I have two locations with eBGP to upstream ISPs as well as private networks behind NAT. I need to exchange routes on both the external side as well as the private internal side. Currently this is done with two iBGP instances on the routers at both locations - one instance dedicated to public internet routes, the other to the private routes. These are in separate VRFs so there is no chance of “leaking” internal traffic to the outside.
Previously we used a dedicated firewall / VPN at both sites; it was connected to both of these VRFs (2 interfaces), doing NAT + FW duties. It was also the default route for any internet-bound traffic at that site (masquerade).
So now I want to get rid of that extra FW/VPN and just replace it with firewall / mangle rules. If everything were in the same VRF this would be easy, just slap in rules... but I have VRFs, and getting rid of them would be a big redo of the network.
Can I set up some kind of virtual point-to-point link where one end is in a different VRF than the other? That would probably be the cleanest option. As an alternative, I know it’s possible to leak routes between VRFs, and I’ve done it once on older 6.x as well as non-MikroTik boxes... but it’s pretty messy and I’ve no idea what the best way to do it is in 7.16.