Community discussions

MikroTik App
just joined
Topic Author
Posts: 2
Joined: Sat Mar 16, 2013 10:39 pm

Traceroute in vrf not working as expected

Mon Dec 25, 2017 8:54 pm


I have a setup where a Mikrotik RB951 forwards traffic in a vrf between two links, one link is the ethernet link towards the customer ether2, the other link is an openvpn tunnel ovpn1 on the ethernet link ether1 going to a not-by-me-controlled router with Internet access. I want to isolate traffic flowing from the openvpn tunnel to the customer as strict as possible from traffic coming untunneled from the not-by-me-controlled router as I really don't know what's happening there.


For troubleshooting reasons, it would be nice to have traceroute working as expected.

At the moment, the traceroute from the customers smartphone or laptop (from the right side of the scheme above to the left) looks like this:
1:     avg:37.926ms   last:35.883ms   loss:0%     sent:3
2: ??              avg:0.000ms    last:0.000ms    loss:100%   sent:3
3:      avg:69.130ms   last:69.321ms   loss:0%     sent:3

Hop 1 is the Ubuntu-OpenVPN-Server
Hop 3 is the customer-device

So I miss the Mikrotik router responding as Hop 2.

I sniffed with /tools sniffing quick and found out that the ICMP time exceeded packet created by the Mikrotik router has a source address of ether1 ( instead of ovpn1 ( which causes the unexpected behaviour.

Is there a configuration which does what I expect or is this a missing feature in Mikrotik or is it even a bug in Mikrotik?
I'm working with 6.38.7 (bugfix) as there is an openvpn bug in 6.39.3 (in topology net30, the network mask of ifconfig-push is configured as IP address of the opposite tunnel end instead of taking it as a network mask, see also viewtopic.php?f=21&t=126694#p624297)

My configuration on the Mikrotik right now:
/interface ovpn-client
add connect-to=<domain-of-ubuntu-openvpn-server> name=ovpn1 (...more options)
/ip address
add address= interface=ether2
add address= interface=ether1
/ip firewall mangle
add action=mark-routing chain=output connection-mark=CONN-CUST1 new-routing-mark=VPN-CUST1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=!CONN-CUST1 new-connection-mark=CONN-CUST1 passthrough=no routing-mark=VPN-CUST1
/ip route
add dst-address= gateway=ovpn1 pref-src= routing-mark=VPN-CUST1
add dst-address= gateway=
/ip route vrf
add interfaces=ether2,ovpn1 routing-mark=VPN-CUST1

I'm not sure but if I have a look at it seems that I'm using what's described as Routing adjustment "this is a workaround that allows to set-up policy routing in mangle chain output" and that it is a missing feature or a bug that only the routing is policed means changed, but not the source address of the packet?

Many thanks in advance for every help possible!

You do not have the required permissions to view the files attached to this post.
just joined
Topic Author
Posts: 2
Joined: Sat Mar 16, 2013 10:39 pm

Re: Traceroute in vrf not working as expected

Sat Jan 20, 2018 3:15 pm

Does nobody else have this problem?

I would be just happy if you guess if this is more of a missing feature in RouterOS, a bug or if I should contact a consultant listed on the Mikrotik homepage or if it is justifiable to open a support ticket which has relevance and which is not refused within seconds?

Who is online

Users browsing this forum: Amazon [Bot], Google [Bot], Maggiore81, viggen and 31 guests