I need help with a particular setup where one MT router CCR2004 needs to be connected with multiple switches where a local LAN is present with a fixed subnet. In specific there are many identical subnets (each in a dedicated VLAN) with the same overlapping IP subnet 192.168.1.0/24 - let’s call them the “devices (or dev) vlan”.
There are also several devices in each of the identical VLANs with the same IP address that cannot be modified. On top there is a service vlan (say 10.2.4.0/24) where my PC will be located that needs to access each individual VLAN with a distinct IP.
My understanding is that, to achieve a working setup, VRF must be used in order to isolate routing of each individual VLAN with overlapping IP. Then mangle should be used to allow traffic from service vlan to and back from each dev vlan. NAT should then do the trick of converting a public IP reachable from main table (where service vlan is located) to the dev vlan in each VRF.
So far I was able to emulate this scenario in a simple EVE-NG lab as follows:
In this example:
Router is a CHR with ROS 7.14.2
Main is the service PC, IP 10.2.4.10
PC30 is one of the device PC with IP 192.168.1.10 (VRF30)
PC40 is one of the device PC with IP 192.168.1.10 (VRF40)
I can get ping working from main PC to PC30 and PC40 if they are set on their “public IP” like 10.2.30.10 but cannot get it to translate if they are set to 192.168.1.10.
You are essentially creating two new routing tables called vrf30 and vrf40, to which - respectively - ether2 and ether3 belong.
So interfaces to set as gateway should be either:
ether2@vrf30 and ether3@vrf40
or
10.2.30.1@vrf30 and 10.2.40.1@vrf40
Or did you attribute (outside the posted configuration) the vrf30 and vrf40 names to the interfaces? If you have done that, maybe you could change the naming as to avoid possible confusion.
vrf30 and vrf40 put in the ip/route are indeed the vrf created in ip/vrf/add
Adding vrfXX instead of the interface like ether2 or 3 is a practice mentioned in the Mikrotik manual for “Static VRF-Lite Connected route leaking” (https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206). I could easily change the configuration but:
If I specify the interface like gateway=ether2@vrf30, it behaves in the exact same way and I can ping the un-NATed IP like 10.2.40.10 (if this IP is set on the VirtPC)
If I specify the gateway address I get an inactive route on main losing the intermediate gateway
Here’s an example:
[admin@MikroTik] > ip route/pr detail
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - >
H - hw-offloaded; + - ecmp
DAc dst-address=10.2.4.0/24 routing-table=main gateway=ether1
immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no
local-address=10.2.4.1%ether1
0 IsH dst-address=10.2.30.0/24 routing-table=main pref-src=""
gateway=10.2.30.1@vrf30 immediate-gw="" distance=1 scope=30
target-scope=10 suppress-hw-offload=no
1 As dst-address=10.2.40.0/24 routing-table=main pref-src=""
gateway=ether3@vrf40 immediate-gw=ether3 distance=1 scope=30
target-scope=10 suppress-hw-offload=no
DAc dst-address=10.2.40.0/24 routing-table=vrf40 gateway=ether3@vrf40
immediate-gw=ether3 distance=0 scope=10 suppress-hw-offload=no
local-address=10.2.40.1%ether3@vrf40
DAc dst-address=10.2.30.0/24 routing-table=vrf30 gateway=ether2@vrf30
immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no
local-address=10.2.30.1%ether2@vrf30
There is no way I can reach the VirtPCs on their native IP (i.e. 192.168.1.10), of course, after setting the VirtPCs to such an IP.
I’ve tried applying dstnat and srcnat based on connection marking but this still doesn’t work.
Here’s the latest setup which, as before, works only on “non overlapping” and does not work with address translation to the local native IP of the device:
IMHO Sob’s posts should be printed, framed and hung on the wall (or more simply collected in an index of some sort, easily findable/browsable) as they more often than not contain exceptionally useful info, very well explained.
As a general note/comment, from the very little experience with Mikrotik/RouterOS, almost anything can be done in more than one way, so - as you stated - it would be very useful to get other members opinions on the methods used and possibly suggested alternatives, but for now, if it works, it works.
You still have in mangle lines with:
in-interface=vrf30
in-interface=vrf40
in-interface=vrf50
I still believe that in your configuration an interface called vrf30, vrf40 or vrf50 does not exist, so that mangle rule may not be applied, but it is entirely possible that there is a sort of (implicit) “aliasing” going on in the RouterOS internals.
As for the vrf* interfaces: when you program it via terminal, the vrf* interface gets autocompleted with “tab” when set as an in-interface option. Thus ROS knows it - not sure why - and should consider it. With that rule, it wasn’t working.
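The approach laid out in the first post (one VRF per device VLAN, a leaked route in each direction, NAT between a per-VLAN alias subnet and the overlapping native subnet), written out for a single device VLAN as an added example; this is not the configuration posted in this thread or anything from the MikroTik manual. It assumes ether1 is the service VLAN (10.2.4.0/24), ether2 is the vrf30 device VLAN, the alias subnet for vrf30 is 10.2.30.0/24, and that a VRF's routing table can be selected with a routing mark from mangle; the key point it shows is that the table must be chosen while the packet still carries the alias address, because after dst-nat the 192.168.1.x destination is ambiguous in main.

```routeros
# Added example, not from the thread. Assumed layout:
#   ether1 = service VLAN, router address 10.2.4.1
#   ether2 = device VLAN in vrf30, router address 192.168.1.1
#   device 192.168.1.10 in vrf30 is reached from the service VLAN as 10.2.30.10
# Repeat the vrf30 / 10.2.30.0/24 / ether2 lines per device VLAN (vrf40, 10.2.40.0/24, ether3, ...).

/ip vrf
add name=vrf30 interfaces=ether2

/ip address
add address=10.2.4.1/24 interface=ether1
add address=192.168.1.1/24 interface=ether2

/ip route
# alias subnet resolves from main into the VRF (router-originated or unmarked traffic)
add dst-address=10.2.30.0/24 gateway=ether2@vrf30 routing-table=main
# replies from the device VLAN must find their way back to the service VLAN
add dst-address=10.2.4.0/24 gateway=ether1@main routing-table=vrf30

/ip firewall mangle
# prerouting mangle runs before dst-nat: pick the VRF table while the destination
# is still the unique alias 10.2.30.x, so the rewritten 192.168.1.x is looked up
# in vrf30 and not in main, where every device VLAN would collide
add chain=prerouting in-interface=ether1 dst-address=10.2.30.0/24 \
    action=mark-routing new-routing-mark=vrf30 passthrough=no

/ip firewall nat
# one-to-one on the last octet: 10.2.30.10 <-> 192.168.1.10
add chain=dstnat in-interface=ether1 dst-address=10.2.30.0/24 \
    action=netmap to-addresses=192.168.1.0/24
# devices usually have no route to 10.2.4.0/24 (their config cannot be changed),
# so hide the service PC behind the router's own address in that VLAN;
# connection tracking reverses both translations on the reply
add chain=srcnat out-interface=ether2 src-address=10.2.4.0/24 action=masquerade
```

Checking whether the mark took effect is a matter of watching the mangle rule's packet counter while pinging 10.2.30.10 from the service PC, and of confirming with "ip route print where routing-table=vrf30" that the leaked 10.2.4.0/24 route is active (A) rather than inactive (I) as in the listing above.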