Can't ping/tracert with WAN interface in VRF

I’m trying to get a simple vrf isolation for my WAN interface on an edge router. I have an upstream router that peers with ospf and advertises a default route which is currently within the default vrf. through that I can ping to the internet just fine and traceroute confirms that is the path it takes.

However, when I select the wan vrf to ping, etc… no replies are received and tracert doesn’t even hit the first hop.

I have to be missing something, because I tried using vrf in the same way a couple years ago and had similar issues

tech@router:~$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  10.255.0.251 (10.255.0.251)  2.242 ms  1.992 ms  1.789 ms
 2  x.x.x.10 (x.x.x.10)  1.694 ms  1.486 ms  1.392 ms
 3  x.x.x.1 (x.x.x.1)  1.326 ms  1.272 ms  1.209 ms
 4  gigabitethernet1-1-6.switch57.fmt2.he.net (216.218.159.53)  1.289 ms  1.464 ms  1.750 ms
 5  * * *
 6  * * port-channel4.core4.sjc2.he.net (72.52.92.246)  10.369 ms
 7  198.32.176.171 (198.32.176.171)  2.769 ms  3.298 ms equinix-sanjose.as13335.net (206.223.116.237)  1.791 ms
 8  * 172.68.188.72 (172.68.188.72)  19.813 ms 172.68.188.80 (172.68.188.80)  19.742 ms
 9  * * *
10  * one.one.one.one (1.1.1.1)  2.099 ms  2.104 ms
tech@router:~$ traceroute 1.1.1.1 vrf wan
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * *^Ctech@router:~$ sh conf com|grep vrf
set interfaces bridge br1 vif 1024 vrf 'wan'
set interfaces ethernet eth1 vrf 'wan'
set service ssh vrf 'default'
set service ssh vrf 'wan'
set vrf name wan protocols static route 0.0.0.0/0 next-hop x.x.x.1
set vrf name wan protocols static route x.x.x.11/32 interface br1.1024
set vrf name wan protocols static route x.x.x.12/32 interface br1.1024
set vrf name wan protocols static route x.x.x.13/32 interface br1.1024
set vrf name wan protocols static route x.x.x.14/32 interface br1.1024
set vrf name wan protocols static route6 f:f:f:f::11/128 interface br1.1024
set vrf name wan protocols static route6 f:f:f:f::12/128 interface br1.1024
set vrf name wan protocols static route6 f:f:f:f::13/128 interface br1.1024
set vrf name wan protocols static route6 f:f:f:f::14/128 interface br1.1024
set vrf name wan table '100'
tech@router:~$ sh ip route vrf wan
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF wan:
S>* 0.0.0.0/0 [1/0] via x.x.x.1, eth1, weight 1, 00:09:53
C>* x.x.x.0/24 is directly connected, eth1, 00:10:12
tech@router:~$ sh ver
Version:          VyOS 1.5-rolling-202412160007
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Mon 16 Dec 2024 00:07 UTC
Build UUID:       b8cd31f7-b8e3-443a-98da-45b4cfa867c2
Build commit ID:  64737049995158

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal
Secure Boot:      n/a (BIOS)

Hardware vendor:  PC Engines
Hardware model:   APU2
Hardware S/N:     1163897
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

is your next-hop ip x.x.x.1 part of wan vrf ?

if its part of default then i think you may have to mention the vrf name to use in the route as below

set vrf name wan protocols static route 0.0.0.0/0 next-hop x.x.x.1 vrf default