VRF Issues in RouterOS

Have any of you ever had issues with RouterOS looking in the main routing table for entries that are in a VRF?
E.g., after creating a BGP instance, specifying the routing table to use, and also having the interface in a VRF, when I try to bring up the peer, it gets stuck on connect. Logs reveal “there is no route to host”… meaning it's looking for the peer in the main routing table instead of in the VRF. This is a /30 address; I can ping the two routers over the VRF, but somehow BGP, though the VRF has been specified in the instance, still looks in the main routing table. :frowning:

Had a similar problem after changing the next-hop address of a route learnt via VPNv4 to be that of the tunnel interface on the other end of the VRF. The next-hop is added and exists in the VRF routing table, but RouterOS still tries to look for the next-hop in the main routing table instead of the VRF table.

All this works flawlessly on Cisco IOS :frowning:

This is a known limitation of VRF on RouterOS v6.

The router pretty much uses the main table for anything it generates from the control plane, regardless of VRF.
It would be nice to place the entire control plane into a VRF, but that’s just not doable with ROS.

(I wonder if a list of routing rules could be used to work around the issue - never tried it)

Ahh, I ended up having to use mangle rules in the output chain to fix this. Not ideal at all… but “it works”.
The mangle rule essentially says: anything destined for this IP, place in the VRF routing table.
Yes, ROS should know this by virtue of the interfaces being in a VRF, but it doesn’t :frowning:
Mikrotik, maybe add some lines of code that do this in the background for us and affect the output chain, i.e.…

if the routing protocol requires a TCP connection, e.g. BGP, and if the destination IP is in the same subnet as a directly connected interface/VLAN, and if the source IP is from the directly connected interface/VLAN, then set the routing mark to the VRF of the directly connected interface.

Remember, I see no problems using OSPF or RIP in a VRF, just when using BGP. Packet captures and interface torches confirm what Zero Byte suggests, but only with regards to BGP. OSPF works perfectly. However, we still cannot log in to a router via the VRF IP address… I lost access once in the most embarrassing way
This actually works, try it

You could also use the IP Route Rules option to tell the route to look up the destination in another routing table. This saves you from having to use the firewall mangle rules.

Example:

/ip route rule
add dst-address=10.188.120.2/32 table=DN42

Ahh nice, hadn’t thought of that, but I’m curious: what if you have overlapping subnets for which you are using VRFs to separate customer traffic… won’t the route rule result in some not-so-fun stuff?
In fact, I have never actually tried this on Mikrotik, considering VRFs are not completely logically separated as they are when using Cisco.
I wonder what the effect of having two VRFs with the same subnet would be…
Thanks Splash

You could use src-address in the route rule and specify the management IP of the router. That would be much less likely to overlap with any of the vpnv4 route tables.
Otherwise, I suppose a src-address rule in the output chain of the mangle table would be the most precise fix.

Thanks man … you saved ma day …
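
The two workarounds discussed in this thread, written out as RouterOS v6 configuration. This is an added example, not posted by any participant. The peer 10.188.120.2 and table DN42 come from the route rule above; the local address 10.188.120.1 is an assumed placeholder, and the src-address matches assume the BGP session is sourced from that address.

```routeros
# Added example for RouterOS v6. Use one option, not both.
# 10.188.120.2 and DN42 are from the thread; 10.188.120.1 is an assumed
# placeholder for the local side of the link.

# Option 1: route rule keyed on source AND destination, so another VRF that
# reuses the same destination subnet is not pulled into table DN42.
/ip route rule
add src-address=10.188.120.1/32 dst-address=10.188.120.2/32 \
    action=lookup table=DN42

# Option 2: mangle rules in the output chain (router-generated traffic only).
# Matching src-address plus BGP's TCP port 179 keeps the routing mark narrow.
/ip firewall mangle
add chain=output protocol=tcp dst-port=179 src-address=10.188.120.1 \
    dst-address=10.188.120.2 action=mark-routing new-routing-mark=DN42 \
    passthrough=no comment="BGP to VRF peer, session opened by this router"
add chain=output protocol=tcp src-port=179 src-address=10.188.120.1 \
    dst-address=10.188.120.2 action=mark-routing new-routing-mark=DN42 \
    passthrough=no comment="BGP to VRF peer, session opened by the peer"

# Check: the peer's route must exist in the VRF table, and the mangle
# counters should increase while the peer is trying to connect.
/ip route print where routing-mark=DN42
/ip firewall mangle print stats where chain=output
```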