Package: linux-image-5.10.0-8-amd64
Version: 5.10.46-4

I have a host device which is directly connected to a Debian router. On both sides there are interfaces enp0s9. The host device has a default route; the next hop is the router.

The router has three network interfaces:

  enp0s3 - connected to WAN, no VRF (default)
  enp0s9 - connected to end host, assigned to VRF vrf-routing
  dummy0 - assigned to vrf-routing

When I ping from the end host to the dummy0 interface, everything works well. The issue is when I ping from the end host a network which is not in the vrf-routing table on the router, for example 8.8.8.8. Then routing leaks from the vrf-routing table and jumps to the default table. The packet is then routed to the WAN via the default table on the router.

root@host:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.2/24 brd 192.168.10.255 scope global enp0s9
       valid_lft forever preferred_lft forever

root@host:~# ip -4 r
default via 192.168.10.1 dev enp0s9
192.168.10.0/24 dev enp0s9 proto kernel scope link src 192.168.10.2

root@host:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:b1:8f:b6 brd ff:ff:ff:ff:ff:ff

root@router:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85358sec preferred_lft 85358sec
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vrf-routing state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global enp0s9
       valid_lft forever preferred_lft forever
6: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf-routing state UNKNOWN group default qlen 1000
    inet 192.168.255.255/32 scope global dummy0
       valid_lft forever preferred_lft forever

root@router:~# ip -4 r
default via 10.0.2.2 dev enp0s3
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15

root@router:~# ip vrf
Name              Table
-----------------------
vrf-routing         10

VRF routing works well:

root@host:~# ping 192.168.255.255
PING 192.168.255.255 (192.168.255.255) 56(84) bytes of data.
64 bytes from 192.168.255.255: icmp_seq=1 ttl=64 time=0.438 ms
64 bytes from 192.168.255.255: icmp_seq=2 ttl=64 time=0.537 ms
^C
--- 192.168.255.255 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1038ms
rtt min/avg/max/mdev = 0.438/0.487/0.537/0.049 ms

If I start a ping on the host to 8.8.8.8, then I see this packet leak from VRF vrf-routing and jump into the default routing table:

root@router:~# tcpdump -i enp0s3
...
19:17:28.104547 IP 192.168.10.2 > dns.google: ICMP echo request, id 23874, seq 5, length 64
...
19:17:29.123176 IP 192.168.10.2 > dns.google: ICMP echo request, id 23874, seq 6, length 64
...

A hotfix for this issue is to add an unreachable route with the highest metric:

ip -4 route add vrf vrf-routing unreachable default metric 4278198272
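
Added example, not part of the original report: a shell check that reads the output of `ip -4 route show vrf <name>` and reports whether the VRF table has a default route that keeps lookups from continuing into later tables, which is what the hotfix above provides. The function names `classify_vrf_default` and `audit_vrf` are hypothetical, and the two sample route dumps are constructed from the addresses in the report.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the bug report.

# Classify the default route of one VRF table.
# stdin:  output of `ip -4 route show vrf <name>`
# stdout: fallthrough | terminated | forwards
# Metrics are not compared: any unicast default is reported as "forwards".
classify_vrf_default() {
    awk '
        # Reject-type defaults end the lookup inside the VRF table.
        $2 == "default" && $1 ~ /^(unreachable|blackhole|prohibit)$/ { reject = 1; next }
        # "throw default" makes this table report no match, so the
        # lookup continues with the next rule: it is not a terminator.
        $1 == "throw" { next }
        # A unicast default sends traffic to a next hop inside the VRF.
        $1 == "default" { unicast = 1 }
        END {
            if (unicast)      print "forwards"
            else if (reject)  print "terminated"
            else              print "fallthrough"
        }'
}

# Constructed route dumps using the addresses from the report.
SAMPLE_BEFORE='192.168.10.0/24 dev enp0s9 proto kernel scope link src 192.168.10.1'
SAMPLE_AFTER="$SAMPLE_BEFORE
unreachable default metric 4278198272"

# Live use on the router (needs iproute2): audit_vrf vrf-routing
audit_vrf() {
    printf '%s: %s\n' "$1" "$(ip -4 route show vrf "$1" | classify_vrf_default)"
}

# Demo on the constructed samples only; no ip command is run here.
printf 'before hotfix: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | classify_vrf_default)"
printf 'after hotfix:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | classify_vrf_default)"
```

A verdict of `fallthrough` marks a VRF whose unmatched destinations can be resolved by tables outside the VRF.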