The documentation recommends using BGP VPN to leak routes between VRFs.
This works but the imported routes are non-functional as their gateway is vrf@vrf.
In my example, I have many interfaces in vrf-main and another VRF, vrf-wwan, which only contains the internet uplink. For my vrf-main to be able to access the internet, I am leaking the default gateway via a static route. However, for the return packets, vrf-wwan needs to know all my prefixes from vrf-main, right?
In this example, I am configuring the BGP routes to export all connected routes from vrf-main and importing them into vrf-wwan:
[admin@SunGate2] /routing/bgp/vpn> export
# 2025-11-16 01:25:04 by RouterOS 7.21beta7
# system id = 4266Dgl372D
#
/routing bgp vpn
add disabled=no export.redistribute=connected import.route-targets=1:100 instance=bgp-virtual-instance label-allocation-policy=\
per-prefix name=bgp-mpls-vpn-1 route-distinguisher=1:1 vrf=vrf-wwan
add disabled=no export.redistribute=connected .route-targets=1:100 instance=bgp-virtual-instance label-allocation-policy=per-prefix \
name=bgp-mpls-vpn-2 route-distinguisher=1:1 vrf=vrf-main
This works. However, I cannot ping any internet address from vrf-main. The issue is that all my routes are imported with a vrf-main@vrf-main gateway. This is total BS! With the packet sniffer I can see the router sending the packet into interface “vrf-main”, but that’s wrong; it must go into vlan4!!
If I manually create the route it works.
[admin@SunGate2] /ip/route> print without-paging
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, y - BGP-MPLS-VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
[...]
DAy 10.227.4.0/24 vrf-main@vrf-main vrf-wwan 200
DAy 10.227.4.254/32 vrf-main@vrf-main vrf-wwan 200
[...]
DAc 10.227.4.0/24 vlan4@vrf-main vrf-main 0
DAc 10.227.4.254/32 vrrp4@vrf-main vrf-main 0
[...]
What is the issue?
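A small audit of the route table shown above, as an added example that is not part of the original post: it lists the BGP-MPLS-VPN routes whose gateway is the VRF itself and pairs each with the connected route for the same prefix in the source VRF. The row layout is assumed to match the pasted output, and the function names are illustrative.

```python
import re

# Route rows copied from the "/ip/route print" output in the post.
SAMPLE = """\
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT
DAy 10.227.4.0/24 vrf-main@vrf-main vrf-wwan 200
DAy 10.227.4.254/32 vrf-main@vrf-main vrf-wwan 200
[...]
DAc 10.227.4.0/24 vlan4@vrf-main vrf-main 0
DAc 10.227.4.254/32 vrrp4@vrf-main vrf-main 0
"""

# Assumed layout: [index] FLAGS DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
ROW = re.compile(
    r"^\s*(?:\d+\s+)?([A-Za-z+]+)\s+(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)

def parse_routes(text):
    """Return one dict per route row; headers and '[...]' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flags, dst, gateway, table, distance = m.groups()
            routes.append({"flags": flags, "dst": dst, "gateway": gateway,
                           "table": table, "distance": int(distance)})
    return routes

def find_vrf_gateway_leaks(routes):
    """Flag 'y' (BGP-MPLS-VPN) routes whose gateway has the form vrf@vrf."""
    # Index connected ('c') routes by (routing table, prefix) for comparison.
    connected = {(r["table"], r["dst"]): r["gateway"]
                 for r in routes if "c" in r["flags"]}
    findings = []
    for r in routes:
        if "y" not in r["flags"]:
            continue
        iface, _, vrf = r["gateway"].partition("@")
        if vrf and iface == vrf:  # gateway is the VRF, not a member interface
            findings.append({"dst": r["dst"], "table": r["table"],
                             "gateway": r["gateway"], "source_vrf": vrf,
                             "connected_gateway": connected.get((vrf, r["dst"]))})
    return findings

if __name__ == "__main__":
    for f in find_vrf_gateway_leaks(parse_routes(SAMPLE)):
        print(f"{f['dst']} in {f['table']}: gateway {f['gateway']}, "
              f"connected route in {f['source_vrf']} uses {f['connected_gateway']}")
```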