Which services/features of Mikrotik (RouterOS) still lacks VRF-support?

Apachez · July 4, 2024, 3:08pm

Looking through the list over at https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328206 I have currently located these services as missing proper VRF-support, that is when you for example create a VRF such as “VRF-MGMT” and expect the service to only exist at VRF-MGMT rather than the default main VRF:

/ip/dns is missing proper VRF-support. Changelog claims feature were added in 7.15 stable but its malfunctioning.
Remote logging through “/system logging action set 3 remote=192.0.2.1” is not VRF-aware which means if you want your Mikrotik to be able to send remote syslog on MGMT the MGMT interface must be placed in VRF=main.
/ip/service FTP is still missing VRF-capabilities. Workaround here if you need to upload/download files to/from your Mikrotik device over VRF-MGMT is to use scp (and have /ip/service SSH enabled).

Workaround for all above is to utilize VRF=main as your MGMT VRF but that is just wrong:

https://xkcd.com/386/

Anyone who knows if Mikrotik is working on the above features to become VRF-aware or do you know other services that is lacking proper VRF-support today?

Edit:

NTP-client doesnt work with FQDN due to the malfunctioning VRF-support of /ip/dns service. Workaround is to use IP-address instead of FQDN when defining upstream NTP-server to timesync against.

Edit2:

L3HW offloading cannot be used along with VRF. Only the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloading=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.

jaclaz · July 4, 2024, 5:05pm

Only as a note, since dns is not working, also NTP is a problem, as you need DNS resolving to use servers such as pool.ntp.org.

Apachez · July 4, 2024, 10:05pm

Thanks, added it to the original post.

chechito · July 4, 2024, 10:28pm

L3 Hardware Offloading

L3HW Feature Support

VRF N/A Only the main routing table gets offloaded. If VRF is used together with L3HW and packets arrive on a switch port with l3-hw-offloading=yes, packets can be incorrectly routed through the main routing table. To avoid this, disable L3HW on needed switch ports or use ACL rules to redirect specific traffic to the CPU.

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWFeatureSupport

Apachez · July 4, 2024, 10:38pm

Shouldnt this be safe if you run your Mikrotiks in MLAG pairs since that will have L3HW offloading disabled aswell?

But yeah seems like another bad behaviour of Mikrotik RouterOS when you want to utilize VRFs.

jaclaz · July 5, 2024, 8:39am

Ah, before I forget, for the same reason (DNS not working) I couldn’t update the RoS from a internet connected VRF and had to go through “main” (that was on 7.12.1, but if things have not changed (yet) with 7.15.x, the issue should remain the same.

Apachez · July 5, 2024, 7:02pm

Yes, that seems related to the broken VRF-support of /ip/dns.

Since the box cannot resolve the IP of the update server it fails to fetch any changelog and therefor any firmwares which must be uploaded manually instead.