lamaral
just joined
Topic Author
Posts: 3
Joined: Fri Jul 23, 2021 1:14 am

VRF traffic isolation

Fri Jul 23, 2021 1:26 am

Hello guys,

I am trying to set up a VRF on my RB750gr3 (7.1beta6) to isolate tunneled traffic from the underlay of the tunnel.

What I did so far is:
/ip vrf
add list=VRF name=vrf

/interface list
add name=WAN
add name=VRF
/interface list member
add interface=vlan178 list=WAN
add interface=vlan10 list=VRF
add interface=vlan202 list=VRF
add interface=lo list=VRF
add interface=gre6-tunnel1 list=VRF
The tunnel works and from the router on the other side of the tunnel I can ping the address on lo just fine.

The problem is that from that same router on the other side of the tunnel, I can also reach addresses on the subnet associated with vlan178. I expected that it would be impossible to reach anything behind vlan178, as the interface is not part of the VRF, but that turned out not to be true.

When checking my route entries, they seem to be in the correct VRF/table:
[admin@MikroTik] > /ip/route/print 
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, o - OSPF, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
  #        DST-ADDRESS        GATEWAY                           DIS
  0   As   0.0.0.0/0          192.168.178.1                     100
     DAc   192.168.178.0/24   vlan178                             0
     DAc   44.xxx.xxx.22/32   lo@vrf1                             0
     DAc   44.xxx.xxx.232/30  gre6-tunnel1@vrf1                   0

I have also tried setting policy routing to force a lookup only on the vrf1 table, but that didn't change anything.
[admin@MikroTik] > /routing/rule/export
/routing rule
add action=lookup-only-in-table disabled=no interface=gre6-tunnel1 src-address=/0 table=vrf1
add action=lookup-only-in-table disabled=no interface=gre6-tunnel1 src-address=0.0.0.0/0 table=vrf1

Am I doing something wrong, are VRFs broken on ROSv7 or is this expected behavior?

Thanks,
Luiz
 
aglabs
newbie
Posts: 39
Joined: Mon Dec 28, 2020 1:05 am

Re: VRF traffic isolation

Sun Jul 25, 2021 8:28 am

I was going to make a post myself on this until I saw this thread. I seem to be in the same boat. The local IPs configured on the device are all pingable regardless of which VRF the endpoint is in and which VRF the interface IP is in. Worth noting: in my experience nothing routes past the interface IP address of the router, i.e. a VRF-a endpoint on 192.168.1.1/24 can ping the VRF-b SVI 172.16.1.1, but not a server on that subnet such as 172.16.1.10. Nevertheless, it is still a bit odd that all of the router's local IP addresses are accessible regardless of VRF membership.

Behavior seems to be consistent across a few models I've personally tested (CSR2004, RB4011, and a few others).
 
verbylab
newbie
Posts: 35
Joined: Sat Jun 26, 2021 4:30 pm

Re: VRF traffic isolation

Mon Jul 26, 2021 11:51 pm

Same experience here. All of the router's IP addresses are pingable from all my VRFs/VLANs (using v7.1beta6).
 
dragon2611
Member Candidate
Posts: 179
Joined: Fri Sep 25, 2009 12:06 am

Re: VRF traffic isolation

Tue Jul 27, 2021 8:37 pm

I suspect VRF is broken in 7.1b5 and 7.1b6. I ended up using routing tables and then routing rules to achieve a similar effect, but VRF would be a lot cleaner.
 
rplant
Member Candidate
Posts: 282
Joined: Fri Sep 29, 2017 11:42 am

Re: VRF traffic isolation

Thu Jul 29, 2021 2:58 am

From memory, VRF in MikroTik is a special form of policy routing.
Once you have hit the router, and the IP address is on the router, there is kind of no routing involved.
When I used it (a while ago now), v6 also responded when hitting any router IP address on a VRF interface.
I imagine you could add firewall rules to block this traffic.
A bit difficult if you (as a device) want to talk via the VRF to another device that has the same IP address as one of the router's IP addresses, though.
 
lamaral
just joined
Topic Author
Posts: 3
Joined: Fri Jul 23, 2021 1:14 am

Re: VRF traffic isolation

Fri Aug 27, 2021 6:33 pm

So an update on this:
I did the same setup on Linux and hit the same issue of being able to reach other addresses on the same host that do not belong to the VRF.
Then, after checking "ip ru li", I had a sudden realization:
# ip ru li
0:	from all lookup local
1000:	from all lookup [l3mdev-table]
32766:	from all lookup main
32767:	from all lookup default
The lookup local rule is before the l3mdev-table, which looks up local routes before the actual VRF.

Then I did
# ip rule add prio 32765 from all lookup local
# ip rule del prio 0
and problem solved.

On MikroTik, that doesn't seem to be something that can be changed. And there is still the problem of the VRFs just being completely ignored anyway.
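The rule-order mechanism described in the last post, modelled in Python as an added example (not code from the thread, from Linux or from MikroTik). The addresses and table contents are constructed stand-ins for the masked ones above, and the vrf1 table is given an unreachable default route so that a miss in it does not fall through to main.

```python
# Added model of Linux policy-routing rule evaluation (constructed example).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

L3MDEV = "[l3mdev-table]"  # the rule that redirects a VRF packet to its own table

@dataclass
class Route:
    prefix: str   # destination prefix
    action: str   # "local" (deliver here), "via" (forward), "unreachable"

@dataclass
class Rule:
    prio: int
    table: str    # table name, or L3MDEV

# Constructed FIB: the global local table holds the address of the non-VRF
# underlay interface; addresses on VRF-enslaved interfaces live in the VRF table.
TABLES = {
    "local": [Route("192.168.178.2/32", "local")],          # router's vlan178 address
    "main": [Route("192.168.178.0/24", "via"), Route("0.0.0.0/0", "via")],
    "vrf1": [Route("192.0.2.22/32", "local"),               # stand-in for lo@vrf1
             Route("192.0.2.232/30", "via"),                 # stand-in for the tunnel /30
             Route("0.0.0.0/0", "unreachable")],             # stop fall-through to main
    "default": [],
}
STOCK_RULES = [Rule(0, "local"), Rule(1000, L3MDEV), Rule(32766, "main"), Rule(32767, "default")]
FIXED_RULES = [Rule(1000, L3MDEV), Rule(32765, "local"), Rule(32766, "main"), Rule(32767, "default")]

def fib_lookup(routes, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    hits = [r for r in routes if ip_address(dst) in ip_network(r.prefix)]
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

def route(rules, dst, in_vrf=None):
    """Evaluate rules by priority; the first table that yields a match decides.
    The l3mdev rule applies only to packets bound to a VRF device and sends the
    lookup to that VRF's table; any other packet skips it."""
    for rule in sorted(rules, key=lambda r: r.prio):
        table = in_vrf if rule.table == L3MDEV else rule.table
        if table is None:
            continue
        hit = fib_lookup(TABLES[table], dst)
        if hit is not None:
            return table, hit.action
    return None, "unreachable"

if __name__ == "__main__":
    # A packet arriving over the tunnel (vrf1) aimed at the underlay address:
    print(route(STOCK_RULES, "192.168.178.2", "vrf1"))  # ('local', 'local') -> leak
    print(route(FIXED_RULES, "192.168.178.2", "vrf1"))  # ('vrf1', 'unreachable')
    print(route(FIXED_RULES, "192.0.2.22", "vrf1"))     # ('vrf1', 'local')
```

With the local lookup at priority 0 the router answers for every one of its addresses before the VRF is consulted; moving it behind the l3mdev rule makes the VRF table decide first, which is what the `ip rule` change above achieves.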
