Search found 19 matches

by heribertos
Thu May 02, 2019 5:17 pm
Forum: Forwarding Protocols
Topic: BGP ECMP (multipathing)
Replies: 36
Views: 12673

Re: BGP ECMP (multipathing)

Sorry for my confusing wording. I think we mean the same. ECMP Route is for me 1 route with multiple gateways, it appears as 1 destination prefix in the table. Of course, those are 2 or more routes, but considered as 1 with respect to administrative distance. With 2 active routes I meant 2 separate ...
by heribertos
Thu May 02, 2019 2:04 pm
Forum: Forwarding Protocols
Topic: BGP ECMP (multipathing)
Replies: 36
Views: 12673

Re: BGP ECMP (multipathing)

I solved this for me with Routing Filters under Set Next-Hop-in with multiple Gateway-Addresses. This works for me even for BGP. Please observe that in Cisco the max-path n does 2 things: (1) Installation of best path and (n-1) loser paths (2) Forming an ECMP Route from the multiple routes to the...
by heribertos
Tue Feb 26, 2019 3:36 pm
Forum: Forwarding Protocols
Topic: Public IP Forward for Internal/Lan Subnet
Replies: 5
Views: 934

Re: Public IP Forward for Internal/Lan Subnet

you are welcome
by heribertos
Tue Feb 26, 2019 2:03 pm
Forum: Forwarding Protocols
Topic: Public IP Forward for Internal/Lan Subnet
Replies: 5
Views: 934

Re: Public IP Forward for Internal/Lan Subnet

I wrote at the same time. See my update. srcnat is needed if host and server are in the same subnet.
by heribertos
Tue Feb 26, 2019 1:18 pm
Forum: Forwarding Protocols
Topic: Public IP Forward for Internal/Lan Subnet
Replies: 5
Views: 934

Re: Public IP Forward for Internal/Lan Subnet

In your dst-nat rule you have input-interface WAN, here you must add your LAN Interface also, because you want dst-nat in both cases, otherwise traffic goes to input chain and router web-page appears! The ip firewall nat rule is needless, except in cases where from a subnet you want to access the se...
by heribertos
Tue Feb 26, 2019 12:01 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

I don't agree about the same security levels. In the beginning, when I proposed a route to your NTP-Server in the main table you refused that solution for security reasons. I am confused, because this is exactly what you are doing now, at the end of the day. Routing Rules are applied to any routed tr...
by heribertos
Tue Feb 26, 2019 9:27 am
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

It was a pleasure for me. I also gained deeper insight into this subject. I would like to share my conclusions: The decision chain for traffic originated at ROS is: Routing Decision → Mangle (Output Chain) → Filter → Routing-Adjustment → Routing Rule The Routing Decision requires an active route which ...
by heribertos
Mon Feb 25, 2019 7:07 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

My last ideas: I played with the default route in table main, and it is influencing the src-address NTP client uses: - loopback interface in VRF gateway=loopback-interface -> IP of loopback is used! -> is working - ether1 is in my config a port of a bridge and bridge is in VRF, ether1 does not carry...
by heribertos
Mon Feb 25, 2019 6:35 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

deleted
by heribertos
Mon Feb 25, 2019 5:30 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

I could imagine that the ip-address is taken by ROS from the VRF or main, where the default-route is resolved. For test purposes, change default-route to /ip route dst-address=0.0.0.0/0 gateway=VLAN92 or /ip route dst-address=0.0.0.0/0 gateway=10.999.1.8%VLAN92 (with character % in front of VLAN92) ...
by heribertos
Mon Feb 25, 2019 5:09 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

It goes into the wrong VLAN. There is no physical interface with ip-address? Only VLAN?

Try instead of mangle routing rule just for test: src-address=77.999.999.146 action=lookup routing-mark=mgmt

and/or specify in mangle as match property src-address=77.999.999.146
by heribertos
Mon Feb 25, 2019 4:58 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

Hi, what does 999 mean in your IP addresses?
You can use only 0 ... 255 in your addresses.

Is that really configured or are you hiding something?
by heribertos
Mon Feb 25, 2019 3:50 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

Do you mean the posted configuration is working? I would disable all routing rules (better delete them) and then check: Are packets counted in mangle rule? -> it is used. Which ip-address is NTP-Client using? Observe port 123 in firewall/connections. It is visible for a few seconds. If this works, wh...
by heribertos
Mon Feb 25, 2019 2:45 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

Hi, I tried to understand your network topology. What I would like to comment is: If x.y.z. in the ip-addresses means always the same then you are working with overlapping ip-addresses in your VLANs. I know that VRFs are advertised as capable of handling overlapping ip-addresses, but this is only tr...
by heribertos
Sun Feb 24, 2019 3:14 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

I just tested the idea in my environment and it is working, but you have to make sure that your NTP-Server has a route back to the destination, which ROS uses as Source Address. ROS uses any IP from an interface on your Router, and this might be from another VRF or Main, not from VRF Mgmt. I checked...
by heribertos
Sun Feb 24, 2019 1:39 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

OK, I understood now your intention. My idea in this case is: do not use the route in main table I suggested but a mangle rule in OUTPUT-chain like Chain output match dst-address=NTP-Server action routing-mark=mgmt The response from NTP-server goes "automatically" even in VRF mgmt into the INPUT-cha...
by heribertos
Sat Feb 23, 2019 10:09 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

Hi, thanks for clarification, but I believe the solution concept remains unchanged. Instead of default-route you add the route to the NTP Server. The special Gateway syntax gateway=w.x.y.z%ether1 says, that the route is to be resolved at ether1 which is in VRF management, in your case. In case of p2...
by heribertos
Sat Feb 23, 2019 5:28 pm
Forum: General
Topic: NTP in VRF
Replies: 21
Views: 1435

Re: NTP in VRF

Hi, you should define a static default-route in the main table. E.g. your ISP gives you gateway=192.168.178.1/24 and the WAN interface is ether1, lying in VRF Green then the route is /ip route add dst-address=0.0.0.0/0 gateway=192.168.178.1/24%ether1 Greetings UPDATE: a generic solution (workaround)...
by heribertos
Sat Feb 23, 2019 10:17 am
Forum: Forwarding Protocols
Topic: VRF Management
Replies: 5
Views: 2719

Re: VRF Management

Hi, This problem can be solved easily. But it is important to understand where the problem arises from: Assuming a VRF Green with e.g. bridge-interface IP 10.0.0.1/24 or a loopback interface with ip 10.0.0.1/32 Your Winbox traffic enters the VRF Green via an associated interface. The ip-packets with...