Subject: RARE user and assistance email list
List archive
- From: Gabriel Tetzner <>
- To: ,
- Cc: , , Frédéric LOUI <>
- Subject: Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration
- Date: Sat, 19 Nov 2022 01:00:27 -0300
Hello Frédéric,
I saw your e-mail, thank you,
but I had not completed the e-mail I was writing,
sorry for the delay.
I need some hints.
I think I managed to get the vrf to recognize the gateway output.
I did it with hairpin11 and hairpin12 and set up a route in vrf VXLAN to 1.1.1.1, which would be my egress port:
interface hairpin11
 vrf forwarding inet
 ipv4 address 1.1.1.1 255.255.255.0
 ipv6 address 1234::1 ffff::
 no shutdown
 no log-link-change
 exit
!
interface hairpin12
 vrf forwarding vxlan
 ipv4 address 1.1.1.2 255.255.255.0
 ipv6 address 1234::2 ffff::
 no shutdown
 no log-link-change
 exit
!
ipv4 route vxlan 0.0.0.0 0.0.0.0 1.1.1.1
!
output:
vcpe1#ping 8.8.8.8 vrf vxlan
pinging 8.8.8.8, src=null, vrf=vxlan, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false
!!!!!
result=100.0%, recv/sent/lost/err=5/5/0/0, took 64, min/avg/max/dev rtt=12/12.4/13/0.2, ttl 117/117/117/0.0, tos 0/0.0/0/0.0
vcpe1#show ipv4 route inet
typ prefix metric iface hop time
DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.x 00:00:34
C 1.1.1.0/24 0/0 hairpin11 null 00:06:45
LOC 1.1.1.1/32 0/1 hairpin11 null 00:06:45
C 10.255.255.0/24 0/0 ethernet20001 null 00:06:45
LOC 10.255.255.254/32 0/1 ethernet20001 null 00:06:45
C 200.x.x.x/28 0/0 ethernet1 null 00:00:34
REM 200.x.x.x/32 0/0 ethernet1 200.137.68.65 00:00:34
LOC 200.x.x.x/32 0/1 ethernet1 null 00:00:34
vcpe1#show ipv4 route vxlan
typ prefix metric iface hop time
S 0.0.0.0/0 1/0 hairpin12 1.1.1.1 00:06:31
C 1.1.1.0/24 0/0 hairpin12 null 00:06:39
LOC 1.1.1.2/32 0/1 hairpin12 null 00:06:39
C 10.0.0.0/24 0/0 tunnel2 null 00:06:39
LOC 10.0.0.2/32 0/1 tunnel2 null 00:06:39
D 10.10.10.0/24 90/20 tunnel1 124.0.2.1 00:06:31
D 20.20.20.0/24 90/10 tunnel1 124.0.2.1 00:06:31
D 30.30.30.0/24 90/30 tunnel1 124.0.2.1 00:06:31
C 124.0.2.0/28 0/0 tunnel1 null 00:06:39
LOC 124.0.2.2/32 0/1 tunnel1 null 00:06:39
S 200.x.x.x/28 1/0 hairpin12 1.1.1.1 00:06:31
You have helped a lot by revealing these tips. Now I am trying to make my vrf vxlan ping an internal network, in this case 200.137.68.64/28. I added an output on the vrf vxlan; however, I think this is an access-list issue:
object-group network host4
 sequence 10 10.255.255.0 255.255.255.0
 sequence 20 124.0.2.0 255.255.255.240
 sequence 30 10.0.0.0 255.255.255.0
 sequence 40 1.1.1.0 255.255.255.0
 sequence 50 200.x.x.x 255.255.255.240
 exit
!
access-list nat4
 sequence 10 deny all obj lloc4 all any all
 sequence 20 deny all any all obj mcast4 all
 sequence 30 deny all obj host4 all obj host4 all
 sequence 40 permit all obj host4 all any all
 exit
!
access-list nat6
 sequence 10 deny all obj lloc6 all any all
 sequence 20 deny all any all obj mcast6 all
 sequence 30 deny all obj host6 all obj host6 all
 sequence 40 permit all obj host6 all any all
 exit
!
output:
vcpe1#ping 200.x.x.76 vrf vxlan
pinging 200.137.68.76, src=null, vrf=vxlan, cnt=5, len=64, df=false, tim=1000, gap=0, ttl=255, tos=0, sgt=0, flow=0, fill=0, alrt=-1, sweep=false, multi=false
.....
result=0.0%, recv/sent/lost/err=0/5/5/0, took 5007, min/avg/max/dev rtt=10000/0.0/0/0.0, ttl 256/0.0/0/0.0, tos 256/0.0/0/0.0
vcpe1#
I would like some tips on how to achieve this.
Yours truly,
Gabriel Tetzner Menegueti
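The nat4 access-list in the message above can be walked by hand to see which sequence a given flow hits. The following Python script is an added example, not code from the thread or from freeRtr: it models the posted object-group and access-list as a first-match list and evaluates the two pings shown above. It assumes (a) that freeRtr evaluates sequences in order with the first match deciding and an implicit deny at the end, (b) that a deny in a NAT source list means "do not translate" rather than "drop", (c) that the ping sent from vrf vxlan with src=null leaves hairpin12 with source 1.1.1.2, and (d) that the masked 200.x.x.x /28 entry in host4 is the 200.137.68.64/28 network named in the same message. The lloc4 and mcast4 groups are not on the page; the ranges used for them here are constructed.

```python
import ipaddress

# Constructed object-groups. host4 mirrors the group posted in the thread,
# with the masked 200.x.x.x/28 entry assumed to be 200.137.68.64/28.
# lloc4 and mcast4 are not shown on the page; these ranges are assumptions.
OBJECT_GROUPS = {
    "host4": [
        "10.255.255.0/24",
        "124.0.2.0/28",
        "10.0.0.0/24",
        "1.1.1.0/24",
        "200.137.68.64/28",
    ],
    "lloc4": ["169.254.0.0/16"],   # assumed: IPv4 link-local
    "mcast4": ["224.0.0.0/4"],     # assumed: IPv4 multicast
}

# The nat4 access-list as posted: (sequence, action, source group, destination group).
# "any" places no constraint on that side. Protocol and ports are "all" in every
# entry, so they are not modelled here.
NAT4_ACL = [
    (10, "deny", "lloc4", "any"),
    (20, "deny", "any", "mcast4"),
    (30, "deny", "host4", "host4"),
    (40, "permit", "host4", "any"),
]


def in_group(ip, group):
    """True if ip falls inside any prefix of the named object-group ("any" always matches)."""
    if group == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in OBJECT_GROUPS[group])


def evaluate(acl, src, dst):
    """First-match walk of the ACL (assumed freeRtr semantics).

    Returns (sequence, action); (None, "deny") models the implicit deny at the end.
    """
    for seq, action, src_grp, dst_grp in acl:
        if in_group(src, src_grp) and in_group(dst, dst_grp):
            return seq, action
    return None, "deny"


def nat_decision(src, dst):
    """Human-readable verdict, under the assumption that deny == 'leave untranslated'."""
    seq, action = evaluate(NAT4_ACL, src, dst)
    where = f"sequence {seq}" if seq is not None else "implicit deny"
    outcome = "translated" if action == "permit" else "NOT translated"
    return f"{src} -> {dst}: {where} ({action}), packet {outcome}"


if __name__ == "__main__":
    # The two pings from the message: the first worked, the second did not.
    print(nat_decision("1.1.1.2", "8.8.8.8"))          # sequence 40 (permit)
    print(nat_decision("1.1.1.2", "200.137.68.76"))    # sequence 30 (deny)
    # A LAN-to-LAN flow that sequence 30 is normally there to exempt.
    print(nat_decision("200.137.68.69", "200.137.68.76"))
```

Under these assumptions the ping to 8.8.8.8 reaches sequence 40 and is translated, while the ping to 200.137.68.76 stops at sequence 30 because both 1.1.1.0/24 and the /28 sit in host4, so it leaves untranslated with a source of 1.1.1.2 that the internal hosts have no return route for. Sequence 30 is the usual "do not NAT internal-to-internal" exemption; the script just makes visible that adding the hairpin subnet to host4 pulls hairpin-to-LAN traffic under that exemption. Whether that is the actual cause on the live router still has to be confirmed against freeRtr's own counters.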
On Fri, 18 Nov 2022 at 16:47, Gabriel Tetzner via groups.io <gabrieltetznermenegueti16=> wrote:
Hello Frédéric,
I think I managed to make the vrf recognize the gateway output.
I did it with hairpin11 and hairpin12 and set up a route from vrf VXLAN to 1.1.1.1, which would be my gateway output:
On Tue, 15 Nov 2022 at 18:01, Frédéric LOUI <> wrote:
Hi,
What you are referring to is called inter-VRF routing.
You have multiple ways to achieve that.
For example you can use:
1- multiple MPLS route-target and from a site connected to a PE that import both RT, you can do the inter-VRF routing.
2- freeRtr has a nice feature in order to bind VRFs locally that is called hairpin (Juniper calls this feature logical-tunnel interface).
3- Other method, such as route redistribution between VRF etc.
-2- is good if you are not familiar with service provider MPLS CORE. (I’m not sure about your design choice)
Take a look at this test case:
http://docs.freertr.org/guides/reference/md/conn-hairpin01.tst/
It binds v1 to hairpin11 and v2 to hairpin12, routing is done through this interface.
The cool thing is that you can apply ACL on hairpin11 and hairpin12 in order to filter traffic.
Not sure if I understood and answered your question though :-/
I’ll let mc36 elaborate more if needed.
All the best
Frederic
> On 15 Nov 2022 at 17:30, Gabriel Tetzner <> wrote:
>
> Hi all,
>
> sorry for the inconvenience and I know that everyone must be busy,
>
> I managed to make a wireguard client recognize our vxlan's tunnel infrastructure and reach another router from another available network, but I need to advance in one thing...
>
> Everything I am doing is separated into a vrf called VXLAN, but there is a global vrf called INET that freeRouter creates when it is installed in the virtual machine.
>
> This global INET vrf of mine has output to the Internet via an Ethernet1 interface that points to an outbound gateway; now consider that I want my other VXLAN vrf to have output to the Internet as well, so that I have the external connectivity in my routes.
>
> I thought about creating a second eth2 interface and linking it with pcapInt afterwards; I haven't done that yet, as I tried using a tapInt by default. In my research I saw that you have a way to import the routes from one vrf into the other, which is what they kind of call leaking, I'm not sure.
>
> Well, my question is: how can I make this vrf VXLAN communicate with the output (gateway), using some means that is possible for this?
>
> And on that note...
> The context of this is that I am looking for isolation of my network and for it to point to the Internet afterwards; I need this to do tests with SD-WAN as well, since I believe vpdn needs an output to reach the destination target of the SD-WAN server.
>
> Here are some configurations:
>
> prefix-list vrf_inet
> sequence 10 permit 0.0.0.0/0 ge 0 le 0
> exit
> !
> route-map VRF_TO_NET
> sequence 10 action permit
> sequence 10 match prefix-list vrf_inet
> !
> exit
> !
> route-map VRFINET_TO_VXLAN
> sequence 10 action permit
> sequence 10 match prefix-list vrf_inet
> !
> exit
> !
> vrf definition inet
> rd 200:200
> import4map VRF_TO_NET
> export4map VRFINET_TO_VXLAN
> exit
> !
> vrf definition vxlan
> description vxlan vrf isolation
> rd 100:100
> import4map VRFINET_TO_VXLAN
> export4map VRF_TO_NET
> exit
> !
> interface ethernet1
> description uplink
> vrf forwarding inet
> ipv4 address dynamic dynamic
> ipv4 gateway-prefix all4
> ipv4 dhcp-client enable
> ipv4 dhcp-client early
> ipv6 address dynamic dynamic
> ipv6 gateway-prefix all6
> ipv6 slaac-client enable
> ipv6 prefix-suppress
> router eigrp4 2 enable
> no shutdown
> no log-link-change
> exit
> !
> vcpe1#show ipv4 route inet
> typ prefix metric iface hop time
> DEF 0.0.0.0/0 0/2 ethernet1 200.x.x.65 00:00:21
> C 10.255.255.0/24 0/0 ethernet20001 null 12:05:01
> LOC 10.255.255.254/32 0/1 ethernet20001 null 12:05:01
> C 200.x.x.64/28 0/0 ethernet1 null 00:00:21
> REM 200.x.x.65/32 0/0 ethernet1 200.x.x.65 00:00:21
> LOC 200.x.x.69/32 0/1 ethernet1 null 00:00:21
>
> vcpe1#show ipv4 route vxlan
> typ prefix metric iface hop time
> C 10.0.0.0/24 0/0 tunnel2 null 12:09:08
> LOC 10.0.0.2/32 0/1 tunnel2 null 12:09:08
> C 124.0.2.0/28 0/0 tunnel1 null 12:09:08
> LOC 124.0.2.2/32 0/1 tunnel1 null 12:09:08
> C 200.x.x.85/32 0/0 ethernet2 null 11:27:19
>
> This ethernet2 is the interface I tried to create ;)
>
> Best regards,
> Gabriel Tetzner Menegueti.
>
- [RARE-users] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/15/2022
- Re: [RARE-users] [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/15/2022
- Re: [RARE-users] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/18/2022
- Re: [RARE-users] [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/18/2022
- Message not available
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/19/2022
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/19/2022
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/20/2022
- Message not available
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/22/2022
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/19/2022
- Re: [RARE-users] [freertr] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/19/2022
- Re: [RARE-users] [rare-dev] Routing Internet by tunnel configuration, Gabriel Tetzner, 11/18/2022
- Re: [RARE-users] [rare-dev] Routing Internet by tunnel configuration, Frédéric LOUI, 11/15/2022