ROSv7: OSPF on another VRF problems

slocomptech · June 23, 2022, 10:59am

Hi,
on my RBD52G-5HacD2HnD, where I’m using router OS 7.3.1, I configured OSPF instance which worked fine on my main VRF. But when I tried to move OSPF to secondary VRF, it stopped working. It just doesn’t form connection with neighbors, I enabled logging (/system logging add topics=ospf,!raw) and it prints that instance is sending hello, but thats it. No OSPF neighbours are shown on the list.

VRF:

/ip vrf
add interfaces=zone-1 name=vrf-1

OSPF configuration:

/routing ospf instance
add comment="OSPF 1" disabled=no in-filter-chain=chain-1-in name=\
    ospf-1 out-filter-chain=chain-1-out router-id=10.0.76.1 \
    routing-table=vrf-1 vrf=vrf-1
/routing ospf area
add disabled=no instance=ospf-1 name=ospf-area-1-backbone
/routing ospf interface-template
add area=ospf-area-1-backbone disabled=no interfaces=zone-1 networks=\
    10.0.0.0/16 type=ptp

I also checked the firewall, but I couldn’t determine, that problem was there.

StubArea51 · June 24, 2022, 6:17am

Tried this in my lab on 7.4beta4 and interestingly enough, it works fine with IPv6 but not IPv4

@MikroTik - is this a known bug?

R1

[zuul@ccr2116-01.test.lab.ipa.net] > routing/ospf/neighbor/print 
Flags: V - virtual; D - dynamic 
 0  D instance=ospf-instance-v3-ipv6 area=ospf-area-0-ipv6 address=fe80::de2c:6eff:fe8a:982d%vlan3100 
      priority=128 router-id=1.1.1.2 dr=0.0.0.0 bdr=0.0.0.0 state="Full" state-changes=6 adjacency=3m44s 
      timeout=35s 


/routing ospf instance
add disabled=no name=ospf-instance-v3-ipv6 router-id=1.1.1.1 routing-table=\
    vrf-a version=3 vrf=vrf-a
add disabled=no name=ospf-instance-v2-ipv4 router-id=1.1.1.1 routing-table=\
    vrf-a vrf=vrf-a
/routing ospf area
add disabled=no instance=ospf-instance-v3-ipv6 name=ospf-area-0-ipv6
add disabled=no instance=ospf-instance-v2-ipv4 name=ospf-area-0-ipv4

R2

[zuul@ccr2004-2splus-01.test.lab.ipa] > routing/ospf/neighbor/print 
Flags: V - virtual; D - dynamic 
 0  D instance=ospf-instance-v3-ipv6 area=ospf-area-0-ipv6 address=fe80::de2c:6eff:fe7a:d0e6%vlan3100 
      router-id=1.1.1.1 state="Full" state-changes=5 adjacency=2m56s timeout=34s 


/routing ospf instance
add disabled=no name=ospf-instance-v2-ipv4 router-id=1.1.1.2 routing-table=vrf-a vrf=vrf-a
add disabled=no name=ospf-instance-v3-ipv6 router-id=1.1.1.2 routing-table=vrf-a version=3 vrf=vrf-a
/routing ospf area
add disabled=no instance=ospf-instance-v2-ipv4 name=ospf-area-0-ipv4
add disabled=no instance=ospf-instance-v3-ipv6 name=ospf-area-0-ipv6

mrz · June 27, 2022, 6:54am

It works in our test setup with both OSPF v3 and OSPF v2 instances. Send a supout file from that router to support.

slocomptech · June 27, 2022, 2:30pm

Thanks, just submitted ticket to the support.

slocomptech · July 1, 2022, 8:00am

Hello,
I resolved issue with the support. I’m writing here for anyone having similar problems…

Problem is with in-interface and in-interface list parameter in firewall when VRF is used. Current solution is to upgrade RouterOS to 7.4beta5 and add firewall rule to allow OSPF from specific interface (in-interface), rule where in-interface list is specified for allowing OSPF traffic is not fixed yet.

pe1chl · July 11, 2022, 7:34am

Thank you, I hit a similar problem when I converted my setup from manually configured routing rules into VRF configuration.
Lots of problems with the firewall, it apparently is caused by my extensive use of interface lists in the firewall, and they indeed do not work for VRF interfaces.
Waiting for next version then…