From: Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com>
Sent: Monday, 9 January 2017 4:46 PM
Subject: [MT-AU Public] vrf on mikrotik

Hi

I asked earlier, thought I would just double check.

CCR1036 - looking at using this as my exterior WAN connector / router. But I want to set up a management port (actually a VLAN), so I want to place that interface and some routes into its own VRF.

I have just set up some Arista switches where I have done the same - so all the management traffic traverses 1 port.

I can see in /ip route vrf that I can add routes to a route-mark namespace. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table and basically mark all the packets with the route mark I want to use? Is that it??

Thanks
Alex
From: Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
Subject: Re: [MT-AU Public] vrf on mikrotik

You go into IP route VRF and put the interfaces that should be on the VRF into the VRF with your selected routing mark. Then those IPs don't appear in the global routing table, and instead appear under the chosen routing mark.

Then nothing can talk to the IPs on those interfaces unless you have an ip firewall mangle rule which tags packets/connections/whatever coming in on another interface INTO that routing mark.

The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)

The only hassle I have found with VRFs on MikroTik is that administrative replies (i.e. TTL expired in transit for traceroutes, packet-too-large ICMPs when going over tunnel interfaces, etc.) get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN MTU on the firewall I use at the datacenter to 1450 so that traffic over EoIP to home inside the VRF still works :\

--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder.
We danced among the lightning bolts, and tore the world asunder

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
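Damien's description written out as a complete RouterOS v6 configuration, with the part a management VRF is normally built for on top: making the router's management services answer only on that VLAN. This is an added example, not configuration from the thread or from MikroTik. It reuses the Management VLAN (vlan-id 80) and 10.32.80.72/24 that Alex posts later in the thread; the main-table upstream 192.168.0.254 and the monitoring subnet 203.0.113.0/24 reached through main are assumed placeholders.

```routeros
# Added example (not from the thread): management VRF on RouterOS v6,
# following Damien's explanation. Addresses and names are assumptions.

# 1. Management VLAN and its address (vlan-id 80 on the bonded uplink "switch")
/interface vlan
add interface=switch name=Management vlan-id=80
/ip address
add address=10.32.80.72/24 interface=Management comment="Management IP"

# 2. Put the interface into the VRF. Its connected route now lives only
#    under routing-mark=Management, not in the main table.
/ip route vrf
add interfaces=Management routing-mark=Management

# 3. Routes that exist only inside the VRF
/ip route
add dst-address=0.0.0.0/0 gateway=10.32.80.1 routing-mark=Management comment="default inside the management VRF"

# 4. Optional leak from the VRF into main, using the gateway@table form
#    Damien describes: hosts in the VRF reach 203.0.113.0/24 (assumed NMS
#    subnet) via the main table's upstream 192.168.0.254 (assumed).
add dst-address=203.0.113.0/24 gateway=192.168.0.254@main routing-mark=Management comment="leak: NMS subnet via main"

# 5. Management services are bound to the management subnet and the
#    input chain drops them from anywhere else.
/ip service
set ssh address=10.32.80.0/24
set winbox address=10.32.80.0/24
disable telnet
disable ftp
disable www
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to the router's own sessions"
add chain=input in-interface=Management src-address=10.32.80.0/24 protocol=tcp dst-port=22,8291 action=accept comment="ssh/winbox only from the management VLAN"
add chain=input protocol=tcp dst-port=22,8291 action=drop comment="ssh/winbox from anywhere else"
```

Step 4 is the one to leave out unless something inside the VRF genuinely has to reach the main table: every leak route is a hole in the isolation the VRF was created for, so each one should carry a comment saying what it is for. Step 5 only controls what the router accepts; getting the router's own replies back out through the VRF is the problem Damien and Alex work through later in the thread.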
From: Philip Loenneker <Philip.Loenneker@tasmanet.com.au>
Sent: Tuesday, 10 January 2017 8:37 AM
Subject: Re: [MT-AU Public] vrf on mikrotik

Damien,

I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

/ip firewall mangle
add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1

Dst-address being your subnet inside the VRF, or use an address-list if there are a few.

Regards,
Philip
From: Damien Gardner Jnr
Sent: Tuesday, 10 January 2017 9:38 PM
Subject: Re: [MT-AU Public] vrf on mikrotik

G'day Philip,

Thanks, after a bit of messing around tonight we figured it out. You need to have rules incoming on all interfaces which are part of the VRF to mark-connection=vrf1_connection, and then a mangle rule on the output chain to match the connection and mark-routing into the VRF. Looks something like this:

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=eoip-vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-routing chain=output connection-mark=kids-mark new-routing-mark=kids-vrf passthrough=yes

Now I just need to figure out how to NAT the router's own IP outbound on those interfaces, so it uses the IP of the interface for replies and not the loopback IP of the router (though that's more a 'nice traceroutes' issue than anything). It looks to have fixed PMTUD as well as the missing hops in traceroutes :)

Also as a somewhat side curiosity.. the HP Microserver N36L CPUs are not at all suited to doing PPPoE... RouterOS VM doing PPPoE over NBN, 20mbps of traffic, with both CPU cores at 99%! (It's a dual-core 1.2GHz AMD Neo.) Reconfigured the CRS-109 (600MHz single-core) in the living room (which is just operating as a switch anyway..) to do our internet PPPoE, and voila, 50mbps at 2% CPU. That blew me away a little :D

--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder.
We danced among the lightning bolts, and tore the world asunder
From: Philip Loenneker
Sent: Wednesday, 11 January 2017 8:55 AM
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi Damien,

That's great news that you solved it. I hadn't thought of using connection marking - I should remember that feature more often!

Alex, did you manage to get your management VRF working how you would like?
From: Alex Samad - Yieldbroker
Sent: Wednesday, 11 January 2017 9:07 AM
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi

Still in the planning and testing phase - about to head out on leave :)

I find it best to keep thinking how I would do it on a multihomed Linux box.. I find that helps, and then translate it to ROS.

A
From: Alex Samad - Yieldbroker
Sent: Friday, 13 January 2017 3:14 PM
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi

Given it a bit of a go:

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=9216 mtu=9000
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216 mtu=9000
/interface bonding
add mode=802.3ad mtu=9000 name=switch slaves=sfp-sfpplus1,sfp-sfpplus2 transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=switch name=Management vlan-id=80
/ip address
add address=10.32.80.72/24 comment="Management IP" interface=Management network=10.32.80.0
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=Management new-connection-mark=Management passthrough=yes
add action=mark-routing chain=output connection-mark=Management new-routing-mark=Management passthrough=yes
/ip route
add distance=250 gateway=10.32.80.1 routing-mark=Management
/ip route vrf
add interfaces=Management routing-mark=Management

When I jump onto 10.32.80.7 I can ping 10.32.80.72, but when I try and ssh I can see the SYN packet but no reply!

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=10.32.80.1 gateway-status=10.32.80.1 on Management reachable via Management distance=250 scope=30 target-scope=10 routing-mark=Management
 1 ADC  dst-address=10.32.80.0/24 pref-src=10.32.80.72 gateway=Management gateway-status=Management reachable distance=0 scope=10 routing-mark=Management
 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10

Any suggestions?

Alex
One thing that might be biting you is that you need a valid route in the main routing table. If you have a default route, that will cover it, but if you have no routes that cover the return path, then it won't be processed far enough to get to the mangle rule to move between VRFs.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Friday, 13 January 2017 3:14 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi

Given it a bit of a go:

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=9216 mtu=9000
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216 mtu=9000
/interface bonding
add mode=802.3ad mtu=9000 name=switch slaves=sfp-sfpplus1,sfp-sfpplus2 transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=switch name=Management vlan-id=80
/ip address
add address=10.32.80.72/24 comment="Management IP" interface=Management network=10.32.80.0
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=Management new-connection-mark=Management passthrough=yes
add action=mark-routing chain=output connection-mark=Management new-routing-mark=Management passthrough=yes
/ip route
add distance=250 gateway=10.32.80.1 routing-mark=Management
/ip route vrf
add interfaces=Management routing-mark=Management

When I jump onto 10.32.80.7 I can ping 10.32.80.72, but when I try to ssh I can see the SYN packet but no reply!
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=10.32.80.1 gateway-status=10.32.80.1 on Management reachable via Management distance=250 scope=30 target-scope=10 routing-mark=Management
 1 ADC  dst-address=10.32.80.0/24 pref-src=10.32.80.72 gateway=Management gateway-status=Management reachable distance=0 scope=10 routing-mark=Management
 2 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10

Any suggestions?

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Wednesday, 11 January 2017 9:07 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi

Still in the planning and testing phase - about to head out on leave :)

I find it best to keep thinking how I would do it on a multihomed Linux box. I find that helps, and then translate it to ROS.

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Wednesday, 11 January 2017 8:55 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hi Damien,

That's great news that you solved it. I hadn't thought of using connection marking - I should remember that feature more often!

Alex, did you manage to get your management VRF working how you would like?

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Tuesday, 10 January 2017 9:38 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

G'day Philip,

Thanks, after a bit of messing around tonight, we figured it out.

Need to have rules incoming on all interfaces which are part of the VRF to mark-connection=vrf1_connection, and then a mangle rule on the output chain to match the connection and mark-routing into the VRF. Looks something like this:

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=eoip-vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-routing chain=output connection-mark=kids-mark new-routing-mark=kids-vrf passthrough=yes

Now I just need to figure out how to NAT the router's own IP outbound on those interfaces, so it uses the IP of the interface for replies and not the loopback IP of the router (though that's more a 'nice traceroutes' issue than anything). It looks to have fixed PMTUD as well as the missing hops in traceroutes :)

Also, as a somewhat side curiosity: the HP Microserver N36L CPUs are not at all suited to doing PPPoE. A RouterOS VM doing PPPoE over NBN, 20 Mbps of traffic, with both CPU cores at 99%! (It's a dual-core 1.2 GHz AMD Neo.) Reconfigured the CRS-109 (600 MHz single-core) in the living room (which is just operating as a switch anyway) to do our internet PPPoE, and voila, 50 Mbps at 2% CPU. That blew me away a little :D

On 10 January 2017 at 08:37, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
Damien,
I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

/ip firewall mangle
add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1

dst-address being your subnet inside the VRF, or use an address-list if there are a few.

Regards,
Philip
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

You go into IP route VRF and put the interfaces that should be on the VRF into the VRF with your selected routing mark. Then those IPs don't appear in the global routing table, and instead appear on the chosen routing mark.

Then nothing can talk to the IPs on those interfaces unless you have an IP firewall mangle rule which tags packets/connections/whatever coming in on another interface INTO that routing mark.

The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)

The only hassle I have found with VRFs on MikroTik is that administrative replies (i.e. TTL expired in transit for traceroutes, and packet-too-large ICMPs when going over tunnel interfaces, etc.) get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN MTU on the firewall I use at the datacenter to 1450 so that traffic over EoIP to home inside the VRF still works :\
You can't bind local services to anything but the global table.
Tim - you can, but you have to have some matching routes and mangle rules to make it work. I've done it, and Damien replied in this thread saying he has done it too.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Friday, 13 January 2017 3:58 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

You can't bind local services to anything but the global table.
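Putting the thread's advice together in one place: the configuration below is an added example and is not something any of the posters supplied. It reuses Alex's names and addresses (interface Management as VLAN 80 on his bonding "switch", 10.32.80.72/24, gateway 10.32.80.1, 192.168.0.1/24 on ether1, a management host at 10.32.80.7) and Damien's upstream 1.2.3.1; the route distances, the service and input-filter policy, and the comments are assumptions of mine. It is RouterOS v6 syntax (/ip route vrf), which is what the thread is running; the bonding and SFP+ settings are already in Alex's export above and are not repeated.

```routeros
# Added example, not from the thread. RouterOS v6 syntax.
# From the thread: Management (VLAN 80 on bonding "switch"), 10.32.80.72/24,
# gateway 10.32.80.1, ether1 192.168.0.1/24, upstream next hop 1.2.3.1.
# Assumed: distances, service restrictions and filter placement below.

/interface vlan
add interface=switch name=Management vlan-id=80

/ip address
add address=10.32.80.72/24 interface=Management comment="Management IP"
add address=192.168.0.1/24 interface=ether1

# 1. Damien's first step: put the interface in the VRF. Its connected route
#    then exists only under routing-mark=Management and disappears from main.
/ip route vrf
add interfaces=Management routing-mark=Management

/ip route
# 2. Default route that lives inside the VRF (only VRF-marked traffic sees it).
add dst-address=0.0.0.0/0 gateway=10.32.80.1 routing-mark=Management \
    distance=250 comment="management default, VRF table only"
# 3. Philip's caveat: a reply the router generates itself (SSH, Winbox, SNMP)
#    is looked up in main first, and the output mangle chain only gets to
#    re-route it if that lookup found some route. A static default with a
#    high distance keeps that true even when OSPF/BGP are down (Alex's worry);
#    it does not carry management traffic, the mangle rules below override it.
add dst-address=0.0.0.0/0 gateway=1.2.3.1 distance=240 \
    comment="static fallback so main always resolves the return path"

# 4. Damien's mangle pair: tag each connection on entry to the VRF interface
#    (one prerouting rule per VRF interface), then in output move the reply
#    onto the VRF table by connection mark.
/ip firewall mangle
add chain=prerouting in-interface=Management action=mark-connection \
    new-connection-mark=Management passthrough=yes \
    comment="tag every connection entering the management VRF"
add chain=output connection-mark=Management action=mark-routing \
    new-routing-mark=Management passthrough=yes \
    comment="replies to VRF peers leave via the VRF table"
# 5. Philip's PMTUD rule for packets with no connection to match (ICMP
#    fragmentation-needed, TTL-exceeded, an admin on the router pinging a
#    management host): steer them into the VRF by destination instead.
add chain=output dst-address=10.32.80.0/24 action=mark-routing \
    new-routing-mark=Management passthrough=yes \
    comment="router-originated packets to the management subnet"

# 6. Tim's point still holds: /ip service listeners are global, not per VRF,
#    so isolation has to come from the listener address filter and the input
#    chain. Assumed policy: SSH and Winbox only, only from the management
#    subnet, only arriving on the VRF interface. The accept rule must sit
#    above any generic input drop already in the ruleset.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=10.32.80.0/24
set winbox address=10.32.80.0/24
/ip firewall filter
add chain=input in-interface=Management src-address=10.32.80.0/24 \
    protocol=tcp dst-port=22,8291 action=accept comment="mgmt via VRF only"
add chain=input protocol=tcp dst-port=22,8291 action=drop \
    comment="management from any other interface"

# Checks. The connected 10.32.80.0/24 route must show routing-mark=Management,
# and an SSH session from 10.32.80.7 must appear with connection-mark=Management;
# if it does not, the output rule has nothing to match and the SYN gets no reply.
/ip route print detail where routing-mark=Management
/ip firewall connection print where connection-mark=Management
```

The two print commands at the end are the quickest way to tell the three failure modes apart: no connection mark means the prerouting rule is not seeing the traffic (wrong in-interface), a marked connection with no reply means the main table has no route for the peer (step 3), and a reply leaving the wrong interface means the output mark-routing rule is below something that already accepted the packet.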
Hmmmm, that's going to be annoying... I wanted to isolate my management traffic, and if my other OSPF/BGP isn't up then I will have no default route. I am a bit wary of putting management into the default table.

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Friday, 13 January 2017 4:05 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Tim - you can, but you have to have some matching routes and mangle rules to make it work. I've done it, and Damien replied in this thread saying he has done it too.
/ip route add distance=250 gateway=10.32.80.1 routing-mark=Management /ip route vrf add interfaces=Management routing-mark=Management when I jump onto 10.32.80.7 I can ping 10.32.80.72, but when I try and ssh I can see the SYN packet but no reply ! /ip route print detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 A S dst-address=0.0.0.0/0 gateway=10.32.80.1 gateway-status=10.32.80.1 on Management reachable via Management distance=250 scope=30 target-scope=10 routing-mark=Management 1 ADC dst-address=10.32.80.0/24 pref-src=10.32.80.72 gateway=Management gateway-status=Management reachable distance=0 scope=10 routing-mark=Management 2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 Any suggestions ? Alex -----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker Sent: Wednesday, 11 January 2017 9:07 AM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] vrf on mikrotik Hi Still planning and testing phase - about to head out on leave :) I find it best to keep thinking how I would do it on a multihomed linux box.. I find that helps and then to translate it to ROS A -----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker Sent: Wednesday, 11 January 2017 8:55 AM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] vrf on mikrotik Hi Damien, That's great news that you solved it. I hadn't thought of using connection marking - I should remember that feature more often! Alex, did you manage to get your management VRF working how you would like? 
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Tuesday, 10 January 2017 9:38 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

G'day Phillip,

Thanks, after a bit of messing around tonight, we figured it out. Need to have rules incoming on all interfaces which are part of the VRF, to mark-connection=vrf1_connection, and then a mangle rule on output chain to match the connection, and mark-routing into the vrf. Looks something like this:

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-connection chain=prerouting in-interface=eoip-vlan102 new-connection-mark=kids-mark passthrough=yes
add action=mark-routing chain=output connection-mark=kids-mark new-routing-mark=kids-vrf passthrough=yes

Now I just need to figure out how to NAT the router's own IP outbound on those interfaces, so it uses the IP of the interface for replies, and not the loopback IP of the router (though that's more a 'nice traceroutes' issue, than anything..). It looks to have fixed PMTUD as well as the missing hops in traceroutes :)

Also as a somewhat side curiosity.. The HP Microserver N36L cpu's are not at all suited to doing pppoe... RouterOS VM doing PPPOE over NBN, 20mbps of traffic, with both CPU cores at 99%! (It's a dual core 1.2GHZ AMD Neo) Reconfigured the CRS-109 (600MHz single-core) in the living room (which is just operating as a switch anyway..) to do our internet PPPOE, and voila, 50mbps at 2% cpu. That blew me away a little :D

On 10 January 2017 at 08:37, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
Damien,
I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

/ip firewall mangle
add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1
Dst-address being your subnet inside the VRF, or use an address-list if there are a few.
Regards, Philip
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik
You go into IP route VRF, and put the interfaces that should be on the VRF, into the VRF with your selected routing mark. Then those IPs don't appear in the global routing table, and instead appear on the chosen routing mark.
Then nothing can talk to the IPs on those interfaces unless you have an ip firewall mangle rule which tags packets/connections/whatever coming in on another interface, INTO that routing mark.
The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)
The only hassle I have found with VRFs on mikrotik, is that administrative replies (i.e. ttl expired in transit for traceroutes, and packet too large ICMPs when going over tunnel interfaces, etc), get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN mtu on the firewall I use at the datacenter to 1450 so that traffic over EOIP to home inside the VRF still works :\
On 9 January 2017 at 16:46, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
Hi
I asked earlier, thought I would just double check.
CCR1036 - looking at using this as my exterior WAN connector / Router. But I want to set up a management port (actually a VLAN), so I want to place that interface and some routes into its own VRF.
I have just set up some Arista switches where I have done the same - so all the management traffic traverses 1 port.
I can see in /ip route vrf
I can add routes to a route mark name space. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table, and basically mark all the packets with the route mark I want to use?
Is that it?
Thanks
Alex
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
-- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
Okay, added dgw and it started to work! I will try testing with a dgw into a black hole!

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Friday, 13 January 2017 4:20 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hmmmm that's going to be annoying ... I wanted to isolate my management traffic and if my other OSPF/BGP isn't up then I will have no default route ... I am a bit wary of putting management into the default table ..

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Friday, 13 January 2017 4:05 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Tim - you can, but you have to have some matching routes and mangle rules to make it work. I've done it, and Damien replied in this thread saying he has done it too.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Friday, 13 January 2017 3:58 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

You can't bind local services to anything but the global table.
Alex - can you put management in Main and all other traffic within VRFs?

Note that you need a route, and it needs to be active (ie valid) but it doesn't need to go anywhere... I don't know if you can send it to a loopback/bridge on the same device, but any IP that has direct connectivity should be fine, even if there is nothing using that IP.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Friday, 13 January 2017 4:20 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hmmmm that's going to be annoying ... I wanted to isolate my management traffic and if my other OSPF/BGP isn't up then I will have no default route ... I am a bit wary of putting management into the default table ..

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Friday, 13 January 2017 4:05 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Tim - you can, but you have to have some matching routes and mangle rules to make it work. I've done it, and Damien replied in this thread saying he has done it too.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Tim Warnock
Sent: Friday, 13 January 2017 3:58 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

You can't bind local services to anything but the global table.
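The design the thread converges on, written out as an added example in the RouterOS v6 syntax used above; it is not Alex's, Philip's or MikroTik's own configuration. It reuses the interface names and addresses from Alex's posted config and adds the two things the thread identifies as necessary before the router's own services will answer inside the VRF: the ingress connection mark paired with an output-chain routing mark, and an active route in the main table. The reason the main-table route matters is the Linux output path RouterOS inherits: a locally generated reply such as the SSH SYN/ACK is routed in the main table before the mangle output chain runs, and only afterwards is it re-routed into the marked table, so when main has no route to the client the reply is never built at all. That is the "SYN seen, no reply" symptom Alex reported, and it is why Philip's note says the route only has to be active, not useful. The next hop 192.168.0.254 on ether1 is a constructed placeholder for that route (the thread does not say which gateway Alex added), and the input-chain filter rules at the end are my addition: they keep the router's management services reachable only from the Management VLAN, whatever else happens in the other routing tables.

```routeros
# Added example, not from the thread: management VLAN in its own VRF on RouterOS v6.
# Interface names and addresses follow Alex's config; 192.168.0.254 is an ASSUMED placeholder.

# Management VLAN on the bonded uplink, as in the thread.
/interface vlan
add interface=switch name=Management vlan-id=80
/ip address
add address=10.32.80.72/24 comment="Management IP" interface=Management network=10.32.80.0

# Put the interface into the VRF: its connected route now exists only in the
# "Management" routing table, not in main.
/ip route vrf
add interfaces=Management routing-mark=Management

# Default route inside the VRF, towards the management gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=10.32.80.1 routing-mark=Management distance=250

# The main table also needs an active route covering the management clients.
# Locally generated replies are routed in main first; the output-chain
# mark-routing below can only re-route a packet that main was able to route.
# The next hop is a placeholder on the directly connected ether1 subnet
# (ASSUMPTION: 192.168.0.254 is not a host from the thread). It never carries
# management traffic; it only has to be "reachable" so the route is active.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.254 distance=250 comment="main-table placeholder, never used by marked traffic"

# Mark connections arriving on the management interface, then send the router's
# own replies for those connections through the VRF table.
/ip firewall mangle
add chain=prerouting in-interface=Management action=mark-connection new-connection-mark=Management passthrough=yes
add chain=output connection-mark=Management action=mark-routing new-routing-mark=Management passthrough=yes

# Defensive addition (mine, not from the thread): management services answer only
# on the Management VLAN, so a routing mistake elsewhere cannot expose them.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=Management protocol=tcp dst-port=22,8291 action=accept comment="ssh/winbox from management VLAN only"
add chain=input protocol=tcp dst-port=22,8291 action=drop comment="management services from anywhere else"
```

Apply the filter rules last and from a session on the Management VLAN, since the final drop rule locks every other interface out of ssh and winbox. If a full default route in main is unwanted, a narrower main-table route that covers only the management clients' subnets, with the same placeholder next hop, satisfies the same requirement. Whether a blackhole route in main would also satisfy it is the test Alex proposes; on stock Linux a lookup that hits a blackhole route fails the same way as having no route, so I would not rely on it without testing it on the CCR.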
Cool, I will have to have a think about it. My concern is that a misconfig in one of the other VRFs and suddenly all the traffic ends up in main, which is connected to my management network ..

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Friday, 13 January 2017 4:27 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Alex - can you put management in Main and all other traffic within VRFs?

Note that you need a route, and it needs to be active (ie valid) but it doesn't need to go anywhere... I don't know if you can send it to a loopback/bridge on the same device, but any IP that has direct connectivity should be fine, even if there is nothing using that IP.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Friday, 13 January 2017 4:20 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Hmmmm that's going to be annoying ... I wanted to isolate my management traffic and if my other OSPF/BGP isn't up then I will have no default route ... I am a bit wary of putting management into the default table ..

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Philip Loenneker
Sent: Friday, 13 January 2017 4:05 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik

Tim - you can, but you have to have some matching routes and mangle rules to make it work. I've done it, and Damien replied in this thread saying he has done it too.
Damien,
I know this is hijacking the thread, but have you tried doing something like this to overcome your PMTUD issue:

/ip firewall mangle
add action=mark-routing chain=output dst-address=172.16.0.0/24 new-routing-mark=vrf1
Dst-address being your subnet inside the VRF, or use an address-list if there are a few.
Regards, Philip
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Damien Gardner Jnr
Sent: Monday, 9 January 2017 4:54 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] vrf on mikrotik
You go into IP route VRF, and put the interfaces that should be on the VRF, into the VRF with your selected routing mark. Then those IP's don't appear in the global routing table, and instead appear on the chosen routing mark.
Then nothing can talk to the IP's on those interfaces unless you have an ip firewall mangle rule which tags packets/connections/whatever coming in on another interface, INTO that routing mark.
The IPs on the interfaces in the VRF have no access to anything NOT on the VRF, unless you add a route to allow them to. (For example, if your normal default route is 1.2.3.1, you can add a route with routing-mark=MY_VRF and gateway=1.2.3.1@main to push traffic from the VRF out via 1.2.3.1 in the main routing table.)
The only hassle I have found with VRF's on mikrotik, is that administrative replies (i.e. ttl expired in transit for traceroutes, and packet too large ICMP's when going over tunnel interfaces, etc), get lost and don't make it back to the devices inside the VRF (or devices outside). This is killing me at the moment at home, as PMTUD does not work for devices inside the VRF, so I've had to set my LAN mtu on the firewall I use at the datacenter to 1450 so that traffic over EOIP to home inside the VRF still works :\ )
On 9 January 2017 at 16:46, Alex Samad - Yieldbroker < Alex.Samad@yieldbroker.com> wrote:
Hi
I asked earlier, thought I would just double check.
CCR1036 - looking at using this as my exterior WAN connector / router. But I want to set up a management port (actually a VLAN), so I want to place that interface and some routes into its own VRF.
I have just set up some Arista switches where I have done the same - so all the management traffic traverses 1 port.
I can see in /ip route vrf
I can add routes to a route mark name space. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table, and basically mark all the packets with the route mark I want to use?
Is that it ??
Thanks Alex
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
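Damien's and Alex's configs above depend on three pieces lining up per VRF: a prerouting mark-connection rule for every interface in the VRF, an output-chain mark-routing rule that maps that connection mark into the VRF's routing mark, and a route that actually carries the routing mark; Alex's worry that a misconfigured VRF silently drops traffic into main is exactly what a config audit should catch. The following is an added example, not something posted in the thread: a Python script that parses a RouterOS export (the sample export is constructed, modelled on the configs above) and reports any VRF missing one of those pieces. It checks the rule structure only; whether the router's local services then answer inside the VRF (Tim's point) is a separate question.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """Parse RouterOS 'export' text into {section: [{key: value, ...}, ...]} (add lines only)."""
    sections, section = defaultdict(list), None
    for line in text.replace('\\\n', ' ').splitlines():  # join backslash-continued lines
        line = line.strip()
        if line.startswith('/'):
            section = line
        elif section and line.startswith('add '):
            sections[section].append(dict(t.split('=', 1) for t in shlex.split(line[4:]) if '=' in t))
    return sections

def audit_vrf(sections):
    """Return {routing-mark: [findings]}; an empty list means the VRF follows the mangle pattern."""
    live = lambda rules: [r for r in rules if r.get('disabled') != 'yes']
    mangle, routes, report = live(sections['/ip firewall mangle']), live(sections['/ip route']), {}
    for vrf in sections['/ip route vrf']:
        mark, findings = vrf['routing-mark'], []
        # connection marks that the output chain steers into this VRF (router-originated replies)
        conn_marks = {r.get('connection-mark') for r in mangle if r.get('chain') == 'output'
                      and r.get('action') == 'mark-routing' and r.get('new-routing-mark') == mark}
        if not conn_marks:
            findings.append('no output mark-routing rule into ' + mark)
        for iface in vrf['interfaces'].split(','):  # every VRF member needs a prerouting rule
            if not any(r.get('chain') == 'prerouting' and r.get('action') == 'mark-connection'
                       and r.get('in-interface') == iface and r.get('new-connection-mark') in conn_marks
                       for r in mangle):
                findings.append('traffic entering %s is not connection-marked into %s' % (iface, mark))
        if not any(r.get('routing-mark') == mark for r in routes):
            findings.append('no static route carries routing-mark=' + mark)
        report[mark] = findings
    return report

# constructed sample export, modelled on the configs posted in the thread (not a real device)
EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=Management \\
    new-connection-mark=Management passthrough=yes
add action=mark-routing chain=output connection-mark=Management \\
    new-routing-mark=Management passthrough=yes
/ip route
add distance=250 gateway=10.32.80.1 routing-mark=Management
/ip route vrf
add interfaces=Management routing-mark=Management
add interfaces=Customers,eoip-Customers routing-mark=Customers
"""
if __name__ == '__main__':
    print(audit_vrf(parse_export(EXPORT)))  # Management passes; Customers gets four findings
```

Feed it the output of `/export` from the router; the Customers VRF in the sample shows what an interface placed in /ip route vrf without the matching mangle rules and route looks like.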
Hi Alex,

Under /ip route vrf you can also attach interfaces (VLANs, ports, tunnels, whatever) so that all traffic from them is automatically inside the VRF. No mangle rules required.

Be mindful though that all management traffic is by default in the main routing table. If you want them accessible inside a VRF, you will need to use a mangle rule for that. I had to do that so customers could do SNMP queries against our routers, and also for DHCP relays to work correctly inside a VRF.

With that in mind, would it be possible to have all customer traffic inside a VRF, and leave your management traffic in Main? It might be less troublesome.

Regards,
Philip

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Monday, 9 January 2017 4:47 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] vrf on mikrotik

Hi

I asked earlier, thought I would just double check.

CCR1036 - looking at using this as my exterior WAN connector / router. But I want to set up a management port (actually a VLAN), so I want to place that interface and some routes into its own VRF.

I have just set up some Arista switches where I have done the same - so all the management traffic traverses 1 port.

I can see in /ip route vrf I can add routes to a route mark name space. How do I add all packets coming in on a specific interface to a VRF? Do I use the firewall mangle table, and basically mark all the packets with the route mark I want to use?

Is that it ??

Thanks Alex
participants (4)
- Alex Samad - Yieldbroker
- Damien Gardner Jnr
- Philip Loenneker
- Tim Warnock