Configuring a VRF on Single MT Router

All,

I’m wondering if it would be possible to configure a VRF(s) on a single MT Router? At the moment, I’m using separate VLANs to segregate the different networks. However, I’m wanting to try and take a different approach with segregating this traffic and would like to use VRFs for this. I have used VRFs in the Cisco world and thought it would be a good idea to try and use VRFs on my favorite MT router!

At the moment, the issue I seem to be having is how do I get the VRF INTERNET, which is on VLAN 100, to NAT out to the Internet? I have searched Google, YouTube, and MT Forum but I have not had much success trying to set this up on a single MT Router. Is this even possible or am I going about this in an inefficient way? Any assistance with this issue is greatly appreciated.

My configuration is as follows:

/ip route
add distance=1 gateway=103.125.127.33 routing-mark=INTERNET

/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix="internet ###" routing-mark=INTERNET routing-table=INTERNET

/ip route vrf
add interfaces="VLAN 100 - LAN" route-distinguisher=1:100 routing-mark=INTERNET

/ip address
add address=192.168.100.1/24 comment="Internet LAN" interface="VLAN 100 - LAN" network=192.168.100.0
add address=104.219.115.38/27 interface=WAN network=103.125.127.45

/interface vlan
add comment="Internet LAN" interface=ether2 name="VLAN 100 - LAN" vlan-id=100

WAN Info:
103.125.127.32/27
103.125.127.33 - Default GW (ISP)
103.125.127.45 - WAN Interface

LAN Info:
192.168.100.0/24
192.168.100.1 - GW

*** Public WAN IP Info has been replaced with dummy PUBLIC IP for security purposes ***


Thanks | Regards,

John

You’re close but you need to add the WAN interface to the VRF interfaces as well.

Also remove the routing-table=INTERNET on the NAT rule and just match on routing mark.

Thanks, I’m going to try again either tonight or tomorrow and I’ll let you know how it goes. Thanks for the nudge in the right direction, very much appreciated.

Ok, I was able to find a few minutes of downtime to test this out… so the following code has been corrected as advised earlier. When performing this test, I was not able to get out to the Internet. It took me a few minutes to realize that there was an up/down arrow to add additional interfaces to the vrf INTERNET. Also, the routing-table has been removed from the NAT statement.

Any idea what else I might be missing?

/ip route vrf
add interfaces="VLAN 002 - LAN,WAN" route-distinguisher=1:2 routing-mark=INTERNET 

/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix="internet ###" routing-mark=INTERNET