rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Can't browse through VRF

Tue Jan 14, 2020 12:06 pm

Hi.

I've got a curious issue. When interfaces and corresponding routes are placed in a VRF, users can't browse at all. They can ping, traceroute, resolve names etc., but browsing does not work at all. The moment I move all the interfaces and routes back to the main routing table, everything works fine. I'm at a loss as I've configured VRFs a thousand times before and never ran into this issue.

RB2011 running 6.46.1

Relevant config:

/ip route
add distance=1 gateway=100.64.18.106 routing-mark=CLIENT-CORP
/ip route vrf
add interfaces=vlan10-corp-internet-outside,vlan100-corp-lan route-distinguisher=2:2 routing-mark=CLIENT-CORP
/ip firewall nat
add action=src-nat chain=srcnat out-interface=vlan10-corp-internet-outside src-address=10.98.100.0/24 to-addresses=public.ip.comes.here

Any guidance would be greatly appreciated.
 
Anumrak
Forum Guru
Posts: 1175
Joined: Fri Jul 28, 2017 2:53 pm

Re: Can't browse through VRF

Tue Jan 14, 2020 12:24 pm

Hey. Try to add an "ip route rule" for your vrf to look up the global dst address you want in the main table.
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Tue Jan 14, 2020 12:29 pm

Thanks I'll try it.

The thing is I don't really need the main table. I only use it for management/monitoring so there's only routing in the main table for monitoring systems.

Internet traffic should be going via the CLIENT-CORP VRF via VLAN10
 
Anumrak
Forum Guru
Posts: 1175
Joined: Fri Jul 28, 2017 2:53 pm

Re: Can't browse through VRF

Tue Jan 14, 2020 12:47 pm

But there has to be a lookup in the main table or a vrf import of global routes in that vrf (route leak), otherwise you can't go to the Internet via this vrf.
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Tue Jan 14, 2020 12:49 pm

There is a default route in the vrf.

/ip route
add distance=1 gateway=100.64.18.106 routing-mark=CLIENT-CORP

The users can traceroute to the internet, and sometimes web pages load, but very slowly (takes 3 minutes to load Google). The moment I take interfaces and routes out of VRF, it works fine.
 
Anumrak
Forum Guru
Posts: 1175
Joined: Fri Jul 28, 2017 2:53 pm

Re: Can't browse through VRF

Tue Jan 14, 2020 1:07 pm

Seems like it's a forwarding bug. Do you have stable ROS packages or long-term? What is cpu utilization of a router?
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Tue Jan 14, 2020 1:20 pm

CPU sitting at 3%.
I tried on 6.44.5 as well as 6.46.1 software and firmware versions.
That said I've never done this on an RB2011, only on CCR and 3011 routers. I don't know if the architecture is causing issues at all.
 
Anumrak
Forum Guru
Posts: 1175
Joined: Fri Jul 28, 2017 2:53 pm

Re: Can't browse through VRF

Tue Jan 14, 2020 1:24 pm

Better wait for the devs' response, I think.
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Tue Jan 14, 2020 2:52 pm

Will do, thanks for your time.
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Thu Jan 16, 2020 9:13 am

Anyone?
 
Anumrak
Forum Guru
Posts: 1175
Joined: Fri Jul 28, 2017 2:53 pm

Re: Can't browse through VRF

Thu Jan 16, 2020 12:48 pm

What is your channel bandwidth from ISP?
 
rudidxc
just joined
Topic Author
Posts: 13
Joined: Mon Aug 27, 2018 10:27 am

Re: Can't browse through VRF

Tue Jan 21, 2020 9:44 am

I am the ISP. This is a 100mbps link.
 
IPANetEngineer
Trainer
Posts: 1092
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: Can't browse through VRF

Tue Jan 21, 2020 9:49 am

The behavior you described sounds a lot like an MTU problem. Have you tried pinging from a user computer with the DF bit set to see if you can get 1500 bytes through?
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
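
The DF-bit test suggested in the last reply, as an added example that is not part of the thread: a binary search for the largest ICMP payload that crosses the path unfragmented, which gives the path MTU. It assumes Linux iputils `ping` on the client (`-M do` sets DF); `probe_sim`, `SIM_MTU` and `example.invalid` are constructed stand-ins so the script also runs offline.

```shell
#!/bin/sh
# Added example: locate the largest packet that crosses a path unfragmented.

# Real probe: one echo request with DF set (Linux iputils ping syntax).
# $1 = ICMP payload bytes, $2 = target host
probe_df() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: behaves like a path whose
# MTU is SIM_MTU bytes (an assumed value, not taken from the thread).
SIM_MTU=1476
probe_sim() {
    [ $(( $1 + 28 )) -le "$SIM_MTU" ]
}

# Binary-search the largest payload that passes with DF set.
# $1 = host, $2 = probe function (default probe_df)
# Prints the payload size, or 0 if even the smallest probe fails.
max_df_payload() {
    host=$1; probe=${2:-probe_df}
    lo=0; hi=1472            # 1472 + 20 (IPv4) + 8 (ICMP) = 1500
    "$probe" "$hi" "$host" && { echo "$hi"; return 0; }
    "$probe" "$lo" "$host" || { echo 0; return 1; }
    # Invariant from here on: lo passes, hi fails.
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Path MTU = payload + 28 bytes of IPv4 and ICMP headers.
path_mtu() {
    p=$(max_df_payload "$1" "${2:-probe_df}") || { echo 0; return 1; }
    echo $(( p + 28 ))
}

# Offline demonstration against the simulated path:
path_mtu example.invalid probe_sim
# On a real client: path_mtu <destination-address>
```

A result below 1500 through the VRF but 1500 through the main table would point at the MTU problem described in the last reply.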
