VRF OSPF routes leaking

ggs331 · Mon Sep 05, 2022 9:41 am

Hello,

I have multiple VRF on the same ROS router, and I would like to leak OSPF route between all VRFs. Accoring to the documents, it seems the import/export only support BGP routes, but not OSPF routes. Is there any other way to exchange OSPF routers between VRFs? BTW, I am thingking if ROS can support set up a veth or other logical tunnel between VRF, then OSPF can be ran on the interface as well as the traffic. I have use veth on frr router, and I saw that ROS can support veth as well, but it seems different from the Linux veth.

https://help.mikrotik.com/docs/pages/vi ... eId=328206

sindy · Mon Sep 05, 2022 10:46 am

The only kind of tunnels you can use for hairpin connections (i.e. two tunnel interfaces connected to each other on the same Mikrotik) is currently the IPIP (ip-encap) one.

/interface bridge add name=br-lo protocol-mode=none

/ip address
add address=127.0.0.2/32 interface=br-lo
add address=127.0.0.3/32 interface=br-lo

/interface ipip
add name=ipip-1-a local-address=127.0.0.2 remote-address=127.0.0.3
add name=ipip-1-b local-address=127.0.0.3 remote-address=127.0.0.2

ggs331 · Mon Sep 05, 2022 7:10 pm

Thank you @sindy

CTassisF · Wed Jan 04, 2023 3:53 pm

Hello @ggs331,

Did you manage to get this working?

I'm following the "Leaking routes between VRFs" instructions but it's not working for me, it never shows any neighbors.

nichky · Thu Jan 05, 2023 5:00 am

what are you trying to achieve?

nichky · Thu Jan 05, 2023 5:16 am

basically @sindy is giving solution to be able to leak the traffic from one to one to another VRF.

how you are doing that, and how u are thsting?

fyi: in case if u have one subnet in one VRF, and other one is on the main routing table tha you can play with ip firewall mangle/ip route rule

CTassisF · Thu Jan 05, 2023 5:19 pm

what are you trying to achieve?

I have a RB5009UG as my home router. I connect to the Internet via PPPoE and get my IPv6 block (/64) via DHCPv6-PD. I use NAT only for IPv4. All of this happens in the main VRF.

I also have a Wireguard tunnel and I forward some traffic through this tunnel using a different routing table (not VRF) called "vpn". To make this work I also do NAT for IPv6 when out-interface=vpn.

Here's a snippet of my config:

# Some configs are not shown here, like Firewall Filters to avoid FastTrack when connection-mark=warp
/interface wireguard add listen-port=51820 mtu=1432 name=vpn
/routing table add fib name=vpn
/ip firewall nat add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=pppoe-client
/ip firewall nat add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn
/ip route add distance=10 dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn
/ipv6 route add distance=10 dst-address=::/0 gateway=vpn routing-table=vpn
/ipv6 firewall nat add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface=vpn
/routing rule add action=lookup-only-in-table comment=Private dst-address=10.0.0.0/8 table=main
/routing rule add action=lookup-only-in-table comment=Private dst-address=100.64.0.0/10 table=main
/routing rule add action=lookup-only-in-table comment=Private dst-address=169.254.0.0/16 table=main
/routing rule add action=lookup-only-in-table comment=Private dst-address=172.16.0.0/12 table=main
/routing rule add action=lookup-only-in-table comment=Private dst-address=192.168.0.0/16 table=main
/routing rule add action=lookup comment=VPN dst-address=192.0.2.0/24 table=vpn
/routing rule add action=lookup-only-in-table comment=Private dst-address=fc00::/7 table=main
/routing rule add action=lookup-only-in-table comment=Private dst-address=fe80::/10 table=main
/routing rule add action=lookup comment=VPN dst-address=2001:db8::/32 table=vpn

This works just fine. Both IPv4 and IPv6 work for any destination (main table and vpn table). IPv6 NAT is done only for traffic with routing-mark=warp (as expected).

Problem is this setup stops working when I change it to a VRF (VRF name=vpn with interfaces=vpn). From what I was able to troubleshoot the problem is in the return route for IPv6. The packet seems to go out just fine through the vpn VRF, but when it comes back the router is confused and does not change the packet to the main VRF (where it originated from).

I can't add a static routing rule for IPv6 (as I did for IPv4) because the packet is originated by clients using a dynamic IPv6 /64 block I get from my ISP via DHCPv6-PD (this prefix is not static, it changes every time I reconnect). That is why I would like to leak routes from one VRF to the other, that way the correct return route will be always there.

I tried the config provided by MikroTik but it didn't work. I literally copied and pasted that setup with its dummy interfaces but /routing/ospf/neighbor would show nothing. I also tried @sindy suggestion but it didn't work either.

That is why I asked @ggs331 if they managed to get this working, because sadly I didn't

nichky · Fri Jan 06, 2023 11:40 am

what has been advised above will not fit into your config you need to play something like that

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=subnet_in_main new-routing-mark=vpn passthrough=yes src-address=subnet_in_vrf
add action=mark-routing chain=prerouting dst-address=subnet_in_vrf new-routing-mark=main passthrough=no src-address=subnet_in_main

VRF OSPF routes leaking

VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Re: VRF OSPF routes leaking

Who is online