Hi guys,
I have a setup using interconnecting MikroTik routers over GRE tunnel interfaces secured with IPSec. Over these interfaces routes are being redistributed using OSPF. So far so good.
The management IP address, as well as the public IP addresses, are configured in the main routing table (no routing mark set). The tunnel interfaces and VLANs are assigned to the appropriate VRFs.
When I try to manage the routers, I notice that I cannot manage the routers on their management IP addresses if the routers in question are in the path of my connection. Even though the management interface is in the default VRF, and I am coming in through an interface belonging to another VRF, traffic is not routed through the next hop defined for that particular VRF, but is instead sent to the IP in the default routing table.
Using ping, I can see that I’m not routed through the VRF onto the next hop to reach the management network. Instead, the router responds directly to the ping as if it was in the same VRF.
For example, reaching another MikroTik which is not in the path, this is the output of mtr:
172.23.2.1 - 0 | 52 | 52 | 3 | 3 | 7 | 3 |
No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
172.29.12.65 - 0 | 52 | 52 | 10 | 10 | 17 | 11 |
172.29.21.119 - 0 | 52 | 52 | 9 | 14 | 43 | 12 |
172.30.126.33 - 3 | 48 | 47 | 0 | 13 | 34 | 12 |
10.250.7.170 - 0 | 52 | 52 | 13 | 18 | 39 | 14 |
And this is what happens when I try to reach another router which is in the path of my connectivity:
172.23.2.1 - 0 | 8 | 8 | 3 | 3 | 4 | 4 |
No response from host - 100 | 1 | 0 | 0 | 0 | 0 | 0 |
10.250.7.171 - 25 | 4 | 3 | 0 | 11 | 11 | 11 |
This traffic should follow the exact same path as the first MTR.
As a consequence, I am unable to manage the router in the path of connectivity, as traffic cannot get back to the source.
This is also a big problem, as the management IP belongs to a network that is also in the routing table for a particular VRF. Let's say that I’m trying to reach 10.250.7.171 via the green VRF; we expect to see another hop in the mtr output.
Is there any way I can fix this?
Thanks in advance!
Steven