I have multiple VRFs configured. One is an “internet transit” table that contains a default route to the internet. I have others that serve as security boundaries, namely a “user” VRF and a “mgmt” VRF.
I leak the default route from the internet transit VRF to the user and mgmt VRFs; I also leak the routes of the user and mgmt VRFs back to the internet transit table.
This keeps the user and mgmt VRFs separate from each other, but allows them a route to the internet and back.
The odd behavior I’m seeing is that IPv6 traffic that I expect to be caught by the forward chain is instead being caught by the output chain! Any traffic ingressing from the internet, like this:
internet transit VRF → user VRF
is actually caught by the output chain.
This doesn’t make sense to me; I’d expect that the output chain applies only to traffic originated by the router itself, not traffic that is forwarded from one VRF to another. Any ideas?
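One way to pin down which hook the inter-VRF IPv6 traffic actually traverses is to instrument both chains with `nftrace` and watch `nft monitor trace`. This is an added diagnostic ruleset, not configuration from the post above; the VRF device names `vrf-transit` and `vrf-user` are assumptions for illustration.

```nft
# Added diagnostic ruleset (assumed VRF device names: vrf-transit, vrf-user).
# Load with:  nft -f vrf-trace.nft
# Observe:    nft monitor trace
# Each trace line names the table and chain the packet hit, so a forwarded
# packet that shows up under "output" is visible rather than inferred.
table inet vrf_trace {
    chain forward {
        type filter hook forward priority -10; policy accept;
        # transit VRF -> user VRF, IPv6 only: mark the packet for tracing
        meta nfproto ipv6 iifname "vrf-transit" oifname "vrf-user" \
            meta nftrace set 1 counter comment "fwd transit->user"
    }
    chain output {
        type filter hook output priority -10; policy accept;
        # anything leaving via the user VRF from the local-out hook
        meta nfproto ipv6 oifname "vrf-user" \
            meta nftrace set 1 counter comment "out ->user"
    }
}
```

The counters (`nft list table inet vrf_trace`) show at a glance which chain the traffic is incrementing, and the trace output shows the full rule path per packet.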
