Hi Yep thats about it. SNAT seems to work for locally generated packets .. DNS request, NTP request, just not ICMP - difference probably is one is application level and one is kernel. Just ran into another interesting thing ... I am testing the flow of packets. I have setup a test box on the Internet VRF interface and I use the ccr as DGW. I try and ping addresses in the Vendor VRF... all good, the internet interface uses the DGW and tried to send it out to the internet .. Put when i try and ping an interface on Vendor VRF... it responds, but the packet goes out the Vendor interface .... strange ! But i guess sort of in line with the above, the ICMP is generated by the kernel. tried to ssh .... it accepts the packet and it also tries to send it out the Vendor interface .... I think from memory there is a way to stop a local ip address responding on a different local interface ... ( some switch in linux) seems like there is a lot of work need on vrf... Alex On 6 March 2017 at 13:33, Philip Loenneker <Philip.Loenneker@tasmanet.com.au
wrote:
Alex,
Am I right in understanding that the ICMP responses are sent out the correct VRF, it's just that the source IP is not correct?
Looking at this page: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow Output chain has Mangle and Filter processing, but not NAT. However I think you said you were NATing other Output chain traffic, so I'm not sure how accurate that is.
This would be ugly, and I have NO idea if it would work or not, but it might be worth trying to route the traffic back to the router itself and then NAT on a Forwarded packet instead.
Regards, Philip Loenneker | Network Engineer | TasmaNet
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker Sent: Wednesday, 1 March 2017 3:25 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: [MT-AU Public] multi VRF
Hi
Asking the list again, sorry my google skill on archive search is letting me down.
So a quick recap
ccr1036 & ccr1072
I have
Interface Xfer - bridge port onto eth1, this was the interface is also up , 192.168.1.1/24 Management - vlan 8 Vendor - vlan 7 Internet - vlan 6
My default routing table is 192.168.1.0/24 Xfer Dgw 192.168.1.2
My internet I have vrf internet and I use BGP with routing tag internet Same for vendor and same for management
So management routing table is basically Local attached network 10.10.10.80/24 Dgw 10.10.10.1
I have the appropriate ip route vrf and ip route rule lines and I also have mangle lines that mark inbound packets and re applies marking on the outbound packets
What happens is any ICMP generate locally ... host / net unreachable are generated with src address 192.168.1.1 not the right src address for the vrf.
I have tried snat lines basically saying if src address = 192.168.1.1 and out interface = management then change to the 10.10.10.80 << this doesn't work.
I seem to remember somebody saying they had fixed this some how? If so can you please repost.
I have chatted with support... basically they say yes bug, will not be fixed until V7 .. maybe next century ...
Any one know of any work arounds ?
Thanks Alex
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au