Currently running 1.4 20220226 nightly
I have configured a set of routers with an identical VRF config (only the router-id differs) to separate the internet failsafe default route from the ADMIN network, which should use the OSPF default-information route learned from upstream routers to connect to the internet (not the default VRF 0.0.0.0/0 next hop).
After configuring this, I am not able to establish a neighbor relationship or ping each router's own IP on a VRF interface, nor each other or other hosts on br1.2 or br1.1023. Am I missing something, or is this a bug with VRF and bridge VLANs?
ping 10.255.2.2 vrf ADMIN results in no response.
If I run tcpdump on either interface, I'm able to see OSPFv2/v3 hellos from all 4 routers as well as the ping requests, but no reply.
set interfaces bridge br1 vif 2 vrf 'ADMIN'
set interfaces bridge br1 vif 1023 vrf 'ADMIN'
set protocols static route 0.0.0.0/0 next-hop 1xx.8xxx vrf 'default'
set vrf bind-to-all
set vrf name ADMIN protocols ospf area 0.0.0.0 network '10.255.0.0/24'
set vrf name ADMIN protocols ospf area 0.0.0.0 network '10.255.2.0/24'
set vrf name ADMIN protocols ospf area 0.0.0.4 network '10.255.0.8/30'
set vrf name ADMIN protocols ospf interface br1.2 cost '1'
set vrf name ADMIN protocols ospf interface br1.2 dead-interval '6'
set vrf name ADMIN protocols ospf interface br1.2 hello-interval '1'
set vrf name ADMIN protocols ospf interface br1.2 passive disable
set vrf name ADMIN protocols ospf interface br1.1023 cost '100'
set vrf name ADMIN protocols ospf interface br1.1023 dead-interval '6'
set vrf name ADMIN protocols ospf interface br1.1023 hello-interval '1'
set vrf name ADMIN protocols ospf interface br1.1023 passive disable
set vrf name ADMIN protocols ospf parameters router-id '0.0.0.255'
set vrf name ADMIN protocols ospf redistribute connected route-map 'ospf-connected'
set vrf name ADMIN protocols ospfv3 interface br1.2 area '0.0.0.0'
set vrf name ADMIN protocols ospfv3 interface br1.2 cost '1'
set vrf name ADMIN protocols ospfv3 interface br1.2 dead-interval '6'
set vrf name ADMIN protocols ospfv3 interface br1.2 hello-interval '1'
set vrf name ADMIN protocols ospfv3 interface br1.1023 area '0.0.0.0'
set vrf name ADMIN protocols ospfv3 interface br1.1023 cost '100'
set vrf name ADMIN protocols ospfv3 interface br1.1023 dead-interval '6'
set vrf name ADMIN protocols ospfv3 interface br1.1023 hello-interval '1'
set vrf name ADMIN protocols ospfv3 parameters router-id '0.0.0.255'
set vrf name ADMIN protocols ospfv3 redistribute connected route-map 'ospfv3-connected'
set vrf name ADMIN table '200'
I also have firewall zone-policy set for LOCAL, WAN, and ADMIN. WAN to ADMIN is dropped by default, but LOCAL to ADMIN and ADMIN to LOCAL are allowed by default. (br1.2 and br1.1023 are both in the ADMIN zone.)
The end result I'm looking for will only allow traffic to connect to the server ADMIN network (on br1.2) if I'm coming in from br1.1023 OR I'm SSHing directly from a router in a disaster recovery scenario.
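The kernel-level state that a VRF config like the one above should produce can be checked independently of the VyOS CLI. The following is an added example, not code from the original post or from VyOS: it parses constructed `ip rule show` and `ip -d link show` output (not captured from the poster's routers) and checks the conditions the Linux VRF documentation describes for a working VRF: an l3mdev FIB rule exists and is evaluated before the local-table lookup, the VRF device ADMIN is bound to the configured table 200, and br1.2 and br1.1023 are enslaved to it. The sample outputs, the rule preferences, and the expectation that the local rule sits at pref 32765 are assumptions stated in the code; the script reports what differs from that expected state, it does not diagnose the poster's problem.

```python
import re

# Constructed sample "ip rule show" output (not from the poster's routers):
# the local table is still consulted first (pref 0).  The Linux VRF docs
# recommend moving it after the l3mdev rule, i.e.
#   ip rule add pref 32765 table local; ip rule del pref 0
IP_RULE_BAD = """\
0:\tfrom all lookup local
1000:\tfrom all lookup [l3mdev-table]
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed sample after the local rule has been moved (assumed expected state).
IP_RULE_OK = """\
1000:\tfrom all lookup [l3mdev-table]
32765:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed "ip -d link show" output: VRF bound to the wrong table and
# br1.1023 not enslaved (no "master ADMIN" on its header line).
IP_LINK_BAD = """\
4: ADMIN: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether aa:bb:cc:dd:ee:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 1280 maxmtu 65575
    vrf table 100 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536
5: br1.2@br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ADMIN state UP mode DEFAULT group default qlen 1000
    link/ether aa:bb:cc:dd:ee:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 2 <REORDER_HDR> addrgenmode eui64
6: br1.1023@br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether aa:bb:cc:dd:ee:03 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 1023 <REORDER_HDR> addrgenmode eui64
"""

# Constructed output matching "set vrf name ADMIN table 200" with both VIFs enslaved.
IP_LINK_OK = IP_LINK_BAD.replace("vrf table 100", "vrf table 200").replace(
    "qdisc noqueue state UP mode DEFAULT group default qlen 1000\n    link/ether aa:bb:cc:dd:ee:03",
    "qdisc noqueue master ADMIN state UP mode DEFAULT group default qlen 1000\n    link/ether aa:bb:cc:dd:ee:03")

RULE_RE = re.compile(r"^(\d+):\s+.*?\blookup\s+(\S+)")
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<")


def parse_ip_rule(text):
    """Return [(pref, table), ...] sorted the way the kernel evaluates them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return sorted(rules)


def parse_links(text):
    """Return {ifname: {"master": str|None, "vrf_table": int|None}} from 'ip -d link show'."""
    links, cur = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:  # header line of a new interface
            cur = {"master": None, "vrf_table": None}
            links[m.group(1)] = cur
            mm = re.search(r"\bmaster\s+(\S+)", line)
            if mm:
                cur["master"] = mm.group(1)
        elif cur is not None:  # indented detail lines belong to the current interface
            mt = re.search(r"\bvrf table\s+(\d+)", line)
            if mt:
                cur["vrf_table"] = int(mt.group(1))
    return links


def audit_vrf(ip_rule_out, ip_link_out, vrf, table, members):
    """Compare captured ip output with the VRF state the config is expected to produce."""
    findings = []
    prefs = {tbl: pref for pref, tbl in parse_ip_rule(ip_rule_out)}
    if "[l3mdev-table]" not in prefs:
        findings.append("no l3mdev rule: VRF routing tables are never consulted")
    elif "local" in prefs and prefs["local"] < prefs["[l3mdev-table]"]:
        findings.append(f"local table (pref {prefs['local']}) is looked up before "
                        f"[l3mdev-table] (pref {prefs['[l3mdev-table]']})")
    links = parse_links(ip_link_out)
    dev = links.get(vrf)
    if dev is None or dev["vrf_table"] is None:
        findings.append(f"no VRF device named {vrf}")
    elif dev["vrf_table"] != table:
        findings.append(f"{vrf} uses table {dev['vrf_table']}, config says {table}")
    for name in members:
        master = links.get(name, {}).get("master")
        if master != vrf:
            findings.append(f"{name} is not enslaved to {vrf} (master: {master})")
    return findings


if __name__ == "__main__":
    for label, rule, link in (("bad", IP_RULE_BAD, IP_LINK_BAD), ("ok", IP_RULE_OK, IP_LINK_OK)):
        print(label, audit_vrf(rule, link, "ADMIN", 200, ["br1.2", "br1.1023"]) or "no findings")
```

On a live router the two inputs are the output of `ip rule show` and `ip -d link show`; an empty result means the kernel side matches what the VyOS config asks for, so further troubleshooting belongs in FRR (OSPF neighbor state per VRF) or the zone-policy rules rather than in interface enslavement.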