Setup Quagga

OMINOUS WARNING:

Warning

This Wiki page is still new, and a work in progress, and the procedures here have not yet been validated for production use. Information here may be misleading or incorrect. Test thoroughly, and contribute your findings.

Quagga on OPNsense

Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPng and BGP-4. For more information about the capabilities of Quagga, please see the official Quagga Routing Software Suite website.

Quagga can be run on OPNsense, but there is no web user interface. All installation and configuration has to be done through the command shell. Installation and initial setup require root privileges. Once Quagga is up and running, root privileges are not required for ongoing configuration.

Prerequisites

The package does not have any GUI integrated into OPNsense.

This document assumes basic knowledge of FreeBSD system administration, as well as knowledge about how to configure OPNsense for SSH access. For learning about these topics, please see the FreeBSD Handbook and the OPNsense User Manual.

This document also assumes knowledge about routing protocols, and how to configure Quagga to the appropriate task desired. For learning about Quagga, please see the Quagga Documentation.

Installing the Quagga package

  1. Connect to the OPNsense console, either locally, over the serial port, or using SSH.
  2. Use the Shell option to get into the command shell by typing 8.
  3. Install quagga using pkg install quagga, as in the section below. Ignore the suggested configuration steps that are shown on the console; they are not correct for OPNsense.

root@example:~ # pkg install quagga
Updating OPNsense repository catalogue...
OPNsense repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        quagga: 0.99.24.1_2

The process will require 6 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Installing quagga-0.99.24.1_2...
===> Creating users and/or groups.
Creating group 'quagga' with gid '101'.
Creating user 'quagga' with uid '101'.
[1/1] Extracting quagga-0.99.24.1_2: 100%
Message for quagga-0.99.24.1_2:
==========================================================
To enable quagga, add the following lines to rc.conf:

defaultrouter="NO"
quagga_enable="YES"

Also, you may wish to set the following options:"
quagga_daemons="zebra bgpd etc..."
quagga_flags="...."
quagga_extralibs_path="... ..."
router_enable="NO"
watchquagga_enable="YES"
==========================================================

Now, determine which Quagga daemons you want to run. Please see the Quagga documentation for the names of the daemons. In this document, we will configure Quagga for OSPF, and will therefore be running the zebra and ospfd daemons. If this does not match your desired setup, please adjust the instructions accordingly.

An easy way to bootstrap Quagga configuration is simply to create empty configuration files for the required daemons, like this:

root@example:~ # cd /usr/local/etc/quagga/
root@example:/usr/local/etc/quagga # touch zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # chmod 600 zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # chown quagga:quagga zebra.conf ospfd.conf
root@example:/usr/local/etc/quagga # ls -al
total 8
drwxr-x---   2 quagga  quagga   512 Sep 15 13:24 .
drwxr-xr-x  27 root    wheel   3072 Sep 14 10:36 ..
-rw-------   1 quagga  quagga     0 Sep 15 13:24 ospfd.conf
-rw-------   1 quagga  quagga     0 Sep 15 13:24 zebra.conf
root@example:/usr/local/etc/quagga #

After this, create a file named /etc/rc.conf.d/quagga with the following content:

quagga_enable="YES"
quagga_daemons="zebra ospfd"

Finally, start the quagga daemons using service quagga start like this:

root@example:~ # service quagga start
Checking zebra.conf
OK
Starting zebra.
Checking ospfd.conf
OK
Starting ospfd.
root@example:~ #

Configuring Quagga

At this point, Quagga is up and running but isn’t actually doing anything. The vtysh tool may now be used to perform configuration of Quagga. Exactly how this works is out of scope of this document - see the Quagga Documentation to learn how to configure and use Quagga.

If you have a multi-user system, and you want other administrators to be able to administer quagga using vtysh, the minimum they need to be granted in order to access vtysh (which gives them full permissions to quagga in the default configuration) is:

  • Via the OPNsense User Manager (System -> User manager) the user needs to be granted the User - System - Shell account access permission.
  • The user needs to be granted membership in the quagga UNIX group. (Note: not an OPNsense group named quagga, but rather the group in the underlying operating system.) A user may be added to the group using the command pw groupmod quagga -m exampleuser. See the manual page for pw(8) for more options.
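
A quick check of the two access controls described above (configuration files private to the quagga user, and membership of the quagga UNIX group), as an added example that is not part of the original wiki page. The function names are hypothetical; the paths, user, group and daemon list are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit Quagga config file permissions and vtysh group access.
# Function names are hypothetical; defaults follow the setup on this page.

# Print one finding per problem with <dir>/<daemon>.conf (no output = clean).
audit_quagga_conf() {
    dir=$1; owner=$2; shift 2
    for daemon in "$@"; do
        f="$dir/$daemon.conf"
        # A symlink or missing file means the daemon is not reading what you expect.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "MISSING-OR-NOT-REGULAR $f"
            continue
        fi
        # Any group/other bit set means the file is looser than mode 600.
        loose=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                          -o -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "$loose" ]; then
            echo "LOOSE-MODE $f"
        fi
        actual=$(ls -ld "$f" | awk '{print $3}')
        if [ "$actual" != "$owner" ]; then
            echo "WRONG-OWNER $f ($actual)"
        fi
    done
}

# Print the supplementary members of <group> from an /etc/group-format file.
# Each listed user can reach vtysh once they also have shell access; the
# daemon user itself (primary GID) does not appear in this field.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# On the firewall itself, using the paths and names from this page:
if [ -d /usr/local/etc/quagga ]; then
    audit_quagga_conf /usr/local/etc/quagga quagga zebra ospfd
    echo "quagga group members: $(group_members quagga)"
fi
```

Run it as root after the initial setup and again whenever a user is added to the group; any output line from audit_quagga_conf is a deviation from the layout shown in the ls -al listing earlier on this page.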

Watchquagga

Quagga includes the watchquagga daemon which will attempt to restart quagga in case of crashes or faults.

A basic (untested) configuration is to put the following in /etc/rc.conf.d/watchquagga:

watchquagga_enable="YES"
watchquagga_flags="-d zebra ospfd"

Don’t forget to start watchquagga using service watchquagga start:

root@example:~ # service watchquagga start
Starting watchquagga.
root@example:~ #

Caveats

  • Quagga is unaware of the OPNsense configuration. Therefore it knows nothing about the OPNsense interface names; you always have to work with the operating system’s device names. These can be seen using the Status -> Interfaces page on the webconfigurator.
  • OPNsense is unaware of Quagga. Therefore, if you perform conflicting configuration on Quagga, OPNsense might clobber it, and vice versa.
  • Configuration backups will not include the Quagga configuration. The appropriate configuration files need to be backed up separately.
  • Appropriate firewall rules need to be installed to permit routing protocol traffic.
  • This Wiki page is still new, and a work in progress, and the procedures here have not yet been validated for production use.