How to Configure Gateway Routes.
1. On the OSPF/RIP/BGP Settings page, click BGP Router Setup from the Configuration menu in the left navigation
pane.
2. In the AS Number field, enter the AS number that you received from the ARIN. (This is the number of the
autonomous system that the BGP router belongs to).
3. In the Terminal Password field, specify the password for the connection to the BGP routing daemon
through the command-line interface.
4. In the Networks table, add an entry for the ARIN network and any other network that you want to advertise.
a. Enter a name for the network and click OK. The Network window opens.
b. In the Network Prefix field, enter the network and subnet mask in CIDR notation for the autonomous
system of the BGP router.
c. Click OK.
5. In the Route Distribution Configuration section, enable the network route types to be redistributed by
this BGP router according to your requirements. You can enable the following network routes:
a. Kernel Routes - Kernel network routes will be redistributed.
b. Static Routes - Gateway network routes will be redistributed.
c. Connected Routes - Network routes of directly attached networks will be redistributed.
d. RIP Routes - Network routes learned by the RIP router will be redistributed.
e. OSPF Routes - Network routes learned by the OSPF router will be redistributed.
6. Click Send Changes and then click Activate.

3. Configure BGP Preferences


In most cases, the default BGP preferences are sufficient and do not have to be configured. If you want, you can configure
more detailed logging, special routing tables, and multipath handling.
1. On the OSPF/RIP/BGP Settings page, click BGP Preferences from the Configuration menu in the left navigation
pane.
2. Specify the logging details according to your requirements.
3. Click Send Changes and then click Activate.

4. Add an IP Prefix Filter


1. On the OSPF/RIP/BGP Settings page, click Filter Setup IPv4 from the Configuration menu in the left navigation
pane.
The Barracuda NG Firewall also provides this configuration area for IPv6 addresses. When using IPv6, specify all
settings described in the sections designated for IPv6.
2. In the IPv4 Prefix Filter table, add an entry for the IP prefix filter. Enter a descriptive name, for
example ARIN, and then click OK.
3. In the IPv4 Prefix Filter configuration, enter an optional description. For example, ARIN Range.
4. In the Sequence Number section, click + to add a Sequence Number configuration and specify a unique
identifier number for the prefix list item in the Sequence Number field. For example, 01.
5. In the Network Prefix field, enter the network IP range that you received from the ARIN (in this
example 198.200.200.0/24). Then click OK.
6. Click OK.
7. Click Send Changes and then click Activate.

5. Configure Neighbor Settings


Before you configure the neighbor settings, the network for each provider that participates in BGP routing must be
configured properly. Obtain and carefully verify the default gateway IP address for each provider.


You must only start configuring the neighbor settings on the provider side after you have completed the previous
sections for enabling BGP, configuring the BGP router and adding an IP prefix filter. Otherwise, the BGP routing
infrastructure will dampen any ICMP request and response, and the BGP service will have to be restarted on the ISP
side. This ping dampening will occur whenever the BGP service goes up and down numerous times over a small period
of time.
1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left navigation
pane.
2. In the Neighbors table, add an entry for each provider network:
a. Enter a descriptive name for the network and then click OK. The Neighbors window opens.
b. In the Neighbor IP field, enter the default gateway IP address of the existing provider.
c. From the Enable BGP Routing Protocol Usage list, select yes.
d. In the BGP Parameters section, enter the BGP AS number of the ISP. (Do not enter the customer AS number that was
specified in the BGP router settings.)
e. In the Neighbor Password field, enter the password that should be used to connect to the neighbor peer.
f. Select yes from the Update Source drop down list to enable the Update Source Interface setting.
g. In the Update Source Interface field, enter an IP address from your network that should be used for the BGP session
to this neighbor.
If you only advertise the ARIN route to go to providers (and not the network IP ranges or the ranges of
other ISPs), it is highly recommended that you configure the Peer Filtering for Output settings. Select the Peer
Filter from the IP filter list that you created in the previous section (Add an IP Prefix Filter).
h. Click OK.
3. Click Send Changes and then click Activate.

6. Add the IP Address of the BGP Router


You must add the IP address of the BGP router as an additional IP address in the Virtual Server Properties on the
Barracuda NG Firewall. To add the IP address of the BGP router:
1. Open the Server Properties page for your virtual server (Config > Full Config > Box > Virtual Servers > virtual
server > Server Properties).
2. Click Lock.
a. In the Virtual Server IP Addresses section, add an entry to the Additional IP table.
b. In the Additional IP field, enter the IP address of the BGP Router.
c. From the Reply to Ping list, select yes.
d. You can enter an optional description.
e. Click OK.
3. Click Send Changes and then click Activate.

7. Create a Firewall Rule for BGP Router Communication


To allow communication with other BGP routers, introduce a host firewall rule that allows network traffic through TCP port
179. For more information on creating firewall rules, see Firewall Rules.

Administrating BGP Routers from the Command Line


The BGP routing daemon for the Barracuda NG Firewall is based on the Quagga Software Routing Suite. You can configure
and administrate the BGP router from the Barracuda NG Firewall command-line interface.
1. Open the Command-Line Interface.
2. Enter vtysh to launch the configuration tool.


How to Configure Network Interfaces for OSPF and RIP

This article provides information on how to configure the parameters for
the Network Interfaces Configuration section within the OSPF/RIP
Settings of the Barracuda NG Firewall.
In the Network Interfaces Configuration section, interface specific
parameters of the routing protocols are configured (This applies to
OSPF and RIP).


1. Log into the Barracuda NG Firewall.


2. Open the OSPF/RIP/BGP Settings page (Config > Full
Config > Box > Virtual Servers > <your
Server> > Assigned Services > ospf).
3. Click Lock.
4. From the Configuration menu in the left navigation pane,
select Network Interfaces. In this section, the parameters can be
specified as follows:

Section Network Interfaces Configuration

Load Interface Info - If set to yes, the list of available interfaces is loaded after execution of Send Changes.
Interfaces - See Interface list (Available Interfaces).

Shared Interfaces Configuration


Shared interfaces can be edited by double clicking or added by using the + icon.

Interface Description - Informational text field.


Apply to Interface - Specifies the network interface to which the following settings apply.
Activate Config for - Specifies the routing protocols for which the settings should be activated on this interface. Possible
settings are OSPF, RIP or OSPF+RIP.
Passive Interface - On a passive interface the routing protocol does not send Hello packets. The network configured for
this interface is still advertised. An interface is active by default (setting: No).
Parameter Template - References templates for this interface.

OSPF Specific Parameters

Network Type - Type of network. Ethernet is normally broadcast. Sometimes there may be a need to use point-to-point
for Ethernet-Links, for example when there is only a /30 subnet. Type non-broadcast is needed to propagate OSPF over a
VPN tunnel.
Bandwidth [kBit/s] - Bandwidth of the interface. Configuration is highly recommended since this information cannot be
determined automatically. This setting is used by OSPF to calculate the metric.
Interface Addresses - By specifying an Interface Address the configuration only applies to a single OSPF network. This
parameter can be useful in multinet environments. Otherwise the parameters apply to all OSPF networks on the given
interface.
Parameter Template for Address - References templates for this interface.


RIP Specific Parameters

Enable Split Horizon - Split Horizon is a mechanism used by RIP to reduce the possibility of routing loops. By enabling
this parameter (default: yes), routes learned from a specific interface are not re-advertised on this interface.
Enable Poisoned Reverse - This technology is an extension to Split Horizon. By enabling this setting (default: no), routes
learned from a specific interface are re-advertised on this interface but the metric is set to infinity (16).

Section Available Interfaces


This section displays a read-only list of the available network interfaces. Available interfaces can be edited by double clicking
or added by using +.

Section Parameter Template Configuration


Shared interfaces can be edited by double clicking or added by using the + icon.

OSPF Parameters

Authentication Type - Authentication for neighbours on specified interface. Either no authentication (default: null),
simple authentication as specified in RFC1583 or the cryptographic authentication digest-MD5 (RFC2328) can be used.
Simple Authentication Key - Password for simple authentication. This value only has to be specified with
Authentication type set to simple.
Digest Authentication Key - Password for digest authentication. This value only has to be specified with
Authentication type set to digest-MD5.
Message Digest Key ID - Key for digest authentication. This value only has to be specified with Authentication type
set to digest-MD5.
OSPF Priority - Set to a higher value, the router will be more eligible to become a Designated Router or a Backup
Designated Router. Set to 0, the router is no longer eligible to become a Designated Router. Default: 1.
OSPF Dead Interval - Seconds for timer value used for Wait Timer and Inactivity Timer. This value must be the same for
all routers attached to a common network.
OSPF Hello Interval - Time to wait between OSPF "hello" messages to neighbours (sec). This value must be the same for
all routers attached to a common network.
OSPF Retransmit Interval - Minimum time waited between retransmissions (sec).
OSPF Transmit Delay - Sets number of seconds for InfTransDelay value. The InfTransDelay parameter defines the
estimated time required to send a link-state update packet on the interface.

RIP Parameters

Authentication Type - Authentication for neighbours on specified interface. Either no authentication (default: null), text
authentication or the cryptographic authentication digest-MD5 (RFC2082) can be used.
RIP Key Chain - The pull-down menu displays the configured key chains (see: How to Configure RIP Router Setup) and
allows selection of a key chain which is used for authentication.
RIP Text Secret - Specifies the text secret used for authentication purposes. Note that the value specified here always
takes precedence over the RIP Keychains settings.
Send Protocol - Configures protocol types for transmission. Possible values are Version_1, Version_2 or Version_1+2.
Receive Protocol - Configures protocol types for reception. Possible values are Version_1, Version_2 or Version_1+2.

Neighbor Setup


For connectivity issues it is sometimes recommended to set the neighbours statically.


1. From the Configuration menu in the left navigation pane, select Neighbor Setup.
2. To add an entry, click +.
3. Enter a descriptive name and click OK... to open the configuration window.
4. In this section, the parameters can be specified as follows:
a. Neighbor IP - IP address of the neighbor to exchange routing information with.
b. Active - Set to no if you want to disable this neighbor configuration.
c. Routing Protocols - Specifies which routing protocols should be exchanged with this neighbor. Possible
values are OSPF, RIP or BGP.
d. Neighbor Priority - This parameter influences the Designated Router election. Set to a higher value, the
router will be more eligible to become a Designated Router. Set to 0, the router is no longer eligible to
become a Designated Router or a Backup Designated Router. Default: 1.
e. Dead Neighbor Poll Interval - Seconds between two neighbor probings.
5. Click OK.
6. Click Send Changes and then Activate.


How to Configure Filter Setup for OSPF and RIP

This article explains how to set up filters for OSPF and RIP. A filter is
required, for example, when redistributing routes from one protocol to
another. Route maps can be used to modify routing information. In route
maps, the filter is applied to match the routes. Some set actions can be
applied to the matching routes.

Example: The RIP learned route 10.0.0.0/24 with metric 4 hops should
have metric 6 instead. The match condition in the route map must be a
filter matching 10.0.0.0/24 and the set condition must be metric 6.

When applying route filters in the RIP or OSPF section, only ACLs or
Prefix-lists but no route maps are needed.

This dialog is restricted to basic ACLs. Extended ACLs must be configured in the Text Based Configuration tab.

To configure OSPF/RIP Filter setup, proceed with the following steps:


From the Configuration menu on the left, select Filter Setup. In this section, the parameters can be specified as
follows:

Access List Filters

This section allows the definition of filters which can be referenced within the OSPF Area Setup
(see: How to Configure OSPF Routers and Areas) and within the RIP Route Update Filtering section (see: How to Configure
RIP Router Setup).

Name - This is the ACL name / ID.
Description - A short description of the ACL.
Network Prefix - Network/Netmask. Enter this address in Inverted CIDR Notation. This address will be converted to
Cisco notation for the config file.
Type - Specifies if the traffic is allowed or blocked: permit (default) / deny

Route Map Filters

Route maps are used to control and modify routing information that is exchanged
between routing domains.

Name - This is the Route Map Name.
Route Map Configuration - A short description of the route map.

OSPF Specific Conditions

Sequence Number - Unique identifier for a route map entry.
Type - Action for route map: permit (default) / deny
Match Condition - The route map entry matches when the route matches the configured criteria or filter:
ACL (default), PREFIXLIST, Gateway-IP, Interface-Name.
ACL Name - Name of ACL defined in the Access-Lists section above.
IP Prefix List - Name of IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP
Prefix List Filters.
Gateway IP - IP of the Next Hop in the route.
Out Interface Name - See interfaces to gain available interface names.
Set Action - Defines action to set: Metric / Metric-Type
Set OSPF Metric - Set metric for route map.
Set OSPF External Metric - Set external metric-type for route map.


RIP Specific Conditions

Sequence Number - Unique identifier for a route map entry.
Type - Action for route map: permit (default) / deny
Match Condition - The route map entry matches when the route matches the configured criteria or filter:
ACL (default), PREFIXLIST, Gateway-IP, Interface-Name, Metric.
ACL Name - Name of ACL defined in the Access-Lists section above.
IP Prefix List - Name of IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP
Prefix List Filters.
Gateway IP - IP of the Next Hop in the route.
Out Interface Name - See interfaces to gain available interface names.
Match Metric - Defines when a route map is used.
Set Action - Defines action to set: Next Hop / Metric
Set RIP Metric - Set metric for route map.
Set RIP Next-Hop IP - Set next-hop IP address.

IP Prefix List Filters

Prefix lists are easier to understand for route-filters than ACLs. Example for IP
prefix list filter usage:

Deny default route 0.0.0.0/32 - Network Prefix: 0.0.0.0/32; Type: deny; Extent Type: none
permit prefix 10.0.0.0/24 - Network Prefix: 10.0.0.0/24; Type: permit; Extent Type: none

Name - This is the name of the IP prefix list.

IP Prefix List Configuration

Description - A short description of the IP prefix list.
Sequence Number - Unique identifier for a prefix list item.
Network Prefix - Network/Netmask
Type - Action for prefix term: permit / deny
Extent Type - Matching condition: none (default), greater-than, less-than
Prefix Length - Minimum or maximum prefix length to be matched.

1. Log into the Barracuda NG Firewall.
2. Go to the Config > Full Config page.
3. From the Config Tree, expand Box > Virtual Servers > <your Server> > Assigned Services > <servicename> (ospf).
4. Open the OSPF/RIP Settings object by double clicking it.
5. In the upper right of the page, click Lock.
6. Click OK to confirm your settings.
7. In the upper right of the page, click Send Changes and then click Activate.
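The first-match logic behind the IP prefix list and route map settings above, and behind the ARIN output filter recommended in the BGP neighbor settings, as an added example (not Barracuda or Quagga code). It assumes Quagga-style evaluation (ascending sequence number, first match wins, implicit deny at the end) and that the Extent Type values greater-than and less-than correspond to Quagga's ge and le; all class and function names are hypothetical and the candidate routes are constructed.

```python
# Added example: first-match evaluation of IP prefix lists and route maps.
# Assumption: Quagga-style semantics (ascending sequence, first match wins,
# implicit deny when nothing matches). All names here are hypothetical.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    metric: int = 1


@dataclass(frozen=True)
class PrefixEntry:
    seq: int                       # Sequence Number
    action: str                    # Type: "permit" or "deny"
    network: str                   # Network Prefix
    extent: str = "none"           # Extent Type: none / greater-than / less-than
    length: Optional[int] = None   # Prefix Length (used with an extent type)

    def matches(self, prefix: str) -> bool:
        net = ipaddress.ip_network(self.network)
        cand = ipaddress.ip_network(prefix)
        if cand.version != net.version or not cand.subnet_of(net):
            return False
        if self.extent == "none":          # exact prefix and exact length only
            return cand.prefixlen == net.prefixlen
        if self.length is None:
            raise ValueError("extent type needs a prefix length")
        if self.extent == "greater-than":  # assumed equivalent of "ge"
            return cand.prefixlen >= self.length
        if self.extent == "less-than":     # assumed equivalent of "le"
            return cand.prefixlen <= self.length
        raise ValueError(f"unknown extent type: {self.extent}")


def prefix_list_permits(entries: Sequence[PrefixEntry], prefix: str) -> bool:
    """First matching entry decides; no match at all means deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(prefix):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    action: str                                      # "permit" or "deny"
    match: Optional[Tuple[PrefixEntry, ...]] = None  # None = no match condition
    set_metric: Optional[int] = None


def apply_route_map(entries: Sequence[RouteMapEntry], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route, or None if it is filtered out."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match is not None and not prefix_list_permits(entry.match, route.prefix):
            continue                      # entry does not match, try the next one
        if entry.action == "deny":
            return None
        if entry.set_metric is not None:
            return replace(route, metric=entry.set_metric)
        return route
    return None                           # implicit deny


def advertised(prefix_list: Sequence[PrefixEntry], prefixes: Sequence[str]) -> list:
    """Prefixes that an output peer filter would let through."""
    return [p for p in prefixes if prefix_list_permits(prefix_list, p)]


# Output filter from the BGP section: name ARIN, sequence 01, 198.200.200.0/24.
ARIN = (PrefixEntry(1, "permit", "198.200.200.0/24"),)
# Same range, but also accepting more specific prefixes up to /25.
ARIN_LE25 = (PrefixEntry(1, "permit", "198.200.200.0/24", "less-than", 25),)
# Constructed candidate routes, including ones that must never leak to an ISP.
CANDIDATES = ["198.200.200.0/24", "198.200.200.128/25", "198.200.200.192/26",
              "10.0.0.0/24", "0.0.0.0/0"]

# Route map from the filter example: RIP route 10.0.0.0/24 gets metric 6.
TEN_NET = (PrefixEntry(1, "permit", "10.0.0.0/24"),)
METRIC_ONLY = (RouteMapEntry(10, "permit", match=TEN_NET, set_metric=6),)
METRIC_AND_PASS = METRIC_ONLY + (RouteMapEntry(20, "permit"),)

if __name__ == "__main__":
    print("ARIN filter:", advertised(ARIN, CANDIDATES))
    print("ARIN le 25 :", advertised(ARIN_LE25, CANDIDATES))
    for rm_name, rm in (("metric only", METRIC_ONLY), ("metric + pass", METRIC_AND_PASS)):
        for r in (Route("10.0.0.0/24", 4), Route("192.168.10.0/24", 2)):
            print(rm_name, r, "->", apply_route_map(rm, r))
```

With only the metric entry in the route map, every other RIP route is dropped by the implicit deny; the trailing permit entry without a match condition is what keeps them.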


How to Configure EBGP Multihop Routing


To allow connections between BGP neighbors that are not directly connected to each other, you can configure EBGP
multihop routing with either a route map or static routes. This article provides example scenarios and step-by-step
instructions for configuring EBGP.

Choosing to Use a Routing Map or Static Routes


There are different scenarios which may require the implementation of EBGP multihop routing - for example, as illustrated in
the following diagrams:

Scenario 1 - A BGP peer runs on a loopback address that is externally unreachable. This can be required if the other IP
addresses of the system are dynamically changeable.

Scenario 2 - The BGP peer (router R1) is located in an external network.

For both scenarios, you can configure EBGP multihop routing with either a route map or static routes:

Route Map - If you do not require load balancing over more than one router, using a route map is the simplest way of
configuring EBGP. You only need to configure the BGP neighbor and do not need to introduce additional routes. All routes
learned by router R1 (as configured in Scenario 2) are directed over one gateway. However, this setup can prolong traffic
from routes whose next hop would initially have been directly reachable from router R0, and load balancing over more
than one router is no longer possible.
Static Routes - For arriving routes without a directly reachable next hop, configure static routes. You only need to
configure the neighbor once for EBGP multihop routing and do not need to change any other BGP configurations. Routes
received via next hop can be analyzed. However, you must also set up a new next hop, and the routing table for the kernel
becomes more complicated.

Complete the steps in the following sections to configure EBGP multihop routing with either a route map or static routes,
depending on your network architecture. The sections provide examples of how to configure EBGP multihop routing for
Scenario 2, as illustrated in the above diagram. BGP peer R1 in an external network is configured on router R0.


Configuring EBGP with a Route Map


This example procedure configures a route map to modify all routes arriving from router R1 so that the next hop is changed
to the IP address of the gateway for router R0. This gateway is always directly reachable from R0 and then autonomously
forwards data traffic to router R1.

1. Introduce a Route Map


Introduce a route map to modify routes arriving from R1 so that the next hop is set to the gateway of R0.
1. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your
server > Assigned Services > OSPF-RIP-BGP Service).
2. From the Configuration menu in the left navigation pane, click Filter Setup IPv4.
3. Click Lock.
4. In the Route Maps IPv4 table, click + to add an entry for the route map.
5. Enter a name for the route map and then click OK.
6. In the BGP Specific Conditions table, click + to add an entry for the BGP settings.
7. In the Route Map Entry window, specify the following settings and then click OK:
a. Sequence Number - Enter a unique number for the route map entry.
b. Type - Select permit.
c. Match Condition - Select None to specify that all routes must be modified.
d. Set Action - Select Next_Hop.
e. Set Next-Hop IP - Enter 10.0.0.1, the gateway address.
8. In the Route Maps window, click OK.
9. Click Send Changes and then click Activate.

2. Configure Neighbor Settings


Configure EBGP in the neighbor settings for R1.
1. On the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4 from the Configuration menu in the left
navigation pane.
2. Click Lock.
3. In the Neighbors table, click + to add an entry for the neighbor settings.
4. Enter a name for the neighbor settings and then click OK.
5. In the Usage and IP section of the Neighbors window, specify the following settings:
Neighbor IPv4 - Enter 10.1.0.2.
BGP Routing Protocol Usage - Select yes.
6. In the BGP Parameters section, specify the following settings:
AS Number - Enter 200.
Update Source - Select Address.
Update Source IPv4 Address - Enter 10.0.0.2.
7. To add a new route map, click Set next to Peer Filtering For Inputs.
8. In the EBGP MultiHop field, you can specify the maximum allowed next hop distance to the neighbor. For
example, 20.
9. After you specify all of the required settings in the Neighbors window, click OK.
10. Click Send Changes and then click Activate.

Configuring EBGP with Static Routes


This example procedure configures the neighbor settings for router R1 and introduces two routes:

A static route over the gateway of router R0 to the network of router R1.
A direct route to the network of router R1.


1. Configure Neighbor Settings


Configure EBGP in the neighbor settings for R1.
1. Open the OSPF/RIP/BGP Settings page (Config > Full Config > Box > Virtual Servers > your
server > Assigned Services > OSPF-RIP-BGP Service).
2. From the Configuration menu in the left navigation pane, click Neighbor Setup IPv4.
3. Click Lock.
4. In the Neighbors table, click + to add an entry for the neighbor settings.
5. Enter a name for the neighbor settings and then click OK.
6. In the Usage and IP section of the Neighbors window, specify the following settings:
Neighbor IPv4 - Enter 10.1.0.2.
BGP Routing Protocol Usage - Select yes.
7. In the BGP Parameters section, specify the following settings:
AS Number - Enter 200.
Update Source - Select Address.
Update Source IPv4 Address - Enter 10.0.0.2.
8. In the EBGP MultiHop field, you can specify the maximum allowed next hop distance to the neighbor. For
example, 20.
9. After you specify all of the required settings in the Neighbors window, click OK.
10. Click Send Changes and then click Activate.

2. Execute a Next Hop Lookup


Assuming that a route arrives at 192.168.0.0/24 with the next hop 10.1.0.2, execute a next hop lookup for R1 (10.1.0.2). The
lookup should provide the IP address of the gateway for R0 (10.0.0.1) and the interface port1.

3. Configure a Static Route


Introduce a static route over the gateway of R0 to the network of R1. Use the following settings:

Target Network Address: 10.1.0.2/32


Route Type: gateway
Gateway: 10.0.0.1

For more information, see How to Configure Gateway Routes.

4. Configure a Device Route


To introduce the route that was learned over BGP, you must configure a direct route with the following settings:

Target Network Address: 10.1.0.2/32


Route Type: directly attached network
Interface Name: port1

For more information, see How to Configure Direct Routes.

Whenever a route with an unknown next hop is received, you must execute a next hop lookup, configure a static route,
and then configure a device route. Use the example steps from above.


How to Configure Dynamic BGP Routing over VPN

This article applies to Barracuda NG Firewall version 5.2.6 or higher.
With the Barracuda NG Firewall, BGP routing and communication can be carried out over VPN. To configure BGP over VPN,
configure the VPN interface, site-to-site VPN, and BGP router. Then create inbound and outbound host firewall rules to allow
traffic from the Internet to be directed to your network over TCP port 179 (BGP).

Prerequisites
Before configuring BGP over VPN, you must:

Create and configure the VPN service. For more information, see How to Create a Service.
Register with the ARIN to obtain an AS number and be assigned a network range.

1. Add a VPN Interface


Add a VPN interface and introduce the BGPVPN network prefix from where all participating VPN servers gather their IP
addresses.
1. Log into the Barracuda NG Firewall.
2. Open the VPN Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned
Services > VPN-Service).
3. Click Lock.
4. Under the Settings tab, click Click here for Server Settings.
5. Click the Advanced tab.
6. In the VPN Next Hop Interface Index Configuration table, add the VPN interface.
7. In the VPN Interface Properties window, configure the following settings and then click OK:
In the VPN Interface Index field enter a number from 0-999.
In the IP Addresses field, enter an IP address from the implemented BGPVPN network. The netmask is mandatory (for
example, 192.168.20.0/24).
8. In the Server Settings window, click OK.
9. Click Send Changes and then click Activate.

2. Introduce the VPN Interface IP Address


Introduce the IP address of the VPN interface as a virtual server IP address.
1. Open the Server Properties page (Config > Full Config > Box > Virtual Servers > your virtual server).
2. Click Lock.
3. In the Additional IP table, add the IP address of the VPN interface.
4. Click Send Changes and then click Activate.


3. Specify the VPN Interface in the Site-to-Site VPN Settings


Before you begin, configure the site-to-site VPN tunnel according to your requirements. For more information, see How to
Create a TINA VPN Tunnel between Barracuda NG Firewalls.
Then specify the new VPN interface:
1. Open the Site to Site page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned
Services > VPN-Service > Site to Site).
2. Click Lock.
3. Under the TINA Tunnels tab, either double-click the VPN tunnel or right-click it and select Show/Edit.
4. Click the Remote Networks tab.
5. Enter the VPN interface index number that you defined in the VPN Next Hop Interface configuration.
6. Click OK.
7. Click Send Changes and then click Activate.

4. Configure the BGP Router


Configure the BGP router according to your requirements. In the neighbor settings, make sure that you specify the IP
addresses of the neighbors that should be reachable via VPN. For more information, see How to Configure BGP Router
Setup.

5. Create the Host Firewall Rules


Make sure that an Inbound firewall rule and an Outbound firewall rule have been created to allow traffic from the Internet to
be directed to your network over TCP port 179 (BGP).
To create these firewall rules:
1. Open the Host Firewall Rules page (Config > Full Config > Box > Infrastructure Services).
2. Click Lock.
3. Click the Inbound tab and then create a firewall rule with the following settings:
Action: Pass
Source: World (0.0.0.0/0)
Service: TCP 179
Destination: Server IPs
4. Click the Outbound tab and then create a firewall rule with the following settings:
Action: Pass
Source: Server IPs
Service: TCP 179
Destination: World (0.0.0.0/0)
5. Click Send Changes and then click Activate.

Additional Information
In addition to the vpn* interfaces, there should now exist a vpnr* interface to which an IP address out of the
BGPVPN-network is assigned. Verify this on the Control > Network > Interfaces > IPs page. Routes that have been
learned from BGP via VPN should now be introduced to the kernel routing table and routed through vpnr*. For more
information about the vpnr* interfaces, use the command: ktinactrl rdev show (see also: ktinactrl).


How to Configure Route-Based IPsec VPN and BGP

This article applies to Barracuda NG Firewall version 5.2.6 or higher.
IPsec VPN can be configured using either a policy-based or a route-based setup. The policy-based setup uses fixed encryption
domains where you define the networks on both sides in both IPsec configurations. A specific SA (Security Association)
is set up for these networks to communicate. The route-based setup uses a VPN interface for each VPN tunnel. All data
routed towards this interface is encrypted and sent to the other side. Routing of the networks can be done statically or
dynamically.
Setup Example
In the setup, a transit LAN is created between the Barracuda NG Firewall and the device on the other side. This network is
typically very small and contains only the two IPsec hosts. BGP is negotiated between those two IPs and new routes for each
network are sent over to the other side.

In this example the BGP AS details and networks were provided by the cloud provider. In other cases this can be negotiated
between both sides.

Configure the VPN Interfaces


Configuration of the VPN interfaces for each VPN tunnel can be done in the VPN Settings:
1. Open the VPN Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned
Services > VPN-Service).
2. Click Lock.
3. Open the Click here for Server Settings link and click the Advanced tab.
4. In the VPN Next Hop Interface Configuration section, click + to add the interface, enter the correct IP address for
this side of the tunnel and adjust the MTU if required.
5. Click Send Changes and then click Activate.


IPsec Configuration
First, you have to create the IPsec tunnel (see: How to Create an IPsec VPN Tunnel between the Barracuda NG Firewall and a
pfSense Firewall). The IPsec configuration in this case is similar to a policy based VPN. You still need to enter a network on
both sides but this can be the transit LAN and the same on both sides.

However, the difference is that the policy-based routing is configured in the Advanced tab of the tunnel settings. In this tab
you configure the VPN interface as you configured it in the VPN settings and you define the next hop router in the transit
LAN for this configuration.


To validate that the tunnel is up and running and interfaces are valid you can check in Control > Network and
the VPN > Site-to-Site tab.

BGP Configuration
For BGP, you need to agree with the other side on negotiation details. In the BGP settings, you must enable BGP and then
configure the BGP Router and Neighbor settings.
Once this is set up, you can connect on the CLI to the Quagga router on port 2065. You are asked for a password
and can then see the live BGP configuration. Be aware that you can also change this configuration; however, after a reload
of the configuration your changes can be overwritten by Barracuda NG Admin. For more information,
see: http://www.nongnu.org/quagga/docs/docs-info.html.


Example for OSPF and RIP Configuration


The following description is meant to point out a convenient way for OSPF and RIP configuration on a Barracuda NG Firewall.
The example assumes that a Barracuda NG Firewall is added to a network already configured for OSPF.


Network Setup
Four routers are appointed to learn routes from OSPF and RIP "Clouds". Router 1 and router 2 are both attached to LAN
segment 62.99.0.0/24 and belong to OSPF Area 0. Router 3 is attached to LAN segment 194.93.0.0/24 serving as OSPF
router in OSPF Area 1 and as RIP router for RIP Cloud 2. Router 4 is a sole RIP router attached to LAN segment 194.93.0.0/24.
Two further networks 192.168.10.0/24 and 192.168.11.0/24 live in RIP Cloud 2.
Example setup for OSPF and RIP configuration:

Router 1 OSPF learned networks from OSPF Cloud 1:

62.99.0.0/24

Router 2 OSPF learned networks from OSPF Cloud 1:

62.99.0.0/24


Router 3 RIP and OSPF learned networks from OSPF and RIP Cloud 2:

194.93.0.0/24 192.168.10.0/24 192.168.11.0/24

Router 4 RIP learned networks from RIP Cloud 2:

194.93.0.0/24

OSPF Basic Setup


The network is already configured for OSPF. Several destinations are reachable through multiple paths. The newly installed
Barracuda NG Firewall should participate in the routing and load-sharing is to be used.

Step 1: Install the OSPF/RIP Service


For more information on how to setup a virtual service, see: How to Create a Service.

Step 2: Add the Network Interfaces Speaking OSPF to the Server Properties
OSPF is spoken on two interfaces linking to the following networks: eth1 (62.99.0.0/24) and eth2 (194.93.0.0/24).
Configuring of addresses in the Server Properties:

Step 3: Configure OSPF Routing Settings


Operational Setup


The Barracuda NG Firewall is configured to operate as a "normal" router. The operation mode is set to "active-passive" (that is,
advertise-learn). By this means, all routes are learned and forwarded. Setting a Router ID is mandatory. It is important for
easily identifying LSAs during troubleshooting.

OSPF Router Setup


Specify a Terminal Password and a Privileged Terminal Password. These passwords are needed to access the
routing engine directly via telnet. Setting Auto-Cost Ref Bandwidth to 10000 yields more granular costs in LAN
environments. The cost is calculated as ref-bandwidth divided by intf-bandwidth (MBit/s). In the example, a 1 GBit link would
have a cost of 10 (10000/1000).


Specify the interfaces where OSPF should be enabled and where adjacencies should be built through the Network Prefix
parameter. In the example, the Barracuda NG Firewall is made an Area Border Router (ABR) with interfaces in Area 0 and
Area 1. The network 62.99.0.0/24 is part of Area 0; the network 194.93.0.0/24 is part of Area 1.

Step 4: Send Changes and Activate the configuration


The basic OSPF setup is complete. The routes learned through OSPF can now be viewed in the Barracuda NG Firewall's
routing table:


To see more detailed information about the OSPF service, you can also connect to the Quagga engine itself with a
telnet to localhost:2604 at the Command Line Interface. This mode can also be used for debugging purposes. If needed,
see www.quagga.net for information about the Quagga Routing Suite. The following listing shows the Quagga engine
output of the commands sh ip ospf neigh and sh ip ospf route.

[root@NF1:~]# telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is quagga (version 0.96.5).
Copyright 1996-2002 Kunihiro Ishiguro.
User Access Verification
Password:
NF1> en
Password:
NF1# sh ip ospf neigh
Neighbor ID     Pri  State        Dead Time  Address       Interface          RXmtL RqstL DBsmL
192.168.254.3     1  Full/DR      00:00:35   194.93.0.254  eth2:194.93.0.105      0     0     0
192.168.254.2     1  Full/DR      00:00:33   62.99.0.253   eth1:62.99.0.105       0     0     0
192.168.254.1     1  Full/Backup  00:00:35   62.99.0.254   eth1:62.99.0.105       0     0     0
NF1# sh ip ospf route
============ OSPF network routing table ============
N    62.99.0.0/24          [1000] area: 0.0.0.0
                           directly attached to eth1
N    192.168.1.0/24        [1010] area: 0.0.0.0
                           via 62.99.0.253, eth1
D IA 192.168.10.0/23       Discard entry
N    192.168.10.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.11.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.12.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.254.1/32      [1001] area: 0.0.0.0
                           via 62.99.0.254, eth1
N    192.168.254.2/32      [1001] area: 0.0.0.0
                           via 62.99.0.253, eth1
N    192.168.254.3/32      [1001] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    194.93.0.0/24         [1000] area: 0.0.0.1
                           directly attached to eth2
============ OSPF router routing table =============
R    192.168.254.1         [1000] area: 0.0.0.0, ABR, ASBR
                           via 62.99.0.254, eth1
R    192.168.254.2         [1000] area: 0.0.0.0, ABR
                           via 62.99.0.253, eth1
R    192.168.254.3         [1000] area: 0.0.0.1, ABR, ASBR
                           via 194.93.0.254, eth2
============ OSPF external routing table ===========
N E1 10.0.84.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 28.235.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 38.232.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 38.232.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 56.47.0.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 56.47.1.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 79.29.0.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 79.29.1.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 123.43.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 123.43.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 134.46.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 134.46.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1

Redistribution of Connected Networks to OSPF


Proceed as follows to configure redistribution of connected networks:
1. Log into the Barracuda NG Firewall.
2. Go to the Config > Full Config page.
3. From the Config Tree, expand Box > Network.
4. From the Configuration menu on the left, select IP Configuration.
5. In the upper left of the page, click Lock.
6. Set the parameter Advertise Route to yes.
7. Click Send Changes and then Activate.

Step 6: Configure Route Redistribution


Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the
example, the following values are specified for the available parameters:

With these configuration settings, all networks connected to the Barracuda NG Firewall will be redistributed to OSPF with a
cost of 10 and Metric-type External 1.

Injecting the Default Route to OSPF


Step 7: Activate OSPF Advertising
Static routes, too, are only advertised via OSPF when the Advertise Route option is set in the network configuration.
This should already have been done in the steps described in Step 6.

Step 8: Configure Default Route Redistribution


Default Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the
example, the following values are specified for the available parameters:


With these configuration settings, the default route (if configured) will be redistributed to OSPF with a cost of 10 and
Metric-type External 1. If a default route should always be distributed, whether one is configured or not, set parameter
Originate Always to yes.

OSPF Multipath Routing


Multipath routing is configured in the OSPF Routing Settings OSPF Preferences view. Three options are available for
Multipath Handling:

ignore - No Multipath routing is used; learned Multipath routes are ignored.


assign internal preferences - The metric of every equal cost route is translated to different values - load-sharing is not
used. Additional routes are only used as backup.
accept on same device - Multipath routing is enabled but it is only available when the routes are learned on the same
interface.

The example configuration uses the setting accept on same device.

OSPF Link Authentication


Two methods for OSPF authentication exist:

Authentication in an Area
Authentication on a Link

Area authentication is configured within the OSPF Area Setup. For Link Authentication first a parameter template has to be
created, and then a reference to this template has to be established. The example uses Link Authentication. Authentication
configuration is done in the Network Interfaces section of the OSPF Routing configuration. Proceed as follows to configure
Link Authentication:

Step 9: Configure a Parameter Template


Open the Network Interfaces section and click the Insert button in the Parameter Template Configuration section to create
a new parameter template.
The following values are defined in the example: MD5 Authentication usage with key ID 1 and authentication key
Barracuda.


Step 10: Create a Reference to the Parameter Template


Click the Insert button in Network Interface > Interfaces (Network Interfaces view) to configure link authentication on
an interface. The example defines the following values:

All other routers on this interface must have the same settings. Otherwise, adjacency cannot be established.
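
How the MD5 link authentication configured above is checked on the wire, as an added example that is not part of the Barracuda documentation or the Quagga code: each OSPF packet carries the key ID and a digest computed over the packet plus the shared key (RFC 2328, Appendix D), which is why every router on the interface needs the same key ID and key. Key ID 1 and the key Barracuda are the page's example values; the router ID, sequence number and Hello fields are constructed.

```python
import hashlib
import hmac
import socket
import struct

DIGEST_LEN = 16  # MD5 digest length, carried in the header as "Auth Data Len"

def pad_key(key: bytes) -> bytes:
    """OSPF MD5 keys are 16 bytes on the wire; shorter keys are zero-padded."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")

def build_hello(router_id, area_id, key_id, seq, key):
    """Build an OSPFv2 Hello (AuType 2) and append its MD5 digest."""
    ip = socket.inet_aton
    # Constructed Hello body: /24 mask, 10 s hello, E-bit, priority 1,
    # 40 s dead interval, DR 194.93.0.254, no BDR, no neighbours listed.
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x02, 1, 40,
                       ip("194.93.0.254"), ip("0.0.0.0"))
    # Header: version 2, type 1 (Hello), length, router ID, area ID,
    # checksum 0 (unused with AuType 2), AuType 2, then the 64-bit auth field.
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, 24 + len(body), ip(router_id),
                         ip(area_id), 0, 2, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(frame, keys, last_seq=0):
    """Receiver-side check: return 'ok' or the reason the packet is dropped."""
    (length,) = struct.unpack("!H", frame[2:4])
    autype, _, key_id, auth_len, seq = struct.unpack("!HHBBI", frame[14:24])
    if autype != 2:
        return "not cryptographic authentication"
    if key_id not in keys or auth_len != DIGEST_LEN:
        return "unknown key ID"
    if seq < last_seq:
        return "stale sequence number"
    packet, digest = frame[:length], frame[length:length + auth_len]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return "ok" if hmac.compare_digest(digest, expected) else "digest mismatch"

# Key ID 1 and key "Barracuda" are the page's example values; the rest is constructed.
FRAME = build_hello("192.168.254.10", "0.0.0.1", 1, 1000, b"Barracuda")
print(verify(FRAME, {1: b"Barracuda"}))   # same template on both ends
print(verify(FRAME, {1: b"barracuda"}))   # key differs on the neighbour
print(verify(FRAME, {2: b"Barracuda"}))   # key ID differs on the neighbour
```

A packet that fails any of these checks is discarded by the receiver, so Hellos are never accepted and the adjacency does not form.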

OSPF Route Summarisation


In large networks it is useful to summarize routes on Area or Autonomous System borders. In the example setup, two
networks live in Area 1: 192.168.10.0/24 and 192.168.11.0/24. The aim is to summarize these two networks to
192.168.10.0/23. The configuration for summarisation of areas is done in the OSPF Area Setup.

Click Insert to create new configuration settings for Area 1. Set the value for Area ID [Int] to 1.
Create a new entry for parameter Summary Range IP/Mask by clicking Insert

A new window opens allowing for configuration of the following values:


Range 192.168.10.0/23 is now going to be advertised as summary route with cost 10. A router in Area 0 is going to create an
entry in its routing table.

SW2#sh ip route 192.168.10.0


Routing entry for 192.168.10.0/23, supernet
Known via "ospf 1", distance 110, metric 1020, type inter area
Last update from 62.99.0.105 on Vlan111, 00:03:46 ago
Routing Descriptor Blocks:
* 62.99.0.105, from 192.168.254.10, 00:03:46 ago, via Vlan111
Route metric is 1020, traffic share count is 1
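
An added check, not part of the Barracuda documentation, that compares a Summary Range with the networks actually present in the area: it reports which networks the range covers, which are still advertised separately, and which parts of the range have no real route behind them (traffic for those ends at the ABR's discard entry, listed as D IA 192.168.10.0/23 in the Quagga route output earlier in this example). The function name and the 192.168.8.0/22 range are assumptions made for the example.

```python
import ipaddress


def check_summary(summary, area_networks):
    """Compare a configured Summary Range with the networks in the area."""
    rng = ipaddress.ip_network(summary)
    nets = [ipaddress.ip_network(n) for n in area_networks]
    covered = [n for n in nets if n.subnet_of(rng)]
    outside = [n for n in nets if not n.subnet_of(rng)]
    # Start from the whole range and carve out every covered network; what is
    # left is advertised by the summary but backed by no real route.
    gaps = [rng]
    for net in covered:
        remaining = []
        for block in gaps:
            if net == block:
                continue                      # block fully accounted for
            elif net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            elif not block.subnet_of(net):
                remaining.append(block)       # unrelated block, keep it
        gaps = remaining
    return {
        "covered": [str(n) for n in covered],
        "advertised_separately": [str(n) for n in outside],
        "unbacked": [str(n) for n in sorted(gaps)],
    }


# Area 1 networks as listed in the page's "sh ip ospf route" output.
AREA1 = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24"]
print(check_summary("192.168.10.0/23", AREA1))  # the page's Summary Range
print(check_summary("192.168.8.0/22", AREA1))   # constructed, too-wide range
```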

RIP Basic Setup


Basic RIP settings are to be configured within the Operational Setup, the RIP Preferences and the RIP Router Setup. In the
example setup, RIP Version 2 is used and multipath routes are discarded. Therefore, the following configuration settings
apply:

Operational Setup - RIP is activated by setting parameter Run RIP Router to yes.
RIP Preferences - Parameter Multipath Handling is set to ignore.
RIP Router Setup - RIP Version 2 is enabled on Network Device eth2 in the Networks section. Redistribution of
connected networks to RIP is configured in the Route Redistribution section. In the example, all connected networks are
redistributed to RIP with a hopcount of 2.


Redistribution Between RIP and OSPF


To implement redistribution between RIP and OSPF the following minimum settings must be configured:
OSPF Router Setup - To redistribute routes learned by RIP insert a new entry in the Route Redistribution Configuration
section.

RIP Router Setup - To redistribute routes learned by OSPF insert a new entry in the Route Redistribution Configuration
section.

How to Enable Debugging for OSPF


On the Barracuda NG Firewall, you can activate debugging for OSPF. This can be useful when a higher verbosity for OSPF
logging is required.
1. In the directory that contains the OSPF configuration files, create a new file named ospf.debug.
   cd /opt/phion/config/active/servers//services/ospf/
   vi ospf.debug
2. In the ospf.debug file, enter the digit 9 as the initial and only value. Then save the file. The OSPF service does not
   have to be restarted. The following entry is generated in the OSPF log file after the file has been saved, indicating a
   changed log level:
   INFO Debug file changed: reloading (9 -> verb: 9, exact: -1)
