Duplicate private networks on same core
Posted: Mon Jul 06, 2009 6:59 pm
by pjulian
Guys, we are looking to implement a new network using the attached design and was hoping to get some advice on configuration options and assistance with how to set it up. Forgive me if this is the wrong forum.
We are going to be terminating L2TP tunnels from our carrier, which will deliver our DSL tails to our router directly. We then want to run multiple private networks with the ability to use overlapping subnets or the same subnet multiple times. I can find plenty of information about how to do this with MPLS, but it all seems to revolve around having multiple routers in an MPLS network; however, we only have 1 router which terminates the DSL tails and then needs to handle the routing. I thought VRFs were what we needed, but just can't seem to get my head around how it would all work in this scenario.
I would really appreciate it if somebody could have a look at this configuration and advise on the correct configuration to use on the Mikrotik core router. I know it could be done with EOIP and bridges, but it's not scalable and really not the right way to do it.
Thanks in advance.
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Jul 06, 2009 7:33 pm
by sewlist
I use a similar scenario, where my dsl clients l2tp into my core router and i create each one their unique vrf's on the mpls network. if it's on one router, u dont need mpls, just the vrf
i have a problem where i lose my vrf interface from the dynamic l2tp client, so i make the l2tp client to the dsl client (in reverse), bit uglier but works
S
Re: Duplicate private networks on same core
Posted: Mon Jul 06, 2009 7:41 pm
by pjulian
Would you have any sort of example you could show me or explain ?
With you losing your VRF interfaces, couldn't you just define a L2TP server interface for each DSL client terminating on your router ?
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Jul 06, 2009 11:12 pm
by sewlist
Paul, you're a champion, tested it now and it works, can't believe i overlooked it, now i can use my radius accounting as well, bump now i have to redo all my clients
I would suggest looking at the ip route vrf examples, also look at routing bgp instance vrf, make sure u are on 3.25 as the previous version had invalid labels
it's simpler than u think
1) add the interface into a vrf with unique RD
2) add the vrf to a bgp instance, make sure to redistribute-connected
u good to go, if u want to extend it to a mpls cloud, then u need to look at MP-BGP where u use vpnv4-route, i had a previous example on the forum with my config, may help with some syntax, make sure your bgp peers are your lobridge ip and not WAN ip
once u go vrf u wont go back, u will want to call your future kids mpls, vrf and bgp
hope this helps
S
Re: Duplicate private networks on same core
Posted: Tue Jul 07, 2009 2:00 am
by pjulian
LOL, glad I could help, it's often the simple things we overlook more often than not.
I have to learn how to do the VRF and BGP stuff, then all this will probably fall into place, unfortunately I have never done any advanced routing, so this is a baptism of fire for me, once I figure out how to do it I'm sure it will be plain sailing from there.
So when you say lobridge, you mean a loopback interface, yes?
- So I receive the L2TP session into a L2TP server interface
- I add that interface into a VRF (say VRF1)
- Add the VRF into a BGP instance (somehow:-))
- Make sure I have BGP redistribute set to on (I have seen this option)
Presto, all should be good, so the routing table is populated from whatever the client puts on their end correct, I assume I have to enable BGP on the interface at the client router end using the same BGP instance ID?
Does this sound mildly correct ?
Regards
Paul
Re: Duplicate private networks on same core
Posted: Tue Jul 07, 2009 9:10 am
by sewlist
yes very close
lobridge is the loopback interface, but u will use this only if u use mpls further, at the moment u dont need it
also u dont need bgp peering as u have one router, the client has very little config
let me copy and paste u some config
my VRF on a tower
routing-mark=test interfaces=pppoe-in-test route-distinguisher=1.1.1.1:11 import-route-targets=1.1.1.1:11 export-route-targets=1.1.1.1:11
my bgp instance vrf
0 instance=default routing-mark=test redistribute-connected=yes redistribute-static=yes redistribute-rip=no redistribute-ospf=no redistribute-other-bgp=no out-filter=""
that's all u need, notice i have set redistribute-static to yes, so if u add a static route into the vrf it will show
dst-address=192.168.16.0/24 gateway=pppoe-in-test reachable distance=1 scope=30 target-scope=10 routing-mark=test
on the client just route the remote network through the vpn and u good to go
now when u extend your backbone (say wireless like mine) u need mpls and lobridge and bgp peering to be able to add other clients into the same vrf's, but for now u dont need it
hope this helps
Re: Duplicate private networks on same core
Posted: Fri Jul 10, 2009 2:02 pm
by Eising
Consider adding a second router, just for redundancy. If you do so, you should consider running basic MPLS there...
Re: Duplicate private networks on same core
Posted: Fri Jul 10, 2009 2:52 pm
by pjulian
Thanks for the suggestion on that. I have considered it, but am not sure how I would handle the termination of the L2TP sessions to automatically go to the backup router. Is there something obvious there which I should be doing which is straightforward? I would rather be running two routers for redundancy.
Regards
Paul
Re: Duplicate private networks on same core
Posted: Tue Aug 18, 2009 9:38 am
by pjulian
OK, I have got the VRF stuff working amazingly....
I have two subnets the same running through the same test core router and I can ping from end to end within the customer networks, so all is good there.
I ended up using OSPF; whether that is the best way or not, it's what I learnt first.
So I am using that to distribute the routes for the local networks on the CE routers back into the VRF routing tables.
How do I allow a customer to get out of their VRF and route out to the Internet for example ?
I realise I will have to use NAT for them, but I am bound to need to do this and should understand the concepts before doing any more I think.
Thanks
Paul
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 5:06 am
by pjulian
Is anybody able to help with getting the customer out of their VRF to another gateway for Internet access ??
Also, if I am terminating my DSL tails with a L2TP tunnel onto the router, how do you use dynamic interfaces for this so that they get added into the customer's VRF automatically ??
I assume that you need to be able to do this to have redundancy for the termination of the DSL tails across MPLS and multiple routers, yes ?
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 1:22 pm
by Eising
Can't help you with your L2TP issue, but I can help with the route leaking.
There is an excellent wiki article on it here:
http://wiki.mikrotik.com/wiki/Internet_access_from_VRF.
You might also consider my wiki article on VRF route-leaking, if you need to leak routes from one VRF to a shared VRF securely:
http://wiki.mikrotik.com/wiki/VRF_Route_Leaking.
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 1:30 pm
by pjulian
Thanks very much for your help, I will check both of those out.
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 2:01 pm
by pjulian
Eising, in the first wiki, the line: "/ip route add routing-mark=cust-one gateway=10.0.0.1@main" is used but there is not an IP on the diagram showing that gateway address, rather the gateway is shown as 10.5.5.2 (loopback address ??).
Am I missing something obvious or is that a typo ?
Also, a question about loopback interfaces, I assume that you are only able to reach a loopback adapter when you are using OSPF or similar to distribute routes, is that correct ?
I am still to get my head around the loopback concept
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 2:15 pm
by Eising
Yes, I get your point. The first wiki wasn't as excellent as I wanted it to be, but it shows the basic concept of leaking routes to the main table. There are several issues here that aren't properly addressed, such as NAT.
I hate to tell you this, but I can only suggest that you experiment with these concepts in a lab, as many MPLS concepts essentially aren't really documented yet.
I haven't had the time to explore this topic myself, as it's not very important to my own MPLS implementation. We tunnel all our internet traffic to a virtualised firewall, thus avoiding the need of doing MPLS NAT.
Essentially, you would want your internet gateway/PE router configured so that each customer has a subnet that doesn't overlap, so you can leak it and allow the return traffic. Most larger service providers use public addressing entirely in their infrastructure, but since ipv4 addressing has become sparse, it's not really scalable for us smaller ISPs.
Regarding your loopback question: A loopback interface is a software-only interface. In RouterOS it's a bridge without physical interfaces and will therefore need to be redistributed via your routing protocol.
The primary argument for using loopbacks is to allow forwarding protocols to bind to an interface that never goes down, adding a little stability to your network. It's considered best practice to peer your IBGP routers using the loopback address, and distribute the information about the loopback addresses using an IGP such as static routing or OSPF.
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 2:20 pm
by Eising
By the way, I think that wiki article refers to a gateway not visible in the topology drawing that is the actual internet gateway used by the provider, so /ip route add routing-mark=cust-one gateway=10.0.0.1@main refers to 10.0.0.1 which is also the default gateway of the internet-pe.
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 2:49 pm
by pjulian
Thanks for that.
So in my case I need overlapping networks on the network, hence the requirement for VRFs, so would a source-nat rule allow you to define the source routing mark or something to help with the NAT process ?
Regards
Paul
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 4:07 pm
by Eising
/ip firewall nat has a routing-mark option. You could try and experiment with that. I haven't tried myself.
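Putting sewlist's two steps (interface into a VRF with a unique RD, VRF into a BGP instance with redistribution) together with the route-leak and NAT idea from Eising's posts, as an added RouterOS script that is not from the thread or from the MikroTik wiki. It assumes the RouterOS 3.x/4.x syntax used in this thread, a WAN interface named ether1-wan with upstream gateway 10.0.0.1, two customers whose LANs both use 192.168.16.0/24, and that the routing-mark matchers in nat and mangle see the VRF's mark; the connection-mark rules for the return path are my assumption, not something the thread confirms.

```routeros
# Added example (not from the thread): two customers with the SAME LAN prefix on one
# core router, each in its own VRF, with per-VRF NAT out to the internet.
# Assumed: RouterOS 3.x/4.x syntax, WAN interface ether1-wan, upstream gateway 10.0.0.1.

# 1. Static L2TP server bindings, so each customer's interface has a fixed name that
#    can be placed in a VRF (a dynamic interface disappears when the tunnel drops).
/interface l2tp-server server set enabled=yes
/ppp secret add name=custA password=CHANGE-ME service=l2tp local-address=10.255.1.1 remote-address=10.255.1.2
/ppp secret add name=custB password=CHANGE-ME service=l2tp local-address=10.255.2.1 remote-address=10.255.2.2
/interface l2tp-server add name=l2tp-in-custA user=custA
/interface l2tp-server add name=l2tp-in-custB user=custB

# 2. One VRF per customer with a unique RD; membership binds ingress packets to that table.
/ip route vrf add routing-mark=cust-a interfaces=l2tp-in-custA route-distinguisher=1.1.1.1:11 import-route-targets=1.1.1.1:11 export-route-targets=1.1.1.1:11
/ip route vrf add routing-mark=cust-b interfaces=l2tp-in-custB route-distinguisher=1.1.1.1:12 import-route-targets=1.1.1.1:12 export-route-targets=1.1.1.1:12

# 3. Redistribute connected and static routes into each VRF table. With a single router
#    no BGP peer is configured; the instance only performs the redistribution.
/routing bgp instance vrf add instance=default routing-mark=cust-a redistribute-connected=yes redistribute-static=yes
/routing bgp instance vrf add instance=default routing-mark=cust-b redistribute-connected=yes redistribute-static=yes

# 4. The overlapping customer LANs: identical prefix, separate tables, no conflict.
/ip route add dst-address=192.168.16.0/24 gateway=l2tp-in-custA routing-mark=cust-a
/ip route add dst-address=192.168.16.0/24 gateway=l2tp-in-custB routing-mark=cust-b

# 5. Leak ONLY a default route from each VRF to the main table's upstream gateway (the
#    "@main" suffix). Customer prefixes are never leaked into main, so cust-a and cust-b
#    still have no path to each other.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1@main routing-mark=cust-a
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1@main routing-mark=cust-b

# 6. Per-VRF source NAT on the way out, keyed on the VRF's routing mark.
/ip firewall nat add chain=srcnat routing-mark=cust-a out-interface=ether1-wan action=masquerade
/ip firewall nat add chain=srcnat routing-mark=cust-b out-interface=ether1-wan action=masquerade

# 7. Return path (assumption): replies enter on ether1-wan, which is in main, and main
#    has no route for 192.168.16.0/24. Mark each customer's connections on the way out
#    and push the reply back into the right VRF table by connection mark.
/ip firewall mangle add chain=prerouting in-interface=l2tp-in-custA action=mark-connection new-connection-mark=conn-cust-a
/ip firewall mangle add chain=prerouting in-interface=l2tp-in-custB action=mark-connection new-connection-mark=conn-cust-b
/ip firewall mangle add chain=prerouting in-interface=ether1-wan connection-mark=conn-cust-a action=mark-routing new-routing-mark=cust-a
/ip firewall mangle add chain=prerouting in-interface=ether1-wan connection-mark=conn-cust-b action=mark-routing new-routing-mark=cust-b
```

Check the result with "/ip route print where routing-mark=cust-a" (expect the LAN route via the tunnel plus the leaked default) and with "/ip firewall connection print" while a customer host browses; each customer's CE only needs a default route pointing at its tunnel.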
Re: Duplicate private networks on same core
Posted: Mon Aug 24, 2009 4:25 pm
by pjulian
Will do, thanks !
Regards
Paul
Re: Duplicate private networks on same core
Posted: Wed Sep 09, 2009 10:17 pm
by Eising
I was wondering if you have had any luck with this so far?
I'm starting to see a need for this in the network I'm building, so if you have had any luck so far, I'd like to hear about it!
Re: Duplicate private networks on same core
Posted: Thu Sep 10, 2009 1:24 am
by pjulian
Hi, yes I have the VRFs working with OSPF doing the route propagation, however I haven't had the chance to go back to the Internet access part as yet.
Unfortunately though, I have learned that the Mikrotik L2TP implementation can't terminate L2TP tunnels from my DSL provider as it doesn't support being an LNS, which is a shame. Most of the work I have now done is useless, but I will probably keep the lab together and try and get this internet piece working though.
If I do I will post back up here.
Regards
Paul
Re: Duplicate private networks on same core
Posted: Thu Sep 10, 2009 8:47 am
by Eising
Did you try to contact MikroTik with this as a feature request?
Anyway, I'm going to do this in a lab as well, so if you get stuck with yours, let me know, we might be able to find out something.
Re: Duplicate private networks on same core
Posted: Thu Sep 10, 2009 1:50 pm
by pjulian
Great, sounds good, let me know how you go.
Yes, there are a lot of requests for this feature so I'm not sure if they will do it or not.
Regards
Paul
Re: Duplicate private networks on same core
Posted: Fri Sep 11, 2009 6:50 pm
by Eising
I got per-VRF NAT for internet access working in the lab today. I'll write a wiki some time during the weekend.
Re: Duplicate private networks on same core
Posted: Sat Sep 12, 2009 12:47 am
by pjulian
Excellent, that would be great !
Regards
Paul
Re: Duplicate private networks on same core
Posted: Sat Sep 12, 2009 3:36 pm
by Eising
Here you go:
http://wiki.mikrotik.com/wiki/Internet_ ... F_with_NAT
If you have anything to add or change, please let me know
Re: Duplicate private networks on same core
Posted: Wed Dec 10, 2014 10:37 am
by hamscl
Hi everyone!
These are very interesting settings.
I'm trying to make very similar settings; could you help me please?
best regards
Héctor