OSPF / VLANs / VRRP / hw-offload CRS312-4C+8XG 7.6

Fri Nov 11, 2022 11:36 pm

OSPF issues - wondering if I have an issue in my use of VLANs, VRRP and hardware offloading. Long story short, OSPF doesn't work. I have 2 firewalls and a MikroTik switch; firewalls OSPF neighbor properly across the switch. I "see" the switch send out OSPF packets to on each firewall (tcpdump)... however it doesn't appear that the MikroTik is listening, if that makes sense. Running 7.6 on a CRS312-4C+8XG.

Layout: 2 Sophos XG firewalls, LAN:

Firewall 1 - (Port1)
Firewall 2 - (Port2)

OSPF config on the Sophos firewall devices:
router ospf
 passive-interface Port8 ## this is just to negate the WAN path; prod will use passive-interface default + allow only the LAN port
 network area

MikroTik config:
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan601 vlan-id=601
add interface=bridge name=vlan602 vlan-id=602
add interface=bridge name=vlan604 vlan-id=604
add interface=bridge name=vlan999 vlan-id=999
/interface vrrp
add interface=vlan601 name=vrrp601 priority=150 remote-address= \
add interface=vlan602 name=vrrp602 priority=150 remote-address= \
add interface=vlan604 name=vrrp604 priority=150 remote-address= \
add interface=vlan999 name=vrrp999 priority=150 remote-address= \
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=LAN
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/interface bridge port
add bridge=bridge interface=ether1 pvid=604
add bridge=bridge interface=ether2 pvid=604
add bridge=bridge interface=ether3 pvid=604
add bridge=bridge interface=ether4 pvid=604
add bridge=bridge interface=ether5 pvid=604
add bridge=bridge interface=ether6 pvid=604
add bridge=bridge interface=ether7 pvid=999
add bridge=bridge interface=ether8 pvid=999
add bridge=bridge interface=combo1 pvid=602
add bridge=bridge interface=combo2 pvid=601
add bridge=bridge interface=combo3 pvid=601
add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,combo4 untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=604
add bridge=bridge tagged=bridge,combo4 untagged=ether7,ether8 vlan-ids=999
add bridge=bridge tagged=bridge,combo4 untagged=combo1 vlan-ids=602
add bridge=bridge tagged=bridge,combo4 untagged=combo2,combo3 vlan-ids=601
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=combo1 list=LAN
add interface=combo2 list=LAN
add interface=combo3 list=LAN
/ip address
add address= interface=vlan601 network=
add address= interface=vlan602 network=
add address= interface=vlan604 network=
add address= interface=vlan999 network=
add address= interface=vrrp601 network=
add address= interface=vrrp602 network=
add address= interface=vrrp604 network=
add address= interface=vrrp999 network=
/ip route
add dst-address= gateway=
/routing ospf area range
add area=ospf-area-1 disabled=no prefix=
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=vlan604 networks=
# Enable full hardware routing on LAN ports
:foreach i in=[/interface/list/member/find where list=LAN] do={
    /interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=yes
}
# Activate Layer 3 Hardware Offloading on the switch chip - in case it got turned off
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

I've fired up the same equipment in the lab without VRRP or VLANs and OSPF works like a champ....

Re: OSPF / VLANs / VRRP / hw-offload CRS312-4C+8XG 7.6

Fri Nov 11, 2022 11:43 pm

I'm an absolute idiot. Always check your network masks... and if ospf doesn't come up, check the logs --- :)
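
The mask check recommended above, as an added example that is not part of the original posts: on a broadcast segment an OSPFv2 router drops a Hello whose network mask, HelloInterval or RouterDeadInterval differs from its own interface settings (RFC 2328, section 10.5), so decoding a captured Hello and comparing those fields shows the mismatch directly. The addresses and the `LOCAL` settings are constructed, since the thread's real values are elided, and the sketch assumes the mismatch was between neighbors on the shared segment, which the post does not spell out.

```python
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")  # RFC 2328 A.3.1: common header, 24 bytes
HELLO = struct.Struct("!4sHBBI4s4s")      # RFC 2328 A.3.2: fixed Hello fields, 20 bytes


def ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_hello(pkt):
    """Decode an OSPFv2 Hello (the payload after the IP header) into a dict."""
    if len(pkt) < OSPF_HDR.size + HELLO.size:
        raise ValueError("too short for an OSPF Hello")
    ver, typ, _len, rid, area, _cksum, _autype, _auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2 or typ != 1:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello, _opts, _prio, dead, _dr, _bdr = HELLO.unpack_from(pkt, OSPF_HDR.size)
    return {"router_id": ip(rid), "area": ip(area), "mask": ip(mask),
            "hello": hello, "dead": dead}


def hello_mismatches(pkt, local):
    """List the fields that would make the local interface drop this Hello.

    The mask comparison applies to broadcast/NBMA segments; RFC 2328 exempts
    point-to-point and virtual links from it.
    """
    seen = parse_hello(pkt)
    return [f"{k}: neighbor {seen[k]} != local {local[k]}"
            for k in ("area", "mask", "hello", "dead") if seen[k] != local[k]]


def build_hello(router_id, area, mask, hello=10, dead=40):
    """Construct a sample Hello for the demo (checksum left at zero, no neighbors)."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    body = HELLO.pack(packed(mask), hello, 0x02, 1, dead,
                      packed("0.0.0.0"), packed("0.0.0.0"))
    hdr = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), packed(router_id),
                        packed(area), 0, 0, b"\0" * 8)
    return hdr + body


# Constructed values (documentation addresses), not taken from the thread.
LOCAL = {"area": "0.0.0.0", "mask": "255.255.255.0", "hello": 10, "dead": 40}
SAMPLE = build_hello("192.0.2.1", "0.0.0.0", "255.255.255.128")

if __name__ == "__main__":
    for line in hello_mismatches(SAMPLE, LOCAL) or ["no mismatch"]:
        print(line)
```

Feed `parse_hello` the OSPF payload of a Hello captured on the segment (IP protocol 89) and set `LOCAL` to the receiving interface's own area, mask and timers.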
