H01001000
just joined
Topic Author
Posts: 5
Joined: Mon Jun 27, 2022 12:04 pm

How to setup vrf to prevent bridges access each others IP

Mon Jun 27, 2022 12:11 pm

I want to set up my network where the ROS (core switch) has two subnets, where it forwards inter-VLAN traffic to my pfSense (firewall) and back to the switch, instead of the bridge directly routing between the two bridges. The problem is I am quite new to ROS, and even if I set up one bridge in another VRF, it still forwards the traffic. Can someone teach me step by step how to do it?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to setup vrf to prevent bridges access each others IP

Tue Jun 28, 2022 8:25 am

If we indeed talk about core switch, we should not mention subnets at all. So the easiest way would be that the Mikrotik device would not attach any IP configuration to the VLANs, and the pfSense would be the default gateway for the devices connected to those VLANs.

If the Mikrotik device should actually be a router providing internet connectivity to both subnets residing in the VLANs, and the pfSense should only handle traffic between the VLANs, it cannot be done using plain VRF because the routing tables of individual VRFs are completely isolated from one another, so you cannot have a common internet uplink for both VRFs. So instead, you have to use "policy routing", where you use additional routing tables for just part of the traffic, something like

/ip route
add dst-address=sub.net.in.vlan2/mask routing-mark=via-pfSense gateway=pfSense.ip.in.vlan1
add dst-address=sub.net.in.vlan1/mask routing-mark=via-pfSense gateway=pfSense.ip.in.vlan2
/ip route rule
add interface=vlan1 dst-address=sub.net.in.vlan2 action=lookup-only-in-table table=via-pfSense
add interface=vlan2 dst-address=sub.net.in.vlan1 action=lookup-only-in-table table=via-pfSense


But the above may not match your actual topology as you haven't described it in sufficient detail. Also, the syntax is a RouterOS 6 one, for RouterOS 7, it is slightly different.
 
H01001000
just joined
Topic Author
Posts: 5
Joined: Mon Jun 27, 2022 12:04 pm

Re: How to setup vrf to prevent bridges access each others IP

Tue Jun 28, 2022 8:33 am

Thanks for your reply. It works using that way, but I need to assign the IP to the bridge because in both VLANs there's a server peering with the CRS via BGP. What I think might work: maybe I add a switch rule where, if the src addr is from the VLAN 1 net and the dst addr is the VLAN 2 net, set the new dst port to pfSense's port, and vice versa. Do you think that will work?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to setup vrf to prevent bridges access each others IP

Tue Jun 28, 2022 10:15 am

> It works using that way
Which way? Pure switch or a router with additional routing tables chosen using routing rules depending on input interface and destination?

It doesn't matter whether the CRS must act as a router towards the internet or towards some other set of addresses or subnets; we have to accept as a fact that the CRS has to be a router. So the question is what the routing table on the devices connected to the VLANs looks like, and whether the pfSense has an address in each of the subnets that live in these VLANs.

The device connected to the CRS obtains the MAC address of the gateway; if you use a bridge filter to prevent frames carrying packets with destination IP addresses of the other VLAN subnet from reaching the IP stack of the Mikrotik, these frames will simply not get anywhere because the pfSense has a different MAC address. So you would instead have to use /interface bridge nat rules to rewrite the destination MAC address of these frames. But the solution with routing rules should be better - if the pfSense does have an address in each VLAN/subnet, the CRS will send ICMP redirects to the devices if they send a packet for the other VLAN subnet. If it is connected using some other subnet, the CRS will just forward the traffic to the pfSense.
 
H01001000
just joined
Topic Author
Posts: 5
Joined: Mon Jun 27, 2022 12:04 pm

Re: How to setup vrf to prevent bridges access each others IP

Tue Jun 28, 2022 7:15 pm

> But the solution with routing rules should be better - if the pfSense does have an address in each VLAN/subnet, the CRS will send ICMP redirects to the devices if they send a packet for the other VLAN subnet. If it is connected using some other subnet, the CRS will just forward the traffic to the pfSense.
How?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to setup vrf to prevent bridges access each others IP

Tue Jun 28, 2022 8:52 pm

Why do you respond with questions instead of answers? I don't know the actual network topology, and I won't waste time on giving you a detailed description of every possible scenario I can imagine. Answer my questions regarding the actual setup and I can give you a configuration script to match it.
 
H01001000
just joined
Topic Author
Posts: 5
Joined: Mon Jun 27, 2022 12:04 pm

Re: How to setup vrf to prevent bridges access each others IP

Wed Jun 29, 2022 4:23 am

vlan.1 is 10.0.0.0/24
vlan.10 is 10.10.0.0/24 (route mark: k8s)

pfsense is 10.0.0.1 and 10.10.0.1, connected at sfp+.1 (access vlan 1) and sfp+.2 (access vlan 10) at the crs
crs has 10.0.0.3 and 10.10.0.3 on the bridge

sfp+.4-8 are on vlan 1 with ip 10.0.0.10 - 10.0.0.14, peering with 10.0.0.3, crs is RR
sfp+.9-12 are on vlan 10 with ip 10.10.0.10 - 10.10.0.14, peering with 10.10.0.3, crs is RR
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to setup vrf to prevent bridges access each others IP

Wed Jun 29, 2022 8:22 am

OK then. So if you could configure the following routes on all hosts (expressed using Mikrotik syntax, it is clear that the actual one will be different at the hosts), you would have no issue, right?
dst-address=0.0.0.0/0 gateway=10.x.0.3
dst-address=10.y.0.0/24 gateway=10.x.0.1


Leaving aside dynamic routing protocols, there is a way to do this using DHCP if the hosts support that - there's the Option 121 and Option 249 (because Microsoft always knows better), the difference is that Option 121 replaces (and even supersedes) Option 3 whereas Option 249 complements it. You can configure both, the server only responds with options the client asks for so each client will only receive the options it understands.

But if that is also impossible, there's still the ICMP redirect - if a router receives a packet and finds out that the gateway to the destination is in the same subnet as the sender of the packet, it forwards the packet but also tells the sender by means of an ICMP redirect message that a better gateway exists in the same subnet. Hosts typically do respect the ICMP redirect. But unlike with dynamic routing protocols, routes added this way are usually not shown in routing tables.

So once you add the routing table and routing rules I gave several posts earlier, each host will send the first packet for a destination address in the other VLAN subnet to the CRS, the CRS will forward it to the pfSense rather than directly to the destination and notify the sender host about the availability of pfSense as a better gateway; the host will then send subsequent packets directly to pfSense.

You could get the same final result using an /interface bridge nat rule, but for it to work, you'd have to disable hardware switching, i.e. the throughput would drop to what the CPU can handle.
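The configuration below is an added worked example, not a script posted in the thread or shipped by MikroTik; it puts together sindy's policy-routing suggestion from the earlier post (the extra routing table plus routing rules) and the DHCP Option 121/249 and ICMP redirect points from this one, using the addresses the topic author listed. It is written in RouterOS 7 syntax (the earlier post's snippet is RouterOS 6). Assumed, because the thread does not state them: the bridge VLAN interfaces on the CRS are named vlan1 and vlan10, the extra routing table is named via-pfSense, and, for the optional DHCP part only, the CRS itself is the DHCP server for both subnets.

```routeros
# Added example (not from the thread). RouterOS 7 syntax.
# Assumed names: bridge VLAN interfaces "vlan1" and "vlan10", routing table "via-pfSense".
# Addresses as given by the topic author:
#   vlan1  10.0.0.0/24   pfSense 10.0.0.1   CRS 10.0.0.3
#   vlan10 10.10.0.0/24  pfSense 10.10.0.1  CRS 10.10.0.3

# 1. A second routing table, installed in the FIB so it is actually used for forwarding.
/routing table
add name=via-pfSense fib

# 2. Inter-VLAN routes that exist only in that table. Each points at pfSense's
#    address in the *source* VLAN, so the next hop sits on the same segment as the
#    sending host; that is the condition under which the CRS emits an ICMP redirect.
/ip route
add dst-address=10.10.0.0/24 gateway=10.0.0.1 routing-table=via-pfSense comment="vlan1 -> vlan10 via pfSense"
add dst-address=10.0.0.0/24 gateway=10.10.0.1 routing-table=via-pfSense comment="vlan10 -> vlan1 via pfSense"

# 3. Routing rules: a packet entering from one VLAN and addressed to the other VLAN's
#    subnet is looked up ONLY in via-pfSense. With lookup-only-in-table a missing route
#    drops the packet instead of falling back to the direct connected route in main.
#    Everything else (internet, prefixes learned over BGP) still uses the main table.
/routing rule
add interface=vlan1 dst-address=10.10.0.0/24 action=lookup-only-in-table table=via-pfSense
add interface=vlan10 dst-address=10.0.0.0/24 action=lookup-only-in-table table=via-pfSense

# 4. Safety net: even if a rule above is disabled by mistake, the CRS must never forward
#    one VLAN straight into the other. Traffic pfSense has already inspected re-enters
#    the bridge on sfp+.1/sfp+.2 and is switched at layer 2, so it never hits this chain;
#    the first packet before the redirect hairpins vlan1 -> vlan1, so it is not hit either.
/ip firewall filter
add chain=forward in-interface=vlan1 out-interface=vlan10 action=drop comment="no direct vlan1 -> vlan10"
add chain=forward in-interface=vlan10 out-interface=vlan1 action=drop comment="no direct vlan10 -> vlan1"

# 5. Optional: hand DHCP clients the explicit route so they do not depend on redirects.
#    RFC 3442 Option 121 payload per route is <prefix length><significant destination
#    octets><router>; Option 249 (Microsoft) carries the identical payload.
#    vlan1 clients:  10.10.0.0/24 via 10.0.0.1  -> 18 0a0a00 0a000001
#                    0.0.0.0/0    via 10.0.0.3  -> 00        0a000003
#    vlan10 clients: 10.0.0.0/24  via 10.10.0.1 -> 18 0a0000 0a0a0001
#                    0.0.0.0/0    via 10.10.0.3 -> 00        0a0a0003
/ip dhcp-server option
add name=vlan1-routes-121 code=121 value=0x180A0A000A000001000A000003
add name=vlan1-routes-249 code=249 value=0x180A0A000A000001000A000003
add name=vlan10-routes-121 code=121 value=0x180A00000A0A0001000A0A0003
add name=vlan10-routes-249 code=249 value=0x180A00000A0A0001000A0A0003
/ip dhcp-server option sets
add name=vlan1-routes options=vlan1-routes-121,vlan1-routes-249
add name=vlan10-routes options=vlan10-routes-121,vlan10-routes-249
/ip dhcp-server network
set [ find address=10.0.0.0/24 ] dhcp-option-set=vlan1-routes
set [ find address=10.10.0.0/24 ] dhcp-option-set=vlan10-routes
```

To check it, run `/routing rule print` and `/ip route print where routing-table=via-pfSense`, then from a host in vlan1 traceroute to an address in 10.10.0.0/24: after the first packet the first hop should be 10.0.0.1, not 10.0.0.3, and pfSense's firewall log should show the flow. One caveat on the redirect path: a Linux host that forwards packets itself (a Kubernetes node with ip_forward enabled, as the "k8s" VLAN suggests) ignores ICMP redirects by default, and many hardening baselines disable accept_redirects on every host because a spoofed redirect is a classic on-link traffic-hijack. For those hosts the static route (step 5, or its equivalent configured by hand) is the only reliable option, and the forward-chain drops in step 4 are what guarantees the bypass is closed regardless of what the hosts do.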
