Damien, I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

  /ip firewall mangle add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1

Dst-address being your subnet inside the VRF, or use an address-list if there are a few.

Regards,
Philip

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

You go into IP route VRF, and put the interfaces that should be on the VRF into the VRF with your selected routing mark. Then those IPs don't appear in the global routing table, and instead appear on the chosen routing mark. Then nothing can talk to the IPs on those interfaces unless you have an ip firewall mangle rule which tags packets/connections/whatever coming in on another interface INTO that routing mark.

The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)

The only hassle I have found with VRFs on MikroTik is that administrative replies (i.e. ttl expired in transit for traceroutes, and packet too large ICMPs when going over tunnel interfaces, etc.) get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN MTU on the firewall I use at the datacenter to 1450 so that traffic over EOIP to home inside the VRF still works :\

On 9 January 2017 at 16:46, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
Hi
I asked earlier, thought I would just double check.
CCR1036 - looking at using this as my exterior WAN connector / Router. But I want to setup a management port (actually a VLAN) so I want to place that interface and some routes into its own VRF.
I have just setup some arista switches which I have done the same - so all the management traffic traverses 1 port.
I can see in /ip route vrf
I can add routes to a route mark name space. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table, and basically mark all the packets with the route mark I want to use?
Is that it?
Thanks Alex
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
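Putting the pieces of this thread together as one RouterOS v6 configuration: Damien's interface-into-VRF step, the gateway@main leak route, a prerouting mangle rule for traffic that arrives on another interface, and Philip's output-chain workaround. This is an added example, not configuration posted by anyone in the thread; the interface names (vlan100, ether1), the routing mark name (mgmt), the gateway 1.2.3.1 and the subnet 172.16.0.0/24 are assumed placeholders taken from or chosen to match the discussion. The security point for Alex's management VLAN is the one Damien makes: once vlan100 is in the VRF, its addresses are unreachable from the main table unless a route or mangle rule explicitly leaks traffic across, so every cross-table path is a deliberate, visible rule.

```routeros
# Added example, not from the thread. Hypothetical names:
#   vlan100        management VLAN interface that should live in the VRF
#   172.16.0.0/24  management subnet on vlan100 (matches Philip's dst-address)
#   ether1         WAN-side interface that stays in the main table
#   1.2.3.1        normal default gateway in the main table (Damien's example)
#   mgmt           routing mark used as the VRF name

# 1. Put the interface into the VRF. Its connected routes leave the main
#    table and exist only under routing-mark=mgmt.
/ip route vrf
add routing-mark=mgmt interfaces=vlan100

# 2. Give the VRF a way out: a default route under the VRF mark whose
#    gateway is resolved in the main table (the gateway@main form Damien
#    describes). Without this, hosts on vlan100 reach nothing outside the VRF.
/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.1@main routing-mark=mgmt

# 3. Let traffic arriving on another interface reach the VRF subnet:
#    mark it into the mgmt table in prerouting, before the routing decision.
#    Restrict in-interface/dst-address so only intended flows cross tables.
/ip firewall mangle
add chain=prerouting in-interface=ether1 dst-address=172.16.0.0/24 \
    action=mark-routing new-routing-mark=mgmt passthrough=no

# 4. Philip's suggested workaround for router-originated packets (ICMP
#    errors, traceroute replies) destined for the VRF subnet: mark them in
#    the output chain so they are routed via the mgmt table.
add chain=output dst-address=172.16.0.0/24 \
    action=mark-routing new-routing-mark=mgmt passthrough=no
```

To check the result, `/ip route print where routing-mark=mgmt` should show the connected vlan100 route and the leaked default route, and `/ip firewall mangle print stats` shows whether rules 3 and 4 are actually matching. Damien reports that administrative ICMP replies can still be lost inside the VRF, so test PMTUD explicitly from a VRF host rather than assuming the output-chain rule fixed it; if it has not, his fallback of lowering the MTU on the tunnel path (he used 1450 over EoIP) is the remaining option.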