Hello.
I have a setup with OSPF routing on my backbone, MPLS/VPLS from the core router to the Access Points and BGP routing on the provider side.
I also have a management LAN for DUDE, Radius server ++ on a different interface.
I want the router to fastpath the traffic on the backbone network, and at the same time use firewall for my management LAN.
Is this possible? Or should I set up a new router for the management LAN?
How can I do this to put minimum stress on my router?
Will the firewall filter rules slow the rest of the network down?
Can I choose to skip the firewall on some interfaces?
What is best practice on a core router?
I am happy for all help 
MPLS doesn’t go through the firewall at all.
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
I decided to put it to the test in a lab.
Starting with an empty configuration, I configured R1 ↔ R2 ↔ R3, with MPLS, LDP and OSPF as the IGP.
If I ping R1 from R3, it works and Wireshark confirms that there is an MPLS label on the packets as they leave R3.
In R2, I then put a forward chain rule to block all packets whose destination IP was R1.
The pings continued to work.
MPLS accelerates throughput because as soon as the router sees the label, it knows where to forward the traffic and immediately forwards the packet on its way.
The firewall did block packets if the destination IP was the link IP between R1 and R2…
R1 = 10.1.2.1
R2 = 10.1.2.2
So when I sent pings to 10.1.2.1 from R3, and had a firewall rule in R2 to filter this, then the filter worked, where a rule to block pings to 10.10.10.1 (R1’s loop IP) couldn’t block the packets.
This is because R2 was doing penultimate hop popping, and as the native IP packet was trying to leave R2 on its way to R1, the filter was able to see it and block it.
EDIT:
So I guess the answer to your question is “yes” - assuming that the management LAN is directly connected to your MPLS router. MPLS will fast track the backbone traffic for you (no firewall rules required / or even possible for that matter) and will filter the mgmt LAN.
Thank you for your time.
As I understand it here, the traffic will only fastpath if it both enters and exits as MPLS switched traffic.
From http://wiki.mikrotik.com/wiki/Manual:Fast_Path:
MPLS handler
MPLS fast path is automatically used for interfaces that support this feature.
Currently MPLS fast-path applies only to MPLS switched traffic (frames that enter router as MPLS and must leave router as MPLS) - MPLS ingress and egress (including VPLS tunnel endpoints that do VPLS encap/decap) will operate as before.
My management LAN is on the Core router (your R1)
This is the same router that is routing the traffic from my provider to the MPLS/VPLS ingress point.
I guess the firewall filters are active for the traffic before it enters the MPLS/VPLS tunnel.
What do you think?
Yes - if your upstream interface isn’t MPLS-enabled (and it won’t be because an ISP isn’t going to let their MPLS network flow into a customer’s network) then packets are going to be arriving at your router as regular IPv4 packets - i.e. no fast path. Of course you could probably put a fasttrack action on the forwarding table which might speed things up (not sure if this will work with the egress requiring a label push…)
In general, you’re probably better off having your border routers be different routers than your core routers anyway - and this is just one reason. If you’re using MPLS, then make sure that your core is all P-routers. PE-routers have much higher CPU demands due to the encaps/decaps decision making.
Thanks again.
I guess I need to let my PE router stay without firewall filters for Fast Path to be enabled and buy another router for my management LAN where I can filter traffic. There's no point in customer traffic passing my firewall.
Do you agree?
Do you think it's safe to let my PE router stay without any firewall filter, and only block access to the router management through the service list?
Or is there a better way of doing this?
Or am I missing a big part here?
Do you know what is best practice?
No - MPLS fastpath and IP firewall are mutually exclusive - meaning that wherever one works, the other can’t. It’s not whether you enable one or the other, but because of how MPLS works.
If a packet enters a router as an MPLS-tagged packet, then you can’t firewall this packet. (as far as I can see from a little playing around in GNS3, and based on the packet flow diagram). So turning on firewall rules won’t break fast path - fast path “breaks” firewall.
A PE router can do firewall filtering and standard fast-track towards native IP interface. (non-mpls egress)
Mikrotik might need to weigh in on this next item: I don’t know whether fasttrack (the firewall filter/mangle action) will work for a packet that’s received as native IP, but whose next hop is MPLS. It is certainly able to be filtered by the firewall.
If you want to filter packets on the core router to limit management access to the router, that won’t affect your fastpath MPLS traffic because such packets will arrive at the router without MPLS tags on them anyway… so let your decision be made based on cost and logical network design principles, and not whether fastpath will work.
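A sketch of the setup discussed in the reply above, added here as an example and not taken from any poster's router: input-chain rules that limit management access to the management LAN while keeping the OSPF, LDP and BGP control plane reachable, plus the service-list restriction asked about. The interface name `ether-mgmt`, the subnet 192.0.2.0/24, the BGP peer 198.51.100.1 and the /24 mask on the lab's 10.1.2.x link are assumptions.

```routeros
# Added example. Constructed values: ether-mgmt, 192.0.2.0/24 (management LAN),
# 198.51.100.1 (upstream BGP peer), 10.1.2.0/24 and 10.10.10.1 (backbone, mask assumed).
/ip firewall address-list
add list=mgmt address=192.0.2.0/24
add list=backbone address=10.1.2.0/24
add list=backbone address=10.10.10.1

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# The control plane must stay reachable, or the backbone adjacencies drop
add chain=input protocol=ospf src-address-list=backbone action=accept comment="OSPF"
add chain=input protocol=udp dst-port=646 src-address-list=backbone action=accept comment="LDP hello"
add chain=input protocol=tcp dst-port=646 src-address-list=backbone action=accept comment="LDP session"
add chain=input protocol=tcp dst-port=179 src-address=198.51.100.1 action=accept comment="BGP"
# Management only from the management LAN interface
add chain=input in-interface=ether-mgmt src-address-list=mgmt action=accept comment="mgmt"
add chain=input action=drop comment="drop everything else to the router"

# forward chain: protect hosts on the management LAN (Dude, RADIUS)
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether-mgmt action=accept
# Any service that must be reachable from outside needs an accept rule above this line
add chain=forward out-interface=ether-mgmt action=drop comment="no new connections into mgmt LAN"

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=192.0.2.0/24
set winbox address=192.0.2.0/24
```

Add every backbone link and loopback to the `backbone` list before enabling the final input drop, and apply the rules from a session that the `mgmt` rule already permits.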
I think you are right.
Thank you. This was really helpful
Performance-wise I guess it's best to let my PE have as few firewall filters as possible and have a different router for my internal servers and management LAN.