uCZBpmK6pwoZg7LR
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Jun 15, 2015 12:23 pm

Mikrotik ROS 7 VPN4 firewall BROKEN

Tue Feb 06, 2024 10:12 am

Hi guys. I think it is time to move this to the public.
We have started to worry about the future of MikroTik. It looks like they have lost their leading developers who understand network technologies.
In October 2023 I reported to MikroTik a problem that VPN4 packets from the MPLS interface to a VRF are marked in the firewall as packets from an unknown interface to an unknown interface. I went through endless discussions and after a while it became even worse. In the current ROS 7 beta such packets are not visible to the firewall at all. It means that if you have these rules in your CPE router:
/ip firewall filter
add action=accept chain=forward comment=ER connection-state=established,related
add action=drop chain=forward log=yes log-prefix=drop
they will be completely ignored, and packets from VPN4 to the VRF will completely bypass the forward rules. It should be noted that in ROS 6 the firewall works fine.


This morning I got an answer from MikroTik support:
> I received information from our specialists that an MPLS packet which should be routed in a VRF is being sent from the VRF interface and is seen in the output chain (not forward).
>
> If you set an output filter you will see the packets.
It quite clearly shows that the person who answered this question has never seen the packet flow diagram or does not understand how packets have to flow ( https://help.mikrotik.com/docs/display/ ... n+RouterOS ). And we have really started to worry about MikroTik's future. Does somebody else have the same issue?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Mikrotik ROS 7 VPN4 firewall BROKEN

Wed Feb 07, 2024 3:43 pm

Thank you very much for your concerns and for bringing this to our attention.

v7 now uses a new Linux kernel with a proper VRF implementation, which of course leads to completely different operating principles. A VRF has its own VRF interface which is used as a loopback for all the traffic that needs to be forwarded to that VRF. When an MPLS packet is sent to the loopback, Linux moves it to LOCAL_OUT with all the consequences.

We have updated the documentation on how a packet is processed when arriving from the MPLS cloud:
https://help.mikrotik.com/docs/display/ ... -MPLSIPVPN

Special care must now be taken when designing the firewall on the PE routers.
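As an added illustration of the point above (example configuration, not from the thread or from MikroTik's documentation): the first post's forward-chain rules, followed by an output-chain counterpart for the MPLS-to-VRF traffic that v7 hands to LOCAL_OUT. The VRF name "cust1" and matching that traffic by out-interface on the VRF interface are assumptions.

```routeros
# Added example; the VRF name "cust1" and the out-interface match are assumptions.
/ip firewall filter
# Forward-chain rules as posted in the first message. On ROS 7 they are not hit
# by VPN4 packets arriving from the MPLS cloud and routed into the VRF.
add action=accept chain=forward comment=ER connection-state=established,related
add action=drop chain=forward log=yes log-prefix=drop
# Step 1: confirm where the packets actually appear (temporary, remove once verified).
add action=log chain=output out-interface=cust1 log-prefix=vrf-out \
    comment="verify MPLS->VRF packets show up in output"
# Step 2: mirror the forward policy in the output chain for traffic leaving via the
# VRF interface. Router-originated traffic into the VRF (e.g. a routing protocol
# with the CE) also matches here, so accept that explicitly before the drop.
add action=accept chain=output out-interface=cust1 connection-state=established,related
add action=drop chain=output out-interface=cust1 log=yes log-prefix=drop-vrf-out
```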
 
uCZBpmK6pwoZg7LR
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Jun 15, 2015 12:23 pm

Re: Mikrotik ROS 7 VPN4 firewall BROKEN

Thu Feb 08, 2024 9:46 am

> Thank you very much for your concerns and for bringing this to our attention.
>
> v7 now uses a new Linux kernel with a proper VRF implementation, which of course leads to completely different operating principles. A VRF has its own VRF interface which is used as a loopback for all the traffic that needs to be forwarded to that VRF. When an MPLS packet is sent to the loopback, Linux moves it to LOCAL_OUT with all the consequences.
>
> We have updated the documentation on how a packet is processed when arriving from the MPLS cloud:
> https://help.mikrotik.com/docs/display/ ... -MPLSIPVPN
>
> Special care must now be taken when designing the firewall on the PE routers.
So you want to say that up to 7.13 there was the old kernel and in the 7.14 beta there is a new one? And because of this you need to remove functionality which exists in all other router vendors' products?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Mikrotik ROS 7 VPN4 firewall BROKEN

Mon Feb 12, 2024 4:45 pm

The kernel update was in the v7 branch, not between 7.13 and 7.14.
