Hi Damien,

That's great news that you solved it. I hadn't thought of using connection marking - I should remember that feature more often!

Alex, did you manage to get your management VRF working how you would like?

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Tuesday, 10 January 2017 9:38 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

G'day Phillip,

Thanks, after a bit of messing around tonight, we figured it out. Need to have rules incoming on all interfaces which are part of the VRF, to mark-connection=vrf1_connection, and then a mangle rule on the output chain to match the connection, and mark-routing into the VRF. Looks something like this:

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=eoip-vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-routing chain=output connection-mark=kids-mark new-routing-mark=kids-vrf passthrough=yes

Now I just need to figure out how to NAT the router's own IP outbound on those interfaces, so it uses the IP of the interface for replies, and not the loopback IP of the router (though that's more a 'nice traceroutes' issue than anything). It looks to have fixed PMTUD as well as the missing hops in traceroutes :)

Also as a somewhat side curiosity.. The HP Microserver N36L CPUs are not at all suited to doing PPPoE... RouterOS VM doing PPPoE over NBN, 20mbps of traffic, with both CPU cores at 99%! (It's a dual core 1.2GHz AMD Neo) Reconfigured the CRS-109 (600MHz single-core) in the living room (which is just operating as a switch anyway..) to do our internet PPPoE, and voila, 50mbps at 2% CPU. That blew me away a little :D

On 10 January 2017 at 08:37, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
Damien,
I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

/ip firewall mangle
add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1

dst-address being your subnet inside the VRF, or use an address-list if there are a few.
Regards, Philip
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik
You go into IP route VRF, and put the interfaces that should be on the VRF into the VRF with your selected routing mark. Then those IPs don't appear in the global routing table, and instead appear on the chosen routing mark.
Then nothing can talk to the IPs on those interfaces unless you have an ip firewall mangle rule which tags packets/connections/whatever coming in on another interface INTO that routing mark.
The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)
The only hassle I have found with VRFs on MikroTik is that administrative replies (i.e. ttl expired in transit for traceroutes, and packet too large ICMPs when going over tunnel interfaces, etc.) get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN MTU on the firewall I use at the datacenter to 1450 so that traffic over EoIP to home inside the VRF still works :\
On 9 January 2017 at 16:46, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
Hi
I asked earlier, thought I would just double check.
CCR1036 - looking at using this as my exterior WAN connector / router. But I want to set up a management port (actually a VLAN), so I want to place that interface and some routes into its own VRF.
I have just set up some Arista switches where I have done the same - so all the management traffic traverses 1 port.
I can see in /ip route vrf
I can add routes to a route mark namespace. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table, and basically mark all the packets with the route mark I want to use?
Is that it ??
Thanks Alex
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
-- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
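Pulling the pieces of this thread together for Alex's management-VRF case: the following RouterOS (v6-era) configuration is an added example, not a config posted by anyone on the list. The interface name vlan-mgmt, the routing mark mgmt-vrf, the connection mark mgmt-conn and the upstream gateway 1.2.3.1 are assumed placeholders. It puts the management VLAN into a VRF, applies the connection-mark/output-chain mark-routing trick Damien found so the router's own replies (ICMP TTL-exceeded, fragmentation-needed, and so on) are routed inside the VRF, leaks a default route back to the main table, and adds the input filter that the VRF alone does not give you: a VRF separates routing tables, but it does not by itself stop the router's services being reached from other interfaces.

```routeros
# Added example (not from the thread). Assumed placeholders: interface
# vlan-mgmt, routing mark mgmt-vrf, connection mark mgmt-conn, and an
# upstream gateway 1.2.3.1 that lives in the main routing table.

# 1. Place the management VLAN into its own VRF. Addresses on vlan-mgmt
#    disappear from the main table and are only reachable via mgmt-vrf.
/ip route vrf
add routing-mark=mgmt-vrf interfaces=vlan-mgmt

# 2. Mark connections that arrive on the VRF interface, then in the output
#    chain mark-routing the router's own replies for those connections so
#    the route lookup happens in mgmt-vrf instead of the main table.
/ip firewall mangle
add chain=prerouting in-interface=vlan-mgmt action=mark-connection \
    new-connection-mark=mgmt-conn passthrough=yes
add chain=output connection-mark=mgmt-conn action=mark-routing \
    new-routing-mark=mgmt-vrf passthrough=yes

# 3. Optional: let hosts in the VRF reach the outside world through the
#    main table's gateway (the gateway@main form from Damien's message).
/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.1@main routing-mark=mgmt-vrf

# 4. Restrict management services to the management VLAN. Rule order
#    matters: the accept must sit above the drop.
/ip firewall filter
add chain=input in-interface=vlan-mgmt protocol=tcp dst-port=22,8291,443 \
    action=accept comment="management only from vlan-mgmt"
add chain=input protocol=tcp dst-port=22,8291,443 action=drop \
    comment="management from any other interface"
```

To confirm the separation is doing what you expect, `/ip route print where routing-mark=mgmt-vrf` should list the VRF's connected routes plus the leaked default, and `/ip firewall connection print where connection-mark=mgmt-conn` should show only sessions that entered via vlan-mgmt; a management session that appears without the mark means the prerouting rule is not matching the interface it arrived on.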