Need help with VRF-leak and NAT

Part of my job is configuring replacement routers for customers. I work from home and my home router is a MikroTik router. In my workflow, I preconfigure the router to be a drop-in replacement. If the customer router needs a static IP or PPPoE, my home router acts as the "fake" ISP, to allow the customer router to access the Internet through NAT on my own ISP.

Example

My WAN IP: 50.x.x.187/24
My WAN GW: 50.x.x.1/24
Customer WAN IP: 60.x.x.2/30
Customer WAN GW: 60.x.x.1/30

Works great, but with a limitation. When I configure that "fake" 60.x.x.x/30 subnet on my router, I cannot reach the old router on the "real" 60.x.x.x/30 because of the "fake" directly connected IP on br-fake-isp-static.

Here comes VRF…

Why not have a "lab" VRF where the "fake" 60.x.x.x/30 is only valid in "vrf-lab", not affecting the default vrf-main? Then I can still reach the "real" 60.x.x.x/30.

/ip address
add address=10.100.10.1/24 interface=bridge-lan
add address=50.x.x.187/24 interface=ether1-WAN
add address=60.x.x.1/30 interface=bridge-fake-isp-static

/ip vrf
add interfaces=bridge-fake-isp-dhcp,bridge-fake-isp-static name=vrf-lab

/ip route
# default route for the main table (gateway takes a plain IP, no prefix length)
add gateway=50.x.x.1
# default route for vrf-lab, leaked to the gateway in the main table
add gateway=50.x.x.1@main routing-table=vrf-lab

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

VRF leak works as expected: the ping request is NATed on egress. The problem is that when the ping reply comes back, it is properly NATed back to 60.x.x.2, but in VRF main instead of vrf-lab, so it is forwarded to ether1-WAN instead of bridge-fake-isp-static back to the customer router. Should my route leaking be done differently?

[admin@rt101.home.loc] /ip/vrf> /tool/sniffer/quick ip-address=1.1.1.1
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE               TIME   NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS      DST-ADDRESS      PROTOCOL  SIZE  CPU
bridge-fake-isp-static  2.302    2  <-   C8:4F:86:FC:xx:xx  C4:AD:34:EA:xx:xx  60.x.x.2         1.1.1.1          ip:icmp     98    0
ether1-WAN              2.303    3  ->   C4:AD:34:EA:xx:xx  00:EB:D5:ED:xx:xx  50.x.x.187       1.1.1.1          ip:icmp     98    0
ether1-WAN              2.321    4  <-   00:EB:D5:ED:xx:xx  C4:AD:34:EA:xx:xx  1.1.1.1          50.x.x.187       ip:icmp     98    7
ether1-WAN              2.321    5  ->   C4:AD:34:EA:xx:xx  00:EB:D5:ED:xx:xx  1.1.1.1          60.x.x.2         ip:icmp     98    7

Any idea how to allow my home network to reach the "real" 60.x.x.2/30 but still allow the "fake" 60.x.x.2/30 to reach the Internet through NAT? Mangle with route-mark? Routing rules?

This is my combo lab; just concentrate on P, C1 and C2 and ignore the rest.

@loloski Thanks !

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=lab_conn passthrough=no src-address=60.x.x.0/30
add action=mark-routing chain=prerouting connection-mark=lab_conn in-interface-list=WAN new-routing-mark=vrf-lab

In my case, I use my bridge interface, so I do not need to modify the mangle rules when configuring a router for another customer.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=bridge-fake-isp-static new-connection-mark=lab_conn passthrough=no
add action=mark-routing chain=prerouting connection-mark=lab_conn in-interface-list=WAN new-routing-mark=vrf-lab

Anytime, no worries :slight_smile: Honestly, routing rules work too; try it :slight_smile:
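As an added example (not posted by either participant), this is the routing-rule variant mentioned above, written against the interface and VRF names used in the thread (ether1-WAN, bridge-fake-isp-static, vrf-lab) and assuming RouterOS v7. It relies on the same fact the mangle approach does: reply packets are de-NATed in prerouting, so the routing decision already sees 60.x.x.2 as the destination.

```routeros
# Added example, not from the thread: routing rule instead of mangle marks.
# Assumes interface/VRF names from the thread and RouterOS v7.

# Reply packets arriving on ether1-WAN have already been de-NATed to 60.x.x.2.
# Match only that in-interface plus the fake /30 and force the lookup into
# vrf-lab, where 60.x.x.0/30 is a connected route via bridge-fake-isp-static.
# lookup-only-in-table (rather than lookup) prevents a fall-through to main,
# which would send the reply back out ether1-WAN as seen in the sniffer capture.
/routing rule
add interface=ether1-WAN dst-address=60.x.x.0/30 action=lookup-only-in-table table=vrf-lab comment="return traffic for fake ISP /30"

# Packets from bridge-lan to the real 60.x.x.2 arrive on a different
# in-interface, do not match the rule, and keep using the main table's
# default route out ether1-WAN, so the real customer router stays reachable.

# Checks after applying:
/routing rule print
/ip route print where routing-table=vrf-lab
/tool sniffer quick interface=bridge-fake-isp-static ip-address=1.1.1.1
```

The last sniffer command should now show the ICMP reply leaving on bridge-fake-isp-static instead of ether1-WAN. Unlike the mangle version, this does not depend on connection marks, but it does hard-code the fake /30 in the rule, so it has to be edited for each customer subnet, whereas the bridge-based mangle rule does not.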