Sob
Forum Guru
Topic Author
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

VRF and hidden interfaces

Tue Dec 14, 2021 9:11 pm

I'm trying to make friends with VRF, because unlike many other parts of RouterOS, I'm not familiar with it yet. So far so good, but I came across something... let's say unexpected. This is a simple config for testing (RouterOS 7.1):
/ip vrf
add interfaces=guest name=vrf-guest
/ip address
add address=192.168.82.123/24 interface=guest
Add a few extra logging rules:
/ip firewall mangle
add action=log chain=prerouting protocol=icmp
add action=log chain=input protocol=icmp
add action=log chain=output protocol=icmp
add action=log chain=postrouting protocol=icmp
Now I ping 192.168.82.123 from another machine and I see this:
firewall,info prerouting: in:guest out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info prerouting: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info output: in:(unknown 0) out:(unknown 22), proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info postrouting: in:(unknown 0) out:(unknown 22), proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info output: in:(unknown 0) out:guest, proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
firewall,info postrouting: in:(unknown 22) out:guest, proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 50
What's interface (unknown 22)? Ok, maybe it's something internal, no big deal. Or is it? What if I wanted to, for example, allow pings only from selected interfaces? Like this:
/ip firewall filter
add action=accept chain=input in-interface=guest log=yes log-prefix=allow protocol=icmp
add action=drop chain=input log=yes log-prefix=drop protocol=icmp
Ping again, there's timeout and in the log I see:
firewall,info prerouting: in:guest out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info prerouting: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
firewall,info drop input: in:(unknown 22) out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 50
Not really a surprise, but certainly not great, don't you think? What am I missing?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VRF and hidden interfaces

Tue Dec 14, 2021 10:05 pm

VRF - Very Rude Foreigners?

Actually I have been asking myself the same question why all the excitement about VRF.
Reading the wiki, what is interesting is the difference between 'normal' routes and VRF routes, which seem to rely solely upon their own table and have nothing to do with the main table,
almost like one was making a route rule with Action: Lookup ONLY in Table.

Other than that, I cannot really suss out the purpose of VRFs......., perhaps it's a step beyond what a homeowner or SMB would use??
 
Sob
Forum Guru
Topic Author
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRF and hidden interfaces

Tue Dec 14, 2021 10:51 pm

@anav: Nope, it's not a social club for you. It's for the router to more easily separate things. Some of it could be done with different routing tables and rules, but this should be easier. Don't expect many details from me right now, I'm still getting into it.

Right now I'm curious about this hidden interface. I don't mind that it exists, but I think that I should be able to work with it in the firewall, i.e. it should not be hidden. It's not the only one, we all know that the router has a loopback interface, also currently hidden, and I think that it's not right either.
 
Sob
Forum Guru
Topic Author
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRF and hidden interfaces

Wed Dec 15, 2021 2:02 am

Looking at how Linux does it, there's an interface for each VRF, which is basically a dedicated loopback for that VRF. In RouterOS it's my mysterious (unknown 22). Packet flow through iptables is also the same. So the case of hidden interfaces is solved.

But how come Linux gives me an interface and RouterOS doesn't? I'm sure I'd be able to come up with something useful to do with it! :)
 
Sob
Forum Guru
Topic Author
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRF and hidden interfaces

Fri Jul 01, 2022 3:06 pm

What's new in 7.4beta2 (2022-Jun-07 12:08)

*) firewall - properly handle interface matcher when VRF interface is specified;
Quick test with 7.4beta5 now shows:
firewall,info prerouting: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info prerouting: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info input: in:guest out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 8, code 0), 192.168.82.1->192.168.82.123, len 56
firewall,info output: in:(unknown 0) out:(unknown 1358), connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info postrouting: in:(unknown 0) out:(unknown 1358), connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info output: in:(unknown 0) out:guest, connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
firewall,info postrouting: in:(unknown 1358) out:guest, connection-state:established proto ICMP (type 0, code 0), 192.168.82.123->192.168.82.1, len 56
So in-interface works (but in-interface-list doesn't) and shows the incoming interface as a user would expect. The outgoing interface is still the hidden one. I also wonder if the same packet going through prerouting twice like this could cause any problems (I can't say it does, it's just a suspicion).
 
Sob
Forum Guru
Topic Author
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRF and hidden interfaces

Wed Dec 27, 2023 5:49 pm

Fun with interfaces, 2023 edition.

Original version, shows how it's processed internally, but hides names of interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 22) out:guest, 192.168.82.123->192.168.82.1

7.4beta5, fakes incoming interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 1358), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 1358), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 1358) out:guest, 192.168.82.123->192.168.82.1

7.14beta3, shows real outgoing VRF interfaces:

prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:vrf-guest out:guest, 192.168.82.123->192.168.82.1

So what's next? Keep this weird inconsistent state? Revert the fake interfaces from 7.4 and show real VRF ones?
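A small log-analysis helper, added here as an example and not code from the thread or from MikroTik: it parses RouterOS firewall log lines like the ones in the first post and in the three traces above, lists the interfaces RouterOS prints only as "(unknown N)", reconstructs the chain path one direction of a flow took, and reports whether a "chain=input in-interface=guest" rule would match given what the input chain actually sees. The sample traces are copied from this thread; the regular expression, the function names and the treatment of "(unknown 0)" as "no interface" are this example's own assumptions.

```python
import re

# Constructed sample: the RouterOS 7.1 trace from the first post
# (one ICMP echo request and its reply crossing a VRF), without log topics.
SAMPLE_71 = """\
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:(unknown 22) out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:(unknown 22), 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 22) out:guest, 192.168.82.123->192.168.82.1
""".splitlines()

# Constructed sample: the same flow as 7.14beta3 prints it (VRF shown by name).
SAMPLE_714 = """\
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
prerouting: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
input: in:guest out:(unknown 0), 192.168.82.1->192.168.82.123
output: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
postrouting: in:(unknown 0) out:vrf-guest, 192.168.82.123->192.168.82.1
output: in:(unknown 0) out:guest, 192.168.82.123->192.168.82.1
postrouting: in:vrf-guest out:guest, 192.168.82.123->192.168.82.1
""".splitlines()

# An interface token is either "(unknown N)" or a plain name such as "guest".
IFACE = r"(?:\(unknown \d+\)|[^\s,]+)"
LINE_RE = re.compile(
    r"^(?:\S+ )*?"                                     # log topics / log-prefix words
    r"(?P<chain>prerouting|input|forward|output|postrouting): "
    rf"in:(?P<inif>{IFACE}) out:(?P<outif>{IFACE}),"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_hidden(iface):
    """True for an interface RouterOS prints only as an internal index.
    "(unknown 0)" is taken to mean "no interface in this chain" (assumption)."""
    return iface.startswith("(unknown ") and iface != "(unknown 0)"


def hidden_interfaces(lines):
    """Set of hidden interface tokens seen in any chain, e.g. {'(unknown 22)'}."""
    found = set()
    for rec in filter(None, map(parse_line, lines)):
        found.update(i for i in (rec["inif"], rec["outif"]) if is_hidden(i))
    return found


def chain_path(lines, src, dst):
    """Ordered list of (chain, in, out) hops for the src->dst direction of a flow."""
    return [(r["chain"], r["inif"], r["outif"])
            for r in filter(None, map(parse_line, lines))
            if r["src"] == src and r["dst"] == dst]


def vrf_double_pass(lines, src, dst):
    """True when the packet entered prerouting more than once (the VRF hop)."""
    return sum(1 for c, _, _ in chain_path(lines, src, dst) if c == "prerouting") > 1


def input_rule_would_match(lines, src, dst, in_interface):
    """Would 'chain=input in-interface=<in_interface>' match this packet?
    The matcher sees the interface the input chain logged, so a hidden VRF
    interface there makes an allow rule miss and a later drop rule hit."""
    hops = [h for h in chain_path(lines, src, dst) if h[0] == "input"]
    return bool(hops) and all(h[1] == in_interface for h in hops)


if __name__ == "__main__":
    for name, sample in (("7.1", SAMPLE_71), ("7.14beta3", SAMPLE_714)):
        print(name, "hidden:", sorted(hidden_interfaces(sample)),
              "input in-interface=guest matches:",
              input_rule_would_match(sample, "192.168.82.1", "192.168.82.123", "guest"))
```

Run against the 7.1 trace it reports "(unknown 22)" as the only hidden interface and that the allow rule on in-interface=guest cannot match in the input chain, which is exactly why the drop rule fired in the first post; against the 7.14beta3 trace no hidden interface remains and the same rule matches, while the double pass through prerouting is still visible in both.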
 
Simonej
Frequent Visitor
Posts: 56
Joined: Sun Aug 22, 2021 3:34 am

Re: VRF and hidden interfaces

Wed Dec 27, 2023 6:04 pm

Interesting... thanks for sharing!

OT: (from an old post)
If MikroTik didn't hide the loopback interface for no good reason (we know it's there!)...
RouterOS version 7.14beta:
*) system - expose "lo" interface;
