mainTAP
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Oct 02, 2012 4:01 am

v7 inter VRF route leak doesn't work for local IPs

Sun Jan 02, 2022 6:49 pm

Hi,

A static route to a different VRF doesn't seem to work when pointing to local IP.
I'm trying to reach the loopback 10.0.0.1 which is in vrf2 from the main vrf, but there is no response :
[admin@MikroTik] > ping 10.0.0.1 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                         
    0 10.0.0.1                                                     timeout                        
    1 10.0.0.1                                                     timeout                        
    2 10.0.0.1                                                     timeout                        
    3 10.0.0.1                                   84  64 125ms520us host unreachable                                      
    sent=5 received=0 packet-loss=100
    
[admin@MikroTik] > ip route/print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
 0  As   dst-address=10.0.0.1/32 routing-table=main pref-src="" gateway=loopback0@vrf2 immediate-gw=loopback0 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.5.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.5.23%ether1 

   DAc   dst-address=10.0.0.0/24 routing-table=vrf2 gateway=loopback0@vrf2 immediate-gw=loopback0 distance=0 scope=10 suppress-hw-offload=no 
         local-address=10.0.0.1%loopback0@vrf2
  
[admin@MikroTik] > export 
# jan/02/2022 16:39:24 by RouterOS 7.1.1
# software id = 
#
/interface bridge
add name=loopback0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=loopback0 name=vrf2
/ip address
add address=10.0.0.1/24 interface=loopback0 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether1
/ip route
add disabled=no distance=1 dst-address=10.0.0.1/32 gateway=loopback0@vrf2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Is this a bug ?

I'm running 7.1.1

Thank you.
 
emunt6
Member Candidate
Posts: 103
Joined: Fri Feb 02, 2018 7:00 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Jan 03, 2022 5:19 pm

Hi!

That's normal, you can find more about: "linux namespace"

If you want to "interconnect" the VRF you have the following options:
- Physically connect the cable to the interfaces ( each interface is a different VRF, so need "link" ),
- Exchange routes, assign each VRF to an RD, import/export routers between them ( M-BGP ).
 
mainTAP
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Oct 02, 2012 4:01 am

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Jan 03, 2022 6:45 pm

Thank you, why would routes exchanged by BGP work and static ones not ?
 
slackR
Frequent Visitor
Posts: 54
Joined: Sat May 23, 2009 1:46 pm
Location: Buffalo, New York, USA

Re: v7 inter VRF route leak doesn't work for local IPs

Tue Jan 11, 2022 3:49 am

I tried to add routes to a management VRF for NTP time sync and I also could not get the local NTP server to reply. I even tried broadcast and multicast NTP server. Ended up forwarding NTP to another server.

I can use route leaking to forward management traffic to public but not to local NTP server.

I would like to see local services multi VRF aware. It is nice to see that winbox, etc. can now be assigned to a VRF.
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Tue Jan 11, 2022 11:18 am

On Linux, VRF is implemented by (among other things) placing a routing rule to search the special table "l3mdev-table". By default this rule is placed with a pref value of 1000, while one of the default rules - local - has a pref value of 0, meaning its associated routing table is searched first. As a result, if you try to reach any directly connected route from any interface it will always go through the local table (i.e. VRF won't work). Normally you can 'fix' this by changing pref for local, so I suppose you'll have to make a support ticket for MT to fix it; as an alternative you can place everything in a separate VRF and avoid using 'main'.
 
mafiosa
Member Candidate
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

Re: v7 inter VRF route leak doesn't work for local IPs

Sun Jul 24, 2022 11:43 pm

Hi,

A static route to a different VRF doesn't seem to work when pointing to local IP.
I'm trying to reach the loopback 10.0.0.1 which is in vrf2 from the main vrf, but there is no response :
[admin@MikroTik] > ping 10.0.0.1 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                         
    0 10.0.0.1                                                     timeout                        
    1 10.0.0.1                                                     timeout                        
    2 10.0.0.1                                                     timeout                        
    3 10.0.0.1                                   84  64 125ms520us host unreachable                                      
    sent=5 received=0 packet-loss=100
    
[admin@MikroTik] > ip route/print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
 0  As   dst-address=10.0.0.1/32 routing-table=main pref-src="" gateway=loopback0@vrf2 immediate-gw=loopback0 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.5.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.5.23%ether1 

   DAc   dst-address=10.0.0.0/24 routing-table=vrf2 gateway=loopback0@vrf2 immediate-gw=loopback0 distance=0 scope=10 suppress-hw-offload=no 
         local-address=10.0.0.1%loopback0@vrf2
  
[admin@MikroTik] > export 
# jan/02/2022 16:39:24 by RouterOS 7.1.1
# software id = 
#
/interface bridge
add name=loopback0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=loopback0 name=vrf2
/ip address
add address=10.0.0.1/24 interface=loopback0 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether1
/ip route
add disabled=no distance=1 dst-address=10.0.0.1/32 gateway=loopback0@vrf2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Is this a bug ?

I'm running 7.1.1

Thank you.
This works on v7.4 stable
 
emunt6
Member Candidate
Posts: 103
Joined: Fri Feb 02, 2018 7:00 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Aug 01, 2022 1:15 am

Thank you, why would routes exchanged by BGP work and static ones not ?
VRF needs "physical/loopback" interface to make the "transit" to work.
I checked the "RouterOS 6.x" what vrf implementation had, that was "bunch of hacks/route-marking" as it seemed like VRF (but far from the true VRF).
It was not mature enough like other vendors: Cisco, HPE Comware, Juniper, ... -'s implementation.

The network industry standard is to create a route-table (RD), you can add static/dynamic routes, and assign interface/ interfaces to the VRF.
( BGP only used for RD -s assignment and no more - locally exchanging the routes within the router )

This is the minimum config for example:
(this is not Mikrotik)
!
BGP 65001
router-id 1.1.1.1
!
vrf definition RED
rd 65001:1100
rt-import 65001:1100
rt-export 65001:1100
exit
!
vrf definition BLUE
rd 65001:1200
rt-import 65001:1200
rt-export 65001:1200
exit
!
vrf definition TRANSIT
rd 65001:1300
rt-import 65001:1100 65001:1200
rt-export 65001:1300
exit
!
interface GigE1/0/1
vrf forwarding RED
ipv4 address 10.1.1.1 255.255.255.0
exit
!
interface GigE1/0/2
vrf forwarding BLUE
ipv4 address 10.2.2.1 255.255.255.0
exit
!


show ip route vrf RED
> 10.1.1.1/24 dev GigE1/0/1

show ip route vrf BLUE
> 10.2.2.1/24 dev GigE1/0/2

show ip route vrf TRANSIT
> 10.1.1.1/24 dev GigE1/0/1
> 10.2.2.1/24 dev GigE1/0/2


That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Sep 04, 2023 4:10 pm


Thank you, why would routes exchanged by BGP work and static ones not ?

This is the minimum config for example:
(this is not Mikrotik)
....

That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.
still not working as far as i tested VRF route import-export on v7
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Thu Dec 28, 2023 7:00 pm

version is 7.14beta3 now and what am i missing here?
mikrotikVRFv7import-export-via-RD.png
how to import ip routing infos from one VRF into another VRF?
something which was possible in v6 (https://wiki.mikrotik.com/index.php?tit ... te_Leaking)
 
nz_monkey
Forum Guru
Posts: 2100
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: v7 inter VRF route leak doesn't work for local IPs

Thu Dec 28, 2023 11:04 pm

Maris, how can we achieve route leaking in RouterOS v7 ?
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 3:50 am

Maris, how can we achieve route leaking in RouterOS v7 ?
maris?
 
nichky
Forum Guru
Posts: 1278
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 4:46 am

same as v6 e.g.

/ip route
0.0.0.0/0
1.2.3.4@main

routing/rule/
add routing-mark=local src-address=192.168.88.0/24 table=main
add dst-address=192.168.88.0/24 table=local

@nz_monkey - have u tried that?
 
nichky
Forum Guru
Posts: 1278
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 4:50 am

@shippan - are you trying to achieve vpn4? - That works well as well.

What is not working on v7 - U can't get default gateway via VRF.

I have raised a ticket and Maris has already confirmed that.


If you mean to originate the default route from vrf into vpnv4 then currently this feature does not exist. You are linked to a feature request and will receive an update when this feature is implemented.

Māris B.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 11:43 am

@shippan - are you trying to achieve vpn4? - That works well as well.

What is not working on v7 - U can't get default gateway via VRF.

I have raised a ticket and Maris has already confirmed that.


If you mean to originate the default route from vrf into vpnv4 then currently this feature does not exist. You are linked to a feature request and will receive an update when this feature is implemented.

Māris B.
nb: username is without an "h" ;)

yes vpnv4. inter-VRF route leaking (dynamically) via BGP VPN RD import/export of defined RD definitions (screenshot in post #9)
 
nichky
Forum Guru
Posts: 1278
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 1:39 pm

vpnv4 - works well, show us your config.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 2:05 pm

EDIT: opened ticket SUP-138970
6 months in testing, asking and trying are
definitely a stretched time for patience now


vpnv4 - works well, show us your config.

please consider post #9
i have 2 VRFs with RD set
i want to route-leak each VRF to the other (on that same router)
what is missing to achieve that? do i have to manually setup a local/internal bgp session on that router.

winbox screenshot at the bottom!
# 2023-12-29 13:00:36 by RouterOS 7.14beta3
/interface bridge add name=Lo10 protocol-mode=none
/interface bridge add name=Lo11 protocol-mode=none
/interface bridge add name=Lo12 protocol-mode=none
/interface bridge add name=Lo20 protocol-mode=none
/interface bridge add name=Lo21 protocol-mode=none
/interface bridge add name=Lo22 protocol-mode=none
/interface bridge add name=Lo30 protocol-mode=none
/interface bridge add name=Lo31 protocol-mode=none
/interface bridge add name=Lo32 protocol-mode=none
/interface bridge add admin-mac=18:FD:74:xx:xx:xx auto-mac=no ingress-filtering=no name=br0 port-cost-mode=short priority=0x4000 pvid=10 vlan-filtering=yes

/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes

/interface vlan add interface=br0 name=vlan10 vlan-id=10
/interface vlan add interface=br0 name=vlan20 vlan-id=20
/interface vlan add interface=br0 name=vlan30 vlan-id=30
/interface vlan add interface=br0 name=vlan31 vlan-id=31
/interface vlan add interface=br0 name=vlan99 vlan-id=99

/interface list add name=WB
/interface list add name=ND
/interface list add name=LAN

/ip vrf add interfaces=Lo30,Lo31,Lo32 name=vrf30
/ip vrf add interfaces=Lo20,Lo21,Lo22 name=vrf20
/ip vrf add interfaces=Lo10,Lo11,Lo12 name=vrf10

/routing bgp template set default as=65000 disabled=yes routing-table=main

/interface bridge port add bridge=br0 interface=ether1 internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=br0 interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 disabled=yes interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=wlan2G internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=wlan5G internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wlan-cam internal-path-cost=10 path-cost=10 point-to-point=no pvid=30
/interface bridge port add bridge=br0 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wlan-homeauto internal-path-cost=10 path-cost=10 point-to-point=no pvid=30

/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=10
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=30
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=31
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=99

/interface list member add interface=br0 list=WB
/interface list member add interface=ether5 list=WB
/interface list member add interface=vlan10 list=WB
/interface list member add interface=vlan99 list=WB
/interface list member add interface=vlan10 list=ND
/interface list member add interface=vlan99 list=ND
/interface list member add interface=ether1 list=ND
/interface list member add interface=wlan5G list=WB

/ip address add address=192.168.77.7/24 interface=vlan10 network=192.168.77.0
/ip address add address=192.168.10.1/24 interface=Lo10 network=192.168.10.0
/ip address add address=192.168.11.1/24 interface=Lo11 network=192.168.11.0
/ip address add address=192.168.12.1/24 interface=Lo12 network=192.168.12.0
/ip address add address=192.168.20.1/24 interface=Lo20 network=192.168.20.0
/ip address add address=192.168.21.1/24 interface=Lo21 network=192.168.21.0
/ip address add address=192.168.22.1/24 interface=Lo22 network=192.168.22.0
/ip address add address=192.168.30.1/24 interface=Lo30 network=192.168.30.0
/ip address add address=192.168.31.1/24 interface=Lo31 network=192.168.31.0
/ip address add address=192.168.32.1/24 interface=Lo32 network=192.168.32.0

/ip route add disabled=no distance=110 dst-address=0.0.0.0/0 gateway=192.168.77.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# static routes are working to ping 192.168.32.1 (which resides in VRF30) from VRF10 and VRF20 -> so as src-interfaces chosen from VRF10 or VRF20 for testing
# without those 2 static routes -> no reachability
/ip route add disabled=no distance=1 dst-address=192.168.32.0/24 gateway=vrf30 pref-src="" routing-table=vrf10 scope=10 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.32.0/24 gateway=vrf30 pref-src="" routing-table=vrf20 scope=10 suppress-hw-offload=no target-scope=10

/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:10 import.route-targets=65650:10,65650:20,65650:30 label-allocation-policy=per-prefix name=bgp-mpls-vpn-1 route-distinguisher=65650:10 vrf=vrf10
/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:20 import.route-targets=65650:20,65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 route-distinguisher=65650:20 vrf=vrf20
/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:30 import.route-targets=65650:30,65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-3 route-distinguisher=65650:30 vrf=vrf30

/routing ospf interface-template add area=bkk dead-interval=10s disabled=no hello-interval=5s interfaces=vlan99 priority=0 use-bfd=yes

/system identity set name=hAPacLite-Cellar

/system ntp client set enabled=yes
/system ntp client servers add address=192.168.77.1
/system ntp client servers add address=10.20.2.1

/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=WB
/tool mac-server mac-winbox set allowed-interface-list=WB
rosv7-interVRF-RL-Lo.png
Last edited by spippan on Fri Dec 29, 2023 3:32 pm, edited 3 times in total.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 3:19 pm

@nichky
FYI - THAT is the whole silverline which should be accomplished as a BARE MINIMUM for a serious implementation of VRFs in rOS!
(quote from user "emunt6")


The network industry standard is to create a route-table (RD), you can add static/dynamic routes, and assign interface/ interfaces to the VRF.
( BGP only used for RD -s assignment and no more - locally exchanging the routes within the router )

This is the minimum config for example:
(this is not Mikrotik)
!
BGP 65001
router-id 1.1.1.1
!
vrf definition RED
rd 65001:1100
rt-import 65001:1100
rt-export 65001:1100
exit
!
vrf definition BLUE
rd 65001:1200
rt-import 65001:1200
rt-export 65001:1200
exit
!
vrf definition TRANSIT
rd 65001:1300
rt-import 65001:1100 65001:1200
rt-export 65001:1300
exit
!
interface GigE1/0/1
vrf forwarding RED
ipv4 address 10.1.1.1 255.255.255.0
exit
!
interface GigE1/0/2
vrf forwarding BLUE
ipv4 address 10.2.2.1 255.255.255.0
exit
!


show ip route vrf RED
> 10.1.1.1/24 dev GigE1/0/1

show ip route vrf BLUE
> 10.2.2.1/24 dev GigE1/0/2

show ip route vrf TRANSIT
> 10.1.1.1/24 dev GigE1/0/1
> 10.2.2.1/24 dev GigE1/0/2


That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 4:17 pm

As it was already mentioned in other topics, there never was a mechanism to automatically leak connected routes from other VRFs, like in the provided cisco config in this topic.
For that static config is required, and starting from 7.14 where loopbacks are exposed it is even easier:
/interface bridge
add name=dummy1
add name=dummy2
/ip vrf
add interfaces=dummy2 name=vrf2
add interfaces=dummy1 name=vrf1

/ip address
add address=1.1.1.1 interface=dummy1 network=1.1.1.1
add address=1.1.1.2 interface=dummy2 network=1.1.1.2

/ip route
add dst-address=1.1.1.2 gateway=vrf2 routing-table=vrf1
add dst-address=1.1.1.1 gateway=vrf1 routing-table=vrf2

[admin@rack1_b35_CCR1036] /ip/route> /ping 1.1.1.1 src-address=1.1.1.2 vrf=vrf2
  SEQ HOST                                     SIZE TTL TIME       STATUS                               
    0 1.1.1.1                                    56  64 177us     
    1 1.1.1.1                                    56  64 148us     
    2 1.1.1.1                                    56  64 155us 

Now from here you can establish any routing protocol session between vrfs that is capable of running in vrf to distribute other routes between vrfs.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 8:52 pm

bummer. but at least it is somewhat to build a kind-of-workaround

thanks for the example to which i can further test this for a prod approach

EDIT:
are there any hopes or plans for an implementation to be able to achieve this dynamically (well via BGP) like most systems support it?
would be great because the fundamentals are laid out already (/routing/bgp/vpn/) with import/export
 
jaclaz
Long time Member
Posts: 614
Joined: Tue Oct 03, 2023 4:21 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Dec 29, 2023 11:38 pm

@mrz
Do you happen to know (and if yes, please share this info) if your example runs also on earlier systems or is it only starting from 7.14?
I quickly tried it in CHR/GNS3 (7.11.2) but vrf1 and vrf2 are not accepted as gateway.
The dac routes use dummy1@vrf1 and dummy2@vrf2, using them for the static rules make them AS but the ping does not work.
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Dec 30, 2023 12:46 pm

this exact example works only in 7.14 because loopback and vrf interfaces are exposed only starting from this version.
 
jaclaz
Long time Member
Posts: 614
Joined: Tue Oct 03, 2023 4:21 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Dec 30, 2023 3:08 pm

Excuse me, but that means that the functionality is only starting with 7.14 or that there is (was) another method working on previous releases?

If the latter, can you post the corresponding example with the "old" method?

Maybe it is just me, but 7.14 is still a bit too new/experimental to be put on real installations.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Dec 30, 2023 4:48 pm

Excuse me, but that means that the functionality is only starting with 7.14 or that there is (was) another method working on previous releases?

If the latter, can you post the corresponding example with the "old" method?

Maybe it is just me, but 7.14 is still a bit too new/experimental to be put on real installations.
try creating dummy interfaces in each VRF to which you point in the static routes

something like:
Lo10 => VRF10
Lo20 => VRF20
Lo30 => VRF30

and use the LoXY as gateway for static routes
currently i am not able to test but this idea just came up
 
jaclaz
Long time Member
Posts: 614
Joined: Tue Oct 03, 2023 4:21 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Dec 30, 2023 7:45 pm

@spippan

Thank you :) , but you are seemingly the one that cannot have this working :( (though your issue seems like being related to BGP, whooosh[1]).

mrz posted a working example specific to 7.14 (which, if I get it right is in beta right now) while giving the impression that vrf route leaking is easier in 7.14 (because interfaces are directly exposed or whatever) but that it was possible in earlier versions (with some more complex configuration/some different Mikrotik magic spell).

I am asking if my impression is correct and - if yes - we can have a surely working example for earlier versions, possibly I unintentionally sort of hi-jacked the thread, sorry.

The issue I am trying to understand/solve (I already found a workaround for it) is DNS and NTP access from vrf, I am (still?) in the "absolute beginner" category, JFYI:
viewtopic.php?p=1043616#p1043382

[1] that is the sound of BGP passing over my head, very similar to the sound VPNV4 made while doing the same
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Jan 13, 2024 7:02 pm

it somehow worked in v7.4
even the static route in VRF10 got redistributed to VRF20 and VRF30
interVRF-ROS7.4.png.png


as soon as i go e.g. to 7.12.1 it stops working:
interVRF-ROS7.12.1.png
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Sat Jan 20, 2024 5:15 pm

answer to SUP-138970
it will come in future releases. up until now, no time information WHEN though
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Wed Jan 24, 2024 11:46 am

What's new in 7.14beta8 (2024-Jan-22 21:07):

*) bgp - allow to leak routes between local VRFs;

YES. tests will follow
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Wed Jan 24, 2024 2:27 pm

and it does not work. despite there are routes to 192.168.10.0/24 in VRF20 and VRF30 clients in either of these VRFs can reach any 192.168.10.x/24 IP
[admin@RT1] > export hide-sensitive 
# 2024-01-24 12:19:25 by RouterOS 7.14beta8
# software id = 
#
/interface vlan
add interface=ether1 name=ether1.100 vlan-id=100
add interface=ether1 name=ether1.200 vlan-id=200
add interface=ether1 name=ether1.300 vlan-id=300
add interface=ether1 name=ether1.999 vlan-id=999

/ip pool
add name=dhcp_pool0 ranges=192.168.10.20-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.20-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1.100 name=dhcp1
add address-pool=dhcp_pool1 interface=ether1.200 name=dhcp2
add address-pool=dhcp_pool2 interface=ether1.300 name=dhcp3

/ip smb smb-user
set [ find default=yes ] read-only=yes

/ip vrf
add interfaces=ether1.300 name=vrf30
add interfaces=ether1.200 name=vrf20
add interfaces=ether1.100 name=vrf10

/port
set 0 name=serial0

/ip address
add address=192.168.10.1/24 interface=ether1.100 network=192.168.10.0
add address=10.0.2.1 interface=lo network=10.0.2.1
add address=192.168.20.1/24 interface=ether1.200 network=192.168.20.0
add address=192.168.30.1/24 interface=ether1.300 network=192.168.30.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.30.251 client-id=1:0:50:79:66:68:a mac-address=00:50:79:66:68:0A server=dhcp3
add address=192.168.30.250 client-id=1:0:50:79:66:68:9 mac-address=00:50:79:66:68:09 server=dhcp3
add address=192.168.20.20 client-id=1:0:50:79:66:68:8 mac-address=00:50:79:66:68:08 server=dhcp2
add address=192.168.20.21 client-id=1:0:50:79:66:68:7 mac-address=00:50:79:66:68:07 server=dhcp2
add address=192.168.10.20 client-id=1:0:50:79:66:68:6 mac-address=00:50:79:66:68:06 server=dhcp1
add address=192.168.10.21 client-id=1:0:50:79:66:68:5 mac-address=00:50:79:66:68:05 server=dhcp1

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.1 pref-src="" routing-table=vrf10 scope=30 suppress-hw-offload=no target-scope=10

/routing bgp vpn
add disabled=no export.redistribute=connected,static .route-targets=65650:10 import.route-targets=65650:20,65650:30 label-allocation-policy=per-prefix name=bgp-mpls-vpn-1 \
    route-distinguisher=65650:10 vrf=vrf10
add disabled=no export.redistribute=connected,static .route-targets=65650:20 import.route-targets=65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 route-distinguisher=\
    65650:20 vrf=vrf20
add disabled=no export.redistribute=connected,static .route-targets=65650:30 import.route-targets=65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-3 route-distinguisher=\
    65650:30 vrf=vrf30

/system identity
set name=RT1
/system note
set show-at-login=no
/tool romon
set enabled=yes
The Setup:
Screenshot from 2024-01-24 13-17-09.png

Clients in VRF20 and VRF30 trying to reach 192.168.10.1 (GW IP in VRF10)
(NB: clients also cannot reach any other clients in VRF10)
Screenshot from 2024-01-24 13-18-47.png

winbox view:
Screenshot from 2024-01-24 13-19-00.png
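An added example, not part of any post above and not MikroTik code: every static route whose gateway sits in another VRF, and every BGP VPN instance that imports another VRF's export route target, is a point where VRF isolation is deliberately opened, so a review of an export should list them all. The sketch parses the export syntax quoted in this thread; reading the leading-dot `.route-targets` as a continuation of the preceding `export.` prefix is an assumption, and `parse_export`, `find_leaks`, `Leak` and the sample text are constructed for illustration.

```python
import re
import shlex
from collections import namedtuple

Leak = namedtuple("Leak", "into source kind detail")

# Constructed sample: lines modelled on the exports quoted in this thread,
# mixing section headers, one-line paths and "\" line wrapping.
SAMPLE_EXPORT = r"""
/ip vrf
add interfaces=dummy2 name=vrf2
add interfaces=dummy1 name=vrf1
/ip route
add dst-address=1.1.1.2 gateway=vrf2 routing-table=vrf1
add dst-address=10.0.0.1/32 gateway=loopback0@vrf2 pref-src="" routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.77.1 routing-table=vrf1
/routing bgp vpn
add export.redistribute=connected,static .route-targets=65650:10 import.route-targets=65650:20,65650:30 name=bgp-mpls-vpn-1 \
    route-distinguisher=65650:10 vrf=vrf10
add export.redistribute=connected,static .route-targets=65650:20 import.route-targets=65650:10 name=bgp-mpls-vpn-2 route-distinguisher=\
    65650:20 vrf=vrf20
/routing bgp vpn add export.redistribute=connected .route-targets=65650:30 import.route-targets=65650:30 name=bgp-mpls-vpn-3 route-distinguisher=65650:30 vrf=vrf30
"""


def parse_export(text):
    """Return [(menu_path, {property: value})] for every 'add' line."""
    text = re.sub(r"\\\n\s*", "", text)  # undo the export's "\" line wrapping
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):
            verb_at = next((i for i, t in enumerate(tokens)
                            if t in ("add", "set")), None)
            if verb_at is None:          # bare section header, e.g. "/ip route"
                section = " ".join(tokens)
                continue
            path, tokens = " ".join(tokens[:verb_at]), tokens[verb_at:]
        else:
            path = section
        if tokens[0] != "add":
            continue
        props, prefix = {}, ""
        for token in tokens[1:]:
            key, sep, value = token.partition("=")
            if not sep:
                continue
            if key.startswith("."):      # assumed shorthand: reuse last prefix
                key = prefix + key
            elif "." in key:
                prefix = key.rsplit(".", 1)[0]
            props[key] = value
        entries.append((path, props))
    return entries


def find_leaks(text):
    """List every place where one routing table can reach into another VRF."""
    entries = parse_export(text)
    vrfs = {p["name"] for path, p in entries
            if path == "/ip vrf" and "name" in p}
    leaks = []
    # Static leaks: gateway=iface@vrf, or gateway=<vrf name> (the 7.14 style).
    for path, p in entries:
        if path != "/ip route" or "gateway" not in p:
            continue
        table = p.get("routing-table", "main")
        gateway = p["gateway"]
        if "@" in gateway:
            gw_vrf = gateway.rsplit("@", 1)[1]
        elif gateway in vrfs:
            gw_vrf = gateway
        else:
            gw_vrf = table               # plain next hop stays in its own table
        if gw_vrf != table:
            leaks.append(Leak(table, gw_vrf, "static",
                              p.get("dst-address", "?")))

    # BGP VPN leaks: instance A imports a route target that instance B exports.
    def targets(props, key):
        return set(filter(None, props.get(key, "").split(",")))

    vpns = [p for path, p in entries
            if path == "/routing bgp vpn" and "vrf" in p]
    for a in vpns:
        for b in vpns:
            shared = (targets(a, "import.route-targets")
                      & targets(b, "export.route-targets"))
            if a["vrf"] != b["vrf"] and shared:
                leaks.append(Leak(a["vrf"], b["vrf"], "bgp-vpn",
                                  ",".join(sorted(shared))))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_EXPORT):
        print(f"{leak.into} <- {leak.source}  [{leak.kind}] {leak.detail}")
```

Each reported pair is a direction in which traffic can cross a VRF boundary; pairs that are not in the intended design are the ones to check against firewall rules.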
 
artificialexit
just joined
Posts: 1
Joined: Wed Mar 01, 2023 2:21 am

Re: v7 inter VRF route leak doesn't work for local IPs

Thu Feb 08, 2024 5:08 am

@spippan There must have been a change in 7.14beta10 maybe the following line?
*) route - fixed gateways of locally imported vpnv4 routes;


I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRFs gateway address but I can ping hosts on other VRFs
Last edited by artificialexit on Thu Feb 08, 2024 5:14 am, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Thu Feb 08, 2024 8:53 am

Currently, Local addresses will not be reachable, because BGP VPN sets interface@vrf gateways. There are plans to change it in the future.
 
nichky
Forum Guru
Posts: 1278
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Thu Feb 08, 2024 1:02 pm

@spippan

Let me understand, the issue that you are experiencing, is that you are not able to learn the route between different VRFs
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Fri Feb 09, 2024 1:55 pm

probably can be used as vrf loopback.
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Tue Feb 13, 2024 2:02 pm

@spippan

Let me understand, the issue that you are experiencing, is that you are not able to learn the route between different VRFs
that was the problem at first yes. which now works as far as VRFs get to learn imported routes (via RD)

have a look at post #28
(EDIT: added link to post#28)
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Sun Feb 18, 2024 8:44 pm

@spippan There must have been a change in 7.14beta10 maybe the following line?
*) route - fixed gateways of locally imported vpnv4 routes;


I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRFs gateway address but I can ping hosts on other VRFs

it is now working with route-leaking and forwarding between different VRFs
tested it yesterday
 
jsa97
just joined
Posts: 1
Joined: Sun Mar 03, 2024 11:11 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Sun Mar 03, 2024 11:13 pm

@spippan There must have been a change in 7.14beta10 maybe the following line?





I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRFs gateway address but I can ping hosts on other VRFs

it is now working with route-leaking and forwarding between different VRFs
tested it yesterday
Hi, you mean that you can now ping local gateway between leaked VRF imported via MBGP ?
I'm not able to get this working, could you please send your working config ?

Thanks !
Last edited by jsa97 on Sun Mar 03, 2024 11:15 pm, edited 2 times in total.
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Mar 04, 2024 9:58 am

Local addresses will be reachable starting from v7.15beta
 
spippan
Member
Posts: 334
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Mar 04, 2024 10:52 pm


Hi, you mean that you can now ping local gateway between leaked VRF imported via MBGP ?
I'm not able to get this working, could you please send your working config ?

Thanks !
no i meant reachability between clients in different VRFs
e.g. "ClientA" in VRF "RED" can reach "ClientB" in VRF "BLUE" as long as those 2 VRFs learn (leak) routes from/to each other
cannot reach the router address in a "foreign" VRF (ClientA in RED cannot reach GW address in BLUE)
 
nichky
Forum Guru
Posts: 1278
Joined: Tue Jun 23, 2015 2:35 pm

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Mar 11, 2024 2:30 am

@mrz

this is the plan for v7.15?
/ip route
add dst-address=10.11.0.0/24 gateway=vrfTest1@vrfTest1 routing-table=vrfTest2
add dst-address=10.12.0.0/24 gateway=vrfTest2@vrfTest2 routing-table=vrfTest1
 
mrz
MikroTik Support
Posts: 7051
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: v7 inter VRF route leak doesn't work for local IPs

Mon Mar 11, 2024 9:42 am

Yes
