rare-dev - Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration

Subject: Rare project developers


Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration


  • From: Frédéric LOUI <>
  • To: Gabriel Tetzner <>
  • Subject: Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration
  • Date: Sat, 19 Nov 2022 08:16:47 +0100

You can try to use:

show access-list

And combine it with ping x.y.z.t vrf my_vrf repeat 111111111 timeout 11

in order to check which rule the packet matched and to see if one counter is
incrementing MUCH more than the others.



> On 19 Nov 2022 at 05:00, Gabriel Tetzner
> <> wrote:
>
> Hello Frédéric,
> I saw your e-mail, thank you,
> but I had not finished the e-mail I was writing,
> sorry for the delay.
> I need some hints:
> I think I managed to get the vrf to recognize the gateway output.
>
> I did it with hairpin11 and hairpin12 and established a route in the vrf VXLAN to
> 1.1.1.1, which would be my egress port:
>
> interface hairpin11
>
> vrf forwarding inet
>
> ipv4 address 1.1.1.1 255.255.255.0
>
> ipv6 address 1234::1 ffff::
>
> no shutdown
>
> no log-link-change
>
> exit
>
> !
> interface hairpin12
>
> vrf forwarding vxlan
>
> ipv4 address 1.1.1.2 255.255.255.0
>
> ipv6 address 1234::2 ffff::
>
> no shutdown
>
> no log-link-change
>
> exit
>
> !
> ipv4 route vxlan 0.0.0.0 0.0.0.0 1.1.1.1
> !
>
> output:
>
> vcpe1#ping 8.8.8.8 vrf vxlan
>
> pinging 8.8.8.8, src=null, vrf=vxlan, cnt=5, len=64, df=false, tim=1000,
> gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false,
> multi=false
> !!!!!
> result=100.0%, recv/sent/lost/err=5/5/0/0, took 64, min/avg/max/dev
> rtt=12/12.4/13/0.2, ttl 117/117/117/0.0, tos 0/0.0/0/0.0
>
> vcpe1#show ipv4 route inet
>
> typ prefix metric iface hop time
> DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.x 00:00:34
> C 1.1.1.0/24 0/0 hairpin11 null 00:06:45
> LOC 1.1.1.1/32 0/1 hairpin11 null 00:06:45
> C 10.255.255.0/24 0/0 ethernet20001 null 00:06:45
> LOC 10.255.255.254/32 0/1 ethernet20001 null 00:06:45
> C 200.x.x.x/28 0/0 ethernet1 null 00:00:34
> REM 200.x.x.x/32 0/0 ethernet1 200.137.68.65 00:00:34
> LOC 200.x.x.x/32 0/1 ethernet1 null 00:00:34
>
> vcpe1#show ipv4 route vxlan
>
> typ prefix metric iface hop time
> S 0.0.0.0/0 1/0 hairpin12 1.1.1.1 00:06:31
> C 1.1.1.0/24 0/0 hairpin12 null 00:06:39
> LOC 1.1.1.2/32 0/1 hairpin12 null 00:06:39
> C 10.0.0.0/24 0/0 tunnel2 null 00:06:39
> LOC 10.0.0.2/32 0/1 tunnel2 null 00:06:39
> D 10.10.10.0/24 90/20 tunnel1 124.0.2.1 00:06:31
> D 20.20.20.0/24 90/10 tunnel1 124.0.2.1 00:06:31
> D 30.30.30.0/24 90/30 tunnel1 124.0.2.1 00:06:31
> C 124.0.2.0/28 0/0 tunnel1 null 00:06:39
> LOC 124.0.2.2/32 0/1 tunnel1 null 00:06:39
> S 200.x.x.x/28 1/0 hairpin12 1.1.1.1 00:06:31
>
> You have helped a lot by revealing these tips; now I am trying to make my
> vrf vxlan ping an internal network, in this case 200.137.68.64/28. I put an
> output on the vrf vxlan, however I think this is an access-list issue:
>
> object-group network host4
> sequence 10 10.255.255.0 255.255.255.0
> sequence 20 124.0.2.0 255.255.255.240
> sequence 30 10.0.0.0 255.255.255.0
> sequence 40 1.1.1.0 255.255.255.0
> sequence 50 200.x.x.x 255.255.255.240
> exit
> !
> access-list nat4
> sequence 10 deny all obj lloc4 all any all
> sequence 20 deny all any all obj mcast4 all
> sequence 30 deny all obj host4 all obj host4 all
> sequence 40 permit all obj host4 all any all
> exit
> !
> access-list nat6
> sequence 10 deny all obj lloc6 all any all
> sequence 20 deny all any all obj mcast6 all
> sequence 30 deny all obj host6 all obj host6 all
> sequence 40 permit all obj host6 all any all
> exit
> !
>
> output:
> vcpe1#ping 200.x.x.76 vrf vxlan
> pinging 200.137.68.76, src=null, vrf=vxlan, cnt=5, len=64, df=false,
> tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1,
> sweep=false, multi=false
> .....
> result=0.0%, recv/sent/lost/err=0/5/5/0, took 5007, min/avg/max/dev
> rtt=10000/0.0/0/0.0, ttl 256/0.0/0/0.0, tos 256/0.0/0/0.0
> vcpe1#
>
> I would like some tips on how to achieve this.
>
> Yours truly,
> Gabriel Tetzner Menegueti
>
> On Fri, 18 Nov 2022 at 16:47, Gabriel Tetzner via groups.io
> <> wrote:
> Hello Frédéric,
>
> I think I managed to get the vrf to recognize the output gateway.
>
> I did it with hairpin11 and hairpin12 and set a route from the VXLAN vrf to 1.1.1.1,
> which would be my output gateway:
>
>
>
> On Tue, 15 Nov 2022 at 18:01, Frédéric LOUI
> <> wrote:
> Hi,
>
> What you are referring to is called inter-VRF routing.
> You have multiple ways to achieve that.
>
> For example you can use:
>
> 1- multiple MPLS route-targets: from a site connected to a PE that
> imports both RTs, you can do the inter-VRF routing.
> 2- freeRtr has a nice feature for bonding VRFs locally that is
> called hairpin (Juniper calls this feature a logical-tunnel interface).
> 3- Other methods, such as route redistribution between VRFs, etc.
>
> -2- is good if you are not familiar with service provider MPLS CORE. (I’m
> not sure about your design choice)
>
> Take a look at this test case:
> http://docs.freertr.org/guides/reference/md/conn-hairpin01.tst/
>
> It binds v1 to hairpin11 and v2 to hairpin12, routing is done through this
> interface.
>
> The cool thing is that you can apply ACL on hairpin11 and hairpin12 in
> order to filter traffic.
>
> Not sure if I understood and answered your question though :-/
>
> I’ll let mc36 elaborate more if needed.
>
> All the best
> Frederic
>
> > On 15 Nov 2022 at 17:30, Gabriel Tetzner
> > <> wrote:
> >
> > Hi all,
> >
> > sorry for the inconvenience and I know that everyone must be busy,
> >
> > I managed to make a wireguard client recognize our vxlan's tunnel
> > infrastructure and reach another router from another available network,
> > but I need to advance in one thing...
> >
> > Everything I am doing is separated into a vrf called VXLAN, but there is
> > a global vrf called INET that freeRouter creates when it is installed in
> > the virtual machine.
> >
> > This global INET vrf of mine reaches the Internet via an Ethernet1
> > interface that points to an outbound gateway; now consider that I want my
> > other VXLAN vrf to have an output to the Internet too, so that I have
> > external connectivity in my routes.
> >
> > I thought about creating a second eth2 interface and linking it with
> > pcapInt afterwards; I haven't done that yet, as I tried using a tapInt by
> > default. In my research I saw that you have a way to import the
> > routes from one vrf to the other, which is what they kind of call leaking, not
> > sure.
> >
> > Well, my question is: how can I make this vrf VXLAN communicate with the
> > output (gateway), using some means that is possible for this?
> >
> > And on that note...
> > The context of this is that I am looking for isolation of my network and
> > for it to point to the Internet afterwards; I need this to do tests with
> > SD-WAN as well, since I believe vpdn needs an output to reach the
> > destination target of the sd-wan server.
> >
> > Here are some configurations:
> >
> > prefix-list vrf_inet
> > sequence 10 permit 0.0.0.0/0 ge 0 le 0
> > exit
> > !
> > route-map VRF_TO_NET
> > sequence 10 action permit
> > sequence 10 match prefix-list vrf_inet
> > !
> > exit
> > !
> > route-map VRFINET_TO_VXLAN
> > sequence 10 action permit
> > sequence 10 match prefix-list vrf_inet
> > !
> > exit
> > !
> > vrf definition inet
> > rd 200:200
> > import4map VRF_TO_NET
> > export4map VRFINET_TO_VXLAN
> > exit
> > !
> > vrf definition vxlan
> > description vxlan vrf isolation
> > rd 100:100
> > import4map VRFINET_TO_VXLAN
> > export4map VRF_TO_NET
> > exit
> > !
> > interface ethernet1
> > description uplink
> > vrf forwarding inet
> > ipv4 address dynamic dynamic
> > ipv4 gateway-prefix all4
> > ipv4 dhcp-client enable
> > ipv4 dhcp-client early
> > ipv6 address dynamic dynamic
> > ipv6 gateway-prefix all6
> > ipv6 slaac-client enable
> > ipv6 prefix-suppress
> > router eigrp4 2 enable
> > no shutdown
> > no log-link-change
> > exit
> > !
> > vcpe1#show ipv4 route inet
> >
> > typ prefix metric iface hop time
> > DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.65 00:00:21
> > C 10.255.255.0/24 0/0 ethernet20001 null 12:05:01
> > LOC 10.255.255.254/32 0/1 ethernet20001 null 12:05:01
> > C 200.x.x.64/28 0/0 ethernet1 null 00:00:21
> > REM 200.x.x.65/32 0/0 ethernet1 200.x.x.65 00:00:21
> > LOC 200.x.x.69/32 0/1 ethernet1 null 00:00:21
> >
> > vcpe1#show ipv4 route vxlan
> >
> > typ prefix metric iface hop time
> > C 10.0.0.0/24 0/0 tunnel2 null 12:09:08
> > LOC 10.0.0.2/32 0/1 tunnel2 null 12:09:08
> > C 124.0.2.0/28 0/0 tunnel1 null 12:09:08
> > LOC 124.0.2.2/32 0/1 tunnel1 null 12:09:08
> > C 200.x.x.85/32 0/0 ethernet2 null 11:27:19
> >
> > This ethernet2 is the interface I tried to create ;)
> >
> > Best regards,
> > Gabriel Tetzner Menegueti.
> >
>
>
>
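To see which rule a probe from the vxlan vrf would hit, here is a small first-match evaluator for the nat4 access-list and host4 object-group quoted in the thread. This is an added example, not freeRtr code: it assumes freeRtr evaluates sequences in order with the first match winning, that the `obj X all` tokens mean "object-group X, any port", that `200.x.x.x/28` is the 200.137.68.64/28 the mail itself names, that the ping is sourced from hairpin12's 1.1.1.2, and constructed contents for lloc4/mcast4, which the thread does not show.

```python
import ipaddress

# Object groups from Gabriel's configuration. host4 is copied from the mail;
# lloc4 and mcast4 are not shown there, so link-local and multicast ranges
# are assumed (constructed values).
OBJECT_GROUPS = {
    "host4": ["10.255.255.0/24", "124.0.2.0/28", "10.0.0.0/24",
              "1.1.1.0/24", "200.137.68.64/28"],
    "lloc4": ["169.254.0.0/16"],   # assumed
    "mcast4": ["224.0.0.0/4"],     # assumed
}

# access-list nat4 as quoted: (sequence, action, source spec, destination spec).
# Port fields ("all") are ignored because the probe is ICMP.
NAT4 = [
    (10, "deny", "obj lloc4", "any"),
    (20, "deny", "any", "obj mcast4"),
    (30, "deny", "obj host4", "obj host4"),
    (40, "permit", "obj host4", "any"),
]


def _matches(spec, addr):
    """True if addr is covered by 'any' or by the named object-group."""
    if spec == "any":
        return True
    group = spec.split()[1]
    return any(addr in ipaddress.ip_network(n) for n in OBJECT_GROUPS[group])


def evaluate(acl, src, dst):
    """First-match evaluation (assumed freeRtr semantics).

    Returns (sequence, action) of the matching rule, or (None, 'deny')
    for the implicit deny at the end of the list.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_spec, dst_spec in acl:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    # The two pings from the thread, sourced from hairpin12 (assumed).
    for dst in ("8.8.8.8", "200.137.68.76"):
        print(dst, evaluate(NAT4, "1.1.1.2", dst))
```

Under these assumptions the 8.8.8.8 probe reaches sequence 40 while the 200.137.68.76 probe stops at sequence 30, which is the kind of per-rule difference the `show access-list` counters above would expose.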