VRF traffic isolation
Posted: Fri Jul 23, 2021 1:26 am
Hello guys,
I am trying to set up a VRF on my RB750gr3 (7.1beta6) to isolate tunneled traffic from the underlay of the tunnel.
What I did so far is:
/ip vrf
add list=VRF name=vrf
/interface list
add name=WAN
add name=VRF
/interface list member
add interface=vlan178 list=WAN
add interface=vlan10 list=VRF
add interface=vlan202 list=VRF
add interface=lo list=VRF
add interface=gre6-tunnel1 list=VRF
The problem is that from that same router on the other side of the tunnel, I can also reach addresses on the subnet associated with vlan178. I expected that it would be impossible to reach anything behind vlan178, as the interface is not part of the VRF, but that turned out not to be true.
When checking my route entries, they seem to be in the correct VRF/table:
[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, o - OSPF, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS          GATEWAY                DIS
0  As  0.0.0.0/0            192.168.178.1          100
   DAc 192.168.178.0/24     vlan178                  0
   DAc 44.xxx.xxx.22/32     lo@vrf1                  0
   DAc 44.xxx.xxx.232/30    gre6-tunnel1@vrf1        0
I have also tried setting policy routing to force a lookup only on the vrf1 table, but that didn't change anything.
[admin@MikroTik] > /routing/rule/export
/routing rule
add action=lookup-only-in-table disabled=no interface=gre6-tunnel1 src-address=/0 table=vrf1
add action=lookup-only-in-table disabled=no interface=gre6-tunnel1 src-address=0.0.0.0/0 table=vrf1
Am I doing something wrong, are VRFs broken on ROSv7 or is this expected behavior?
Thanks,
Luiz
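As an added example (not part of the original post or of MikroTik's documentation), the following makes the intended isolation explicit with a firewall rule instead of relying on the VRF route lookup alone: a forward-chain filter drops, and logs, any packet that entered on an interface in the VRF list and would leave on an interface outside it, plus the reverse direction. It assumes the interface lists VRF and WAN exactly as defined in the post; the rule comments and log prefix are constructed names.

```routeros
# Added example, not from the original post. Assumes the interface list "VRF"
# (vlan10, vlan202, lo, gre6-tunnel1) and the non-member vlan178 from the post.
/ip firewall filter
# Drop anything that arrived on a VRF member and would be forwarded out of a
# non-VRF interface (vlan178 in the post). Comment and log prefix are constructed.
add chain=forward in-interface-list=VRF out-interface-list=!VRF \
    action=drop log=yes log-prefix="vrf-leak" comment="block VRF->non-VRF leak"
# Reverse direction, so underlay hosts cannot forward into the VRF either.
add chain=forward in-interface-list=!VRF out-interface-list=VRF \
    action=drop log=yes log-prefix="vrf-leak" comment="block non-VRF->VRF leak"

# Check after repeating the ping test from the far end of the tunnel: a non-zero
# packet counter on these rules shows the cross-VRF traffic was being forwarded.
/ip firewall filter print stats where comment~"VRF"
```

The two rules must sit above any accept rule in the forward chain to take effect. Pinging the address on lo from the far router is input-chain traffic and is unaffected, so the tunnel test from the post keeps working; the rule counters and the "vrf-leak" log entries then show whether packets are still crossing between the VRF and vlan178.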