RouterOS side-carring traffic

Sun Feb 10, 2019 8:01 pm

Here's a weird one for the day folks....

I've got a couple of MT machines -- one is the trusty RB1100AH that needs to be replaced soon. (That's going to a young person who wants to learn this stuff...) The other is a VM instance of a CHR. I've even convinced a hard-core ASAer to look at Mikrotik. (Cisco licenses usually do that.) Still, there are some things we just can't do easily with Router OS. For example, we want a ZeroTier bridge and/or a VXLAN. Sometimes we need VTI(4,6) interfaces. And of course, there are all of the side-car needs like OpenFlow, IDS, IPS etc. I looked at other Linux alternatives but Linux and its firewall stack are in flux right now -- do we stick with iptables, nftables, eBPF? Then I wondered if this would work -- at least on the CHS instance.

Can I either set up the VM's CHS instance (I'd have to expose VT-features) or use an X86 instance on real hardware, and have RouterOS serve as the "edge router" front end. It takes in the packet and uses KVM to "side-car" certain traffic off-to, or in-from, another Linux instance that does what RouterOS can't do. The traffic then flows back over the software virtual interface (either VMWare's or RouterOS's virtual interface) and back into RouterOS which does its normal stuff with it. We did something similar to this on a large cellular packet gateway -- traffic would flow in, get diverted to the side-car interface for special treatment, and flow back and then out.

I can see things like:

* Sending traffic through an IDS/IPS
* Handling ZeroTier or VXLANs
* VTIs
* Handling OpenVPN better than RouterOS does

This has the advantages of:
* The router does its job as an edge router. It doesn't have to worry about traffic grooming
* The various grooming services don't see the router -- we can change them without touching the router
* Adding services is easy because we just add another service to the sidecar virtual switch

Something like this:

---- Internet --- RouterOS ---- Internal
                  |       |       |   |
               IDS  IPS  Tunnels

The tricks would be:
* RouterOS has to sometimes virtual-route layer-2, not just layer-3. We may want to process frames
* If on a VM, can I expose VT so KVM doesn't get upset, or just let VMWare handle it all
* We are, of course, transiting frames around a loop quite a bit

Any thoughts? I can see an ESXI VM for it. NOTE: Can someone update that old CHS image -- VMWare hasn't used that for a very long time.
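The layer-3 version of this diversion can be expressed in RouterOS v6 with a routing mark and a dedicated route, shown here as an added example that is not part of the original post or MikroTik's documentation; the interface names, addresses, the two-link layout and the assumption that the sidecar VM forwards (without NAT) between those links are all mine, and the comments flag the loop and fasttrack pitfalls a practitioner would check.

```routeros
# Added example (not from the original post). Assumed layout:
#   ether1 = Internet uplink, ether2 = internal LAN (192.168.10.0/24)
#   ether5 = 10.99.0.0/30 link TO the sidecar, ether6 = 10.99.1.0/30 link FROM it
# The sidecar (Linux VM running the IDS/IPS or tunnel endpoint) is assumed to
# receive on 10.99.0.2 and forward out via 10.99.1.2, default route 10.99.1.1,
# with no NAT, so RouterOS sees the same 5-tuple going out and coming back.

/ip address
add address=10.99.0.1/30 interface=ether5 comment="to-sidecar"
add address=10.99.1.1/30 interface=ether6 comment="from-sidecar"

# 1. Select what to divert. Match only on the real ingress interfaces so packets
#    coming back from the sidecar (in-interface=ether6) are never re-marked;
#    otherwise the packet loops router -> sidecar -> router until TTL expires.
/ip firewall mangle
add chain=prerouting in-interface=ether1 dst-address=192.168.10.0/24 \
    action=mark-routing new-routing-mark=to-sidecar passthrough=no \
    comment="inbound: inspect before delivery to LAN"
add chain=prerouting in-interface=ether2 src-address=192.168.10.0/24 \
    action=mark-routing new-routing-mark=to-sidecar passthrough=no \
    comment="outbound: inspect before leaving for the Internet"

# 2. Anything carrying the mark goes to the sidecar regardless of destination.
#    Unmarked packets, including the ones returning on ether6, use the main
#    table and reach the LAN or the Internet as they normally would.
/ip route
add dst-address=0.0.0.0/0 gateway=10.99.0.2 routing-mark=to-sidecar \
    comment="divert to sidecar"

# 3. Fasttracked connections bypass mangle after their first packet, so the
#    mark would silently stop being applied. Keep the diverted traffic out of
#    fasttrack by accepting it above any fasttrack-connection rule.
/ip firewall filter
add chain=forward routing-mark=to-sidecar action=accept \
    comment="must sit above any fasttrack-connection rule"

# Check: the mangle and route counters should climb while traffic flows, and a
# packet sniffed on ether6 must arrive with no routing mark (no second loop).
/ip firewall mangle print stats
/ip route print where routing-mark=to-sidecar
```

This covers only the routed case; the layer-2 frame-processing the post also asks about would need the sidecar attached as a bridge port rather than a routed next hop.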
