VRF suggestions

Dear fellow members,

I am currently struggling to steer my traffic and looking for some advice.
My current setup is an internet facing CCR2004 which is also the endpoint of several VPN tunnels and does DNAT as well.
After that I have placed a firewall for IDS, Layer7 inspection and such things.
Then there is a CCR2116 which does my interVLAN routing.

All three devices are connected via OSPF within the 0.0.0.0 area.

My intention is to have all VPN traffic bypass the firewall and go to CCR2116 directly. To do that I have a dedicated connection between CCR2004 and 2116 but as soon as this is up and running any traffic will go over this new connection including WAN traffic which should be directed via the firewall.

Currently I have set the interface costs to a higher value for traffic steering, but this also means that VPN traffic goes via the firewall.

So far I have also tried to set up VRFs, but as soon as I do that my CCR2004 is no longer reachable via CCR2116.
I can see that they exchange routes via OSPF but keep losing the connection - this process repeats forever.
On CCR2004 I can see that it would know each network twice - 1x via main table & 1x via vrf.


Unfortunately I do not know how to continue my journey to steer the traffic.

Also hi from AT.
To help the forum understand your setup better:

  • provide your configs (sanitized!) ( /export hide-sensitive file=somename )
  • a (schematic) network diagram of your setup also helps, if done properly, a lot

Servus!

I have attached my two configs (with the unnecessary stuff removed) and also the diagram.
Unbenanntes Diagramm.drawio.png
CCR2116.rsc (19.6 KB)
CCR2004.rsc (53.3 KB)

This would be my current layout

Hi,

My thought would be to use some routing rules at both ends.
(Though your environment looks complicated)

Assuming vlan502, 10.0.3.0/30 is your direct path.

For wg_roadwarrior

On the 2004 Something like:

/routing rule
add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 src-address=10.0.81.0/24 table=direct2116

Not sure how this (min-prefix=0) behaves with routes that can change...
You might need a few rules that cover all local networks :(

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.3.2 routing-table=direct2116 suppress-hw-offload=no

Maybe need something like vlan502%10.0.3.2 for endpoint??

On the 2116

/routing rule
add action=lookup disabled=no dst-address=10.0.81.0/24 table=direct2004

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.3.1 routing-table=direct2004 suppress-hw-offload=no

An ordinary static route should be fine on the 2116 end.

/ip route
add disabled=no dst-address=10.0.81.0/24 gateway=10.0.3.1 routing-table=main suppress-hw-offload=no

Thanks @rplant for your suggestion.
So the only way to do that would be to use some static routes?

Isn’t there any chance to get this working via dynamic routing protocols?

Sorry, I don’t know.

You can probably add a ping check to the 2 static routes, so if that link fails, it will fall back to dynamic routing.
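As an added example (not from any poster in this thread), this is how the two static routes from the suggestion above can be given the ping check just mentioned, so that the firewall bypass for 10.0.81.0/24 falls back to the OSPF-learned path when the direct vlan502 link (assumed 10.0.3.1 on the CCR2004, 10.0.3.2 on the CCR2116) dies. It leaves out min-prefix, whose behaviour the earlier post already flags as uncertain, and steers both directions so the stateful firewall never sees only one half of a flow.

```routeros
# --- CCR2004 ---------------------------------------------------------------
# RouterOS v7 needs the extra routing table declared before routes can use it.
/routing table
add name=direct2116 fib

# Default route in the side table; check-gateway=ping marks it inactive when
# 10.0.3.2 (assumed CCR2116 end of vlan502) stops answering.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.3.2 routing-table=direct2116 \
    check-gateway=ping comment="direct link to CCR2116, bypasses firewall"

# action=lookup (not lookup-only-in-table): when direct2116 has no active
# route, the lookup falls through to main, where OSPF still knows the path.
/routing rule
add src-address=10.0.81.0/24 action=lookup table=direct2116 \
    comment="wg_roadwarrior -> CCR2116 directly"

# --- CCR2116 ---------------------------------------------------------------
# Return path: static distance 1 beats the OSPF route (default distance 110)
# while 10.0.3.1 (assumed CCR2004 end) answers pings; once it fails, the OSPF
# route via the firewall becomes the active one again.
/ip route
add dst-address=10.0.81.0/24 gateway=10.0.3.1 distance=1 check-gateway=ping \
    comment="return path to wg_roadwarrior over the direct link"
```

Check the result with `/ip route print where dst-address=10.0.81.0/24` on the 2116 and `/routing rule print` on the 2004 before and after disabling vlan502; the static entries should lose their active flag and the OSPF entries take over.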