Management inside a routing-table

I want to keep a management port on each device for “local only” management using the 192.168.88.1 addresses. I wish to put this address and that interface into a routing-table so it does not pollute the global table (so the equivalent of “VRF-lite” on Cisco).

In this example, ether1-mgmt is the designated interface:

[admin@MikroTik] > /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.88.1/24    192.168.88.0    ether1-mgmt
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.88.0/24    192.168.88.1    ether1-mgmt               0

As soon as I move that interface into a routing-table, I can no longer manage the device (winbox or ssh):

[admin@MikroTik] > /ip route vrf add routing-mark=mgmt interfaces=ether1-mgmt
[admin@MikroTik] > /ip route vrf print
Flags: X - disabled, I - inactive
 0 X routing-mark=mgmt interfaces=ether1-mgmt
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.88.0/24    192.168.88.1    ether1-mgmt               0

However I can still ping the device at 192.168.88.1, and the device can still ping me (when told to use the right routing-table):

[admin@MikroTik] > ping 192.168.88.1 routing-table=mgmt
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.88.1                               56  64 0ms
    1 192.168.88.1                               56  64 0ms
    sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

I suspect I need to enable management inside a routing-table but I don’t know how to tell RouterOS to do this.

Thanks
-davidc

Isn’t fasttrack on?

Hi,

Just a thought: if I remember correctly, you need at least one route in the main routing table in order for the other routing tables to be active. Add something to populate the routing table, or try to connect using the MAC address.

@tangram - thanks, unfortunately adding a route to the default table didn’t help:

[admin@MikroTik] /ip route vrf> set 0 disabled=no
[admin@MikroTik] /ip route vrf> /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.88.0/24    192.168.88.1    ether1-mgmt               0
 1 A S  0.0.0.0/0                          77.73.145.193             1
 2 ADC  77.73.145.192/26   77.73.145.194   sfp-sfpplus16             0
[admin@MikroTik] /ip route vrf> /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1-mgmt
        gateway-status=ether1-mgmt reachable distance=0 scope=10 routing-mark=mgmt

 1 A S  dst-address=0.0.0.0/0 gateway=77.73.145.193
        gateway-status=77.73.145.193 reachable via  sfp-sfpplus16 distance=1 scope=30
        target-scope=10

 2 ADC  dst-address=77.73.145.192/26 pref-src=77.73.145.194 gateway=sfp-sfpplus16
        gateway-status=sfp-sfpplus16 reachable distance=0 scope=10

Like I say, L3 connectivity is fine; I can ping both ways. I suppose I just need a way to enable management services within this VRF/routing table.

@jarda - I don’t have any firewall rules. If relevant, even with the routing-mark removed, while I am connected via winbox, no connection is tracked:

[admin@MikroTik] /ip firewall connection> print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack,
s - srcnat, d - dstnat
 #          PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE
[admin@MikroTik] /ip firewall connection>

Need to find a solution; it’s not just the loss of local-only management, but I suspect this problem will also prevent them from being managed from within our management L3VPN.

Well I have a definitive answer from Mikrotik support:

Yes, that is currently the behavior of VRFs, management can be done only if address is in main table.

Sigh. How many ISPs out there are going to allow management of their routers from the global table?

Try to add this:
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=mgmt src-address=192.168.88.1

I did a little test and it seems to work.
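The mangle workaround from the post above, written out as a full RouterOS v6 CLI sequence with the reason each step is needed and the checks to confirm it took effect. This is an added example, not the poster's own script; the interface name, the 192.168.88.1 address and the mgmt routing mark come from the thread, while the admin host 192.168.88.10 is an assumed value.

```routeros
# RouterOS v6 CLI syntax, as used throughout the thread.
# 1. Management address on the dedicated port (already present in the thread).
/ip address add address=192.168.88.1/24 interface=ether1-mgmt

# 2. Move the interface into its own routing table so 192.168.88.0/24 no longer
#    lives in "main". After this the connected route carries routing-mark=mgmt.
/ip route vrf add routing-mark=mgmt interfaces=ether1-mgmt

# 3. The workaround. Packets the router generates itself (SSH/Winbox replies
#    sourced from 192.168.88.1) traverse the OUTPUT chain and are looked up in
#    the main table, which now has no route back to 192.168.88.0/24.
#    Marking them moves that lookup to the mgmt table.
#    passthrough=no stops later mangle rules from re-marking these packets.
/ip firewall mangle add chain=output src-address=192.168.88.1 \
    action=mark-routing new-routing-mark=mgmt passthrough=no \
    comment="route locally generated mgmt replies via the mgmt table"

# 4. Checks: the connected route should show routing-mark=mgmt, the mangle
#    rule's counters should climb while an SSH/Winbox session is open, and the
#    router should reach the admin host (assumed 192.168.88.10) via the mgmt table.
/ip route print detail where routing-mark=mgmt
/ip firewall mangle print stats
/ping 192.168.88.10 routing-table=mgmt count=3
```

If the mangle counters stay at zero during a session, the replies are not matching the rule and the source address of the service should be rechecked.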

Would it be possible to do it the other way around? I mean use main for management and the VRF for everything else?