Hi guys,
I'm actually having a few problems with my MKT.
I'm trying to make my MKT a VPN server, authentication done by connecting to a RADIUS I have.
But I have 2 problems:
- How can I tell my RADIUS to use the VRF I set up? This bitch is using my main routing table, and I don’t want that… I have a VRF for it.
- How can I tell my VPNs to dynamically create themselves in that VRF too? I can set up ONE to be manually added, but I can’t do that for 1K users… How can I do that dynamically?
Thanks a lot
Regards
Andy
for the radius communication, here’s how:
- by default routeros will use the main routing table for communication.
- as of 6.13 if it receives a radius reply in a vrf, it doesn’t matter, it will process it
- the requests will still go through the main rt, so they will fail
- you can set up mangle rules to move the packets to the vrf of your choice
as these packets are generated by the router itself, you need to hijack them in the output chain,
and it should only match the radius packets. of course you have to make sure the radius server is
reachable in that vrf 
add chain=output action=mark-routing new-routing-mark=the-vrf-of-my-choice proto=udp dst-address=radius.server.ip.address dst-port=1812,1813 (or 1645,1646)
for radius src address in /radius you should use the ip address of the router in the “radius vrf”.
not 100% sure, but by default the vpn tunnels will be created always in the global RT.
i am not aware of any “template” attributes that could influence it by any means.
you can do some ip address based mangle rules (prerouting) to steer packets as if
they were in the vrf. but that sucks if you use cross routing-table overlapping IPs.
or - as you said - you can create entries under /interface l2tp-server for each user
with a unique interface name, and then place those interfaces into a vrf…
but that’s everything else but dynamic
We need a proper RADIUS reply attribute to set the VRF to add dynamic interfaces to. Cisco supports this.
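An added example, not part of the original thread and not MikroTik's code: the per-user static interface workaround from the reply above, generated by a script instead of typed for 1K users. It assumes RouterOS v6 syntax (`/interface l2tp-server add`, `/ip route vrf set ... interfaces=`), a hypothetical `l2tp-` interface prefix and constructed user names; user names are validated because they end up inside router commands.

```python
import re

# Only plain characters are accepted: a user name containing a quote, ';' or '['
# would change the meaning of the generated RouterOS command.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,48}")

PREFIX = "l2tp-"  # hypothetical naming scheme for the static interfaces


def build_commands(users, vrf_mark, existing_ifaces=()):
    """Return RouterOS v6 commands (assumed syntax) that bind one static
    L2TP server interface to each user and list them all in the VRF."""
    if not SAFE_NAME.fullmatch(vrf_mark):
        raise ValueError(f"unsafe routing mark: {vrf_mark!r}")

    # 'set interfaces=' replaces the whole list, so interfaces already in
    # the VRF must be passed in and are emitted first.
    names = list(existing_ifaces)
    cmds = []
    seen = set()
    for user in users:
        if not SAFE_NAME.fullmatch(user):
            raise ValueError(f"unsafe user name: {user!r}")
        if user in seen:  # skip duplicates so interface names stay unique
            continue
        seen.add(user)
        name = PREFIX + user
        cmds.append(f'/interface l2tp-server add name="{name}" user="{user}"')
        names.append(name)

    cmds.append(
        f'/ip route vrf set [find routing-mark="{vrf_mark}"] '
        f'interfaces={",".join(names)}'
    )
    return cmds


if __name__ == "__main__":
    # Constructed sample input; in practice this would be an export of the
    # accounts held on the RADIUS server.
    sample_users = ["alice", "bob", "alice"]
    for line in build_commands(sample_users, "vpn-vrf", ["ether2"]):
        print(line)
```

The script has to be re-run and its output re-imported whenever accounts are added or removed, so this stays a workaround rather than dynamic assignment.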