Static route from default vrf to other vrf

Hello All,

I’m trying to port a junos config to vyos. The junos config uses 3 routing instances to encapsulate 3 Internet/ISP connections and some associated ipsec tunnels. Static routes are used in the default vrf to route traffic to the other vrfs via the junos “next-table” vs the typical next-hop. Is there a way to accomplish this in vyos?

I’m using the 1.4 rolling release

Thanks,
-G

Hi,

I haven’t tried it myself but there is an example in the documentation which hopefully helps: Configuration Guide » VRF or here Configuration Blueprints » Inter-VRF Routing over VRF Lite

Hi,

@I-n-d-y thanks for the links. I actually saw those. However, there isn’t anything there about a simple static route from the default vrf to another vrf. I’m also a little confused about static routes in general. If I add a static route without specifying a vrf, I would expect it to show up when I do a “show ip route”. However, it does not. I can’t get it to show up with any of the “show ip route” variations. I’m a total vyos newbie, so I may have missed something.

Thanks,
-G

Regarding the example in the docs, a static route from the default vrf to another vrf should be configured like this:

set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue'
set protocols static route 10.30.0.0/24 interface br10 vrf 'red'
show ip route

A static route from another vrf to the default vrf is done like this:

set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
show ip route vrf red

Is this what you are looking for? Unfortunately, I don’t have any VRF in my own configuration yet so I have no real examples.

Hi I-n-d-y,

Thanks again for the info. I have tried this, but it doesn’t work. However, I have a nat rule configured in the vrf. Perhaps that doesn’t work. I’m still trying to figure out if nat should work in this case.

Thanks,
-G

What version are you using? We’ve solved an old known issue related to NAT + route leaking with VRF. I’ve tested this configuration and it works:

set interfaces ethernet eth0 address '172.16.50.12/24'
set interfaces ethernet eth0 description 'RED'
set interfaces ethernet eth0 vrf 'RED'
set interfaces ethernet eth1 address '192.168.130.100/24'
set interfaces ethernet eth1 description 'BLUE'
set interfaces ethernet eth1 vrf 'BLUE'

set nat destination rule 110 description 'NAT ssh- INSIDE'
set nat destination rule 110 destination port '2022'
set nat destination rule 110 inbound-interface 'eth0'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.168.130.40'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.168.130.0/24'
set nat source rule 100 translation address 'masquerade'
set vrf bind-to-all
set vrf name BLUE protocols static route 0.0.0.0/0 next-hop 172.16.50.1 vrf 'RED'
set vrf name BLUE protocols static route 172.16.50.0/24 interface eth0 vrf 'RED'
set vrf name BLUE table '1010'
set vrf name RED protocols static route 0.0.0.0/0 next-hop 172.16.50.1
set vrf name RED protocols static route 192.168.130.0/24 interface eth1 vrf 'BLUE'
set vrf name RED table '2020'

Here is the reference for the case; you must upgrade to the latest 1.5, where we have this fix: T3655 NAT Problem with VRF

Hi Fernando,

Thanks! I’ll try it out and let you know how it goes.

Thanks,
-G


Hi Fernando,

I tried what you recommended, but it’s not working. Please find config below.

set interfaces ethernet eth0 address 'x.x.x.25/24'
set interfaces ethernet eth0 vrf 'mgt-vrf'
set interfaces ethernet eth1 address 'y.y.y.124/25'
set interfaces ethernet eth5 address 'z.z.z.26/29'
set interfaces ethernet eth5 description 'ISP-1 interface'
set interfaces ethernet eth5 vrf 'isp1-vrf'

set nat source rule 500 outbound-interface 'eth5'
set nat source rule 500 protocol 'all'
set nat source rule 500 source address 'y.y.y.0/25'
set nat source rule 500 translation address 'masquerade'
set protocols static route 0.0.0.0/0 interface eth5 vrf 'isp1-vrf'

set vrf bind-to-all
set vrf name isp1-vrf description 'ISP-1 vrf'
set vrf name isp1-vrf protocols static route 0.0.0.0/0 next-hop z.z.z.30
set vrf name isp1-vrf protocols static route y.y.y.0/25 interface eth1 vrf 'default'
set vrf name isp1-vrf table '200'
set vrf name mgt-vrf description 'management vrf'
set vrf name mgt-vrf protocols static route 0.0.0.0/0 next-hop x.x.x.254
set vrf name mgt-vrf table '100'

Thanks,
Gerry
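
An added example, not part of the original thread and not VyOS code: a small Python audit that reads `set` commands like those in the post above, lists every static route that crosses a VRF boundary, and reports which VRFs stay isolated. The function names are hypothetical, and the check that a leak route's interface is bound to the target VRF is an assumption drawn from the examples posted in this thread.

```python
import re
import shlex

# Lines copied from the post above; addresses are the poster's placeholders.
CONFIG = """\
set interfaces ethernet eth0 vrf 'mgt-vrf'
set interfaces ethernet eth5 vrf 'isp1-vrf'
set protocols static route 0.0.0.0/0 interface eth5 vrf 'isp1-vrf'
set vrf name isp1-vrf protocols static route 0.0.0.0/0 next-hop z.z.z.30
set vrf name isp1-vrf protocols static route y.y.y.0/25 interface eth1 vrf 'default'
set vrf name mgt-vrf protocols static route 0.0.0.0/0 next-hop x.x.x.254
"""

def audit_leaks(config):
    """Return one dict per static route whose next hop lives in another VRF."""
    iface_vrf = {}   # interface name -> VRF it is bound to
    routes = []      # (owning VRF, prefix, hop kind, hop value, target VRF)
    for line in config.splitlines():
        tok = shlex.split(line)          # also strips the single quotes
        if tok[:2] == ["set", "interfaces"] and len(tok) == 6 and tok[4] == "vrf":
            iface_vrf[tok[3]] = tok[5]
            continue
        owner = "default"
        if tok[:3] == ["set", "vrf", "name"]:
            owner, tok = tok[3], ["set"] + tok[4:]
        if tok[:4] == ["set", "protocols", "static", "route"] and len(tok) >= 7:
            target = tok[8] if len(tok) == 9 and tok[7] == "vrf" else None
            routes.append((owner, tok[4], tok[5], tok[6], target))
    leaks = []
    for owner, prefix, kind, hop, target in routes:
        if target is None or target == owner:
            continue                     # route stays inside its own VRF
        leak = {"from": owner, "prefix": prefix, "to": target, "via": hop}
        if kind == "interface":
            # Assumption: an interface with no "vrf" statement is in 'default'.
            leak["iface_in_target"] = iface_vrf.get(hop, "default") == target
        leaks.append(leak)
    return leaks

def isolated_vrfs(config):
    """VRFs that neither leak routes out nor are the target of a leak."""
    names = set(re.findall(r"^set vrf name (\S+)", config, re.M)) | {"default"}
    leaks = audit_leaks(config)
    return sorted(names - {l["from"] for l in leaks} - {l["to"] for l in leaks})

if __name__ == "__main__":
    for leak in audit_leaks(CONFIG):
        print(leak)
    print("isolated:", isolated_vrfs(CONFIG))
```

Run against a saved `show configuration commands` dump, this makes it easy to confirm that a management VRF has no leak routes in either direction.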

Are you running the latest 1.5-rolling?

Hi,

I’m running VyOS 1.5-rolling-202309130022.

Thanks,
-G

Try to add the following:

set protocols static route z.z.z.0/29 interface eth5 vrf 'default'

Remove the NAT. When you do the test to check it, you need to use a host behind eth5 with a host on eth1; don’t use VyOS itself. So, if it doesn’t work without NAT, it’s possible you have another problem.

Hi Fernando,

I guess I don’t understand the routing for this. I have the following:

1. A default route from the default vrf to the Internet vrf.
2. A default route in the internet vrf to the ISP gateway.
3. A return route from the internet vrf to the default vrf.

1. set protocols static route 0.0.0.0/0 interface eth5 vrf 'isp1-vrf'
2. set vrf name isp1-vrf protocols static route 0.0.0.0/0 next-hop z.z.z.30
3. set vrf name isp1-vrf protocols static route y.y.y.0/25 interface eth1 vrf 'default'

How does the route you recommended fit in? I don’t understand why the default vrf needs to know about the public address.

Thanks,
-G