SplitHorizon
just joined
Topic Author
Posts: 11
Joined: Tue Feb 09, 2016 10:56 am

VRF Issues in RouterOS

Thu Apr 28, 2016 2:42 pm

Have any of you ever had issues with RouterOS looking in the main routing table for entries that are in a VRF?
E.g. after creating a BGP instance and specifying the routing table to use, and also having the interface in a VRF, when I try to bring up the peer, it gets stuck on connect. Logs reveal "there is no route to host"... meaning it's looking for the peer in the main routing table instead of in the VRF. This is a /30 address; I can ping the two routers over the VRF, but somehow BGP, though the VRF has been specified in the instance, still looks in the main routing table. :(

Had a similar problem after changing the next-hop address of a route learnt via VPNv4 to be that of the tunnel interface on the other end of the VRF. Next-hop is added and exists in the VRF routing table, but RouterOS still tries to look for the nexthop in the main routing table instead of the VRF table.

All this works flawlessly on Cisco IOS :(
 
pe1chl
Forum Guru
Posts: 5923
Joined: Mon Jun 08, 2015 12:09 pm

Re: VRF Issues in RouterOS

Thu Apr 28, 2016 9:12 pm

This is a known limitation of VRF on RouterOS v6
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VRF Issues in RouterOS

Thu Apr 28, 2016 9:17 pm

The router pretty much uses the main table for anything it generates from the control plane, regardless of vrf.
It would be nice to place the entire control plane into a VRF, but that's just not doable with ROS.

(I wonder if a list of routing rules could be used to work around the issue - never tried it)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
SplitHorizon
just joined
Topic Author
Posts: 11
Joined: Tue Feb 09, 2016 10:56 am

Re: VRF Issues in RouterOS

Wed Oct 12, 2016 7:51 pm

> The router pretty much uses the main table for anything it generates from the control plane, regardless of vrf.
> It would be nice to place the entire control plane into a VRF, but that's just not doable with ROS.
>
> (I wonder if a list of routing rules could be used to work around the issue - never tried it)

Ahh, I ended up having to use mangle rules in the output chain to fix this. Not ideal at all... but "it works".
The mangle rule essentially says: anything destined for this IP, place in the VRF routing table.
Yes, ROS should know this by virtue of the interfaces being in a VRF, but it doesn't :(
Mikrotik, maybe add some lines of code that do this in the background for us that affect the output chain, i.e...

*if the routing protocol requires a TCP connection e.g. BGP, and if the destination IP is in the same subnet as a directly connected interface/VLAN and if the source IP is from the directly connected interface/VLAN, then set the routing mark to the VRF of the directly connected interface*

Remember, I see no problems using OSPF or RIP in a VRF, just when using BGP. Packet captures and interface Torches confirm what ZeroByte suggests, but only with regard to BGP. OSPF works perfectly. However, we still cannot log in to a router via the VRF IP address... I lost access once in the most embarrassing way.
This actually works, try it
 
Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: VRF Issues in RouterOS

Thu Oct 13, 2016 11:25 am

You could also use the IP Route Rules option to tell the route to look up the destination in another routing table. This saves you from having to use the firewall mangle rules.

Example:
/ip route rule
add dst-address=10.188.120.2/32 table=DN42
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
SplitHorizon
just joined
Topic Author
Posts: 11
Joined: Tue Feb 09, 2016 10:56 am

Re: VRF Issues in RouterOS

Thu Oct 13, 2016 5:42 pm

> You could also use the IP Route Rules option to tell the route to look up the destination in another routing table. This saves you from having to use the firewall mangle rules.
>
> Example:
> /ip route rule
> add dst-address=10.188.120.2/32 table=DN42

Ahh nice, hadn't thought of that, but I'm curious: what if you have overlapping subnets for which you are using VRFs to separate customer traffic... won't the route rule result in some not so fun stuff?
In fact, I have never actually tried this on Mikrotik, considering VRFs are not completely logically separated as they are when using Cisco.
I wonder what the effect of having two VRFs with the same subnet would be...
Thanks Splash
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VRF Issues in RouterOS

Thu Oct 13, 2016 6:20 pm

You could use src-address in the route rule and specify the management IP of the router. That would be much less likely to overlap with any of the vpnv4 route tables.
Otherwise, I suppose a src-address rule in the output chain of the mangle table would be the most precise fix.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
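
The two workarounds discussed in this thread, written out as RouterOS v6 configuration. This is an added example, not any poster's actual configuration: the routing table name CUST-A and the 192.0.2.x addresses are constructed placeholders, and the src-address route rule is the suggestion from the last post, which the thread does not report as tested.

```routeros
# Constructed values: VRF routing table CUST-A, local /30 address 192.0.2.1,
# BGP peer 192.0.2.2 on the same /30 inside the VRF.

# Workaround 1 (mangle, output chain): mark router-originated BGP traffic to
# the peer so the route lookup happens in the VRF table instead of main.
/ip firewall mangle
add chain=output protocol=tcp dst-address=192.0.2.2 dst-port=179 \
    action=mark-routing new-routing-mark=CUST-A passthrough=no \
    comment="BGP to VRF peer, session opened by this router"
add chain=output protocol=tcp dst-address=192.0.2.2 src-port=179 \
    action=mark-routing new-routing-mark=CUST-A passthrough=no \
    comment="BGP to VRF peer, session opened by the peer"

# Workaround 2 (route rule): key the rule on the router's own address in the
# VRF rather than on the destination. A dst-address rule would also catch
# traffic to the same prefix in another VRF when customer subnets overlap;
# a rule on the local source address is less likely to overlap.
# It only matches when the session is sourced from this address.
/ip route rule
add src-address=192.0.2.1/32 action=lookup table=CUST-A \
    comment="traffic from the local VRF address uses the VRF table"
```

Use one workaround or the other, not both, and narrow the match (protocol, port, a single /32) so that no other router-generated traffic is steered into a customer table.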
