VRF ROS 7.2

Hello,

I am only starting to scratch the surface of this subject.

What I have done:

On [Router]:

# apr/18/2022 12:29:37 by RouterOS 7.2.1
# software id = 
#
/interface ethernet
set [ find default-name=ether3 ] comment=ether3 disable-running-check=no name=ether1
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether1 ] comment=ether1 disable-running-check=no name=public
/disk
set sata1 disabled=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool_cust_b ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=ether1 name=dhcp1
add address-pool=dhcp_pool_cust_b disabled=yes interface=ether2 name=cust_b
/ip vrf
add interfaces=ether1 name=cust_a
add interfaces=ether2 name=cust_b
/port
set 0 name=serial0
/ip address
add address=172.16.1.2/24 interface=public network=172.16.1.0
add address=192.168.2.1/24 comment=cust_b interface=ether2 network=192.168.2.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add interface=public
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=0.0.0.0 gateway=192.168.2.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.1.254 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add gateway=172.16.1.254@main routing-table=cust_a
add gateway=172.16.1.254@main routing-table=cust_b
/system identity
set name=Router
/tool romon
set enabled=yes

On ether2 I have connected a MKT_cust_b:
ip: 192.168.2.10/24
def gw: 192.168.2.1

From MKT_cust_b I can ping/traceroute 192.168.2.1, but I cannot ping/traceroute to 172.16.1.2 or to 172.16.1.254.
From [Router] I can ping 172.16.1.254 or even traceroute using vrf_custb.

So the question is, what am I missing … so that in the end I will be able to traceroute from MKT_cust_b to 172.16.1.254?


Thx in advance!

I think you need some mangle rules to have that nat with vrf.

See: https://wiki.mikrotik.com/wiki/Manual:Internet_access_from_VRF_with_NAT

Best Regards,

Diego

Thx a lot, Diego,

I have seen this link, but it is difficult to “translate” from pre-ROS 7.x to ROS 7.2. I will try.

You need to ensure that replies from the internet can reach the correct VRFs.
You can do this by marking new connections originating from the customers and then marking routing based on that connection mark for incoming packets on the “public” interface.
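
The marking described in the last reply, written out against the export posted at the top of the thread. This is an added example, not part of any post: the connection-mark names cust_a_conn and cust_b_conn are chosen here, while the subnets, VRF names and the "public" interface are taken from the posted config.

```routeros
# Added example; cust_a_conn / cust_b_conn are names chosen here, not from the thread.
/ip firewall mangle
# Tag each new connection by the customer subnet it originates from.
add chain=prerouting action=mark-connection connection-state=new \
    src-address=192.168.1.0/24 new-connection-mark=cust_a_conn passthrough=no
add chain=prerouting action=mark-connection connection-state=new \
    src-address=192.168.2.0/24 new-connection-mark=cust_b_conn passthrough=no
# Replies arrive on "public" and would be looked up in the main table;
# steer them into the routing table of the VRF that owns the connection.
add chain=prerouting action=mark-routing in-interface=public \
    connection-mark=cust_a_conn new-routing-mark=cust_a
add chain=prerouting action=mark-routing in-interface=public \
    connection-mark=cust_b_conn new-routing-mark=cust_b
/ip firewall nat
# Assumption: the posted masquerade rule (which has no out-interface) is
# narrowed so only traffic leaving via "public" is translated.
set [find chain=srcnat action=masquerade] out-interface=public
```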