Hey, I have been using VyOS as a router for a few months. A few days ago I expanded my network with a clue. Now I only have external interfaces which are assigned to VRFs. There is no external interface without a VRF to set up tunnels correctly. Also, setting up a static route with a leak to the default VRF does not help to establish the connections of the tunnel.
To get a familiar setup I requested a third interface with a “normal” uplink just to establish tunnel connections, which was declined. Now I am trying to figure out how I should use a loopback interface or dummy interface to bind the tunnel… but without any ethernet port which is not in any VRF.
Can anyone help me to understand how it can be done anyway?
If the one interface which is also used as uplink via BGP is not in a VRF, the tunnel works fine, so it does not seem to be an issue with the tunnel itself. I use ip6gretap for encapsulation of the tunnel.
ip6gretap seems bad for debugging… I can only debug whether it works but not why it does not work… or does anyone have a hint how to debug why an ip6gretap tunnel connection cannot be established?
It is funny that both can reach each other's endpoint normally… so it is very hard to understand why the tunnel breaks.
That is still the complete nonworking configuration.
I have 2 interfaces: eth0 (BGP uplink) and eth1 (IXP). I need a tunnel to my own network over physical eth0… but after I put eth0 into a VRF the tunnel breaks. eth0 is required in the VRF for BGP… so my description is a configuration-independent question to understand in what way it is possible to configure, as it seems outside my understanding of VRF. I really do not understand why the tunnel breaks even if both endpoints can reach each other.
I meant set config
But anyway I think I could read it more or less.
To summarize:
tunnel 11 with encapsulation ip6gretap
routing should go out on interface eth0
eth1 is not relevant for this use case
What is in your BGP table for vrf net?
What is in your route table for vrf net?
I don't see any RD and route-targets configured for your VRF.
IMHO you need them for BGP and VRF.
You mean the BGP summary? It just shows that BGP on the uplink is configured and all internal connections to core and other gateways are down…
The routing table for vrf net is too large with over 200k prefixes but they are all “valid and best” as there is just one bgp uplink still available. But that does not have anything to do with the general question.
I have already tried much more, like setting up a second VRF and binding the tunnel to a loopback interface, and also tried to make a bridge between loopback and eth0, but it cannot be established because eth0 is in a VRF and VyOS declined it. The current configuration may not be helpful anyway, as I try some other clues every time to make it possible. But now I do not have any idea about the two questions below:
WHY does a tunnel break if the physical interface that the tunnel is bound to is in a VRF?
How can I use a tunnel if all ethernet interfaces are in a VRF? They said they recommend that I create the tunnel through loopback as it is not in a VRF, but I still do not understand how I bind the loopback interface to the correct ethernet interface… as they cannot be bridged…
Edit: It cannot be caused by routing itself, as both endpoints can reach each other without any issues. Only the tunnel breaks if the ethernet interface is in a VRF.
The tunnel will source its traffic from the default VRF unless a source-interface is defined. So the tunnel is trying to source traffic from a table that doesn’t know about the routes in vrf net.
You would want to define a source-interface (dev in Linux) for that traffic, which you’ve probably seen isn’t allowed for encapsulation ip6gretap. Do you need to use that encap, or is ip6gre fine? That will allow you to set the source-interface. If you specifically need the bridging of ip6gretap, then you can use a vxlan interface, which also allows the source-interface to be set.
Like I mentioned above, you can change the encap to ip6gre or use a vxlan interface, which will allow you to set the source-interface. If you have to use ip6gretap, then you have a couple of options:
Create a task on vyos.dev and request relaxing that constraint, but it may have been added for a specific reason.
Remove that constraint yourself in the code, but you’d need to do that every time you upgrade to a new VyOS version.
Use route leaking or a veth pair to route traffic between the default VRF and vrf net.
That solved this issue; the tunnel can be used with ip6gre and ip6ip6. Now I can figure out how to bring iBGP up on the tunnel with real debugging.
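The change discussed in the answer above (switching from ip6gretap to ip6gre so that a source-interface can be set), written out as VyOS configuration commands. This is an added example, not configuration posted in the thread: tun11, eth0, vrf net and the encapsulation names come from the thread, while the VRF table number and all 2001:db8:: addresses are constructed placeholders.

```vyos
# Added example. The VRF table number and every address below
# (2001:db8::/32 documentation range) are constructed placeholders.
configure

# Underlay: eth0 carries the BGP uplink and is a member of vrf "net".
set vrf name net table 100
set interfaces ethernet eth0 vrf net
set interfaces ethernet eth0 address 2001:db8:0:1::2/64

# Non-working variant described in the thread (kept as comments):
# ip6gretap does not accept source-interface, so the outer packets are
# sourced from the default VRF, whose table does not know the routes
# that live in vrf net.
#   set interfaces tunnel tun11 encapsulation ip6gretap
#   set interfaces tunnel tun11 source-address 2001:db8:0:1::2
#   set interfaces tunnel tun11 remote 2001:db8:0:2::2

# Working variant: ip6gre accepts source-interface, which ties the
# outer (underlay) traffic to eth0 and therefore to vrf net.
set interfaces tunnel tun11 encapsulation ip6gre
set interfaces tunnel tun11 source-interface eth0
set interfaces tunnel tun11 source-address 2001:db8:0:1::2
set interfaces tunnel tun11 remote 2001:db8:0:2::2

# Inner (overlay) address used later for the iBGP session.
set interfaces tunnel tun11 address 2001:db8:ffff::1/64

commit

# Check the tunnel state, then test the inner address of the far end
# (constructed as 2001:db8:ffff::2).
run show interfaces tunnel tun11
run ping 2001:db8:ffff::2 count 3
```

If layer-2 bridging over the tunnel is required, the answer's alternative is a vxlan interface, which also accepts a source-interface.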