VRF and hidden interfaces

I’m trying to make friends with VRF, because unlike many other parts of RouterOS, I’m not familiar with it yet. So far so good, but I came across something… let’s say unexpected. This is a simple config for testing (RouterOS 7.1):

/ip vrf
add interfaces=guest name=vrf-guest
/ip address
add address=192.168.82.123/24 interface=guest

Add a few extra logging rules:

/ip firewall mangle
add action=log chain=prerouting protocol=icmp
add action=log chain=input protocol=icmp
add action=log chain=output protocol=icmp
add action=log chain=postrouting protocol=icmp

Now I ping 192.168.82.123 from other machine and I see this:

firewall,info prerouting: in:guest out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info prerouting: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info output: in:(unknown 0) out:(unknown 22), proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info postrouting: in:(unknown 0) out:(unknown 22), proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info output: in:(unknown 0) out:guest, proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info postrouting: in:(unknown 22) out:guest, proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50

What’s interface (unknown 22)? Ok, maybe it’s something internal, no big deal. Or is it? What if I wanted to, for example, allow pings only from selected interfaces? Like this:

/ip firewall filter
add action=accept chain=input in-interface=guest log=yes log-prefix=allow protocol=icmp
add action=drop chain=input log=yes log-prefix=drop protocol=icmp

Ping again, there’s a timeout and in the log I see:

firewall,info prerouting: in:guest out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info prerouting: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info drop input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50

Not really a surprise, but certainly not great, don’t you think? What am I missing?

VRF - Very Rude Foreigners?

Actually I have been asking myself the same question why all the excitement about VRF.
Reading the wiki, what is interesting is the difference between ‘normal’ routes and VRF routes, which seem to rely solely upon their own table and have nothing to do with the main table,
almost like one was making a route rule with Action: Lookup ONLY in Table.

Other than that, I cannot really suss out the purpose of VRFs… perhaps it’s a step beyond what a homeowner or SMB would use??

@anav: Nope, it’s not a social club for you. It’s for the router to more easily separate things. Some of it could be done with different routing tables and rules, but this should be easier. Don’t expect many details from me right now, I’m still getting into it.

Right now I’m curious about this hidden interface. I don’t mind that it exists, but I think that I should be able to work with it in firewall, i.e. it should not be hidden. It’s not the only one, we all know that the router has a loopback interface, also currently hidden, and I think that it’s not right either.

Looking at how Linux does it, there’s an interface for each VRF, which is basically a dedicated loopback for that VRF. In RouterOS it’s my mysterious (unknown 22). Packet flow through iptables is also the same. So the case of hidden interfaces is solved.

But how come that Linux gives me an interface and RouterOS doesn’t? I’m sure I’d be able to come up with something useful to do with it! :)

What’s new in 7.4beta2 (2022-Jun-07 12:08)

*) firewall - properly handle interface matcher when VRF interface is specified;

Quick test with 7.4beta5 now shows:

firewall,info prerouting: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info prerouting: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info input: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info output: in:(unknown 0) out:(unknown 1358), connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info postrouting: in:(unknown 0) out:(unknown 1358), connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info output: in:(unknown 0) out:guest, connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info postrouting: in:(unknown 1358) out:guest, connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56

So in-interface works (but in-interface-list doesn’t) and shows incoming interface as user would expect. Outgoing interface is still the hidden one. I also wonder if the same packet going through prerouting twice like this could cause any problems (I can’t say it does, it’s just a suspicion).

Fun with interfaces, 2023 edition.

Original version, shows how it’s processed internally, but hides names of interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 22) out:guest, 192.168.82.123->192.168.82.1

7.4beta5, fakes incoming interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 1358), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 1358), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 1358) out:guest, 192.168.82.123->192.168.82.1

7.14beta3, shows real outgoing VRF interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:vrf-guest out:guest, 192.168.82.123->192.168.82.1

So what’s next? Keep this weird inconsistent state? Revert the fake interfaces from 7.4 and show real VRF ones?
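As an added example (not the poster’s code and not anything RouterOS ships), here is a small Python parser for firewall log lines in the format quoted in the first post and in the three captures above. It pulls out chain, log-prefix and in/out interfaces, lists interfaces that the log can only name as "(unknown N)" (so no in-interface/out-interface matcher can ever reference them), applies the first post’s two-rule input chain (accept if in-interface=guest, else drop) to show which packets are dropped only because of such a hidden interface, and counts how often one src->dst flow passes prerouting (the doubled pass seen from 7.4beta5 on). The sample lines are constructed after the thread’s captures; "(unknown 0)" is treated as "no interface in this direction", which is an assumption based on where it appears in the logs.

```python
"""Parse RouterOS firewall log lines and check how interface-based rules treat them.

Added example; the log text below is constructed after the thread's captures
(7.1 and 7.14beta3 style) and is not the forum poster's own output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CHAINS = ("prerouting", "input", "forward", "output", "postrouting")

LINE_RE = re.compile(
    r"(?:firewall,info )?"                       # topic tag present in raw log lines
    r"(?:(?P<prefix>\S+) )?"                     # optional log-prefix, e.g. "drop"
    r"(?P<chain>" + "|".join(CHAINS) + r"): "
    r"in:(?P<iin>\(unknown \d+\)|\S+?) "
    r"out:(?P<out>\(unknown \d+\)|\S+?),"
)
ADDR_RE = re.compile(r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)")
UNKNOWN_RE = re.compile(r"\(unknown (\d+)\)")


@dataclass
class Record:
    chain: str
    prefix: Optional[str]
    in_iface: Optional[str]    # None when the log printed "(unknown 0)"
    out_iface: Optional[str]
    src: str
    dst: str

    def hidden_ifaces(self) -> List[str]:
        """Interfaces logged only by index: a firewall matcher cannot name them."""
        return [i for i in (self.in_iface, self.out_iface) if i and UNKNOWN_RE.fullmatch(i)]


def _iface(token: str) -> Optional[str]:
    # Assumption: "(unknown 0)" means "no interface in this direction"
    # (it is what prerouting/input show for out: and output shows for in:).
    return None if token == "(unknown 0)" else token


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.search(line)
    a = ADDR_RE.search(line)
    if not m or not a:
        return None
    return Record(m["chain"], m["prefix"], _iface(m["iin"]), _iface(m["out"]),
                  a["src"], a["dst"])


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def hidden_interfaces(records: List[Record]) -> Set[str]:
    """Every interface name of the form "(unknown N)" seen anywhere in the capture."""
    names: Set[str] = set()
    for r in records:
        names.update(r.hidden_ifaces())
    return names


def input_verdict(record: Record, allowed_in: str) -> str:
    """The first post's input chain: accept if in-interface matches, otherwise drop."""
    if record.chain != "input":
        raise ValueError("input_verdict only applies to input-chain records")
    return "accept" if record.in_iface == allowed_in else "drop"


def audit_input(records: List[Record], allowed_in: str) -> List[Tuple[Optional[str], str, bool]]:
    """(in-interface, verdict, dropped-because-hidden) for each input-chain packet."""
    out = []
    for r in records:
        if r.chain != "input":
            continue
        verdict = input_verdict(r, allowed_in)
        hidden = r.in_iface is not None and bool(UNKNOWN_RE.fullmatch(r.in_iface))
        out.append((r.in_iface, verdict, hidden))
    return out


def prerouting_passes(records: List[Record]) -> Dict[Tuple[str, str], int]:
    """How many times each src->dst flow traverses prerouting in the capture."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in records:
        if r.chain == "prerouting":
            counts[(r.src, r.dst)] = counts.get((r.src, r.dst), 0) + 1
    return counts


# Constructed samples modelled on the thread's 7.1 and 7.14beta3 captures.
LOG_7_1 = """\
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 22) out:guest, 192.168.82.123->192.168.82.1
"""
LOG_7_14 = """\
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:vrf-guest out:guest, 192.168.82.123->192.168.82.1
"""
# A raw-format line with the "drop" log-prefix, as in the first post (constructed).
RAW_DROP = ("firewall,info drop input: in:(unknown 22) out:(unknown 0), "
            "src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), "
            "192.168.82.1->192.168.82.123, len 50")

if __name__ == "__main__":
    for name, text in (("7.1", LOG_7_1), ("7.14beta3", LOG_7_14)):
        recs = parse_log(text)
        print(name, "hidden:", sorted(hidden_interfaces(recs)),
              "input:", audit_input(recs, "guest"),
              "prerouting passes:", prerouting_passes(recs))
```

Running it shows the asymmetry the thread is about: on the 7.1-style capture the only input-chain packet is dropped because its in-interface is "(unknown 22)", which no rule can name, while on the 7.14beta3-style capture the same packet is accepted and the VRF interface appears as "vrf-guest", so a rule could match on it.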

Interesting… thanks for sharing!

OT: (from an old post)

RouterOS version 7.14beta:
*) system - expose “lo” interface;