I'm kinda losing my marbles, but I've run into this problem on 4 devices running 7.1.1.
The premise:
A customer has an enterprise campus site with a couple of VRFs (printers, VoIP, etc.). But they are now expanding to other sites and wish to have those VRFs there as well and have the central NGFW filter the traffic. On their side they run OSPF since they only have a couple of Cisco L3 switches, but like a bajillion VLANs, because the campus has a lot of buildings and departments.
Now they are expanding to other sites where there is no direct fiber connection and have to use VPNs to connect them to the intranet.
The problem:
I've tried to create a site-to-site transport-mode IPsec between 2 MikroTik routers (works) and run EoIP (works) inside it.
Then have tagged VLANs carry the VRF traffic, where the interfaces are not bridged, but directly used as routed interfaces running OSPF between the two devices.
Traffic itself works, as in the two routers can ping each other, but the OSPF adjacency does not establish.
After setting the default rule of

    chain=input action=accept protocol=icmp

    chain=input action=accept protocol=icmp log=yes

    add chain=input action=accept protocol=ospf in-interface-list=ospfallowed
    add chain=input action=drop log=yes log-prefix="Drop at end of INPUT chain"

    14:07:51 firewall,info input: in:(unknown 1913) out:(unknown 0), src-mac fe:30:04:a4:aa:d2, proto ICMP (type 8, code 0), 10.0.104.201->10.0.104.202, len 56
    14:07:53 firewall,info Drop at end of INPUT chain inpu: in:(unknown 1913) out:(unknown 0), src-mac fe:30:04:a4:aa:d2, proto 89, 10.0.104.201->224.0.0.5, len 68
I've run into this problem on 2 CCR1009s, 1 CCR1036 and 1 CCR1072.
Questions:
1. Has anyone else run into this?
2. Could this be because the kernel doesn't know what to do with the VLAN interfaces inside the EoIP tunnel?
(Bonus): Is it possible to run multiple EoIP tunnels between the same 2 local and remote addresses, but with different tunnel-id? This is a side question, I have a hunch that there are many other scenarios where the interface can't be identified by the kernel (netfilter).
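As an added example, not the poster's configuration: a RouterOS 7 config for one side of the setup described in the post, with every name, address, VLAN ID and tunnel-id being an assumption. It shows two EoIP tunnels between the same local/remote pair told apart by tunnel-id (the bonus question), the VLAN-per-VRF routed interfaces, and an input-chain rule set that accepts OSPF by protocol, source subnet and destination rather than by in-interface-list. That rule form does not depend on netfilter resolving the ingress interface, which is the thing the `in:(unknown 1913)` in the posted log shows failing; whether that is the root cause of the adjacency problem is not established here.

```routeros
# Added example, not the poster's configuration: site A of a two-router
# OSPF-over-EoIP setup. All names, addresses, VLAN IDs and tunnel IDs are
# assumptions; site B mirrors this with local/remote addresses and router-ids
# swapped. The IPsec transport policy protecting the GRE traffic is omitted.

# Two EoIP tunnels between the same local/remote pair. Each needs its own
# tunnel-id; that value is the GRE key the kernel uses to tell them apart.
/interface eoip
add name=eoip-siteB-1 local-address=198.51.100.1 remote-address=203.0.113.1 tunnel-id=1
add name=eoip-siteB-2 local-address=198.51.100.1 remote-address=203.0.113.1 tunnel-id=2

# Tagged VLANs on the first tunnel, one per VRF, used as routed interfaces
# (no bridge involved).
/interface vlan
add name=vlan104-printers interface=eoip-siteB-1 vlan-id=104
add name=vlan105-voip interface=eoip-siteB-1 vlan-id=105

/ip vrf
add name=printers interfaces=vlan104-printers
add name=voip interfaces=vlan105-voip

/ip address
add address=10.0.104.201/24 interface=vlan104-printers
add address=10.0.105.201/24 interface=vlan105-voip

# Transit subnets from which OSPF packets are expected (assumed).
/ip firewall address-list
add list=ospf-transit address=10.0.104.0/24
add list=ospf-transit address=10.0.105.0/24

/ip firewall filter
# Accept OSPF by protocol, source subnet and destination instead of by
# in-interface-list, so the match does not depend on netfilter identifying
# the ingress interface. 224.0.0.5 carries hellos and LSAs, 224.0.0.6 is
# DR/BDR traffic on broadcast segments, and the dst-address-type=local rule
# covers unicast OSPF packets addressed to this router.
add chain=input action=accept protocol=ospf src-address-list=ospf-transit dst-address=224.0.0.5 comment="OSPF AllSPFRouters"
add chain=input action=accept protocol=ospf src-address-list=ospf-transit dst-address=224.0.0.6 comment="OSPF AllDRouters"
add chain=input action=accept protocol=ospf src-address-list=ospf-transit dst-address-type=local comment="OSPF unicast to this router"
add chain=input action=accept protocol=icmp
add chain=input action=drop log=yes log-prefix="Drop at end of INPUT chain"

# OSPFv2, one instance per VRF, point-to-point on the VLAN interfaces.
/routing ospf instance
add name=ospf-printers version=2 vrf=printers router-id=10.0.104.201
add name=ospf-voip version=2 vrf=voip router-id=10.0.105.201
/routing ospf area
add name=printers-backbone instance=ospf-printers area-id=0.0.0.0
add name=voip-backbone instance=ospf-voip area-id=0.0.0.0
/routing ospf interface-template
add area=printers-backbone interfaces=vlan104-printers type=ptp
add area=voip-backbone interfaces=vlan105-voip type=ptp
```

After applying, `/ip firewall filter print stats` shows which of the three OSPF accept rules is taking hits, `/routing ospf neighbor print` shows whether the adjacency reaches Full, and the `Drop at end of INPUT chain` prefix in `/log print` tells you what is still falling through. Matching on a source subnet is weaker than matching on an ingress interface, because a packet spoofed from elsewhere with a transit-subnet source can reach the OSPF process; pair these rules with OSPF authentication on the interface templates, and keep the IPsec policy in place so the GRE carrying these VLANs is not exposed in the clear.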