Looking for help with vrf, ntp and dns configuration

karlkalk · January 3, 2024, 2:48pm

Hello,
I am currently trying to switch my OpenVPN clients to WireGuard clients.
The connection itself works in both directions. However, what no longer works is NTP and DNS in the CAM-LAN.
The following configuration is a client configuration. The client serves as a gateway for other devices in remote locations.
It would be advantageous to be able to use the client (10.32.169.254) as a NTP and DNS server as well, but I am currently facing challenges in achieving that.
Is it because of VRF? I found this post but I don’t think it’ll help: http://forum.mikrotik.com/t/v7-inter-vrf-route-leak-doesnt-work-for-local-ips/154626/1
I hope someone can provide me with a helpful tip.

# 2024-01-03 15:12:25 by RouterOS 7.14beta4
# model = RB750Gr3
/interface bridge add name=CAM-LAN port-cost-mode=short
/interface ethernet set [ find default-name=ether2 ] name=cam2
/interface ethernet set [ find default-name=ether3 ] name=cam3
/interface ethernet set [ find default-name=ether4 ] name=cam4
/interface ethernet set [ find default-name=ether5 ] name=cam5
/interface ethernet set [ find default-name=ether1 ] name=wan1
/interface wireguard add listen-port=13231 mtu=1420 name=wg0-hub01
/interface wireguard add listen-port=13232 mtu=1420 name=wg1-rhub01

/ip vrf add interfaces=CAM-LAN,wg0-hub01 name=CAM

/port set 0 name=serial0

/interface bridge port add bridge=CAM-LAN ingress-filtering=no interface=cam2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=CAM-LAN ingress-filtering=no interface=cam3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=CAM-LAN ingress-filtering=no interface=cam4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=CAM-LAN ingress-filtering=no interface=cam5 internal-path-cost=10 path-cost=10

/ip firewall connection tracking set udp-timeout=10s

/ipv6 settings set disable-ipv6=yes

/interface wireguard peers add allowed-address=0.0.0.0/0 client-address=10.16.32.169/24 endpoint-address=wg.example.org endpoint-port=13231 interface=wg0-hub01 persistent-keepalive=5m preshared-key="ps169" public-key="pkhub01"
/interface wireguard peers add allowed-address=0.0.0.0/0 client-address=10.64.32.169/24 endpoint-address=wg.example.org endpoint-port=13232 interface=wg1-rhub01 persistent-keepalive=5m preshared-key="ps169" public-key="pkhub01"

/ip address add address=10.32.169.254/24 interface=CAM-LAN network=10.32.169.0
/ip address add address=10.16.32.169 interface=wg0-hub01 network=10.16.32.0
/ip address add address=10.64.32.169/24 interface=wg1-rhub01 network=10.64.32.0

/ip dhcp-client add interface=wan1

/ip dns set allow-remote-requests=yes servers=10.16.63.254,8.8.8.8,1.1.1.1,9.9.9.9

/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input dst-port=53 protocol=udp
/ip firewall filter add action=accept chain=forward dst-port=53 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=53 protocol=tcp
/ip firewall filter add action=accept chain=forward dst-port=53 protocol=tcp
/ip firewall filter add action=accept chain=input dst-port=123 protocol=udp
/ip firewall filter add action=accept chain=forward dst-port=123 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=123 protocol=tcp
/ip firewall filter add action=accept chain=forward dst-port=123 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=wan1
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=wan1
/ip firewall nat add action=masquerade chain=srcnat comment="NAT on WAN Interface" out-interface=wan1
/ip firewall nat add action=masquerade chain=srcnat comment="NAT on management tunnel" out-interface=wg1-rhub01

/ip route add disabled=no dst-address=10.95.254.254/32 gateway=wg1-rhub01 routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=172.31.254.254/32 gateway=wg1-rhub01 routing-table=main suppress-hw-offload=no
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0-hub01@CAM pref-src="" routing-table=CAM scope=30 suppress-hw-offload=no target-scope=10

/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh port=2332
/ip service set www-ssl disabled=no

/routing rule add action=lookup disabled=no interface=CAM-LAN table=CAM

/system clock set time-zone-name=Europe/Vienna
/system identity set name=vpn-client169
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set enabled=yes manycast=yes
/system ntp client servers add address=10.16.63.254
/system ntp client servers add address=pool.ntp.org
/tool sniffer set filter-ip-protocol=udp filter-port=dns

verbylab · January 6, 2024, 1:59am

I am trying to solve the same problem. DNS is unfortunately not listed as a supported feature for VRF, see https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206#VirtualRoutingandForwarding(VRF)-Supportedfeatures. I haven’t figured out yet how one can make it work with some firewall rules. If that’s not possible, I have to consider migrating away from the VRF-approach.

fragtion · February 21, 2024, 4:12pm

I’m in the same boat. I have two huawei LTE routers as WAN1,WAN2 and want to keep their default IP’s 192.168.8.1, so I have them in their own VRF’s. everything works fine except for services like ntp & dns. hopefully a solution is found

jaclaz · February 21, 2024, 4:29pm

Cannot say if it can apply to your case, in a similar setup I managed to “invert” the VRF (making it on the LAN side) thus having the DNS and NTP working normally, see the thread here:
http://forum.mikrotik.com/t/attempting-to-evolve-from-cavemans-failover/170048/1

The “normal” VRF configuration (without working DNS and NTP):
http://forum.mikrotik.com/t/attempting-to-evolve-from-cavemans-failover/170048/1

and the “reversed” one (with working DNS and NTP), at the cost of three LAN addresses instead of 1:
http://forum.mikrotik.com/t/attempting-to-evolve-from-cavemans-failover/170048/1