Routing rule VS mangle mark routing

Hi,
I built an approximation to this, but with no VXLANs (just used another bridge, and ether2 as wan2).

It seemed to mostly work, but the vrf-wan2 being a vrf made it quite painful.
I seemed to need to reboot whenever I had done more than a couple of changes.

I was also unable to traceroute from the router using src-address=192.168.2.1.
My laptop on 192.168.2.220 was fine (though this is somewhat expected).

I turned vrf-wan2 into just a routing table (in fib) entry and adjusted for that, and it seemed to work quite a bit better and easier.
(You do lose some isolation, but you don’t seem to really need any in this instance.)

Some (my) notes on routing; this seems to be how it is currently working (not really checked for VRFs).

First:
If the packet has a routing mark on it, and there is a matching entry in the routing table
(IP range, routing table matches routing mark), it WILL use that routing entry.
This means if there is an item like
add disabled=no distance=100 dst-address=192.168.2.0/24 gateway=lan pref-src="" routing-table=vrf-wan2 scope=30 suppress-hw-offload=no target-scope=10
it seems it will (attempt to) send the marked packet out the lan interface, even if it is going to 192.168.2.1.

Next:
It will then use the Routing Rules table (in order), grab the first match, and do what it says.

Next2:
It will then process the packet through the routing table again, potentially with a different routing mark obtained from the rules table.
(But it seems perhaps a bit more lenient this time)


You can (and it works well) use the routing rules table with routing marks.

mangle:
mark selected packets with a routing mark, e.g. rule-wan2

routing rule
action=lookup table=main dst-address=192.168.2.0/24
action=lookup table=vrf-wan2 routing-mark=rule-wan2
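
The lookup order from the notes above, modelled in Python as an added illustration; this is not part of the original post and not RouterOS code. The `wan1`/`wan2` gateways and the table contents are constructed sample values, and falling back to `main` when no rule matches is an assumption.

```python
import ipaddress

def lookup(routes, table, dst):
    """Longest-prefix match for dst inside one routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes.get(table, [])]
    hits = [(net, gw) for net, gw in hits if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def resolve(routes, rules, dst, mark=None):
    """Return (table, gateway) following the three steps in the notes."""
    # First: a marked packet uses a matching route in the table named by its mark.
    if mark is not None:
        gw = lookup(routes, mark, dst)
        if gw is not None:
            return mark, gw
    # Next: walk the routing rules in order and take the first match.
    table = "main"  # assumption: no matching rule means the main table
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        dst_net = rule.get("dst-address")
        if dst_net and addr not in ipaddress.ip_network(dst_net):
            continue
        if "routing-mark" in rule and rule["routing-mark"] != mark:
            continue
        table = rule["table"]
        break
    # Next2: look the destination up again in the table the rule selected.
    return table, lookup(routes, table, dst)

# Constructed sample tables: main has the LAN and a default route, vrf-wan2 only a default.
ROUTES = {
    "main": [("0.0.0.0/0", "wan1"), ("192.168.2.0/24", "lan")],
    "vrf-wan2": [("0.0.0.0/0", "wan2")],
}
# The two routing rules from the post, in order.
RULES = [
    {"dst-address": "192.168.2.0/24", "table": "main"},
    {"routing-mark": "rule-wan2", "table": "vrf-wan2"},
]
# Variant with the 192.168.2.0/24 gateway=lan entry inside vrf-wan2 (the "First" note).
ROUTES_WITH_LAN = dict(ROUTES)
ROUTES_WITH_LAN["vrf-wan2"] = ROUTES["vrf-wan2"] + [("192.168.2.0/24", "lan")]

if __name__ == "__main__":
    for dst, mark in [("192.168.2.1", "rule-wan2"), ("8.8.8.8", "rule-wan2"), ("8.8.8.8", None)]:
        print(dst, mark, resolve(ROUTES, RULES, dst, mark))
```

With the mark named differently from any populated table (`rule-wan2`), the first step never short-circuits, so the rules table decides and LAN-bound traffic stays in `main`.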