Internet access OK from LAN but not from the router itself

Hi all,
I am continuing my tests with my setup with 2 VRFs used to connect to 2 ISP-provided upstream routers that are both using the same 192.168.1.1 address that I cannot change.

So far everything works fine, the clients on the LAN can access the Internet but I noticed that from the router itself I have no Internet access. I am not able to check for RouterOS updates and NTP synchronisation does not work either.

Here is my config:

# 2024-08-13 10:25:14 by RouterOS 7.15.3
# software id = FD1R-I13Y
#
# model = RB3011UiAS
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_192_168_2 ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add address-pool=dhcp_192_168_2 interface=bridge lease-time=12h name=defconf
/ip vrf
add comment=vrf_starlink interfaces=ether2 name=vrf_starlink
add comment=vrf_orange interfaces=ether1 name=vrf_orange
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip settings
set accept-source-route=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.2.201/24 interface=bridge network=192.168.2.0
/ip dhcp-client
add add-default-route=no interface=ether1
add add-default-route=no interface=ether2
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=9.9.9.9 gateway=192.168.2.201
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 doh-max-server-connections=20 doh-timeout=6s servers=9.9.9.9 verify-doh-cert=yes
/ip dns static
add address=192.168.2.201 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix=Masq out-interface-list=WAN
/ip route
add comment=RouteOrange disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_orange routing-table=main suppress-hw-offload=no
add comment=RouteStarlink disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_starlink routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_starlink routing-table=vrf_starlink suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_orange routing-table=vrf_orange suppress-hw-offload=no
add disabled=no distance=1 dst-address=100.64.0.1/32 gateway=192.168.1.1@vrf_starlink routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=100.64.0.1/32 gateway=192.168.1.1@vrf_starlink routing-table=vrf_starlink suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=bridge routing-table=vrf_orange suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=bridge routing-table=vrf_starlink suppress-hw-offload=no
/system identity
set name=rb3011
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.metas.ch
/system routerboard settings
set auto-upgrade=yes

I can ping hosts on the Internet from within the 3 VRFs:

[admin@rb3011] > /ping 8.8.8.8 vrf=vrf_starlink 
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56  58 32ms121us 
    0 8.8.8.8                                    56  58 32ms241us 
    1 8.8.8.8                                    56  58 30ms162us 
    1 8.8.8.8                                    56  58 30ms280us 
    sent=2 received=4 packet-loss=-100% min-rtt=30ms162us avg-rtt=31ms201us max-rtt=32ms241us 

[admin@rb3011] > /ping 8.8.8.8 vrf=vrf_orange   
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56 115 17ms655us 
    0 8.8.8.8                                    56 115 17ms783us 
    1 8.8.8.8                                    56 115 16ms667us 
    1 8.8.8.8                                    56 115 16ms786us 
    sent=2 received=4 packet-loss=-100% min-rtt=16ms667us avg-rtt=17ms222us max-rtt=17ms783us 

[admin@rb3011] > /ping 8.8.8.8 vrf=main       
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56  58 28ms416us 
    0 8.8.8.8                                    56  58 28ms538us 
    1 8.8.8.8                                    56  58 45ms138us 
    1 8.8.8.8                                    56  58 45ms260us 
    sent=2 received=4 packet-loss=-100% min-rtt=28ms416us avg-rtt=36ms838us max-rtt=45ms260us

…but I cannot ping using the bridge local address:

[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                                      timeout                                                                                        
    1 8.8.8.8                                                      timeout                                                                                        
    2 8.8.8.8                                                      timeout                                                                                        
    sent=3 received=0 packet-loss=100% 
    
[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201 vrf=main 
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                                      timeout                                                                                        
    1 8.8.8.8                                                      timeout                                                                                        
    sent=2 received=0 packet-loss=100%

Which makes me wonder… How come I can ping from the main VRF (/ping 8.8.8.8 vrf=main) but not using the bridge address, which is also in the main VRF? What is the source IP used when pinging from a VRF without specifying src-address?

Any idea?
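To make the route layout in the export above easier to reason about, here is an added example (my own code, not from this thread and not a MikroTik tool): a small Python parser for the /ip vrf, /ip address and /ip route sections of a RouterOS export that builds one longest-prefix-match table per routing table and answers two questions: which next hop, resolved in which VRF, each table uses for a destination, and which tables have a route back to the bridge address 192.168.2.201. The config lines embedded in it are copied from the post; the function names, the Route model and the way connected routes are synthesised from /ip address entries (the export does not list connected routes) are assumptions.

```python
"""
Added example, not part of the forum thread or of RouterOS: parse the
/ip vrf, /ip address and /ip route sections of a RouterOS export and
resolve destinations per routing table.  Function names and the lookup
model are assumptions; the config lines below are from the post.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# Config lines copied from the post (trimmed to the three relevant sections).
EXPORT = """\
/ip vrf
add comment=vrf_starlink interfaces=ether2 name=vrf_starlink
add comment=vrf_orange interfaces=ether1 name=vrf_orange
/ip address
add address=192.168.2.201/24 interface=bridge network=192.168.2.0
/ip route
add comment=RouteOrange disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_orange routing-table=main suppress-hw-offload=no
add comment=RouteStarlink disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_starlink routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_starlink routing-table=vrf_starlink suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf_orange routing-table=vrf_orange suppress-hw-offload=no
add disabled=no distance=1 dst-address=100.64.0.1/32 gateway=192.168.1.1@vrf_starlink routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=100.64.0.1/32 gateway=192.168.1.1@vrf_starlink routing-table=vrf_starlink suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=bridge routing-table=vrf_orange suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=bridge routing-table=vrf_starlink suppress-hw-offload=no
"""


@dataclass(frozen=True)
class Route:
    table: str                      # routing table the route lives in
    dst: ipaddress.IPv4Network
    gateway: str                    # next-hop address or interface name
    gateway_vrf: str                # VRF in which the next hop is resolved
    distance: int                   # 0 = connected (synthesised from /ip address)
    comment: str


def parse_export(text):
    """Return (routes, interface_to_vrf). Connected routes are added from /ip address."""
    section, routes, iface_vrf, addresses = None, [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
        if section == "/ip vrf":
            for iface in filter(None, kv.get("interfaces", "").split(",")):
                iface_vrf[iface] = kv["name"]
        elif section == "/ip address":
            addresses.append((kv["interface"], ipaddress.ip_interface(kv["address"])))
        elif section == "/ip route":
            if kv.get("disabled", "no") == "yes":
                continue
            gw, _, gw_vrf = kv["gateway"].partition("@")
            table = kv.get("routing-table", "main")
            routes.append(Route(table, ipaddress.ip_network(kv["dst-address"]),
                                gw, gw_vrf or table,   # no '@' -> resolved in own table
                                int(kv.get("distance", "1")), kv.get("comment", "")))
    # An interface not listed in any VRF belongs to the main table.
    for iface, addr in addresses:
        table = iface_vrf.get(iface, "main")
        routes.append(Route(table, addr.network, iface, table, 0, "connected"))
    return routes, iface_vrf


def lookup(routes, table, dst):
    """Longest-prefix match in one table; equal prefixes are won by the lowest distance."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if r.table == table and addr in r.dst]
    return min(hits, key=lambda r: (-r.dst.prefixlen, r.distance)) if hits else None


def tables_with_return_route(routes, src):
    """Routing tables that hold some route covering 'src' (i.e. can send a reply back)."""
    return sorted(t for t in {r.table for r in routes} if lookup(routes, t, src))


if __name__ == "__main__":
    routes, _ = parse_export(EXPORT)
    for table, dst in [("main", "8.8.8.8"), ("vrf_orange", "8.8.8.8"),
                       ("vrf_starlink", "100.64.0.1"), ("main", "192.168.2.201")]:
        r = lookup(routes, table, dst)
        print(f"{table:13s} -> {dst:14s} via {r.gateway} resolved in {r.gateway_vrf}"
              f" (distance {r.distance}, {r.comment or 'no comment'})")
    print("tables with a route back to 192.168.2.201:",
          tables_with_return_route(routes, "192.168.2.201"))
```

Run stand-alone it shows that the main table sends 8.8.8.8 to 192.168.1.1 resolved inside vrf_starlink (distance 1 wins over the distance-2 Orange route), that each VRF table resolves its own 192.168.1.1, and that all three tables hold a route covering the bridge address: main through the connected route, the two VRFs through the explicit 192.168.2.0/24 routes. The model only reflects what the export says; it does not reproduce the behaviour of the ping tool itself.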

Maybe it is the one obtained by the DHCP client on ether1 (or ether2) in the 192.168.1.0 range (i.e. the one “nearest” to the gateway).

I am not sure I follow you on why you are using two DHCP clients (that must be in the same network range of 192.168.1.0 as the two servers).
Isn’t there a risk of a conflict? A rare case, but possible.

I would feel safer using static addresses.

Does this logging:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix=Masq out-interface-list=WAN

show anything?

The masquerading seems to work OK…

Time      2024-08-13 14:57:16
Buffer    memory
Topics    firewall, info
Message   Masq srcnat: in:bridge out:ether2, connection-state:new src-mac 5c:f9:38:a6:47:44, proto TCP (SYN), 192.168.2.191:56437->45.57.75.226:443, len 64

I am not sure I follow you; actually I am pretty sure I am not following you.

I meant what happens in the log when running specifically the commands:
/ping 8.8.8.8 vrf=vrf_starlink
/ping 8.8.8.8 vrf=vrf_orange
/ping 8.8.8.8 vrf=main
/ping 8.8.8.8 src-address=192.168.2.201
/ping 8.8.8.8 src-address=192.168.2.201 vrf=vrf_starlink
/ping 8.8.8.8 src-address=192.168.2.201 vrf=vrf_orange
/ping 8.8.8.8 src-address=192.168.2.201 vrf=main
and/or try using “interface” parameter instead of “src-address”
(maybe nothing happens with any of the above)

The new (current) help at mikrotik.com is a joke, the old wiki one:
https://wiki.mikrotik.com/wiki/Manual:Tools/Ping
hints that the src-address determines (actually it is obvious) the “return” address, so it may still be something connected to return routes, though now yours seem fine :confused: .

Sorry for the delay in responding, here are the results of the various tests:

[admin@rb3011] > /ping 8.8.8.8 vrf=vrf_starlink
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56  58 32ms386us 
    1 8.8.8.8                                    56  58 28ms729us 
    2 8.8.8.8                                    56  58 27ms250us 
    sent=3 received=3 packet-loss=0% min-rtt=27ms250us avg-rtt=29ms455us max-rtt=32ms386us 

[admin@rb3011] > /ping 8.8.8.8 vrf=vrf_orange
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56 115 17ms195us 
    1 8.8.8.8                                    56 115 17ms285us 
    2 8.8.8.8                                    56 115 16ms578us 
    sent=3 received=3 packet-loss=0% min-rtt=16ms578us avg-rtt=17ms19us max-rtt=17ms285us 

[admin@rb3011] > /ping 8.8.8.8 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56  58 27ms288us 
    1 8.8.8.8                                    56  58 26ms505us 
    sent=2 received=2 packet-loss=0% min-rtt=26ms505us avg-rtt=26ms896us max-rtt=27ms288us 

[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                                      timeout                                                                                        
    1 8.8.8.8                                                      timeout                                                                                        
    2 8.8.8.8                                                      timeout

[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201 vrf=vrf_starlink
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0                                                              could not make socket                                                                          
    1                                                              could not make socket                                                                          
    sent=2 received=0 packet-loss=100% 

[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201 vrf=vrf_orange
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0                                                              could not make socket                                                                          
    1                                                              could not make socket                                                                          
    2                                                              could not make socket                                                                          
    sent=3 received=0 packet-loss=100% 

[admin@rb3011] > /ping 8.8.8.8 src-address=192.168.2.201 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                                      timeout                                                                                        
    1 8.8.8.8                                                      timeout                                                                                        
    2 8.8.8.8                                                      timeout                                                                                        
    sent=3 received=0 packet-loss=100% 

[admin@rb3011] > /ping 8.8.8.8 interface=bridge  vrf=main                   
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                                      timeout                                                                                        
    1 8.8.8.8                                                      timeout                                                                                        
    2 8.8.8.8                                                      timeout                                                                                        
    3 192.168.2.201                              84  64 124ms233us host unreachable                                                                               
    sent=4 received=0 packet-loss=100% 

[admin@rb3011] > /ping 8.8.8.8 interface=ether1  vrf=vrf_orange                     
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56 115 16ms582us 
    1 8.8.8.8                                    56 115 16ms321us 
    2 8.8.8.8                                    56 115 16ms633us 
    3 8.8.8.8                                    56 115 16ms582us 
    4 8.8.8.8                                    56 115 16ms389us 
    sent=5 received=5 packet-loss=0% min-rtt=16ms321us avg-rtt=16ms501us max-rtt=16ms633us 

[admin@rb3011] > /ping 8.8.8.8 interface=ether2  vrf=vrf_starlink                     
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                         
    0 8.8.8.8                                    56  58 18ms542us 
    1 8.8.8.8                                    56  58 20ms551us 
    2 8.8.8.8                                    56  58 24ms259us 
    sent=3 received=3 packet-loss=0% min-rtt=18ms542us avg-rtt=21ms117us max-rtt=24ms259us

Which confirms that the tests with interface= work, while any with src-address= fail.
Someone more expert may be able to explain WHY this happens.
In any case, “interface=” should be read as “out-interface=” (or at least this explains nicely why interface=bridge does not work).

Your “main” problem remains:

So far everything works fine, the clients on the LAN can access the Internet but I noticed that from the router itself I have no Internet access. I am not able to check for RouterOS updates and NTP synchronisation does not work either.

This happens because DNS is still not working with VRFs (or, while it is reported to have been fixed/added in 7.15beta4, it either doesn’t work or needs a special configuration whose details are unknown).

But have you tried?:
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206

/ip dns set vrf=vrf1

Thank you, yes I did try to change the VRF setting for the DNS but it does not help.

I read several posts mentioning some bugs with VRFs and DNS, so maybe I’ll have to wait for a future update then.

Thank you once again for your help, very appreciated.

I find this very perplexing, I cannot believe that the good Mikrotik guys are intentionally lying, reporting in changelog a new feature that doesn’t actually exist/work and even (as always mis-) document it on the help page.

I don’t know if anyone has filed a ticket with support, but I think you should; you have a documented, otherwise perfectly working setup, so it could be the occasion to have them get their act together, once and for all.

The thought of updating my currently working setup (the one in which I have “inverted” the VRF, putting it on the LAN side):
http://forum.mikrotik.com/t/attempting-to-evolve-from-cavemans-failover/170048/1
crosses my mind from time to time, but given the changes in VRFs in 7.14 and 7.15 and your definite report of the DNS not working properly on them, I will wait before making a new experiment.

Indeed I am going to open a support case. There is nothing critical on my network (it’s a home setup) so I can mess around with things as much as I want if support wants me to try out things.