mlacomb
just joined
Topic Author
Posts: 12
Joined: Wed Aug 17, 2022 10:01 pm

OSPF / VLANs / VRRP / hw-offload CRS312-4C+8XG 7.6

Fri Nov 11, 2022 11:36 pm

OSPF issues - wondering if I have an issue in my use of VLANs, VRRP and hardware offloading. Long story short, OSPF doesn't work. I have 2 firewalls and a MikroTik switch; firewalls OSPF neighbor properly across the switch. I "see" the switch send out OSPF packets to 224.0.0.5 on each firewall (tcpdump)... however it doesn't appear that the MikroTik is listening, if that makes sense. Running 7.6 on a CRS312-4C+8XG.

Layout: 2 Sophos XG firewalls, LAN:

Firewall 1 - 10.6.4.254/23 (Port1)
Firewall 2 - 10.6.4.253/23 (Port2)

OSPF config on the Sophos firewall devices:
router ospf
 passive-interface Port8 ## this is just to negate the WAN path; prod will use passive-interface default + allow only the LAN port
 network 0.0.0.0/0 area 0.0.0.0

MikroTik config:
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan601 vlan-id=601
add interface=bridge name=vlan602 vlan-id=602
add interface=bridge name=vlan604 vlan-id=604
add interface=bridge name=vlan999 vlan-id=999
/interface vrrp
add interface=vlan601 name=vrrp601 priority=150 remote-address=10.6.1.3 \
    sync-connection-tracking=yes
add interface=vlan602 name=vrrp602 priority=150 remote-address=10.6.2.3 \
    sync-connection-tracking=yes
add interface=vlan604 name=vrrp604 priority=150 remote-address=10.6.4.3 \
    sync-connection-tracking=yes
add interface=vlan999 name=vrrp999 priority=150 remote-address=10.6.247.3 \
    sync-connection-tracking=yes
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=LAN
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/interface bridge port
add bridge=bridge interface=ether1 pvid=604
add bridge=bridge interface=ether2 pvid=604
add bridge=bridge interface=ether3 pvid=604
add bridge=bridge interface=ether4 pvid=604
add bridge=bridge interface=ether5 pvid=604
add bridge=bridge interface=ether6 pvid=604
add bridge=bridge interface=ether7 pvid=999
add bridge=bridge interface=ether8 pvid=999
add bridge=bridge interface=combo1 pvid=602
add bridge=bridge interface=combo2 pvid=601
add bridge=bridge interface=combo3 pvid=601
add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,combo4 untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=604
add bridge=bridge tagged=bridge,combo4 untagged=ether7,ether8 vlan-ids=999
add bridge=bridge tagged=bridge,combo4 untagged=combo1 vlan-ids=602
add bridge=bridge tagged=bridge,combo4 untagged=combo2,combo3 vlan-ids=601
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=combo1 list=LAN
add interface=combo2 list=LAN
add interface=combo3 list=LAN
/ip address
add address=10.6.1.2/24 interface=vlan601 network=10.6.1.0
add address=10.6.2.2/24 interface=vlan602 network=10.6.2.0
add address=10.6.4.2/24 interface=vlan604 network=10.6.4.0
add address=10.6.247.2/24 interface=vlan999 network=10.6.247.0
add address=10.6.1.1 interface=vrrp601 network=10.6.1.1
add address=10.6.2.1 interface=vrrp602 network=10.6.2.1
add address=10.6.4.1 interface=vrrp604 network=10.6.4.1
add address=10.6.247.1 interface=vrrp999 network=10.6.247.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.6.4.254
/routing ospf area range
add area=ospf-area-1 disabled=no prefix=0.0.0.0/0
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=vlan604 networks=0.0.0.0/0
#
#
# Enable full hardware routing on LAN ports
:foreach i in=[/interface/list/member/find where list=LAN] do={
    /interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=yes
}
# Activate Layer 3 Hardware Offloading on the switch chip - in case it got turned off
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

I've fired up the same equipment in the lab without VRRP or VLANs and OSPF works like a champ....
 
mlacomb
just joined
Topic Author
Posts: 12
Joined: Wed Aug 17, 2022 10:01 pm

Re: OSPF / VLANs / VRRP / hw-offload CRS312-4C+8XG 7.6

Fri Nov 11, 2022 11:43 pm

I'm an absolute idiot. Always check your network masks... and if OSPF doesn't come up, check the logs --- :)
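
An added example, not part of the posts above: on broadcast networks OSPF discards a Hello whose network mask differs from the receiving interface's mask (RFC 2328, section 10.5), which is what a mask check is looking for. The sketch compares the vlan604 address from the export with the firewall addresses listed in the first post; the function names and the PEERS table are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the export lines are copied from the first post; the
# PEERS table uses the firewall addresses listed there.
ROUTEROS_EXPORT = """\
/ip address
add address=10.6.1.2/24 interface=vlan601 network=10.6.1.0
add address=10.6.4.2/24 interface=vlan604 network=10.6.4.0
add address=10.6.4.1 interface=vrrp604 network=10.6.4.1
"""
PEERS = {"Firewall 1": "10.6.4.254/23", "Firewall 2": "10.6.4.253/23"}


def parse_ip_addresses(export):
    """Return {interface: IPv4Interface} from the '/ip address' section."""
    result, in_section = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip address"
            continue
        if in_section and line.startswith("add "):
            fields = dict(re.findall(r"(\S+?)=(\S+)", line))
            # ipaddress parses an address without a prefix length as /32
            result[fields["interface"]] = ipaddress.ip_interface(fields["address"])
    return result


def hello_mask_mismatches(local, peers):
    """List peers whose Hello would fail the network-mask check on `local`."""
    problems = []
    for name, cidr in peers.items():
        peer = ipaddress.ip_interface(cidr)
        if peer.network.prefixlen != local.network.prefixlen:
            problems.append((name, str(peer.netmask), str(local.netmask)))
    return problems


def check(export=ROUTEROS_EXPORT, peers=PEERS, interface="vlan604"):
    """Compare the OSPF interface's mask with each peer on the same segment."""
    local = parse_ip_addresses(export)[interface]
    return hello_mask_mismatches(local, peers)


if __name__ == "__main__":
    for name, theirs, ours in check():
        print(f"{name}: Hello mask {theirs} != interface mask {ours}")
```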
