OSPF redistribute-connected in a VRF?
Hey Folks,

So my project while on my week off from work has been to build Miss 7 a PC. Which takes a lot more work than you'd first think, since I want it behind something doing a LOT of filtering :D After a lot of playing, I ended up with a Sophos UTM. Those things are very cool, and they provide a free virtual appliance license for home use, so I ran it up in Xenserver, and it's working a treat.

Finished the computer yesterday, and today I sat down to quickly run a VRF up between home and the DC (where the UTM is running). The kids now have their own vlan at home, instead of being mixed in with the missus and I, and all our various devices (you know, the usual, xbox, wii, various roku players, the bathroom scales, etc ;). We already have an EOIP tunnel with a few vlans between home and the DC, so I just created one more, popped it into a VRF, and created a new OSPF instance.

And then things fell apart ;)

So Home Router can see DC Router and vice versa over the EOIP Vlan, OSPF comes up. And then the connected routes on each end do not show.

SHOULD this work? I can do static routes if I have to, but I want to do a mesh config with two routers at each end (VM's for pure tunnelling grunt, being backed up by the CRS-109's at each end when the VM's are down), so OSPF would make things easier..

I've disabled my default OSPF instance on both ends for now to make debugging easier.

My config looks like:

Home End:

/interface eoip
add allow-fast-path=no !keepalive local-address=<HOME_RTR_IP> name=EOIP_SY3_PRIMARY remote-address=<SYD_RTR_IP> tunnel-id=1
/interface vlan
add interface=EOIP_SY3_PRIMARY loop-protect-disable-time=0s loop-protect-send-interval=0s name=VLAN_EOIP_SY3_KIDS vlan-id=42

/routing ospf instance
add name=ospf_kids redistribute-connected=as-type-1 redistribute-static=as-type-1 \
    router-id=192.168.12.18 routing-table=KIDS
/routing ospf area
add area-id=1.1.1.1 instance=ospf_kids name=area_kids
/ip address
add address=192.168.12.18/28 interface=KIDS network=192.168.12.16
add address=192.168.10.26/30 interface=VLAN_EOIP_SY3_KIDS network=192.168.10.24

/ip route vrf
add export-route-targets=65535:102 import-route-targets=65535:102 interfaces=KIDS,VLAN_EOIP_SY3_KIDS route-distin 65535:102 routing-mark=KIDS
/routing ospf interface
add interface=VLAN_EOIP_SY3_KIDS network-type=broadcast
/routing ospf network
add area=area_kids network=192.168.10.24/30

DC End:

/interface eoip
add allow-fast-path=no !keepalive local-address=<SYD_RTR_IP> name=EOIP_WYONG_PRIMARY remote-address=<HOME_RTR_IP> tunnel-id=1
/interface vlan
add interface=EOIP_WYONG_PRIMARY name=VLAN_EOIP_WYONG_KIDS vlan-id=42
add interface=vlan41 name=vlan42_KIDS vlan-id=42
/routing ospf instance
add name=ospf_kids redistribute-connected=as-type-1 redistribute-static=\
    as-type-1 router-id=192.168.10.25 routing-table=KIDS
/routing ospf area
add area-id=1.1.1.1 instance=ospf_kids name=area_kids
/ip address
add address=192.168.12.34/29 interface=vlan42_KIDS network=192.168.12.32
add address=192.168.10.25/30 interface=VLAN_EOIP_WYONG_KIDS network=\
    192.168.10.24
/ip route vrf
add export-route-targets=65535:102 import-route-targets=65535:102 interfaces=\
    vlan42_KIDS,VLAN_EOIP_WYONG_KIDS route-distinguisher=65535:102 \
    routing-mark=KIDS
/routing ospf network
add area=area_kids network=192.168.10.24/30

If I show the OSPF routes on the sydney end, I only see the EOIP VLAN /30, and the local /29:

[someguy@MikroTik] > /routing ospf route print detail
 0 instance=ospf_kids dst-address=192.168.10.24/30 state=intra-area gateway=0.0.0.0 interface=VLAN_EOIP_WYONG_KIDS cost=10 area=area_kids

 1 instance=ospf_kids dst-address=192.168.12.32/29 state=imported-ext-1 gateway="" interface="" cost=20 area=external

Any thoughts? I've spent basically the entire day at it, and it's just not working :/

Thanks,

Damien

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Ahhh, figured it out when I built the last hop to the UTM and the Sydney /29 appeared at home. Seems it only redistributes connected routes if they are defined in ospf network.

Now I just need to figure out why I don't see any of the mikrotik hops from inside the VRF while doing a traceroute, and it's all good :)

On 29 December 2016 at 20:49, Damien Gardner Jnr <rendrag@rendrag.net> wrote:
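An added example, not part of the thread: a Python check over a RouterOS export that lists connected subnets on a VRF's interfaces that have no matching /routing ospf network entry, which is the condition the poster reports as keeping them out of OSPF. The export text is the DC End config from the post reduced to the relevant lines; the function names are assumptions of this example, and it assumes a single OSPF instance in the export.

```python
import ipaddress
import re

# DC End settings from the post, reduced to the lines this check reads.
DC_EXPORT = """\
/ip address
add address=192.168.12.34/29 interface=vlan42_KIDS network=192.168.12.32
add address=192.168.10.25/30 interface=VLAN_EOIP_WYONG_KIDS network=192.168.10.24
/ip route vrf
add interfaces=vlan42_KIDS,VLAN_EOIP_WYONG_KIDS routing-mark=KIDS
/routing ospf network
add area=area_kids network=192.168.10.24/30
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin backslash-continued lines
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def uncovered_vrf_subnets(text, routing_mark):
    """Connected subnets on the VRF's interfaces with no covering OSPF network."""
    cfg = parse_export(text)
    vrf_ifaces = set()
    for vrf in cfg.get("/ip route vrf", []):
        if vrf.get("routing-mark") == routing_mark:
            vrf_ifaces.update(vrf.get("interfaces", "").split(","))
    # Assumption: every /routing ospf network entry belongs to the VRF's instance.
    ospf_nets = [ipaddress.ip_network(n["network"])
                 for n in cfg.get("/routing ospf network", [])]
    missing = []
    for addr in cfg.get("/ip address", []):
        if addr.get("interface") not in vrf_ifaces:
            continue
        subnet = ipaddress.ip_interface(addr["address"]).network
        if not any(subnet.subnet_of(net) for net in ospf_nets):
            missing.append((addr["interface"], str(subnet)))
    return missing

if __name__ == "__main__":
    for iface, subnet in uncovered_vrf_subnets(DC_EXPORT, "KIDS"):
        print(f"{iface}: {subnet} is not in /routing ospf network")
```

Run against the DC End lines it reports the vlan42_KIDS /29, the prefix that did not show up at the home end until it was added.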
Sorry for the spam :)

Seems PMTUD is broken inside VRF's the same as traceroute/pings are :\ Just had to hard-set the vlan in Syd to 1450 to allow it to send content back to the devices at home..

Any thoughts on how to get traceroute/ping/PMTUD working inside a VRF? :)

On 30 December 2016 at 12:47, Damien Gardner Jnr <rendrag@rendrag.net> wrote: