Hello, I have a vrf ‘data-vrf’, which works fine if the firewall is set to blanket accept. However, I need to filter incoming traffic, so I have rules like this (this seems to be the way if I need to match by incoming interface in a vrf):
/ip firewall filter
[…]
add action=accept chain=forward comment="allow icmp" protocol=icmp
add action=accept chain=forward comment="allow established and related" connection-state=established,related
add action=jump chain=forward comment="check upstream traffic" connection-mark=upstream in-interface=data-vrf jump-target=from-all-to-lan
add action=accept chain=forward comment="allow local traffic" connection-mark=local in-interface=data-vrf
add action=drop chain=forward comment="block the rest (if any)"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=br-lan new-connection-mark=local
add action=mark-connection chain=prerouting connection-state=new in-interface=sfp1 new-connection-mark=upstream
The moment the mangle rules are added, while everything works as expected on that very “session”, on the next reboot, and then about 1/4 of the reboots, it gets in a state where no traffic goes through the vrf interfaces (not even ARP), firewall counters aren’t counting matches, interfaces are. Can’t even ping the router’s address on the vrf.
Reboot, works, reboot again, doesn’t.
Tried several variations on the theme, changed ordering, moving rules around, as long as there are the mangle and jump, it will happen at random.
Matching by address isn’t an option, unfortunately. The issue seems to have appeared in the latest v7; not sure I can track back when. Hardware is hAP ac, happens with or without fasttrack.
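As an added example (not code from the original post), a small Python lint over a RouterOS `/ip firewall` export like the one above: it checks that every `jump-target` has at least one rule in the export and that every `connection-mark` a filter rule matches on is actually assigned by some mangle `new-connection-mark`. The sample text is constructed from the rules quoted above with the elided `[…]` part left out, so the `from-all-to-lan` chain is reported as missing.

```python
import re

# Constructed sample: the filter and mangle rules quoted in the post,
# without the "[...]" part, so the from-all-to-lan chain is absent.
RULES_EXPORT = """\
/ip firewall filter
add action=accept chain=forward comment="allow icmp" protocol=icmp
add action=accept chain=forward comment="allow established and related" connection-state=established,related
add action=jump chain=forward comment="check upstream traffic" connection-mark=upstream in-interface=data-vrf jump-target=from-all-to-lan
add action=accept chain=forward comment="allow local traffic" connection-mark=local in-interface=data-vrf
add action=drop chain=forward comment="block the rest (if any)"
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=br-lan new-connection-mark=local
add action=mark-connection chain=prerouting connection-state=new in-interface=sfp1 new-connection-mark=upstream
"""

# key=value pairs; values may be quoted (comments with spaces) or bare tokens
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add' line."""
    section, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            rules.append((section, kv))
    return rules


def lint_rules(text):
    """Report jump targets with no rules and connection marks never assigned."""
    rules = parse_export(text)
    chains = {kv["chain"] for _, kv in rules if "chain" in kv}
    assigned = {kv["new-connection-mark"] for _, kv in rules
                if "new-connection-mark" in kv}
    findings = []
    for _section, kv in rules:
        if kv.get("action") == "jump" and kv.get("jump-target") not in chains:
            findings.append(f"jump-target '{kv['jump-target']}' has no rules in the export")
        if "connection-mark" in kv and kv["connection-mark"] not in assigned:
            findings.append(f"connection-mark '{kv['connection-mark']}' is never assigned by mangle")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(RULES_EXPORT):
        print(finding)
```

Run it against a full `/export` to catch a jump into a chain that was never created or a filter rule keyed on a mark that no mangle rule sets, both of which silently drop or bypass traffic rather than error out.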