VPN (L2TP, for instance) clients assigned to a VRF can't ping their gateway or address any services deployed on it (such as DNS).
I've spent quite some time with torch and Wireshark TZSP, but I simply couldn't figure out where the router sends packets addressed to clients.
After a while, the good old mangle action=passthrough chain=output log output showed me this:
output: in:(unknown 0) out:(unknown 317), connection-state:established proto ICMP (type 0, code 0), 10.77.1.1->10.77.1.60, len 60
What's interesting, this issue seems to affect only the output chain, while forwarding works fine.
Any guess what might be the issue?
# 2024-03-02 01:54:33 by RouterOS 7.12.1
#
# model = RB4011iGS+5HacQ2HnD
/interface list
add name=VPN
/ip pool
add name=VPN_private ranges=10.77.1.2-10.77.1.62
/ip vrf
add interfaces=VPN name=VPN
/ppp profile
add change-tcp-mss=yes dns-server=10.77.1.1 interface-list=VPN local-address=10.77.1.1 name=Private only-one=no rate-limit=25M/50M remote-address=VPN_private use-encryption=required use-ipv6=no use-mpls=no
/interface l2tp-server server
set allow-fast-path=yes enabled=yes max-mru=1400 max-mtu=1400 use-ipsec=required
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=10.99.99.99,10.88.88.88
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.88.88.88@main pref-src="" routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.99.99.99@main pref-src="" routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=10.77.1.0/26 table=VPN
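For anyone reproducing this, here is the output-chain trace from the post written out as RouterOS commands, together with two checks that separate "the router cannot reach the client at all" from "the router's own traffic is looked up in the wrong table". This is an added example and not part of the original post or the exported config; the log prefix, the test client address 10.77.1.60 and the candidate src-address routing rule at the end are assumptions to test, not a confirmed fix.

```routeros
# Added example (not from the original post). Assumes the export above:
# VRF "VPN" with interface list VPN, PPP local-address 10.77.1.1,
# pool 10.77.1.2-10.77.1.62, and one connected L2TP client that was
# handed 10.77.1.60 (constructed test address).

# 1. Trace router-originated packets towards the VPN pool.
#    action=passthrough leaves the packet untouched; log=yes records the
#    in/out interfaces chosen by the routing decision for each packet.
/ip firewall mangle
add chain=output dst-address=10.77.1.0/26 action=passthrough log=yes \
    log-prefix="vrf-out" comment="temporary: trace output-chain routing"
/log print follow-only where message~"vrf-out"

#    Compare the out: interface in those log lines with the dynamic
#    interface of the connected client and with the VPN table contents.
/interface l2tp-server print
/ip route print detail where routing-table=VPN

# 2. Ping the client from the router with and without the VRF.
#    A plain /ping is resolved like any other locally originated packet;
#    vrf=VPN forces the lookup into the VPN table.
/ping 10.77.1.60 count=3
/ping 10.77.1.60 count=3 vrf=VPN
#    If only the second one answers, the L2TP link itself is fine and the
#    problem is table selection for router-originated traffic.

# 3. Candidate to test (assumption, not confirmed by the post): a routing
#    rule keyed on the VRF gateway address as source, so packets the
#    router itself sends from 10.77.1.1 are looked up in the VPN table
#    just like the forwarded ones matched by the dst-address rule.
/routing rule
add src-address=10.77.1.1/32 action=lookup table=VPN \
    comment="test: router-originated VPN traffic"
/routing rule print detail

# 4. Clean up the trace rule once done; a logging passthrough on every
#    router-originated packet is not something to leave in production.
/ip firewall mangle remove [find comment~"temporary"]
```

The two pings in step 2 are the quickest way to tell the two cases apart before touching the routing rules: if even `vrf=VPN` gets no reply, the trace in step 1 is where to keep looking.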