Subject: Rare project developers
List archive
- From: Gabriel Tetzner <>
- To: Frédéric LOUI <>
- Cc: , ,
- Subject: Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration
- Date: Sun, 20 Nov 2022 17:50:58 -0300
Hi Frédéric and all,
Now I have a SD-WAN topology separated by vrf and working perfectly, I wanted to know if it is possible to activate a dynamic routing protocol like eigrp between the vpdn's of the sd-wan created? I tried to do this and it did not work very well, I activated it in the dialer interface of each vpdn; and it seems that in my neighbor it is not activated, maybe it is some configuration that I forgot to do or a lack of knowledge on the subject.
I managed to make it work by releasing the access-list, I feel that I am advancing more and more.
Now I have a SD-WAN topology separated by vrf and working perfectly, I wanted to know if it is possible to activate a dynamic routing protocol like eigrp between the vpdn's of the sd-wan created? I tried to do this and it did not work very well, I activated it in the dialer interface of each vpdn; and it seems that in my neighbor it is not activated, maybe it is some configuration that I forgot to do or a lack of knowledge on the subject.
Yours truly,
Gabriel Tetzner Menegueti
Gabriel Tetzner Menegueti
Em sáb., 19 de nov. de 2022 às 04:16, Frédéric LOUI <> escreveu:
You can try to use:
show access-list
And combine it with ping x.y.z.t vrf my_vrf repeat 111111111 timeout 11
In order to check if packet matched which rule and see if one counter is incrementing MUCH more than the others
> Le 19 nov. 2022 à 05:00, Gabriel Tetzner <> a écrit :
>
> Hello Frédéric,
> I saw your e-mail thank you,
> but I did not complete the e-mail I was making
> sorry for the delay,
> I need some hints,
> I think I managed to get vrf to recognize the gateway output.
>
> I did with hairpin11 and hairpin12 and established a vrf VXLAN route to 1.1.1.1, which would be my egress port:
>
> interface hairpin11
> vrf forwarding inet
> ipv4 address 1.1.1.1 255.255.255.0
> ipv6 address 1234::1 ffff::
> no shutdown
> no log-link-change
> exit
> !
> interface hairpin12
> vrf forwarding vxlan
> ipv4 address 1.1.1.2 255.255.255.0
> ipv6 address 1234::2 ffff::
> no shutdown
> no log-link-change
> exit
> !
> ipv4 route vxlan 0.0.0.0 0.0.0.0 1.1.1.1
> !
>
> output:
>
> vcpe1#ping 8.8.8.8 vrf vxlan
> pinging 8.8.8.8, src="null," vrf=vxlan, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false
> !!!!!
> result=100.0%, recv/sent/lost/err=5/5/0/0, took 64, min/avg/max/dev rtt=12/12.4/13/0.2, ttl 117/117/117/0.0, tos 0/0.0/0/0.0
>
> vcpe1#show ipv4 route inet
> typ prefix metric iface hop time
> DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.x 00:00:34
> C 1.1.1.0/24 0/0 hairpin11 null 00:06:45
> LOC 1.1.1.1/32 0/1 hairpin11 null 00:06:45
> C 10.255.255.0/24 0/0 ethernet20001 null 00:06:45
> LOC 10.255.255.254/32 0/1 ethernet20001 null 00:06:45
> C 200.x.x.x/28 0/0 ethernet1 null 00:00:34
> REM 200.x.x.x/32 0/0 ethernet1 200.137.68.65 00:00:34
> LOC 200.x.x.x/32 0/1 ethernet1 null 00:00:34
>
> vcpe1#show ipv4 route vxlan
> typ prefix metric iface hop time
> S 0.0.0.0/0 1/0 hairpin12 1.1.1.1 00:06:31
> C 1.1.1.0/24 0/0 hairpin12 null 00:06:39
> LOC 1.1.1.2/32 0/1 hairpin12 null 00:06:39
> C 10.0.0.0/24 0/0 tunnel2 null 00:06:39
> LOC 10.0.0.2/32 0/1 tunnel2 null 00:06:39
> D 10.10.10.0/24 90/20 tunnel1 124.0.2.1 00:06:31
> D 20.20.20.0/24 90/10 tunnel1 124.0.2.1 00:06:31
> D 30.30.30.0/24 90/30 tunnel1 124.0.2.1 00:06:31
> C 124.0.2.0/28 0/0 tunnel1 null 00:06:39
> LOC 124.0.2.2/32 0/1 tunnel1 null 00:06:39
> S 200.x.x.x/28 1/0 hairpin12 1.1.1.1 00:06:31
>
> You have helped a lot by revealing these tips, now I am trying to make my vrf vxlan ping an internal network, in this case 200.137.68.64/28, I put an output on the vrf vxlan, however I think this is an access-list issue:
>
> object-group network host4
> sequence 10 10.255.255.0 255.255.255.0
> sequence 20 124.0.2.0 255.255.255.240
> sequence 30 10.0.0.0 255.255.255.0
> sequence 40 1.1.1.0 255.255.255.0
> sequence 50 200.x.x.x 255.255.255.240
> exit
> !
> access-list nat4
> sequence 10 deny all obj lloc4 all any all
> sequence 20 deny all any all obj mcast4 all
> sequence 30 deny all obj host4 all obj host4 all
> sequence 40 permit all obj host4 all any all
> exit
> !
> access-list nat6
> sequence 10 deny all obj lloc6 all any all
> sequence 20 deny all any all obj mcast6 all
> sequence 30 deny all obj host6 all obj host6 all
> sequence 40 permit all obj host6 all any all
> exit
> !
>
> output:
> vcpe1#ping 200.x.x.76 vrf vxlan
> pinging 200.137.68.76, src="null," vrf=vxlan, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false
> .....
> result=0.0%, recv/sent/lost/err=0/5/5/0, took 5007, min/avg/max/dev rtt=10000/0.0/0/0.0, ttl 256/0.0/0/0.0, tos 256/0.0/0/0.0
> vcpe1#
>
> I would like some tips on how to achieve this.
>
> Yours truly,
> Gabriel Tetzner Menegueti
>
> Em sex., 18 de nov. de 2022 às 16:47, Gabriel Tetzner via groups.io <gabrieltetznermenegueti16=> escreveu:
> Hello Frédéric,
>
> Eu acho que consegui fazer a vrf reconhecer a saída gateway
>
> Fiz com hairpin11 e hairpin12 e acertei uma rota da vrf VXLAnN para 1.1.1.1 que seria minha saída gateway:
>
>
>
> Em ter., 15 de nov. de 2022 às 18:01, Frédéric LOUI <> escreveu:
> Hi,
>
> What you are referring is called inter-VRF routing.
> You have multiple ways to achieve that.
>
> For example you can use:
>
> 1- multiple MPLS route-target and from a site connected to a PE that import both RT, you can do the inter-VRF routing.
> 2- freeRtr has a nice feature feature in order to bon VRF locally that is called hairpin. Juniper calls this feature logical-tunnel interface)
> 3- Other method, such as route redistribution between VRF etc.
>
> -2- is good if you are not familiar with service provider MPLS CORE. (I’m not sure about your design choice)
>
> Take a look at this test case:
> http://docs.freertr.org/guides/reference/md/conn-hairpin01.tst/
>
> It binds v1 to hairpin11 and v2 to hairpin12, routing is done through this interface.
>
> The cool thing is that you can apply ACL on hairpin11 and hairpin12 in order to filter traffic.
>
> Not sure if I understood and answered your question though :-/
>
> I’ll let mc36 elaborate more if need.
>
> All the best
> Frederic
>
> > Le 15 nov. 2022 à 17:30, Gabriel Tetzner <> a écrit :
> >
> > Hi all,
> >
> > sorry for the inconvenience and I know that everyone must be busy,
> >
> > I managed to make a wireguard client recognize our vxlan's tunnel infrastructure and reach another router from another available network, but I need to advance in one thing...
> >
> > Everything I am doing is separated into a vrf called VXLAN, but there is a global vrf called INET that freeRouter creates when it is installed in the virtual machine.
> >
> > This my global INET vrf has output to the Internet via an Ethernet1 interface that points to an outbound gateway, now consider that I want my other VXLAN vrf to have output to the Internet so that I have in my routes the external connectivity.
> >
> > I thought about creating a second eth2 interface and linking it with pcapInt afterwards, I haven't done that yet as I tried using a tapInt by default and within my research, I saw that you have a way to import the routes from one vrf to the other is what they kind of call leaking, not sure.
> >
> > Well, my question is: how can I make this vrf VXLAN communicate with the output (gateway), using some means that is possible for this?
> >
> > And on that note...
> > The context of this ẽ́ that I am looking for isolation of my network and for it to point to the Internet afterwards, I need this to do tests with SD-WAN as well, since I believe vpdn needs an output to reach the destination target of the sd-wan server.
> >
> > Here are some configurations:
> >
> > prefix-list vrf_inet
> > sequence 10 permit 0.0.0.0/0 ge 0 le 0
> > exit
> > !
> > route-map VRF_TO_NET
> > sequence 10 action permit
> > sequence 10 match prefix-list vrf_inet
> > !
> > exit
> > !
> > route-map VRFINET_TO_VXLAN
> > sequence 10 action permit
> > sequence 10 match prefix-list vrf_inet
> > !
> > exit
> > !
> > vrf definition inet
> > rd 200:200
> > import4map VRF_TO_NET
> > export4map VRFINET_TO_VXLAN
> > exit
> > !
> > vrf definition vxlan
> > description vxlan vrf isolation
> > rd 100:100
> > import4map VRFINET_TO_VXLAN
> > export4map VRF_TO_NET
> > exit
> > !
> > interface ethernet1
> > description uplink
> > vrf forwarding inet
> > ipv4 address dynamic dynamic
> > ipv4 gateway-prefix all4
> > ipv4 dhcp-client enable
> > ipv4 dhcp-client early
> > ipv6 address dynamic dynamic
> > ipv6 gateway-prefix all6
> > ipv6 slaac-client enable
> > ipv6 prefix-suppress
> > router eigrp4 2 enable
> > no shutdown
> > no log-link-change
> > exit
> > !
> > vcpe1#show ipv4 route inet
> > typ prefix metric iface hop time
> > DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.65 00:00:21
> > C 10.255.255.0/24 0/0 ethernet20001 null 12:05:01
> > LOC 10.255.255.254/32 0/1 ethernet20001 null 12:05:01
> > C 200.x.x.64/28 0/0 ethernet1 null 00:00:21
> > REM 200.x.x.65/32 0/0 ethernet1 200.x.x.65 00:00:21
> > LOC 200.x.x.69/32 0/1 ethernet1 null 00:00:21
> >
> > vcpe1#show ipv4 route vxlan
> > typ prefix metric iface hop time
> > C 10.0.0.0/24 0/0 tunnel2 null 12:09:08
> > LOC 10.0.0.2/32 0/1 tunnel2 null 12:09:08
> > C 124.0.2.0/28 0/0 tunnel1 null 12:09:08
> > LOC 124.0.2.2/32 0/1 tunnel1 null 12:09:08
> > C 200.x.x.85/32 0/0 ethernet2 null 11:27:19
> >
> > This ethernet2 is the interface I tried to create ;)
> >
> > Best regards,Gabriel Tetzner Menegueti.
> >
>
> _._,_._,_
> Groups.io Links:
> You receive all messages sent to this group.
>
> View/Reply Online (#841) | Reply To Group | Reply To Sender | Mute This Topic | New Topic
> Your Subscription | Contact Group Owner | Unsubscribe []
>
> _._,_._,_
>
>
- [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/15/2022
- Re: [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/15/2022
- Re: [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/18/2022
- Re: [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/18/2022
- Message not available
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/19/2022
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Frédéric LOUI, 11/19/2022
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/20/2022
- Message not available
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/22/2022
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Frédéric LOUI, 11/19/2022
- Re: [rare-dev] [freertr] [RARE-users] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/19/2022
- Re: [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/18/2022
- Re: [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/15/2022
Archive powered by MHonArc 2.6.19.