Network isolation using VRF?

Hello,

Is it possible to do network isolation using VRF?

Let's say you have 10.0.10.1 and 10.0.11.1 set up with all the bridges, networks, DHCP etc.
As far as I understand, MikroTik will do routing between them automatically.

So if you want them to be isolated, can you do it via VRF, or do you need rules like forward drops between them?

PS: sorry, I know there are 100 posts about network isolation, but I'd like to do the cleanest setup.

I ended up just making a routing rule that drops between both networks.

Seems to me the cleanest way to do this.

or just firewall drop rule(s)

but in general, I agree.

  1. What is the difference w.r.t. the load on the CPU for both methods?
  2. If I basically just allow LAN to WAN traffic in my forward chain and have a generic drop-all rule last,
  • does that stop traffic between bridges, and thus I don't need many rules, just one?

Some experience I had with some other routers: the general setup is that if you have 2 networks, they won't see each other until you do routing.

But MikroTik for some reason does this for you. So to break this link, all I did was:

/ip route rule
# drop packets from network bb to network aa at the routing decision
add action=drop dst-address=192.168.aa.0/24 src-address=192.168.bb.0/24
# and the reverse direction, so neither side can reach the other
add action=drop dst-address=192.168.bb.0/24 src-address=192.168.aa.0/24

Done, with no messy firewall rules that clutter up the already busy firewall list.

Hope this helps someone in the future.
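The two approaches discussed in this thread, written out as a complete RouterOS configuration. This is an added example, not a config posted by anyone in the thread; it assumes RouterOS v7 syntax (`/ip vrf` and `/routing rule` replaced `/ip route vrf` and `/ip route rule` in v7), and the interface names (ether1, bridge10, bridge11), the interface lists, the VRF name and the WAN gateway address are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. RouterOS v7 syntax assumed.
# Two LAN bridges (10.0.10.0/24 on bridge10, 10.0.11.0/24 on bridge11)
# behind one WAN uplink (ether1, upstream gateway 192.0.2.1 assumed).

# Interface lists keep the firewall generic: any bridge added to LAN is
# covered by the same rules, so isolating a third network costs no new rule.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge10 list=LAN
add interface=bridge11 list=LAN

/ip address
add address=10.0.10.1/24 interface=bridge10
add address=10.0.11.1/24 interface=bridge11

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT to Internet"

# Option A: stateful default-deny forward chain.
# Return traffic is accepted first, LAN->WAN is allowed, and everything else
# that is routed through the box (bridge10<->bridge11, WAN-initiated) reaches
# the final drop. Because LAN->LAN is never accepted, one drop rule at the end
# isolates every bridge in the LAN list from every other.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to Internet"
add chain=forward action=drop comment="default deny: also blocks inter-bridge traffic"

# Option B: give one network its own VRF.
# A VRF owns a separate routing table, so the main table no longer holds a
# connected route to 10.0.11.0/24 and the guest table holds none to
# 10.0.10.0/24: packets between the two networks are dropped at the routing
# decision, before the forward chain is consulted. The VRF table also has no
# default route of its own, so one is leaked from main (assumed gateway).
/ip vrf
add name=guest interfaces=bridge11
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1@main routing-table=guest comment="leak default route into guest VRF"

# Option C (v7 form of the route rule posted above): policy-routing drop.
# Like the VRF, this discards the packet at the routing decision, so the
# forward filter chain never sees it.
/routing rule
add action=drop src-address=10.0.10.0/24 dst-address=10.0.11.0/24
add action=drop src-address=10.0.11.0/24 dst-address=10.0.10.0/24
```

In the RouterOS packet flow, the routing decision (where routing rules and VRF lookups apply) comes before the forward filter chain, so options B and C never reach the firewall, while option A relies on the firewall and keeps the routing tables as they were. Option A is the one that stays in place if addressing changes, since it matches on interface lists rather than subnets; options B and C need updating whenever a network's prefix changes.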

Regarding this, perhaps someone with some more in-depth experience can explain how the traffic goes through the router.

So does it check the firewall first and then routing, or is it the other way around?

You can find this in the manual: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Nice try but I went over the diagrams and nothing is clear in terms of order.

As far as my knowledge goes, any router will automatically route between directly connected networks, including Cisco.