I built a network from local (RB750Gr3 v7.21.3) to cloud (CHR-p1 v7.21.3) using L2TP VPN.
At the beginning I only had one ISP WAN, and I used this ISP WAN to create the VPN to the cloud nodes (three RouterOS nodes in the Azure cloud). Everything was OK.
Now I have another two ISP WANs, and I want to use them in balance or backup mode.
But I found a big problem: all three ISP WANs use an ONU as the router, and their LAN IP address is the same (192.168.1.1/24). I cannot change the ONUs, so I can only use VRFs to separate them.
In this situation, using different VRFs, including PCC balancing for the LAN users' internet access, is no problem. But this time it is not the LAN users but RouterOS itself that wants to make VPN connections to the different cloud nodes through different VRFs, and it doesn't work.
Example:
cloud node1 111.0.0.10
cloud node2 112.0.0.10
cloud node3 113.0.0.10
Configuration:
/ip vrf
add name=vrf2 interfaces=ether2
add name=vrf3 interfaces=ether3
/ip address
add address=192.168.1.2/24 interface=ether1
add address=192.168.1.2/24 interface=ether2
add address=192.168.1.2/24 interface=ether3
add address=1.1.1.1 interface=lo
# I want to use this loopback IP address as the source through the VRFs, but it seems that I cannot specify the source address for wireguard, pptp-client or l2tp-client. I'm not quite sure about the principle of source address selection in these VPN protocols, or the principle of source address assignment in router systems.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=ether2
add chain=srcnat action=masquerade out-interface=ether3
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1 routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether2@vrf2 routing-table=vrf2
add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether3@vrf3 routing-table=vrf3
# I want to connect to cloud node2 112.0.0.10 through vrf2
# and to cloud node3 113.0.0.10 through vrf3.
# I configured it like this, including the outbound and return routes.
# version1:
/ip route add dst-address=112.0.0.10 gateway=192.168.1.1%ether2@vrf2 routing-table=main
/ip route add dst-address=113.0.0.10 gateway=192.168.1.1%ether3@vrf3 routing-table=main
/ip route add dst-address=1.1.1.1 gateway=lo@main routing-table=vrf2
/ip route add dst-address=1.1.1.1 gateway=lo@main routing-table=vrf3
# version2: Recursive routing
/ip route add dst-address=112.0.0.10 gateway=vrf2@vrf2 routing-table=main
/ip route add dst-address=113.0.0.10 gateway=vrf3@vrf3 routing-table=main
/ip route add dst-address=1.1.1.1 gateway=lo@main routing-table=vrf2
/ip route add dst-address=1.1.1.1 gateway=lo@main routing-table=vrf3
All ping tests failed (source address 1.1.1.1), so the configuration doesn't work. The VPN must be created in the main routing table, because it will be used for BGP and MPLS.
So I'm not sure if my configuration is wrong, my thinking is wrong, or the router simply doesn't support this mode. Please help me, thanks a lot.