Community discussions

 
markmcn
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Mar 03, 2010 2:15 am

PPPoE & VRF

Wed Mar 02, 2016 6:22 pm

I'm planning on running multiple PPPoE connections from a RB to the same provider.
I wondering does router os support putting PPPoE client interfaces into a VRF?

Thanks in advance
Mark
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: PPPoE & VRF

Wed Mar 02, 2016 10:10 pm

Since the client creates an interface, you should be able to add that interface to a VRF.

Mikrotik doesn't support automatically adding pppoe clients to a vrf when the Mikrotik is the PPPoE server, though.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
User avatar
floaty
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: PPPoE & VRF

Thu Nov 01, 2018 3:08 pm

Yepp, were still waiting for a mikrotik radius-attribute like 'mikrotik-user-vrf' ...
Till santa puts that under the tree, we can try with these humble scripts I've tweaked.
Made these with open-vpn, but it should also work with other ppp-based stuff

To get it work you will need a couple helper files and config-snippets in your box.
The VRF and the static-interface/s you try to dial to, must be preconfigured.
The scripts grab a radius-realm from the username. So radius-realmname=vrf-name ...

"fury@ponnyhof" will dial to vrf 'ponnyhof'
"fury@mezgerei" will dial to vrf 'mezgerei'

### it is presumed that fury has access-rights to both realms on your radiusd ###

ppp-up
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
:local actualVrfIfs [/file get ($calledRealm."Members") contents] ;
:local actualExistentIfs [:pick $actualVrfIfs ([:find $actualVrfIfs "interfaces=" ]+11) ([:find $actualVrfIfs "route-distinguisher=" ]-1)]
/ip route vrf set $vrfId interfaces="$actualExistentIfs,$interfaceName"
:log info "$user (srcIp=$callerId, dstIp=$calledId) connected: was given $remoteAddr IP (GW $localAddr) and assigned to $interfaceName interface in VRF $calledRealm"
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
...
ppp-down
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
/ip route vrf print terse file=($calledRealm."CleanUpMembers") where routing-mark=$calledRealm
:local cleanUpVrfIfs [/file get ($calledRealm."CleanUpMembers") contents] ;
:local lenInterfaceName [:len $interfaceName]
:local cleanUpExistentIfs ([:pick $cleanUpVrfIfs ([:find $cleanUpVrfIfs "interfaces=" ]+11) ([:find $cleanUpVrfIfs (",".$interfaceName) ] +0)]. \
[:pick $cleanUpVrfIfs ([:find $cleanUpVrfIfs $interfaceName ] + $lenInterfaceName) ([:find $cleanUpVrfIfs "route-distinguisher=" ]-1)])
:put $cleanUpExistentIfs
:put $lenInterfaceName
/ip route vrf set $vrfId interfaces="$cleanUpExistentIfs"
/file set ($calledRealm."CleanUpMembers") contents=""
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
...
Guess a global scheduled cleanup-script would also be usefull, to eleminate abandoned interfaces from failed log-on's and log-off's and 'poisoned' 'lock-file' content.
I'm not really the son of scripting-man ... so enhancements, opinions and testresults are highly appretiated.

######
some log-stuff:

[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
13:18:00 echo: ovpn,info TCP connection established from 192.168.67.92
[admin@CHR_v6432] > 
13:18:01 echo: ovpn,info : using encoding - AES-256-CBC/SHA1
13:18:01 echo: ovpn,info,account fury-0@ponnyhof logged in, 172.23.24.19
[admin@CHR_v6432] > 
13:18:01 echo: ovpn,info <ovpn-fury-0@ponnyhof>: connected
13:18:01 echo: system,info vrf ponnyhof changed
13:18:01 echo: script,info fury-0@ponnyhof (srcIp=192.168.67.92, dstIp=192.168.67.152) connected: was given 172.23.24.19 IP (GW 172.23.24.4) and assigned to <ovpn-fury-0@ponnyhof> interface in VRF ponnyhof
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse                                                                     
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666,<ovpn-fury-0@ponnyhof> route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667 route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
13:18:49 echo: ovpn,info <ovpn-fury-0@ponnyhof>: terminating... - peer disconnected
13:18:49 echo: system,info vrf ponnyhof changed
[admin@CHR_v6432] > 
13:18:50 echo: ovpn,info,account fury-0@ponnyhof logged out, 49 10783 16 65 1
13:18:50 echo: ovpn,info <ovpn-fury-0@ponnyhof>: disconnected
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
13:20:16 echo: ovpn,info TCP connection established from 192.168.67.92
[admin@CHR_v6432] > 
13:20:17 echo: ovpn,info : using encoding - AES-256-CBC/SHA1
13:20:17 echo: ovpn,info,account fury-0@metzgerei logged in, 172.23.24.29
13:20:17 echo: ovpn,info <ovpn-fury-0@metzgerei>: connected
13:20:17 echo: system,info vrf metzgerei changed
13:20:17 echo: script,info fury-0@metzgerei (srcIp=192.168.67.92, dstIp=192.168.67.152) connected: was given 172.23.24.29 IP (GW 172.23.24.3) and assigned to <ovpn-fury-0@metzgerei> interface in VRF metzgerei
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse                                                                     
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666 route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667,<ovpn-fury-0@metzgerei> route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] > 
13:20:50 echo: ovpn,info <ovpn-fury-0@metzgerei>: terminating... - peer disconnected
13:20:50 echo: ovpn,info,account fury-0@metzgerei logged out, 33 10165 16 53 1
13:20:50 echo: ovpn,info <ovpn-fury-0@metzgerei>: disconnected
13:20:50 echo: system,info vrf metzgerei changed
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
13:21:54 echo: ovpn,info TCP connection established from 192.168.100.120
13:21:55 echo: ovpn,info : using encoding - AES-256-CBC/SHA1
13:21:55 echo: ovpn,info,account fury-1@ponnyhof logged in, 172.23.24.19
[admin@CHR_v6432] > 
13:21:55 echo: ovpn,info <ovpn-fury-1@ponnyhof>: connected
13:21:55 echo: system,info vrf ponnyhof changed
13:21:55 echo: script,info fury-1@ponnyhof (srcIp=192.168.100.120, dstIp=192.168.67.152) connected: was given 172.23.24.19 IP (GW 172.23.24.6) and assigned to <ovpn-fury-1@ponnyhof> interface in VRF ponnyhof
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse                                                                     
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666,<ovpn-fury-1@ponnyhof> route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667 route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] > 
13:22:35 echo: ovpn,info TCP connection established from 192.168.67.92
[admin@CHR_v6432] > 
13:22:37 echo: ovpn,info : using encoding - AES-256-CBC/SHA1
13:22:37 echo: ovpn,info,account fury-0@ponnyhof logged in, 172.23.24.18
13:22:37 echo: ovpn,info <ovpn-fury-0@ponnyhof>: connected
13:22:37 echo: system,info vrf ponnyhof changed
13:22:37 echo: script,info fury-0@ponnyhof (srcIp=192.168.67.92, dstIp=192.168.67.152) connected: was given 172.23.24.18 IP (GW 172.23.24.4) and assigned to <ovpn-fury-0@ponnyhof> interface in VRF ponnyhof
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse                                                                     
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666,<ovpn-fury-1@ponnyhof>,<ovpn-fury-0@ponnyhof> route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667 route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] > 
13:23:08 echo: ovpn,info <ovpn-fury-1@ponnyhof>: terminating... - peer disconnected
13:23:08 echo: system,info vrf ponnyhof changed
[admin@CHR_v6432] > 
13:23:09 echo: ovpn,info,account fury-1@ponnyhof logged out, 74 3928 32 55 2
[admin@CHR_v6432] > 
13:23:09 echo: ovpn,info <ovpn-fury-1@ponnyhof>: disconnected
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse                                                                     
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666,<ovpn-fury-0@ponnyhof> route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667 route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] > 
13:23:25 echo: ovpn,info <ovpn-fury-0@ponnyhof>: terminating... - peer disconnected
13:23:25 echo: ovpn,info,account fury-0@ponnyhof logged out, 48 10160 16 53 1
13:23:25 echo: ovpn,info <ovpn-fury-0@ponnyhof>: disconnected
13:23:25 echo: system,info vrf ponnyhof changed
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > 
[admin@CHR_v6432] > /ip route vrf print terse
 0   comment=ponnyhof routing-mark=ponnyhof interfaces=vlan666 route-distinguisher=1.1.1.6:66 
 1   comment=metzgerei routing-mark=metzgerei interfaces=vlan667 route-distinguisher=1.1.1.7:67 
 2   comment=neue routing-mark=neue interfaces="" 

[admin@CHR_v6432] >
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
User avatar
floaty
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: PPPoE & VRF

Sat Nov 03, 2018 2:23 pm

Testing with pppoe was not so golden ... the session-setup and close in pppoe is to fast to grab the named interface-name.
Figured that it's better to put a delay before reading the interface-name on a ppp-down-event and then to kill the whole shebang in the name of the zombie.
If you wanna use pppoe you should give a PADO-delay (around 1sec) for session-initiation, so grandpa is able to step into his scuffs.
The updatet ppp-down script works (for me) also with open-vpn, l2tp and sstp, mixed use is possible (had to copy the ppp-profile ... when I've used the same profile for different services I got quirky results).
.
ppp-down:
:local localAddr $"local-address"
:local remoteAddr $"remote-address"
:local callerId $"caller-id"
:local calledId $"called-id"
:local interfaceName [/interface get $interface name]
:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local vrfId [/ip route vrf find where routing-mark=$calledRealm]
:delay 2
/ip route vrf print terse file=($calledRealm."CleanUpMembersSec") where routing-mark=$calledRealm
:local cleanUpVrfIfsSec [/file get ($calledRealm."CleanUpMembersSec") contents] ;
:local cleanUpExistentIfsSec ([:pick $cleanUpVrfIfsSec ([:find $cleanUpVrfIfsSec "interfaces=" ]+11) ([:find $cleanUpVrfIfsSec F00 ] -2)]. \
[:pick $cleanUpVrfIfsSec ([:find $cleanUpVrfIfsSec F00 ] + 6) ([:find $cleanUpVrfIfsSec "route-distinguisher=" ]-1)])
:put $cleanUpExistentIfsSec
/ip route vrf set $vrfId interfaces="$cleanUpExistentIfsSec"
/file set ($calledRealm."CleanUpMembersSec") contents=""
/file set ($calledRealm."Members") contents=""
/ip route vrf print terse file=($calledRealm."Members") where routing-mark=$calledRealm
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
User avatar
floaty
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: PPPoE & VRF

Mon Nov 05, 2018 7:30 pm

Just learned, that the radius-attribute "Mikrotik-Group" is 'ppp-aware'.
So ... it seems Santa stays frosty up in Lappland this year, because you can (if you want) realize a radius-based VRF-selection with "Mikrotik-Group".
You have to skip the user-decidable realm-selection in the ppp-up/down scripts and then define the realm-(vrf-)name static in there.
Copy a profile for every VRF and adjust the realm-(vrf-)name -> ppp-profile-name corresponds with the radius-configured Mikrotik-Group attribute.
On your favorite radiusd configure the respective users with their respective "Mikrotik-Group"-attribute ( ... and all other things you need ... fw-chain-selector, specific address-pool) ... dun!
.
user-attributes ... or respective user-profile your favorite radiusd selects on basis of a wise policy for that user:
 	Type				Name						Value	 	
1.	Radius:IETF			Termination-Action			=	RADIUS-Request (1)	
2.	Radius:Mikrotik			Mikrotik-Group				=	metzgerei	
3.	Radius:IETF			Framed-Pool				=	metzgerei-pool	
4.	Radius:IETF			Filter-Id				=	metzgerei-in.in	
5.	Click to add...	 	 	
.
.
comment out the realm-picker in ppp-up & -down and define the realm static
#:local calledRealm [:pick $user ([:find $user "@" ]+1) 60]
:local calledRealm metzgerei
.
If you plan to use the radius-based profile-selection, it should be possible to use a global variable to store the currently used interfaces in ppp-up & -down, because there's no need of a variable named reminder-space any longer and you can get rid of the helper-files.
~~
We know what happens to people who stay in the middle of the road. They get run over.

Who is online

Users browsing this forum: No registered users and 15 guests