Hi Team,

While I already understand that RouterOS does not listen on VRF interfaces for IP services (Winbox, SSH etc) - I am interested to know if anyone has put together some janky mangle rules to make this work?

Cheers,
Dave
Hi Dave,

I have indeed done this, mainly so that customers within a VRF can do SNMP queries on the device. I also needed to do this for DHCP Relay to function correctly.

I can possibly dig up the config, but in short I believe it was as simple as 2 mangle rules:
- One on Input chain to identify traffic coming in on a VRF, and apply a connection mark to it
- One on Output chain that matches the connection mark and applies the route table rule

If you keep the first rule fairly broad it should be able to respond to most traffic coming in and out, but it will not cover traffic initiated by the router itself. Also note that Fastpath may skip the rules.

Alternatively I've had some luck with using Route Rules to control which route tables are used in various circumstances, but I think I went with the mangle rules in the end.

Regards,
Philip Loenneker | Senior Network Engineer | TasmaNet

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Dave Browning
Sent: Thursday, 25 June 2020 8:27 AM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Winbox from a VRF Interface
Yep, that's exactly how you have to set up every VRF you have on a mikrotik if you want them to work properly. I was a little confused at Dave's email about Winbox/SSH not working in a VRF, as it works perfectly.. But of course, if you've missed the mangle rules that you need to set up to MAKE a VRF work correctly, then of course it's not going to work :D (And by 'correctly', I mean you need the two rules so that you don't have a completely missing hop in your traceroutes, miss ICMP frag needed type packets generated from the mikrotik, etc etc. I'm not sure why that's not in MT's documentation for VRFs, it took me a lot of messing about initially to get it sorted out so it worked correctly.)

Every VRF you have will need the following two mangle rules:

  chain=prerouting action=mark-connection new-connection-mark=KIDS_MARK passthrough=yes in-interface-list=KIDS
  chain=output action=mark-routing new-routing-mark=KIDS_ROUTING passthrough=yes connection-mark=KIDS_MARK

where KIDS_MARK is the connection mark you'll be using, KIDS is the interface list you'll put all the interfaces involved in the VRF in, and KIDS_ROUTING is the routing table being used for routes inside the VRF.

Note: things like Traceroute hops and ICMP unreachable will be generated from the IP that would be used for the route to the destination in the DEFAULT routing table, and only then is the packet marked into the VRF's routing table. So if the mikrotik is 192.168.12.57 inside the VRF and 27.50.65.2 on its public interface, and has no specific route in the default routing table for 192.168.12.57, it picks 0/0 to route via its public interface, and replies for newly generated packets inside the VRF will come from (eg) 27.60.65.2, which will look funny in a traceroute. (But normal replies, e.g. Syn/Ack to a Syn sent to 192.168.12.57 inside the VRF, will come from 192.167.12.57 correctly.)

Cheers,
DG

On Thu, 25 Jun 2020 at 11:33, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
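To tie Damien's two mangle rules to the VRF and interface-list objects they reference, and to cover Philip's Fastpath caveat and his SNMP use case, here is a complete RouterOS v6 config fragment. It is an added example written for this thread, not config posted by either of them; the interface ether3, the customer subnet 10.50.0.0/24, the fasttrack rule and the input-filter rules at the end are assumptions (the filter rules go beyond what the thread shows, limiting what the VRF side can reach on the router), and on RouterOS v7 the VRF is created under /ip vrf instead.

```routeros
# RouterOS v6 syntax. Assumed: ether3 faces the customer, VRF subnet 10.50.0.0/24.

# Interface list holding every interface that belongs to the VRF
/interface list add name=KIDS
/interface list member add list=KIDS interface=ether3

# The VRF itself: its routing table is selected by routing-mark KIDS_ROUTING
/ip route vrf add routing-mark=KIDS_ROUTING interfaces=ether3

# Damien's rule 1: everything entering via a VRF interface gets a connection mark
/ip firewall mangle add chain=prerouting in-interface-list=KIDS \
    action=mark-connection new-connection-mark=KIDS_MARK passthrough=yes

# Damien's rule 2: replies the router itself generates on a marked connection are
# routed with the VRF table instead of the default one, so they leave via ether3
/ip firewall mangle add chain=output connection-mark=KIDS_MARK \
    action=mark-routing new-routing-mark=KIDS_ROUTING passthrough=yes

# Philip's caveat: fasttracked connections bypass mangle entirely, so keep VRF
# traffic out of any fasttrack rule you already have in the forward chain
# (assumed rule; followed by your usual accept for established,related)
/ip firewall filter add chain=forward connection-state=established,related \
    in-interface-list=!KIDS action=fasttrack-connection

# The marks make the router answer from inside the VRF, so limit what the VRF
# side may reach: accept only the one service wanted (SNMP here) from the
# customer subnet and drop everything else arriving on a VRF interface.
# Place these ahead of the general management accept rules (Winbox, SSH).
/ip firewall filter add chain=input in-interface-list=KIDS protocol=udp \
    dst-port=161 src-address=10.50.0.0/24 action=accept
/ip firewall filter add chain=input in-interface-list=KIDS action=drop
```

To confirm the rules are being hit rather than skipped, watch the packet counters on the two mangle rules in /ip firewall mangle print stats while querying SNMP from the VRF side.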
Cheers lads, got it working with Philip's nudge in the right direction.

Cheers,
Dave

On 25/06/2020 1:04 pm, Damien Gardner Jnr wrote:
participants (3): Damien Gardner Jnr, Dave Browning, Philip Loenneker