Better VRF support
Open, NormalPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	diodep
	Mar 28 2023, 7:21 AM

Description

In some core network, public Internet will be treated as a VRF in the router. But VyOS doesn't seem to have really good support on VRFs.

For example, you can't use IPsec/OpenVPN to punch a tunnel through a VRF (T5049, T4031). And NTP/DNS client can't correctly handle VRF.

e.g. If I set a public accessible DNS server, the dns service works only in ip vrf exec internet ping <some domain>, but not in ping <some domain>.

And source NAT is not working when I want to NAT between two VRFs, too (T3655). VyOS can correct translate the outbound packet in the source nat rule, but doesn't handle the reply (inbound) packet correctly.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202303280317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects
Search...

Status	Subtype	Assigned	Task
Open	FEATURE REQUEST	None	T5116 Better VRF support
Open	BUG	None	T5371 "system name-server" is not vrf aware
Open	FEATURE REQUEST	None	T5425 enable VRF for conntrack-sync

Event Timeline

diodep triaged this task as Wishlist priority.Mar 28 2023, 7:21 AM

diodep created this task.

diodep created this object in space S1 VyOS Public.

diodep updated the task description. (Show Details)Mar 28 2023, 7:24 AM

pasik added a subscriber: pasik.Mar 28 2023, 8:24 AM

Viacheslav changed the subtype of this task from "Task" to "Feature Request".Mar 28 2023, 12:35 PM

Do you know how to tell Linux to use nameservers within a VRF?
What you mean IPSec/OpenVPN "punch a tunnel through a VRF" ? So the underlay should run via a VRF? source-interface binding does not work?

In T5116#147640, @c-po wrote:

Do you know how to tell Linux to use nameservers within a VRF?
What you mean IPSec/OpenVPN "punch a tunnel through a VRF" ? So the underlay should run via a VRF? source-interface binding does not work?

First, I don't know how to tell applications use a nameserver within a VRF, but maybe you can use dnsmasq to relay DNS server from a VRF to global, it solves problem but not pretty.

Secondly, the underlay network should run via a VRF, source-interface binding doesn't work, I have to change systemd charon service to run in a VRF (ip vrf exec ...), but it's too ugly too, and can't run multiple IPsec tunnel over different VRFs.

I think the only solution is to use network namespaces
https://docs.strongswan.org/docs/5.9/howtos/nameSpaces.html

In T5116#147654, @Viacheslav wrote:

I think the only solution is to use network namespaces
https://docs.strongswan.org/docs/5.9/howtos/nameSpaces.html

Well, use VRF can implement this, but we have to figure out a proper way to start bunch of strongswan in different VRFs.

Because I tried ip vrf exec internet_vrf charon and it worked out, maybe I should say acceptable. But if I doing this, IPsec VPN's source interface have to in one of VRF, not all VRFs.

eronlloyd added a subscriber: eronlloyd.Jul 11 2023, 1:05 AM

n.fort mentioned this in T5371: "system name-server" is not vrf aware.Jul 19 2023, 6:23 PM

Out of the blue it seems like "network namespaces" would solve alot of current VRF compatability issues within VyOS:

https://linuxhint.com/use-linux-network-namespace/

dmbaturin raised the priority of this task from Wishlist to Normal.Jan 9 2024, 6:03 PM

dmbaturin added a subtask: T5371: "system name-server" is not vrf aware.

dmbaturin added a subtask: T5425: enable VRF for conntrack-sync.

SrividyaA added a subscriber: SrividyaA.Jan 29 2024, 6:30 AM

I-n-d-y added a subscriber: I-n-d-y.Feb 5 2024, 6:15 AM

hsw0 added a subscriber: hsw0.Feb 17 2024, 12:41 PM

dmbaturin edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.Fri, Apr 12, 1:54 PM