benbgg
just joined
Topic Author
Posts: 5
Joined: Sat Mar 28, 2020 11:41 am

Radius management vrf

Tue Dec 21, 2021 11:00 am

Hi,
I've just upgraded our spare NAS to 7.1 and successfully placed ssh and winbox inside a management vrf, which has the following definition:

/ip vrf print detail
Flags: X - disabled; * - builtin
0 name="mgmt" interfaces=MGMT
1 * name="main" interfaces=all
I've added a static default route within the management vrf and I can now connect successfully - great!

However:

When I define my radius client pointing to a server within that vrf, even if I specify the source address of my MGMT interface, NO requests go out.

Is this expected behaviour?



Thanks in advance
 
benbgg
just joined
Topic Author
Posts: 5
Joined: Sat Mar 28, 2020 11:41 am

Re: Radius management vrf

Tue Jan 18, 2022 1:03 pm

Hi
Is anyone going to reply to this *ever* - even if it's just to say "that's a stupid question" or "post on another forum"?
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Radius management vrf

Tue Jan 18, 2022 3:11 pm

I think the answer is that it is "the expected behavior" i.e. that it is not possible to specify VRF for router-originated traffic.
Probably the only way to get this working for now is to have the "main" VRF handle the management traffic and have specific VRF(s) for the data traffic.
But I cannot give a definitive answer as I have not used VRF, but rather have used manually configured policy routing setups where of course you can fix this with the appropriate mangle rules.
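The failure mode described in this thread (a RADIUS client given a source address that lives on an interface in a non-main VRF, while the client itself still sends from "main", so nothing leaves the box) is easy to catch in a configuration review before it reaches 100+ routers. The following audit script is an added example, not MikroTik's code and not from any poster here. It parses a constructed RouterOS `/export` fragment, maps each router IP to the VRF of its interface via `/ip vrf`, and flags any `/radius` entry whose `src-address` sits in a different VRF than the one the client is assumed to send from. Treating a missing `vrf=` key on a `/radius` entry as "main" is an assumption made here; later posts in the thread say newer releases expose a VRF setting for the RADIUS client from the CLI. The second fragment follows the layout recommended above (management stays in "main") and produces no findings.

```python
"""Audit a RouterOS '/export' for RADIUS clients whose source address sits in a
non-main VRF while the client itself sends from 'main'.
Added example (not MikroTik's code); the export text below is constructed."""
import ipaddress
import shlex

# Constructed export: management interface MGMT in VRF 'mgmt', RADIUS server
# reachable only through that VRF, client pinned to the MGMT source address.
SAMPLE_EXPORT = """\
/ip vrf
add name=mgmt interfaces=MGMT
/ip address
add address=10.10.0.2/24 interface=MGMT
add address=203.0.113.10/30 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.0.1@mgmt routing-table=mgmt
/ip service
set ssh vrf=mgmt
set winbox vrf=mgmt
/radius
add address=10.10.0.5 service=login src-address=10.10.0.2 secret=example
add address=203.0.113.50 service=login src-address=203.0.113.10 secret=example
"""

# Constructed export of the thread's recommended layout: MGMT left in 'main'.
FIXED_EXPORT = """\
/ip address
add address=10.10.0.2/24 interface=MGMT
/radius
add address=10.10.0.5 service=login src-address=10.10.0.2 secret=example
"""


def parse_export(text):
    """Return {'/path': [entry, ...]}; each entry is a dict of key=value pairs
    from one 'add'/'set' line, plus '_cmd' and (for 'set <item>') '_target'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as '/ip vrf'
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)        # honours quoted values like name="mgmt"
        entry = {"_cmd": tokens[0]}
        rest = tokens[1:]
        if entry["_cmd"] == "set" and rest and "=" not in rest[0]:
            entry["_target"] = rest[0]    # e.g. 'set ssh vrf=mgmt'
            rest = rest[1:]
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def interface_vrf_map(sections):
    """Map interface name -> VRF name from '/ip vrf' (interfaces=a,b,...).
    The builtin 'main' VRF with interfaces=all is implicit and not listed."""
    mapping = {}
    for entry in sections.get("/ip vrf", []):
        for ifname in entry.get("interfaces", "").split(","):
            if ifname and ifname != "all":
                mapping[ifname] = entry["name"]
    return mapping


def address_vrf_map(sections, if_vrf):
    """Map each configured router IP -> VRF of the interface carrying it."""
    mapping = {}
    for entry in sections.get("/ip address", []):
        ip = ipaddress.ip_interface(entry["address"]).ip
        mapping[ip] = if_vrf.get(entry["interface"], "main")
    return mapping


def audit_radius(text):
    """Return [(server, vrf_of_src_address, vrf_client_sends_from), ...] for
    every RADIUS client whose source address VRF differs from its sending VRF."""
    sections = parse_export(text)
    addr_vrf = address_vrf_map(sections, interface_vrf_map(sections))
    findings = []
    for entry in sections.get("/radius", []):
        src = entry.get("src-address")
        src_vrf = addr_vrf.get(ipaddress.ip_address(src), "main") if src else "main"
        client_vrf = entry.get("vrf", "main")   # assumption: no vrf= means 'main'
        if src_vrf != client_vrf:
            findings.append((entry.get("address"), src_vrf, client_vrf))
    return findings


if __name__ == "__main__":
    for server, src_vrf, client_vrf in audit_radius(SAMPLE_EXPORT):
        print(f"RADIUS {server}: src-address is in VRF '{src_vrf}' but the client "
              f"sends from '{client_vrf}'; requests will not leave the router")
    print("fixed layout findings:", audit_radius(FIXED_EXPORT))
```

Run it against a real `/export` by reading the file into `audit_radius()`; the parser only understands the flat `add`/`set` form that `/export` emits, so `verbose` exports and multi-line continuations would need the same tokenizer extended.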
 
icosasupport
newbie
Posts: 29
Joined: Fri Oct 13, 2017 8:37 pm

Re: Radius management vrf

Wed Jan 26, 2022 9:45 pm

Seems to me after numerous years of working on Ros 7 there would be an incentive for Mikrotik to at least get management VRFs working correctly. I mean you can VRF the IP services (ssh, www, winbox etc) why not RADIUS? Who would want their RADIUS to go out over non private addresses :O

At the very least some convention to use a RADIUS server via x.x.x.x%management-vrf would even do.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Radius management vrf

Wed Jan 26, 2022 11:31 pm

Management services in a VRF are only a new addition; it's likely they haven't done RADIUS yet and it might be something they do in a future release. They call 7.1 a stable release but it is not fully featured yet.

The better recommendation is to run management via vrf 'main' and use extra vrfs for customer traffic.
 
icosasupport
newbie
Posts: 29
Joined: Fri Oct 13, 2017 8:37 pm

Re: Radius management vrf

Wed Jan 26, 2022 11:45 pm

I just foresee that when a properly completed VRF config allows for real management isolation, I myself would not want to rebuild 100+ configs to accommodate that, since I currently have a greenfield project in the works. Seeing as we've all waited over many years for the glorious version 7, I guess waiting a few more for it to be "officially" completed is par for the course. Meanwhile in other routing platforms these are already well established and tested features. And while I do currently have a management-in-main-VRF/extra-VRF type setup, it's led to some funky NAT/Mangle rules to work with that when traffic originates from the router itself, when the goal would be to try and simplify such madness.
 
marekm
Member
Posts: 379
Joined: Tue Feb 01, 2011 11:27 pm

Re: Radius management vrf

Wed Nov 23, 2022 9:31 pm

With RouterOS 7.7 coming soon (currently in beta), what is the current status of non-default VRF support in the RADIUS client?
It would be really useful to separate data traffic ("main" VRF with public IP addresses) from management traffic (not just RADIUS but also Winbox, SSH, SNMP, NTP, syslog etc. - all put in a non-default VRF and private address space); reducing the attack surface exposed to the outside world looks like a good security practice.
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Radius management vrf

Wed Nov 23, 2022 10:11 pm

 
marekm
Member
Posts: 379
Joined: Tue Feb 01, 2011 11:27 pm

Re: Radius management vrf

Fri Nov 25, 2022 2:34 pm

OK, so according to the docs it should all work fine now. I don't see a VRF option for RADIUS (except Incoming) in Winbox, but if it works from the CLI, that's good enough - thanks!
Using "main" (default VRF) for most of the traffic and non-default for management is preferable, as I also have some VyOS routers which currently have a limitation that dynamic routing protocols only work in the default VRF, with only static routes in non-default VRFs, which is good enough for the simple management network.
