I am trying to configure OSPF between some Cisco CPE routers and two WatchGuards. I have already tried quite a lot of different setups and have even tried changing the network design; unfortunately, every time I get the same result.
Below I have drawn the network design. Generally, I can't access anything that is behind the CPEs. I also have limited configuration options in networks 10 and 11.
As you can see in the figure, the trace from network 2 to 11 goes through R1. So basically the WG R2 has the following routing table:
Destination     Gateway         Genmask           Flags   Metric   Interface
192.168.2.0     0.0.0.0         255.255.255.0     U       0        vlan10
10.0.0.0        172.17.12.1     255.255.255.255   UGH     20       vlan15
172.17.12.0     0.0.0.0         255.255.255.248   U       0        vlan15
172.17.22.0     0.0.0.0         255.255.255.248   U       0        vlan400
192.168.1.0     172.17.12.1     255.255.255.0     UG      20       vlan15
192.168.11.0    172.17.12.1     255.255.255.0     UG      20       vlan15
192.168.10.0    172.17.12.1     255.255.255.0     UG      20       vlan15
From here I can't understand why my router uses this strange path to the 10.0.0.0 and 192.168.10-11.0 networks.
If we check the OSPF results from the same router, we see the following.
============ OSPF network routing table ============
N    172.17.11.0/29        [20] area: 0.0.0.0
                           via 172.17.12.1, vlan15
N    172.17.22.0/29        [10] area: 0.0.0.0
                           directly attached to vlan400
N    172.17.12.0/29        [10] area: 0.0.0.0
                           directly attached to vlan15
============ OSPF router routing table =============
R    172.17.11.1           [20] area: 0.0.0.0, ASBR
                           via 172.17.12.1, vlan15
R    172.17.22.1           [10] area: 0.0.0.0, ASBR
                           via 172.17.22.1, vlan400
R    192.168.1.1           [10] area: 0.0.0.0, ASBR
                           via 172.17.12.1, vlan15
============ OSPF external routing table ===========
N E1 10.0.0.1/32           [2020] tag: 6837
                           via 172.17.12.1, vlan15
N E2 192.168.1.0/24        [10/20] tag: 0
                           via 172.17.12.1, vlan15
N E1 192.168.10.0/24       [2020] tag: 6837
                           via 172.17.12.1, vlan15
N E1 192.168.11.0/24       [2020] tag: 6837
                           via 172.17.12.1, vlan15
Could someone point me in the right direction? It might be a minor thing I have missed, but I can't understand why my WG R2 decides that the path through R1 is better than going directly via CPE2. It is clear for networks 172.17.11.0/29 and 192.168.1.0, but not for the 10th and 11th.
Moreover, when I use auto-cost reference-bandwidth 1000, R1 and R2 swap roles, i.e. R2 sends everything correctly over CPE2, but R1 selects R2 for all destinations behind the CPEs.