
v7 inter VRF route leak doesn't work for local IPs

Posted: Sun Jan 02, 2022 6:49 pm
by mainTAP
Hi,

A static route to a different VRF doesn't seem to work when pointing to local IP.
I'm trying to reach the loopback 10.0.0.1 which is in vrf2 from the main vrf, but there is no response :
[admin@MikroTik] > ping 10.0.0.1 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                         
    0 10.0.0.1                                                     timeout                        
    1 10.0.0.1                                                     timeout                        
    2 10.0.0.1                                                     timeout                        
    3 10.0.0.1                                   84  64 125ms520us host unreachable                                      
    sent=5 received=0 packet-loss=100
    
[admin@MikroTik] > ip route/print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
 0  As   dst-address=10.0.0.1/32 routing-table=main pref-src="" gateway=loopback0@vrf2 immediate-gw=loopback0 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.5.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.5.23%ether1 

   DAc   dst-address=10.0.0.0/24 routing-table=vrf2 gateway=loopback0@vrf2 immediate-gw=loopback0 distance=0 scope=10 suppress-hw-offload=no 
         local-address=10.0.0.1%loopback0@vrf2
  
[admin@MikroTik] > export 
# jan/02/2022 16:39:24 by RouterOS 7.1.1
# software id = 
#
/interface bridge
add name=loopback0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=loopback0 name=vrf2
/ip address
add address=10.0.0.1/24 interface=loopback0 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether1
/ip route
add disabled=no distance=1 dst-address=10.0.0.1/32 gateway=loopback0@vrf2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Is this a bug ?

I'm running 7.1.1

Thank you.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Jan 03, 2022 5:19 pm
by emunt6
Hi!

That's normal, you can find more about: "linux namespace"

If you want to "interconnect" the VRF you have the following options:
- Physically connect the cable to the interfaces (each interface is a different VRF, so they need a "link"),
- Exchange routes, assign each VRF to an RD, import/export routes between them (M-BGP).

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Jan 03, 2022 6:45 pm
by mainTAP
Thank you, why would routes exchanged by BGP work and static ones not ?

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Tue Jan 11, 2022 3:49 am
by slackR
I tried to add routes to a management VRF for NTP time sync and I also could not get the local NTP server to reply. I even tried broadcast and multicast NTP server. Ended up forwarding NTP to another server.

I can use route leaking to forward management traffic to public but not to local NTP server.

I would like to see local services multi VRF aware. It is nice to see that winbox, etc. can now be assigned to a VRF.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Tue Jan 11, 2022 11:18 am
by Nissarin
On Linux, VRF is implemented by (among other things) placing a routing rule to search the special table "l3mdev-table". By default this rule is placed with a pref value of 1000, while one of the default rules - local - has a pref value of 0, meaning its associated routing table is searched first. As a result, if you try to reach any directly connected route from any interface it will always go through the local table (i.e. VRF won't work). Normally you can 'fix' this by changing the pref for local, so I suppose you'll have to make a support ticket for MT to fix it; as an alternative you can place everything in a separate VRF and avoid using 'main'.
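
Added example, not part of the post above and not MikroTik code: a simplified Python model of the rule ordering described there. It parses `ip rule show` output, reports whether the local table is consulted before the l3mdev rule, and shows which table answers first for a destination. The rule listings and table contents are constructed, and only `from all lookup <table>` rules are modelled.

```python
import ipaddress
import re

# Constructed `ip rule show` output with the default ordering the post describes.
DEFAULT_RULES = """\
0:\tfrom all lookup local
1000:\tfrom all lookup [l3mdev-table]
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed: the same rules after the local rule was moved behind the l3mdev rule.
REORDERED_RULES = """\
1000:\tfrom all lookup [l3mdev-table]
32765:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed table contents: 10.0.0.1 is a local address outside the VRF,
# while the VRF table (named vrf2, as in the thread) has its own route for it.
TABLES = {
    "local": ["10.0.0.1/32"],
    "vrf2": ["10.0.0.0/24"],
    "main": ["192.168.5.0/24"],
}


def parse_rules(output):
    """Return [(pref, table)] sorted by pref from `ip rule show` text."""
    rules = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+):\s+from all lookup (\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return sorted(rules)


def local_shadows_vrf(rules):
    """True when the local table is consulted before the l3mdev (VRF) rule."""
    # Walk in reverse so the lowest pref wins if a table appears twice.
    pref = {table: p for p, table in reversed(rules)}
    if "[l3mdev-table]" not in pref or "local" not in pref:
        return False
    return pref["local"] < pref["[l3mdev-table]"]


def first_match(rules, dst, vrf_table):
    """Walk the rules in order; return the first table holding a route for dst."""
    addr = ipaddress.ip_address(dst)
    for _, table in rules:
        if table == "[l3mdev-table]":
            table = vrf_table  # the l3mdev rule resolves to the packet's VRF table
        if any(addr in ipaddress.ip_network(n) for n in TABLES.get(table, [])):
            return table
    return None


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULES), ("reordered", REORDERED_RULES)):
        rules = parse_rules(text)
        print(name, "local before l3mdev:", local_shadows_vrf(rules),
              "| 10.0.0.1 answered by:", first_match(rules, "10.0.0.1", "vrf2"))
```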

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sun Jul 24, 2022 11:43 pm
by mafiosa
Hi,

A static route to a different VRF doesn't seem to work when pointing to local IP.
I'm trying to reach the loopback 10.0.0.1 which is in vrf2 from the main vrf, but there is no response :
[admin@MikroTik] > ping 10.0.0.1 vrf=main
  SEQ HOST                                     SIZE TTL TIME       STATUS                         
    0 10.0.0.1                                                     timeout                        
    1 10.0.0.1                                                     timeout                        
    2 10.0.0.1                                                     timeout                        
    3 10.0.0.1                                   84  64 125ms520us host unreachable                                      
    sent=5 received=0 packet-loss=100
    
[admin@MikroTik] > ip route/print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; 
+ - ecmp 
 0  As   dst-address=10.0.0.1/32 routing-table=main pref-src="" gateway=loopback0@vrf2 immediate-gw=loopback0 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=192.168.5.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.5.23%ether1 

   DAc   dst-address=10.0.0.0/24 routing-table=vrf2 gateway=loopback0@vrf2 immediate-gw=loopback0 distance=0 scope=10 suppress-hw-offload=no 
         local-address=10.0.0.1%loopback0@vrf2
  
[admin@MikroTik] > export 
# jan/02/2022 16:39:24 by RouterOS 7.1.1
# software id = 
#
/interface bridge
add name=loopback0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=loopback0 name=vrf2
/ip address
add address=10.0.0.1/24 interface=loopback0 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether1
/ip route
add disabled=no distance=1 dst-address=10.0.0.1/32 gateway=loopback0@vrf2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Is this a bug ?

I'm running 7.1.1

Thank you.
This works on v7.4 stable

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Aug 01, 2022 1:15 am
by emunt6
Thank you, why would routes exchanged by BGP work and static ones not ?
VRF needs "physical/loopback" interface to make the "transit" to work.
I checked the "RouterOS 6.x" what vrf implementation had, that was "bunch of hacks/route-marking" as it seemed like VRF (but far from the true VRF).
It was not mature enough like other vendors: Cisco, HPE Comware, Juniper, ... -'s implementation.

The network industry standard is to create a route-table (RD), you can add static/dynamic routes, and assign interface/interfaces to the VRF.
(BGP is only used for the RDs' assignment and no more - locally exchanging the routes within the router)

This is the minimum config for example:
(this is not Mikrotik)
!
BGP 65001
router-id 1.1.1.1
!
vrf definition RED
rd 65001:1100
rt-import 65001:1100
rt-export 65001:1100
exit
!
vrf definition BLUE
rd 65001:1200
rt-import 65001:1200
rt-export 65001:1200
exit
!
vrf definition TRANSIT
rd 65001:1300
rt-import 65001:1100 65001:1200
rt-export 65001:1300
exit
!
interface GigE1/0/1
vrf forwarding RED
ipv4 address 10.1.1.1 255.255.255.0
exit
!
interface GigE1/0/2
vrf forwarding BLUE
ipv4 address 10.2.2.1 255.255.255.0
exit
!


show ip route vrf RED
> 10.1.1.1/24 dev GigE1/0/1

show ip route vrf BLUE
> 10.2.2.1/24 dev GigE1/0/2

show ip route vrf TRANSIT
> 10.1.1.1/24 dev GigE1/0/1
> 10.2.2.1/24 dev GigE1/0/2


That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Sep 04, 2023 4:10 pm
by spippan

Thank you, why would routes exchanged by BGP work and static ones not ?

This is the minimum config for example:
(this is not Mikrotik)
....

That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.
still not working as far as i tested VRF route import-export on v7

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu Dec 28, 2023 7:00 pm
by spippan
version is 7.14beta3 now and what am i missing here?
mikrotikVRFv7import-export-via-RD.png
how to import ip routing infos from one VRF into another VRF?
something which was possible in v6 (https://wiki.mikrotik.com/index.php?tit ... te_Leaking)

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu Dec 28, 2023 11:04 pm
by nz_monkey
Maris, how can we achieve route leaking in RouterOS v7 ?

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 3:50 am
by spippan
Maris, how can we achieve route leaking in RouterOS v7 ?
maris?

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 4:46 am
by nichky
same as v6 e.g.

/ip route
0.0.0.0/0
1.2.3.4@main

routing/rule/
add routing-mark=local src-address=192.168.88.0/24 table=main
add dst-address=192.168.88.0/24 table=local

@nz_monkey - have u tried that?

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 4:50 am
by nichky
@shippan - are you trying to achieve vpn4? - That works well as well.

What is not working on v7 - U can't get default gateway via VRF.

I have raised a ticket and Maris has already confirmed that.


If you mean to originate the default route from vrf into vpnv4 then currently this feature does not exist. You are linked to a feature request and will receive an update when this feature is implemented.

Māris B.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 11:43 am
by spippan
@shippan - are you trying to achieve vpn4? - That works well as well.

What is not working on v7 - U can't get default gateway via VRF.

I have raised a ticket and Maris has already confirmed that.


If you mean to originate the default route from vrf into vpnv4 then currently this feature does not exist. You are linked to a feature request and will receive an update when this feature is implemented.

Māris B.
nb: username is without an "h" ;)

yes vpnv4. inter-VRF route leaking (dynamically) via BGP VPN RD import/export of defined RD definitions (screenshot in post #9)

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 1:39 pm
by nichky
vpnv4 - works well, show us your config.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 2:05 pm
by spippan
EDIT: opened ticket SUP-138970
6 months in testing, asking and trying are
definitely a stretched time for patience now


vpnv4 - works well, show us your config.

please consider post #9
i have 2 VRFs with RD set
i want to route-leak each VRF to the other (on that same router)
what is missing to achieve that? do i have to manually setup a local/internal bgp session on that router.

winbox screenshot at the bottom!
# 2023-12-29 13:00:36 by RouterOS 7.14beta3
/interface bridge add name=Lo10 protocol-mode=none
/interface bridge add name=Lo11 protocol-mode=none
/interface bridge add name=Lo12 protocol-mode=none
/interface bridge add name=Lo20 protocol-mode=none
/interface bridge add name=Lo21 protocol-mode=none
/interface bridge add name=Lo22 protocol-mode=none
/interface bridge add name=Lo30 protocol-mode=none
/interface bridge add name=Lo31 protocol-mode=none
/interface bridge add name=Lo32 protocol-mode=none
/interface bridge add admin-mac=18:FD:74:xx:xx:xx auto-mac=no ingress-filtering=no name=br0 port-cost-mode=short priority=0x4000 pvid=10 vlan-filtering=yes

/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes

/interface vlan add interface=br0 name=vlan10 vlan-id=10
/interface vlan add interface=br0 name=vlan20 vlan-id=20
/interface vlan add interface=br0 name=vlan30 vlan-id=30
/interface vlan add interface=br0 name=vlan31 vlan-id=31
/interface vlan add interface=br0 name=vlan99 vlan-id=99

/interface list add name=WB
/interface list add name=ND
/interface list add name=LAN

/ip vrf add interfaces=Lo30,Lo31,Lo32 name=vrf30
/ip vrf add interfaces=Lo20,Lo21,Lo22 name=vrf20
/ip vrf add interfaces=Lo10,Lo11,Lo12 name=vrf10

/routing bgp template set default as=65000 disabled=yes routing-table=main

/interface bridge port add bridge=br0 interface=ether1 internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=br0 interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 disabled=yes interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=wlan2G internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 interface=wlan5G internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=br0 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wlan-cam internal-path-cost=10 path-cost=10 point-to-point=no pvid=30
/interface bridge port add bridge=br0 edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wlan-homeauto internal-path-cost=10 path-cost=10 point-to-point=no pvid=30

/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=10
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=30
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=31
/interface bridge vlan add bridge=br0 tagged=br0,ether1 vlan-ids=99

/interface list member add interface=br0 list=WB
/interface list member add interface=ether5 list=WB
/interface list member add interface=vlan10 list=WB
/interface list member add interface=vlan99 list=WB
/interface list member add interface=vlan10 list=ND
/interface list member add interface=vlan99 list=ND
/interface list member add interface=ether1 list=ND
/interface list member add interface=wlan5G list=WB

/ip address add address=192.168.77.7/24 interface=vlan10 network=192.168.77.0
/ip address add address=192.168.10.1/24 interface=Lo10 network=192.168.10.0
/ip address add address=192.168.11.1/24 interface=Lo11 network=192.168.11.0
/ip address add address=192.168.12.1/24 interface=Lo12 network=192.168.12.0
/ip address add address=192.168.20.1/24 interface=Lo20 network=192.168.20.0
/ip address add address=192.168.21.1/24 interface=Lo21 network=192.168.21.0
/ip address add address=192.168.22.1/24 interface=Lo22 network=192.168.22.0
/ip address add address=192.168.30.1/24 interface=Lo30 network=192.168.30.0
/ip address add address=192.168.31.1/24 interface=Lo31 network=192.168.31.0
/ip address add address=192.168.32.1/24 interface=Lo32 network=192.168.32.0

/ip route add disabled=no distance=110 dst-address=0.0.0.0/0 gateway=192.168.77.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# static routes are working to ping 192.168.32.1 (which resides in VRF30) from VRF10 and VRF20 -> so as src-interfaces chosen from VRF10 or VRF20 for testing
# without those 2 static routes -> no reachability
/ip route add disabled=no distance=1 dst-address=192.168.32.0/24 gateway=vrf30 pref-src="" routing-table=vrf10 scope=10 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.32.0/24 gateway=vrf30 pref-src="" routing-table=vrf20 scope=10 suppress-hw-offload=no target-scope=10

/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:10 import.route-targets=65650:10,65650:20,65650:30 label-allocation-policy=per-prefix name=bgp-mpls-vpn-1 route-distinguisher=65650:10 vrf=vrf10
/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:20 import.route-targets=65650:20,65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 route-distinguisher=65650:20 vrf=vrf20
/routing bgp vpn add disabled=no export.redistribute=connected .route-targets=65650:30 import.route-targets=65650:30,65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-3 route-distinguisher=65650:30 vrf=vrf30

/routing ospf interface-template add area=bkk dead-interval=10s disabled=no hello-interval=5s interfaces=vlan99 priority=0 use-bfd=yes

/system identity set name=hAPacLite-Cellar

/system ntp client set enabled=yes
/system ntp client servers add address=192.168.77.1
/system ntp client servers add address=10.20.2.1

/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=WB
/tool mac-server mac-winbox set allowed-interface-list=WB
rosv7-interVRF-RL-Lo.png

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 3:19 pm
by spippan
@nichky
FYI - THAT is the whole silverline which should be accomplished as a BARE MINIMUM for a serious implementation of VRFs in rOS!
(quote from user "emunt6")


The network industry standard is to create a route-table (RD), you can add static/dynamic routes, and assign interface/interfaces to the VRF.
(BGP is only used for the RDs' assignment and no more - locally exchanging the routes within the router)

This is the minimum config for example:
(this is not Mikrotik)
!
BGP 65001
router-id 1.1.1.1
!
vrf definition RED
rd 65001:1100
rt-import 65001:1100
rt-export 65001:1100
exit
!
vrf definition BLUE
rd 65001:1200
rt-import 65001:1200
rt-export 65001:1200
exit
!
vrf definition TRANSIT
rd 65001:1300
rt-import 65001:1100 65001:1200
rt-export 65001:1300
exit
!
interface GigE1/0/1
vrf forwarding RED
ipv4 address 10.1.1.1 255.255.255.0
exit
!
interface GigE1/0/2
vrf forwarding BLUE
ipv4 address 10.2.2.1 255.255.255.0
exit
!


show ip route vrf RED
> 10.1.1.1/24 dev GigE1/0/1

show ip route vrf BLUE
> 10.2.2.1/24 dev GigE1/0/2

show ip route vrf TRANSIT
> 10.1.1.1/24 dev GigE1/0/1
> 10.2.2.1/24 dev GigE1/0/2


That's all, this is way more simple than the RouterOS 6.x way.
I do not know the "RouterOS 7.x" VRF implementation.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 4:17 pm
by mrz
As it was already mentioned in other topics, there never was a mechanism to automatically leak connected routes from other VRFs, like in the provided cisco config in this topic.
For that static config is required, and starting from 7.14 where loopbacks are exposed it is even easier:
/interface bridge
add name=dummy1
add name=dummy2
/ip vrf
add interfaces=dummy2 name=vrf2
add interfaces=dummy1 name=vrf1

/ip address
add address=1.1.1.1 interface=dummy1 network=1.1.1.1
add address=1.1.1.2 interface=dummy2 network=1.1.1.2

/ip route
add dst-address=1.1.1.2 gateway=vrf2 routing-table=vrf1
add dst-address=1.1.1.1 gateway=vrf1 routing-table=vrf2

[admin@rack1_b35_CCR1036] /ip/route> /ping 1.1.1.1 src-address=1.1.1.2 vrf=vrf2
  SEQ HOST                                     SIZE TTL TIME       STATUS                               
    0 1.1.1.1                                    56  64 177us     
    1 1.1.1.1                                    56  64 148us     
    2 1.1.1.1                                    56  64 155us 

Now from here you can establish any routing protocol session between vrfs that is capable of running in vrf to distribute other routes between vrfs.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 8:52 pm
by spippan
bummer. but at least it is somewhat to build a kind-of-workaround

thanks for the example to which i can further test this for a prod approach

EDIT:
are there any hopes or plans for an implementation to be able to achieve this dynamically (well via BGP) like most systems support it?
would be great because the fundamentals are laid out already (/routing/bgp/vpn/) with import/export

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Dec 29, 2023 11:38 pm
by jaclaz
@mrz
Do you happen to know (and if yes, please share this info) if your example runs also on earlier systems or is it only starting from 7.14?
I quickly tried it in CHR/GNS3 (7.11.2) but vrf1 and vrf2 are not accepted as gateway.
The dac routes use dummy1@vrf1 and dummy2@vrf2, using them for the static rules make them AS but the ping does not work.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Dec 30, 2023 12:46 pm
by mrz
this exact example works only in 7.14 because loopback and vrf interfaces are exposed only starting from this version.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Dec 30, 2023 3:08 pm
by jaclaz
Excuse me, but that means that the functionality is only starting with 7.14 or that there is (was) another method working on previous releases?

If the latter, can you post the corresponding example with the "old" method?

Maybe it is just me, but 7.14 is still a bit too new/experimental to be put on real installations.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Dec 30, 2023 4:48 pm
by spippan
Excuse me, but that means that the functionality is only starting with 7.14 or that there is (was) another method working on previous releases?

If the latter, can you post the corresponding example with the "old" method?

Maybe it is just me, but 7.14 is still a bit too new/experimental to be put on real installations.
try creating dummy interfaces in each VRF to which you point in the static routes

something like:
Lo10 => VRF10
Lo20 => VRF20
Lo30 => VRF30

and use the LoXY as gateway for static routes
currently i am not able to test but this idea just came up

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Dec 30, 2023 7:45 pm
by jaclaz
@spippan

Thank you :) , but you are seemingly the one that cannot have this working :( (though your issue seems like being related to BGP, whooosh[1]).

mrz posted a working example specific to 7.14 (which, if I get it right is in beta right now) while giving the impression that vrf route leaking is easier in 7.14 (because interfaces are directly exposed or whatever) but that it was possible in earlier versions (with some more complex configuration/some different Mikrotik magic spell).

I am asking if my impression is correct and - if yes - we can have a surely working example for earlier versions, possibly I unintentionally sort of hi-jacked the thread, sorry.

The issue I am trying to understand/solve (I already found a workaround for it) is DNS and NTP access from vrf, I am (still?) in the "absolute beginner" category, JFYI:
viewtopic.php?p=1043616#p1043382

[1] that is the sound of BGP passing over my head, very similar to the sound VPNV4 made while doing the same

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Jan 13, 2024 7:02 pm
by spippan
it somehow worked in v7.4
even the static route in VRF10 got redistributed to VRF20 and VRF30
interVRF-ROS7.4.png.png


as soon as i go e.g. to 7.12.1 it stops working:
interVRF-ROS7.12.1.png

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sat Jan 20, 2024 5:15 pm
by spippan
answer to SUP-138970
it will come in future releases. up until now, no time information WHEN though

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Wed Jan 24, 2024 11:46 am
by spippan
What's new in 7.14beta8 (2024-Jan-22 21:07):

*) bgp - allow to leak routes between local VRFs;

YES. tests will follow

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Wed Jan 24, 2024 2:27 pm
by spippan
and it does not work. despite there are routes to 192.168.10.0/24 in VRF20 and VRF30 clients in either of these VRFs can reach any 192.168.10.x/24 IP
[admin@RT1] > export hide-sensitive 
# 2024-01-24 12:19:25 by RouterOS 7.14beta8
# software id = 
#
/interface vlan
add interface=ether1 name=ether1.100 vlan-id=100
add interface=ether1 name=ether1.200 vlan-id=200
add interface=ether1 name=ether1.300 vlan-id=300
add interface=ether1 name=ether1.999 vlan-id=999

/ip pool
add name=dhcp_pool0 ranges=192.168.10.20-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.20-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether1.100 name=dhcp1
add address-pool=dhcp_pool1 interface=ether1.200 name=dhcp2
add address-pool=dhcp_pool2 interface=ether1.300 name=dhcp3

/ip smb smb-user
set [ find default=yes ] read-only=yes

/ip vrf
add interfaces=ether1.300 name=vrf30
add interfaces=ether1.200 name=vrf20
add interfaces=ether1.100 name=vrf10

/port
set 0 name=serial0

/ip address
add address=192.168.10.1/24 interface=ether1.100 network=192.168.10.0
add address=10.0.2.1 interface=lo network=10.0.2.1
add address=192.168.20.1/24 interface=ether1.200 network=192.168.20.0
add address=192.168.30.1/24 interface=ether1.300 network=192.168.30.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.30.251 client-id=1:0:50:79:66:68:a mac-address=00:50:79:66:68:0A server=dhcp3
add address=192.168.30.250 client-id=1:0:50:79:66:68:9 mac-address=00:50:79:66:68:09 server=dhcp3
add address=192.168.20.20 client-id=1:0:50:79:66:68:8 mac-address=00:50:79:66:68:08 server=dhcp2
add address=192.168.20.21 client-id=1:0:50:79:66:68:7 mac-address=00:50:79:66:68:07 server=dhcp2
add address=192.168.10.20 client-id=1:0:50:79:66:68:6 mac-address=00:50:79:66:68:06 server=dhcp1
add address=192.168.10.21 client-id=1:0:50:79:66:68:5 mac-address=00:50:79:66:68:05 server=dhcp1

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.1 pref-src="" routing-table=vrf10 scope=30 suppress-hw-offload=no target-scope=10

/routing bgp vpn
add disabled=no export.redistribute=connected,static .route-targets=65650:10 import.route-targets=65650:20,65650:30 label-allocation-policy=per-prefix name=bgp-mpls-vpn-1 \
    route-distinguisher=65650:10 vrf=vrf10
add disabled=no export.redistribute=connected,static .route-targets=65650:20 import.route-targets=65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-2 route-distinguisher=\
    65650:20 vrf=vrf20
add disabled=no export.redistribute=connected,static .route-targets=65650:30 import.route-targets=65650:10 label-allocation-policy=per-prefix name=bgp-mpls-vpn-3 route-distinguisher=\
    65650:30 vrf=vrf30

/system identity
set name=RT1
/system note
set show-at-login=no
/tool romon
set enabled=yes
The Setup:
Screenshot from 2024-01-24 13-17-09.png

Clients in VRF20 and VRF30 trying to reach 192.168.10.1 (GW IP in VRF10)
(NB: clients also cannot reach any other clients in VRF10)
Screenshot from 2024-01-24 13-18-47.png

winbox view:
Screenshot from 2024-01-24 13-19-00.png
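
Added example (not part of any post in this thread, and not MikroTik code): a Python audit that reads a RouterOS export and lists which routing tables leak into which VRFs, covering both the static `gateway=vrfX` routes from mrz's example and the `/routing bgp vpn` route-target import/export in the export above, so VRF isolation can be checked before relying on it. The sample is abridged from the 7.14beta8 export with one constructed static route; reading a leading-dot key such as `.route-targets` as continuing the previous `export.` prefix is an assumption about the export syntax.

```python
import re
import shlex

# Sample input: /ip vrf and /routing bgp vpn lines abridged from the 7.14beta8
# export in the thread; the second /ip route line is constructed for this demo.
SAMPLE_EXPORT = r"""
/ip vrf
add interfaces=ether1.300 name=vrf30
add interfaces=ether1.200 name=vrf20
add interfaces=ether1.100 name=vrf10
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.77.1 pref-src="" routing-table=vrf10
add dst-address=192.168.10.0/24 gateway=ether1.100@vrf10 routing-table=main
/routing bgp vpn
add disabled=no export.redistribute=connected,static .route-targets=65650:10 import.route-targets=65650:20,65650:30 name=bgp-mpls-vpn-1 \
    route-distinguisher=65650:10 vrf=vrf10
add disabled=no export.redistribute=connected,static .route-targets=65650:20 import.route-targets=65650:10 name=bgp-mpls-vpn-2 route-distinguisher=\
    65650:20 vrf=vrf20
add disabled=no export.redistribute=connected,static .route-targets=65650:30 import.route-targets=65650:10 name=bgp-mpls-vpn-3 route-distinguisher=\
    65650:30 vrf=vrf30
"""


def parse_export(text):
    """Yield (menu, props) for each enabled 'add' command in a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # join '\' continuation lines
    menu = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                   # '/menu' or '/menu add k=v ...'
            menu, sep, rest = line.partition(" add ")
            line = "add " + rest if sep else ""
        if not line.startswith("add "):
            continue
        props, prefix = {}, ""
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            if key.startswith("."):                # assumption: '.x' continues 'prefix.'
                key = prefix + key
            elif "." in key:
                prefix = key.split(".", 1)[0]
            props[key] = value
        if props.get("disabled") != "yes":
            yield menu, props


def _targets(props, key):
    """Split a comma-separated route-target list into a set."""
    return {rt for rt in props.get(key, "").split(",") if rt}


def leak_edges(text):
    """Return sorted (table, reachable_vrf, reason) tuples for every cross-VRF leak."""
    items = list(parse_export(text))
    vrfs = {p["name"] for m, p in items if m == "/ip vrf" and "name" in p}
    edges = set()
    for menu, p in items:                          # static leaks
        if menu != "/ip route" or "gateway" not in p:
            continue
        table, gw = p.get("routing-table", "main"), p["gateway"]
        if "@" in gw:                              # interface@vrf form
            target = gw.rsplit("@", 1)[1]
        else:                                      # bare VRF name, else same table
            target = gw if gw in vrfs else table
        if target != table:
            edges.add((table, target, "static " + p.get("dst-address", "?")))
    vpns = [p for m, p in items if m == "/routing bgp vpn" and "vrf" in p]
    for a in vpns:                                 # a imports what b exports
        for b in vpns:
            if a["vrf"] == b["vrf"]:
                continue
            shared = _targets(a, "import.route-targets") & _targets(b, "export.route-targets")
            for rt in shared:
                edges.add((a["vrf"], b["vrf"], "bgp-vpn rt " + rt))
    return sorted(edges)


def isolated_pairs(text):
    """Declared VRF pairs with no direct leak in either direction."""
    vrfs = sorted(p["name"] for m, p in parse_export(text) if m == "/ip vrf")
    linked = {frozenset(e[:2]) for e in leak_edges(text)}
    return [(a, b) for i, a in enumerate(vrfs) for b in vrfs[i + 1:]
            if frozenset((a, b)) not in linked]


if __name__ == "__main__":
    for table, vrf, reason in leak_edges(SAMPLE_EXPORT):
        print(f"{table:6} -> {vrf:6} {reason}")
    print("no direct leak:", isolated_pairs(SAMPLE_EXPORT))
```

An edge `(table, vrf, reason)` means routes of `vrf` are installed in `table`; whether local router addresses answer across that edge still depends on the RouterOS version, as the replies below discuss.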

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu Feb 08, 2024 5:08 am
by artificialexit
@spippan There must have been a change in 7.14beta10 maybe the following line?
*) route - fixed gateways of locally imported vpnv4 routes;


I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRF's gateway address but I can ping hosts on other VRFs

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu Feb 08, 2024 8:53 am
by mrz
Currently, Local addresses will not be reachable, because BGP VPN sets interface@vrf gateways. There are plans to change it in the future.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu Feb 08, 2024 1:02 pm
by nichky
@spippan

Let me understate, the issue that you are expiring, is that you are not able to learn the route between different VRFs

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Fri Feb 09, 2024 1:55 pm
by mrz
probably can be used as vrf loopback.

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Tue Feb 13, 2024 2:02 pm
by spippan
@spippan

Let me understate, the issue that you are expiring, is that you are not able to learn the route between different VRFs
that was the problem at first yes. which now works as far as VRFs get to learn imported routes (via RD)

have a look at post #28
(EDIT: added link to post#28)

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sun Feb 18, 2024 8:44 pm
by spippan
@spippan There must have been a change in 7.14beta10 maybe the following line?
*) route - fixed gateways of locally imported vpnv4 routes;


I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRF's gateway address but I can ping hosts on other VRFs

it is now working with route-leaking and forwarding between different VRFs
tested it yesterday

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Sun Mar 03, 2024 11:13 pm
by jsa97
@spippan There must have been a change in 7.14beta10 maybe the following line?





I can now ping endpoints between different VRFs using the route import/export.
I can't ping another VRF's gateway address but I can ping hosts on other VRFs

it is now working with route-leaking and forwarding between different VRFs
tested it yesterday
Hi, you mean that you can now ping local gateway between leaked VRF imported via MBGP ?
I'm not able to get this working, could you please send your working config ?

Thanks !

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Mar 04, 2024 9:58 am
by mrz
Local addresses will be reachable starting from v7.15beta

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Mar 04, 2024 10:52 pm
by spippan

Hi, you mean that you can now ping local gateway between leaked VRF imported via MBGP ?
I'm not able to get this working, could you please send your working config ?

Thanks !
no i meant reachability between clients in different VRFs
e.g. "ClientA" in VRF "RED" can reach "ClientB" in VRF "BLUE" as long as those 2 VRFs learn (leak) routes from/to each other
cannot reach the router address in a "foreign" VRF (ClientA in RED cannot reach GW address in BLUE)

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Mar 11, 2024 2:30 am
by nichky
@mrz

this is the plan for v7.15?
/ip route
add dst-address=10.11.0.0/24 gateway=vrfTest1@vrfTest1 routing-table=vrfTest2
add dst-address=10.12.0.0/24 gateway=vrfTest2@vrfTest2 routing-table=vrfTest1

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Mon Mar 11, 2024 9:42 am
by mrz
Yes

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Wed May 01, 2024 6:24 am
by nichky
has this been above removed from the wiki?

Re: v7 inter VRF route leak doesn't work for local IPs

Posted: Thu May 02, 2024 9:57 am
by mrz
Probably was removed by mistake, it should be reverted now.