Multi-WAN & tunnels - VRF-based setup questions

Posted: Sun Apr 24, 2016 7:44 pm
by NicolBolas
Hello everyone,

I'm trying to harden and cleanse my current setup. It's all about distinguishing support connectivity from what flows inside tunnels.

Basically, I'd like to put the ISP-provided WAN connectivity in dedicated VRFs in order to keep the main routing table clean, and establish tunnels to my own network over multiple available WAN connections.

With a single CCR with two WAN connections, what I try to accomplish is to put each WAN connection's IP addresses (got by DHCP or PPPoE) inside dedicated VRFs, then establish outgoing tunnels to other networks, with each tunnel being strictly attached to a VRF for its outside framing, and to the main routing table for its endpoint (a third VRF isn't an option, I need dualstack inside tunnels).

Some documentation on the wiki mentions the "@vrf_name" suffix to next-hop IP addresses in static routing setups. I can't get it to work in a tunnel (either GRE or L2TP) configuration.

Without the tunnel outside's addresses in a VRF, I'd have to add more specific static rules, which currently causes issues as pinning a tunnel to a WAN provider is mandatory, and in some cases, both tunnels over both WAN connections have the same destination.

How could I circumvent this behaviour and strictly pin a tunnel to a WAN link?

Thanks!

Re: Multi-WAN & tunnels - VRF-based setup questions

Posted: Wed Feb 01, 2017 2:39 am
by mattstephenson
Did you ever resolve this? I have two WAN connections and have a similar problem.