CCR2004-1G-12S+2XS: Failover between two routers with two VRFs

Hi everyone,

I’m running into some issues with the configuration of VRFs on two CCR2004 routers, and I’m hoping someone can help me identify what I’m doing wrong.
Setup Overview:

I have two CCR2004 routers set up in a VRRP configuration for internal routing, which is running in the VRF: main. This setup works as expected: when one router goes offline, the other takes over as master seamlessly.

Problem: After a failover, I’m having trouble with routing to the internet.

Internet Setup:

The internet connection is established via PPPoE. I wrote a script to handle the PPPoE failover to the master VRRP router, which disables the PPPoE interface on the backup router and enables it on the master when it takes over.

While the script is basic, it works for now—when an update causes a failover, the master router takes over PPPoE. I plan to refine the script in the future, but for now, I just need the current setup to work for simple failovers.

The Issue:

When either router is the master, I can reach the internet, but there’s an inconsistency between the two routers:
On Edge1 (when it’s master), internet access works without any issues.
On Edge2 (when it becomes master), I cannot reach the internet without explicitly specifying the VRF_EXT for internet routing.
Example: I have to run ping 9.9.9.9 vrf=VRF_EXT on Edge2 for it to work.
Both routers are configured similarly from what I can tell, but I must have made a mistake somewhere. Does anyone have an idea of what might be causing this issue?

Secondary Issue:

After upgrading Edge1 from RouterOS 7.12.x to 7.16.1, I noticed that the VRF for external routing was renamed from VRF_EXT to VRF_EXT_. Now, when I try to rename it back to VRF_EXT, I get an error saying that a VRF with that name already exists, but I can’t see it. How can I revert the VRF back to its original name without conflicts?

Additional Info:

Simplified Network Topology:

Internet → VRF: VRF_EXT → DMZ (Public Subnet 1.2.3.4, VLAN 66) → pfSense → VRF: main (Internal Networks)

VLAN 66 contains other routers, but they don’t use the VRF: main after that. They have their own separate networks and NAT rules.

VRF Functions:
VRF_EXT: Used for DMZ routing
VRF: main: Used for internal routing and inter-VLAN routing

To route traffic from VRF: main (internal networks) to VRF_EXT (internet), the traffic passes through pfSense.

Config Files:

I’ve attached the configuration files for both Edge1 (working) and Edge2 (not working). Please note:

IPs like x.x.x.999 have been obfuscated.
Public IPs/subnets (e.g., 1.2.3.4) have been obfuscated as well.
I’ve removed all disabled entries (disabled=yes) to shorten the configs.

Any insights on what might be causing the failover issue or the VRF renaming issue would be greatly appreciated!

Thanks in advance for your help!
edge2_cleaned.txt (8.4 KB)
edge1_cleaned.txt (10.8 KB)
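For readers arriving at this thread with the same design (PPPoE session that must follow the VRRP master), the following is an added RouterOS example of the failover hook described in the post; it is not the poster's script and not taken from the attached configs. The interface names pppoe-wan and vrrp-int, and the VRF name VRF_EXT for the verification commands, are assumptions; replace them with the names from your own router.

```routeros
# Added example, not the original poster's script. Assumed names:
#   VRRP interface  : vrrp-int
#   PPPoE client    : pppoe-wan
#   external VRF    : VRF_EXT
# Install the same script and hooks on both routers.

# One script decides from the VRRP state instead of trusting which hook
# fired, so a missed transition is corrected on the next run.
/system script add name=pppoe-failover policy=read,write,test source={
    :local pppoeIf "pppoe-wan"
    :local vrrpIf  "vrrp-int"

    # The VRRP interface carries the running flag only while it is master.
    :local isMaster [/interface vrrp get [find name=$vrrpIf] running]

    :if ($isMaster) do={
        # Master: bring up the PPPoE session here.
        /interface pppoe-client set [find name=$pppoeIf] disabled=no
        :log info "pppoe-failover: master, $pppoeIf enabled"
    } else={
        # Backup: tear the session down so only one router dials the ISP.
        /interface pppoe-client set [find name=$pppoeIf] disabled=yes
        :log info "pppoe-failover: backup, $pppoeIf disabled"
    }
}

# Run the script on both VRRP transitions.
/interface vrrp set [find name="vrrp-int"] \
    on-master="/system script run pppoe-failover" \
    on-backup="/system script run pppoe-failover"

# Verification after a failover, on the router that became master:
# 1) the PPPoE client is enabled and running
/interface pppoe-client print where name="pppoe-wan"
# 2) VRF_EXT actually holds a default route via the PPPoE interface
/ip route print where routing-table=VRF_EXT dst-address=0.0.0.0/0
# 3) reachability from inside the VRF (the same check used in the post)
/ping 9.9.9.9 vrf=VRF_EXT count=3

# For the renaming question: list every place a VRF name is held, since a
# routing table of the same name is created together with the VRF.
/ip vrf print detail
/routing table print detail
```

Running the verification block on each router in turn, once as master and once as backup, gives a side-by-side comparison of the VRF_EXT route table and the PPPoE state; a difference in step 2 between Edge1 and Edge2 is the first thing to look for when one of them only reaches the internet with vrf=VRF_EXT specified. Whether a leftover entry in /routing table explains the "already exists" error is something the listing will show, not something this example assumes.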