Mikrotik as LNS role and adding PPP session routes into a VRF.

Hi, we are evaluating a Mikrotik CCR2116-12G-4s+ to replace our Cisco routers in an LNS role. One issue we have encountered is trying to place a PPP session’s routes into a VRF, based on a RADIUS reply attribute. This is similar to the following forum entry:

http://forum.mikrotik.com/t/put-pppoe-server-client-in-vrf/162536/1

It is understood that Mikrotik do not support an equivalent RADIUS attribute such as Cisco’s AV Pairs. But the Mikrotik-Group attribute can be sent in the RADIUS reply to override the default PPP profile for that user’s session.
We have tried to use this feature to apply a non-default PPP profile (ppp-profile-vrf1) to a user. This non-default PPP profile has an associated interface-list which has been added to a VRF (vrf1). This seems to work as expected with the dynamic PPP interface being added to the interface-list.
[Screenshots: 1 L2TP server, 2 PPP profiles, 3 VRF, 4 PPP session]
Though we have noticed some of the PPP session’s routes on the LNS are added to the VRF and some are not. In our case the Framed-IP-Address and Delegated IPv6-Prefix routes have been added to the VRF, but the Framed-Route and the Framed-IPv6-Prefix have not.
See the diagram below showing the topology and the ip and ipv6 route print outputs.

Routes in purple in VRF as expected. Routes in red not in VRF.
[Image: 5 Topology and routes]
The route print detail output is below. I have noticed the routes not present in the VRF are marked as inactive and have a missing immediate-gw.

[admin@lns3] > /ip/route/print det  
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
   DAb   dst-address=81.145.120.14/32 routing-table=main gateway=192.0.2.34 immediate-gw=192.0.2.34%vlan1184 distance=20 scope=40 target-scope=10 suppress-hw-offload=no 
   DAb   dst-address=81.145.120.15/32 routing-table=main gateway=192.0.2.34 immediate-gw=192.0.2.34%vlan1184 distance=20 scope=40 target-scope=10 suppress-hw-offload=no 
   DAb   dst-address=91.151.11.253/32 routing-table=main gateway=192.0.2.34 immediate-gw=192.0.2.34%vlan1184 distance=20 scope=40 target-scope=10 suppress-hw-offload=no 
   DAb   dst-address=91.151.11.254/32 routing-table=main gateway=192.0.2.34 immediate-gw=192.0.2.34%vlan1184 distance=20 scope=40 target-scope=10 suppress-hw-offload=no 
   DAc   dst-address=192.0.2.0/28 routing-table=main gateway=sfp-sfpplus2 immediate-gw=sfp-sfpplus2 distance=0 scope=10 suppress-hw-offload=no local-address=192.0.2.5%sfp-sfpplus2 
   DAc   dst-address=192.0.2.32/30 routing-table=main gateway=vlan1184 immediate-gw=vlan1184 distance=0 scope=10 suppress-hw-offload=no local-address=192.0.2.33%vlan1184 
   DAc   dst-address=192.0.2.49/32 routing-table=vrf1 gateway=<l2tp-testppp01@mt-lab.net>@vrf1 
   immediate-gw=<l2tp-testppp01@mt-lab.net> distance=0 scope=10 suppress-hw-offload=no 
   local-address=192.0.2.241%<l2tp-testppp01@mt-lab.net>@vrf1 
   DIvH  dst-address=192.0.2.64/28 routing-table=main pref-src="" gateway=<l2tp-testppp01@mt-lab.net> 
   immediate-gw="" distance=1 scope=30 target-scope=10 suppress-hw-offload=no 
   DAc   dst-address=192.0.2.240/32 routing-table=main gateway=Loopback0 immediate-gw=Loopback0 distance=0 scope=10 suppress-hw-offload=no local-address=192.0.2.240%Loopback0 
   DIcH  dst-address=192.168.88.0/24 routing-table=main gateway=ether13 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.88.3%ether13 
   DAc   dst-address=192.0.2.241/32 routing-table=vrf1 gateway=Loopback1@vrf1 immediate-gw=Loopback1 distance=0 scope=10 suppress-hw-offload=no local-address=192.0.2.241%Loopback1@vrf1 

[admin@lns3] > /ipv6/route/print det
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, g - slaac, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
   DAc   dst-address=2001:db8:2:2::/64 routing-table=main gateway=sfp-sfpplus2 immediate-gw=sfp-sfpplus2 distance=0 scope=10 
   DIvH  dst-address=2001:db8:8:4::/64 routing-table=main gateway=<l2tp-testppp01@mt-lab.net> immediate-gw="" 
   distance=1 scope=30 target-scope=10 
   DAd   dst-address=2001:db8:100:300::/56 routing-table=vrf1 gateway=fe80::36ed:1bff:fe85:f380%<l2tp-testppp01@mt-lab.net>@vrf1 
   immediate-gw=fe80::36ed:1bff:fe85:f380%<l2tp-testppp01@mt-lab.net> distance=1 scope=30 target-scope=10 
         vrf-interface=<l2tp-testppp01@mt-lab.net>
   DAc   dst-address=fe80::%sfp-sfpplus2/64 routing-table=main gateway=sfp-sfpplus2 immediate-gw=sfp-sfpplus2 distance=0 scope=10 
   DAc   dst-address=fe80::%sfp-sfpplus4/64 routing-table=main gateway=sfp-sfpplus4 immediate-gw=sfp-sfpplus4 distance=0 scope=10 
   DAc   dst-address=fe80::%<l2tp-testppp01@mt-lab.net>/64 routing-table=vrf1 gateway=<l2tp-testppp01@mt-lab.net>@vrf1 
   immediate-gw=<l2tp-testppp01@mt-lab.net> distance=0 scope=10 
   DAc   dst-address=fe80::%Loopback0/64 routing-table=main gateway=Loopback0 immediate-gw=Loopback0 distance=0 scope=10 
   DAc   dst-address=fe80::%vlan1184/64 routing-table=main gateway=vlan1184 immediate-gw=vlan1184 distance=0 scope=10 
   DAc   dst-address=fe80::%Loopback1/64 routing-table=vrf1 gateway=Loopback1@vrf1 immediate-gw=Loopback1 distance=0 scope=10

My questions are:

  1. Is this a supported configuration - LNS server placing PPP session in a VRF? I have not found a definitive response in the forums to confirm this can be achieved with the current software. It would be great to understand if this is or is not supported yet. If it is, could you point me in the right direction where I am going wrong in the supplied config below? I have raised a ticket with Mikrotik support but no response so far.
  2. Can this be made to work as intended? I have seen scripts being used in the forums during the ppp up and down stages to achieve specific goals. But I am not sure if this can be achieved or what is required to add the missing routes into the VRF. I am relatively new to the Mikrotik platform.

From the following post it seems VRF traffic is not hardware offloaded currently, so even if this was working as expected this platform would not scale for this purpose. Though hardware offloaded VRF traffic is intended to be offered in a future release.
http://forum.mikrotik.com/t/unable-to-get-routing-on-multi-vrf-setup-working-routes-marked-as-inactive/156967/1

Any comments or pointers would be gratefully received.

Many thanks for your help.

Mikrotik CCR2116-12G-4s+ config. Tested with RouterOS 7.11.
lns3-config.txt (2.32 KB)
Cisco CPE config
cpe-config.txt (667 Bytes)
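
To audit the VRF separation described in the post above, the following added example (not part of the original post or of any MikroTik tooling) parses `/ip/route/print detail` text and lists routes that point at a PPP interface but sit outside the expected VRF. The sample is abbreviated from the output in the post; the function names are hypothetical.

```python
import re

# Abbreviated sample taken from the /ip/route/print detail output in the post,
# including the line wrapping RouterOS applies to long records.
SAMPLE = """\
   DAc   dst-address=192.0.2.32/30 routing-table=main gateway=vlan1184 immediate-gw=vlan1184 distance=0 scope=10
   DAc   dst-address=192.0.2.49/32 routing-table=vrf1 gateway=<l2tp-testppp01@mt-lab.net>@vrf1
   immediate-gw=<l2tp-testppp01@mt-lab.net> distance=0 scope=10 suppress-hw-offload=no
   local-address=192.0.2.241%<l2tp-testppp01@mt-lab.net>@vrf1
   DIvH  dst-address=192.0.2.64/28 routing-table=main pref-src="" gateway=<l2tp-testppp01@mt-lab.net>
   immediate-gw="" distance=1 scope=30 target-scope=10 suppress-hw-offload=no
"""

# A record starts with a flag column (e.g. DAc, DIvH) followed by dst-address=.
FLAGS = re.compile(r"^\s*([DXIAcsrboidvmygH+]+)\s+(?=dst-address=)")
# key=value pairs; a value is either a quoted string or a run of non-spaces.
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_routes(text):
    """Join wrapped continuation lines and return one dict per route."""
    routes = []
    for line in text.splitlines():
        m = FLAGS.match(line)
        if m:
            routes.append({"flags": m.group(1)})
            line = line[m.end():]
        elif not routes:
            continue  # prompt or flag legend before the first record
        for key, val in PAIR.findall(line):
            routes[-1][key] = val.strip('"')
    return routes

def leaked_routes(routes, ppp_if, vrf):
    """Routes whose gateway is the PPP interface but which are outside the VRF."""
    return [r for r in routes
            if ppp_if in r.get("gateway", "") and r.get("routing-table") != vrf]

if __name__ == "__main__":
    for r in leaked_routes(parse_routes(SAMPLE), "<l2tp-testppp01@mt-lab.net>", "vrf1"):
        print(r["flags"], r["dst-address"], "table:", r["routing-table"],
              "immediate-gw:", repr(r.get("immediate-gw")))
```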

I got a reply today from Mikrotik support re this functionality.

MikroTik support #[SUP-126171]: LNS role - Add PPP session routes into a VRF
Hello, James.
No, currently this feature is not supported to set VRF from RADIUS, and at least your described process is more workaround or hack how to achieve few options.

Have you tested v7.12? I opened a ticket for the same (but with static vrf assignments) and they recommended to test with 7.12.
Unfortunately I had no time to test it. #SUP-121505

But I’d really appreciate a VRF attribute too, which should not be too hard to implement.

Update:

Hello,
At the moment address and route will be added to main VRF. We will see how this can be improved in the future. Thanks for the report.
Best regards,

We have exactly the same issue.

Did anyone test with 7.16beta4?
*) route - place static route in the correct VRF when vrf-interface parameter is used;

Still broken in 7.17