ROSv7 Services: Access from multiple VRFs?

Hi,
I would like to configure a Mikrotik router (ROS v7.7) so that services can be accessed from multiple VRFs. Currently you must set exactly one VRF for each service in the /ip/services menu, which is unfortunate for me. I did a little bit of searching and found posts that are connected to this problem:

Before we go any further, I would like to describe my problem… I have 2 VRFs on each of two routers; we will focus on one of the routers (virt-vinarium), because I have the same problem on both routers. The first VRF is main, the second VRF is vrf-s5net. I would like to enable access to services like Winbox, SSH and API on the devices from both VRFs; the problem is that we can only assign a service to one of them. Each of the routers has two OSPF instances, one for each VRF. Both routers exchange routing info via a link (which carries VLANs) between them.
schema.png
First unsuccessful attempt to solve the issue for ssh (see files below for configuration):

  • Prerouting mangle rule: mark connection
  • Prerouting mangle rule: change routing mark (put into different VRF) for the marked connection
  • Do dst-nat to change the destination IP to one of the IPs on an interface that is in the destination VRF

Results for testing ssh from virt-kocjan to virt-vinarium on 44.150.248.33:

  • router returns ICMP type 3 code 1: Host not reachable
  • based on the logs, even with the destination IP correctly translated by dst-nat, the router's decision is WRONG (packets end up in the forward chain instead of the input chain)
  • It looks like the router for VRF main doesn't look at local interfaces before looking into the routing table, so it tries to route the packet out of the correct interface

virt-vinarium2.rsc (6.49 KB)
virt-kocjan2.rsc (4.63 KB)
Based on the post specified above, I also tried to abandon VRF main for a custom VRF vrf-main, so I:

  • Created VRF vrf-main
  • Moved all interfaces that are not in vrf-s5net there
  • Moved services into vrf-main

Results:

  • Router correctly puts packets into input chain
  • Router correctly forms and forwards response packet
  • Router responds with TCP RST if the packet comes from the incorrect VRF :(

Selection_016.png
File for changed config:
virt-vinarium3.rsc (6.77 KB)
Possible solutions for this problem are:

  • for services, the ability to choose one or all VRFs
  • for services, the ability to choose multiple VRFs

Has anyone found a working solution for this problem?

For the reasons you describe, I do not use VRFs in our local AMPRnet network, but rather use the "manual" approach of having separate routing tables and IP rules to select the correct table.
I make a rule for each input interface that is on the AMPRnet, plus a rule for the local addresses of the router on AMPRnet, to select the AMPRnet table (which is maintained by BGP).
The separation may be a bit less, but at least you can control what is happening and where services are available (via networks set in services, and of course also via the firewall).

Same. I gave up on VRFs and went with multiple tables, OSPF/BGP instances, and routing rules to support failing traffic over to Wireguard tunnels via third-party Internet connections. It's a lot less cumbersome, especially if you lose connectivity to the management VRF.

I looked into policy routing with multiple routing tables. I have to dynamically leak some routes between tables because of DAC routes. Have you managed to configure dynamic route leaking with BGP? Some time ago I tried, but couldn't create two instances of BGP on 127.0.0.1 because the local and remote port settings aren't doing anything at the moment.

I manually copy DAC routes between the main and auxiliary tables. Indeed that is a bit of a nuisance; it would be nice if there were an option in /routing/tables to dynamically import DAC routes.
Other than that, I have no issues.
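The "manual" approach described in the replies above (a second routing table selected by routing rules per ingress interface plus a rule for the router's own addresses, services restricted by address and firewall instead of by VRF, and connected/DAC routes copied by hand into the auxiliary table) written out in ROSv7 CLI syntax. This is an added example, not configuration from any of the posters or from the attached .rsc files; the table name `ampr`, interface name `vlan-ampr`, the prefixes and the addresses are assumptions for illustration, and the OSPF instance is only shown because the thread mentions one per table (a BGP connection takes the same `routing-table=` parameter).

```routeros
# Added example (not from the original thread). Names, interfaces and prefixes are assumptions.

# 1. Second routing table, installed into the kernel FIB so packets can actually use it
/routing table add name=ampr fib

# 2. Routing protocol feeding the second table (one instance per table, as the thread describes)
/routing ospf instance add name=ospf-ampr router-id=44.150.248.33 routing-table=ampr
/routing ospf area add name=ampr-backbone instance=ospf-ampr area-id=0.0.0.0
/routing ospf interface-template add area=ampr-backbone interfaces=vlan-ampr networks=44.150.248.32/29

# 3. Connected (DAC) routes are created only in main. With lookup-only-in-table below,
#    the ampr table never sees them, so copy the ones it needs by hand
#    (this is the manual step the last reply complains about).
/ip route add dst-address=44.150.248.32/29 gateway=vlan-ampr routing-table=ampr comment="copy of DAC route"

# 4. Routing rules: one per ingress interface on the second network,
#    plus one for traffic sourced from the router's own address on that network
#    (replies from SSH/Winbox/API must leave via the ampr table, not main).
/routing rule add interface=vlan-ampr action=lookup-only-in-table table=ampr comment="ingress from AMPRnet"
/routing rule add src-address=44.150.248.33/32 action=lookup-only-in-table table=ampr comment="router's own AMPRnet address"

# 5. Services stay in the default VRF; reachability from both networks is limited by address list
/ip service set ssh address=44.150.248.0/24,10.0.0.0/8
/ip service set winbox address=44.150.248.0/24,10.0.0.0/8
/ip service set api address=44.150.248.0/24,10.0.0.0/8

# 6. ...and by the input firewall, so only the intended networks reach management ports
/ip firewall filter add chain=input src-address=44.150.248.0/24 in-interface=vlan-ampr \
    protocol=tcp dst-port=22,8291,8728 action=accept comment="management from AMPRnet"
/ip firewall filter add chain=input src-address=10.0.0.0/8 \
    protocol=tcp dst-port=22,8291,8728 action=accept comment="management from main network"
/ip firewall filter add chain=input protocol=tcp dst-port=22,8291,8728 action=drop comment="everything else"
```

Check the rule ordering with `/routing rule print` and the installed routes with `/ip route print where routing-table=ampr`: if the copied DAC route in step 3 is missing, the router can still receive on vlan-ampr (step 4 selects the table on ingress) but its replies to hosts on the directly connected subnet will fail the lookup in `ampr`, which is exactly the reason the last reply gives for copying those routes.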