SRCNAT not working for VRF subnets learned from BGP Neighbor

lewstherin · January 5, 2026, 6:17pm

Hello everyone first time posting so I apologize for any etiquette mistakes.

I’m building my first home lab and this is my first journey with Mikrotik. I have a RB5009 and I am using it to segment a bit of my home network. I have VRFs built and I am using an OPNsense firewall to be a security point between the VRFs and the main routing table.

Everything is working for the most part. I am using BGP to share routes and inter network traffic functions just fine. My problem is that once I move the networks/vlans from the main routing table to the vrf instance I no longer can get the traffic to hit any SRCNAT rules. Since it wont NAT the ISP router cannot get the traffic back.

Ill include the whole config but if that’s not generally liked let me know for future posts.

quick note that I do have fast path disabled as some posts mentioned that would not work with vrfs

2026-01-05 12:11:43 by RouterOS 7.18.2

# model = RB5009UG+S+
/interface bridge
add admin-mac=04:F4:1C:9B:C4:92 auto-mac=no comment=defconf name=bridge
add name=trunk01 vlan-filtering=yes
/interface vlan
add interface=ether3 name=fw_transit_dmz vlan-id=1099
add interface=ether3 name=fw_transit_home vlan-id=1010
add interface=ether3 name=fw_transit_office vlan-id=1333
add interface=ether3 name=fw_transit_server vlan-id=1050
add interface=ether3 name=fw_transit_work vlan-id=1020
add comment="Home Network" interface=trunk01 name=home vlan-id=10
add comment="DMZ Network" interface=trunk01 name=dmz vlan-id=99
add comment="Office Network" interface=trunk01 name=office vlan-id=333
add comment="Server Network" interface=trunk01 name=server vlan-id=50
add comment="Wireless Network" interface=trunk01 name=wireless vlan-id=100
add comment="Work Network" interface=trunk01 name=work vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="Work Network DHCP" name=work_dhcp ranges=10.1.20.20-10.1.20.254
add comment="Home Network" name=home_dhcp ranges=10.1.10.20-10.1.10.254
add comment="Server Network" name=server_dhcp ranges=10.1.50.200-10.1.50.254
add comment="Wireless Network" name=wireless_dhcp ranges=192.168.4.10-192.168.7.254
add comment="Office Network" name=office_dhcp ranges=10.33.3.20-10.33.3.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=work_dhcp interface=work name="Work DHCP Network"
add address-pool=office_dhcp interface=office name="Office DHCP Network"
add address-pool=home_dhcp interface=home name="Home DHCP Network"
add address-pool=server_dhcp interface=server name="Server DHCP Network"
add address-pool=wireless_dhcp interface=wireless name="Wireless DHCP Network"
/ip vrf
add interfaces=fw_transit_office name=office_vrf
add interfaces=dmz,fw_transit_dmz name=dmz_vrf
add interfaces=fw_transit_server name=server_vrf
add interfaces=fw_transit_work name=work_vrf
add interfaces=fw_transit_home name=home_vrf
add interfaces=none name=inet_vrf
/routing bgp template
add as=65000 disabled=no name=eBGP_vrf_template nexthop-choice=force-self output.redistribute=connected,static,bgp
/routing table
add fib name=inet_vrf
add fib name=home_vrf
add fib name=work_vrf
add fib name=dmz_vrf
add fib name=office_vrf
add fib name=server_vrf
/routing bgp template
set default disabled=yes output.redistribute=connected,static,bgp routing-table=main
add as=65099 disabled=no name=eBGP_dmz_template nexthop-choice=force-self output.keep-sent-attributes=yes .redistribute=connected,static,bgp router-id=10.255.99.1 routing-table=\
    dmz_vrf vrf=dmz_vrf
add as=65010 disabled=no name=eBGP_home_template nexthop-choice=force-self output.redistribute=connected,static,bgp router-id=10.255.10.1 routing-table=home_vrf vrf=home_vrf
add as=65020 disabled=no name=eBGP_work_template nexthop-choice=force-self output.redistribute=connected,static,bgp router-id=10.255.20.1 routing-table=work_vrf vrf=work_vrf
add as=65050 disabled=no name=eBGP_server_template nexthop-choice=force-self output.redistribute=connected,static,bgp router-id=10.255.50.1 routing-table=server_vrf vrf=server_vrf
add as=65333 disabled=no name=eBGP_office_template nexthop-choice=force-self output.redistribute=connected,static,bgp router-id=10.255.3.1 routing-table=office_vrf vrf=office_vrf
add as=65000 disabled=no name=eBGP_main_template nexthop-choice=force-self output.redistribute=connected,static,bgp router-id=10.255.1.1 routing-table=main vrf=main
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=trunk01 frame-types=admit-only-vlan-tagged interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=10
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=20
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=50
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=99
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=100
add bridge=trunk01 tagged=trunk01,ether8 vlan-ids=333
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Test interface=*F list=LAN
add comment="Home VLAN" interface=home list=LAN
add comment="Work VLAN" interface=work list=LAN
add comment="Office VLAN" interface=office list=LAN
add comment="Server VLAN" interface=server list=LAN
add comment="DMZ VLAN" interface=dmz list=LAN
add comment="Wireless VLAN" interface=wireless list=LAN
add interface=ether2 list=LAN
add comment="Home VRF transit" interface=fw_transit_home list=LAN
add comment="Work VRF transit" interface=fw_transit_work list=LAN
add comment="Server VRF transit" interface=fw_transit_server list=LAN
add comment="DMZ VRF transit" interface=fw_transit_dmz list=LAN
add comment="Office VRF transit" interface=fw_transit_office list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.1.10.1/24 comment="Home Network SVI" interface=home network=10.1.10.0
add address=10.1.20.1/24 comment="Work Network SVI" interface=work network=10.1.20.0
add address=10.1.50.1/24 comment="Server Network SVI" interface=server network=10.1.50.0
add address=10.1.99.1/24 comment="DMZ Network SVI" interface=dmz network=10.1.99.0
add address=192.168.4.1/22 comment="Wireless Network SVI" interface=wireless network=192.168.4.0
add address=10.33.3.1/24 comment="Office Network SVI" interface=office network=10.33.3.0
add address=10.255.1.1/30 interface=ether2 network=10.255.1.0
add address=10.255.10.1/30 interface=fw_transit_home network=10.255.10.0
add address=10.255.20.1/30 interface=fw_transit_work network=10.255.20.0
add address=10.255.50.1/30 interface=fw_transit_server network=10.255.50.0
add address=10.255.3.1/30 interface=fw_transit_office network=10.255.3.0
add address=10.255.99.1/30 comment="DMZ Network Transit" interface=fw_transit_dmz network=10.255.99.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.10.1
add address=10.1.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.20.1 netmask=24
add address=10.1.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.50.1
add address=10.33.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.33.3.1
add address=192.168.4.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=log chain=forward log-prefix=DMZ-FWD src-address=10.1.99.0/24
add action=accept chain=input comment="Allow BGP" dst-port=179 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=log chain=output log-prefix=AFTER-NAT out-interface=ether1
/ip firewall mangle
add action=log chain=prerouting log-prefix=DMZ-PRE src-address=10.1.99.0/24
add action=log chain=postrouting log-prefix=POST-NAT out-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=10.1.99.0/24
add action=masquerade chain=srcnat comment="Internal NAT via WAN" out-interface-list=WAN src-address=10.0.0.0/8
add action=log chain=srcnat log-prefix=SRCNAT-ALL
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=log chain=srcnat log-prefix=ALL-SRCNAT
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing bgp connection
add as=65099 connect=yes disabled=no listen=yes local.address=10.255.99.1 .role=ebgp name=bgp_dmz_vrf nexthop-choice=force-self output.keep-sent-attributes=yes .network=\
    10.1.99.0/24 .redistribute=connected,static,bgp remote.address=10.255.99.2/32 .as=65001 routing-table=dmz_vrf templates=eBGP_vrf_template vrf=dmz_vrf
add as=65020 connect=yes disabled=yes listen=yes local.address=10.255.20.1 .role=ebgp name=bgp_work_vrf nexthop-choice=force-self output.redistribute=connected,static,bgp \
    remote.address=10.255.20.2/32 .as=65001 router-id=10.255.20.1 routing-table=work_vrf templates=eBGP_work_template vrf=work_vrf
add as=65333 connect=yes disabled=yes listen=yes local.address=10.255.3.1 .role=ebgp name=bgp_office_vrf nexthop-choice=force-self output.redistribute=connected,static,bgp \
    remote.address=10.255.3.2/32 .as=65001 router-id=10.255.3.1 routing-table=office_vrf templates=eBGP_office_template vrf=office_vrf
add as=65050 connect=yes disabled=yes listen=yes local.address=10.255.50.1 .role=ebgp name=bgp_server_vrf nexthop-choice=force-self output.redistribute=connected,static,bgp \
    remote.address=10.255.50.2/32 .as=65001 router-id=10.255.50.1 routing-table=server_vrf templates=eBGP_server_template vrf=server_vrf
add as=65010 connect=yes disabled=yes listen=yes local.address=10.255.10.1 .role=ebgp name=bgp_home_vrf nexthop-choice=force-self output.redistribute=connected,static,bgp \
    remote.address=10.255.10.2/32 .as=65001 router-id=10.255.10.1 routing-table=home_vrf templates=eBGP_home_template vrf=home_vrf
add as=65000 connect=yes disabled=no listen=yes local.address=10.255.1.1 .role=ebgp name=bgp_main_vrf nexthop-choice=force-self output.default-originate=if-installed \
    .redistribute=connected,static,bgp remote.address=10.255.1.2/32 .as=65001 router-id=10.255.1.1 routing-table=main templates=eBGP_main_template vrf=main
/routing filter rule
add chain=test
/system clock
set time-zone-name=America/Chicago
/system identity
set name=BTNetCore
/system logging
add topics=bgp,!packet,!raw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1 filter-ip-protocol=icmp

jaclaz · January 5, 2026, 6:54pm

Not only it is liked, it is actually suggested.

BUT, please enclose the configuration in CODE tags, the button with </> will do, though ideally it should be three backticks +RouterOS before the configuration and three backtick at the end.
Here I replaced backticks with single quotes:
'''RouterOS

'''
It will look like:

<your configuration>
#imagine this is a comment
/interface bridge
add admin-mac=04:F4:1C:9B:C4:92 auto-mac=no comment=defconf name=bridge
...

lewstherin · January 5, 2026, 6:58pm

Thanks! Updated and agreed that is much better.

CGGXANNX · January 6, 2026, 3:36am

Can you post the output of:

/ip route print proplist=dst-address,gateway,immediate-gw,routing-table,vrf-interface,scope,target-scope,distance

after you do this:

?

lurker888 · January 6, 2026, 3:53am

I think you should describe particular behaviors that are unexpected and try to explain them individually, perhaps with help on the forum.

One thing that stands out immediately is that in RouterOS, filter in/out-interface filters don't match physical interfaces, but the vrf interface, as described in the documentation. You even get a nice warning reminding you of this, but only if it's not done through interface lists - oh, the fun!

CGGXANNX · January 6, 2026, 9:34am

Does it also apply to the NAT table? I think it only applies to the filter table. In the doc the mangle rules for example can freely use in-interface (so that they can apply connection mark to later be used in filter).

I just tested and in-interface= with interface being member of VRF still works as expected for NAT rules.

Also, in OP's config ether1 is part of @main anyway.

My guess is that in OP's case the default route installed by DHCP client that uses ether1 as interface is present in none of the VRF routing tables.

lewstherin · January 6, 2026, 4:40pm

Here is the output you requested.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, b - BGP, d - DHCPColumns: DST-ADDRESS, GATEWAY, IMMEDIATE-GW, ROUTING-TABLE, VRF-INTERFACE, SCOPE, TARGET-SCOPE, DISTANCEDST-ADDRESS      GATEWAY                       IMMEDIATE-GW                   ROUTING-TABLE  VRF-INTERFACE  SCOPE  TARGET-SCOPE  DISTANCEDAd 0.0.0.0/0        192.168.1.1                   192.168.1.1%ether1             main           ether1            30            10         1DAb 192.168.4.0/22   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.1.10.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.1.20.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.1.50.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.1.99.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.33.3.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAc 192.168.1.0/24   ether1                        ether1                         main                             10             5         0DAc 192.168.88.0/24  bridge                        bridge                         main                             10             5         0DAc 10.255.1.0/30    ether2                        ether2                         main                             10             5         0DAb 10.255.3.0/30    10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.255.10.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.255.20.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.255.50.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 10.255.99.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20DAb 0.0.0.0/0        10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAc 192.168.4.0/22   wireless@home_vrf             wireless                       home_vrf                         10             5         0DAc 10.1.10.0/24     home@home_vrf                 home                           home_vrf                         10             5         0DAb 10.1.20.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.1.50.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.1.99.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.33.3.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 192.168.1.0/24   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 192.168.88.0/24  10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.255.1.0/30    10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.255.3.0/30    10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAc 10.255.10.0/30   fw_transit_home@home_vrf      fw_transit_home                home_vrf                         10             5         0DAb 10.255.20.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.255.50.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 10.255.99.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20DAb 0.0.0.0/0        10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 192.168.4.0/22   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.1.10.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAc 10.1.20.0/24     work@work_vrf                 work                           work_vrf                         10             5         0DAb 10.1.50.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.1.99.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.33.3.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 192.168.1.0/24   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 192.168.88.0/24  10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.255.1.0/30    10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.255.3.0/30    10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.255.10.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAc 10.255.20.0/30   fw_transit_work@work_vrf      fw_transit_work                work_vrf                         10             5         0DAb 10.255.50.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 10.255.99.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20DAb 0.0.0.0/0        10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 192.168.4.0/22   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.1.10.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.1.20.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAc 10.1.50.0/24     server@server_vrf             server                         server_vrf                       10             5         0DAb 10.1.99.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.33.3.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 192.168.1.0/24   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 192.168.88.0/24  10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.255.1.0/30    10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.255.3.0/30    10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.255.10.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 10.255.20.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAc 10.255.50.0/30   fw_transit_server@server_vrf  fw_transit_server              server_vrf                       10             5         0DAb 10.255.99.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20DAb 0.0.0.0/0        10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 192.168.4.0/22   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.1.10.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.1.20.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.1.50.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAc 10.1.99.0/24     dmz@dmz_vrf                   dmz                            dmz_vrf                          10             5         0DAb 10.33.3.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 192.168.1.0/24   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 192.168.88.0/24  10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.255.1.0/30    10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.255.3.0/30    10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.255.10.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.255.20.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAb 10.255.50.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20DAc 10.255.99.0/30   fw_transit_dmz@dmz_vrf        fw_transit_dmz                 dmz_vrf                          10             5         0DAb 0.0.0.0/0        10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 192.168.4.0/22   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.1.10.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.1.20.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.1.50.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.1.99.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAc 10.33.3.0/24     office@office_vrf             office                         office_vrf                       10             5         0DAb 192.168.1.0/24   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 192.168.88.0/24  10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.255.1.0/30    10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAc 10.255.3.0/30    fw_transit_office@office_vrf  fw_transit_office              office_vrf                       10             5         0DAb 10.255.10.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.255.20.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.255.50.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20DAb 10.255.99.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20

Each DHCP pool has their VRF interface set as the default gateway and the 0.0.0.0/0 I am learning from my ISP router (192.168.1.1) is getting learned by the OPNsense and shared to each VRF via the BGP interfaces.

If I have a network on the main table it can talk to any network behind the OPNsense so I’m very confident the routing itself is good.

Something I tested last night before bed is enabling the OPNsense to NAT traffic leaving it to ether2. When it NATs to 10.255.1.2 then it is able to hit the Mikrotik’s NAT rules to hit the ISP. Which is a work around I guess but I hate that at that point my traffic is getting triple NAT applied to it. (OPNsense,Mikrotik,ISP)

lurker888 · January 6, 2026, 5:04pm

Yep. What you've confirmed is what the docs sayand what I've stated. The filter rules will have to be rewritten.

The main problem is of course elsewhere, but that will probably only turn up in the routing tables.

EDIT: Ooooh, now I seem to get it. What OP is doing is that he wants to first receive the packets from the clients into a Mikrotik VRF, then send them out to an OPNsense, then get them back in, now into the main vrf and then src-nat them and eject them towards the Internet. Is this correct???

If it is, you'll have to add a raw notrack rule for the interfaces home, dmz, etc. (all trunk01 vlans).

CGGXANNX · January 6, 2026, 5:17pm

Let me reformat your print output:

/ip route print output

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, b - BGP, d - DHCP
Columns: DST-ADDRESS, GATEWAY, IMMEDIATE-GW, ROUTING-TABLE, VRF-INTERFACE, SCOPE, TARGET-SCOPE, DISTANCE
    DST-ADDRESS      GATEWAY                       IMMEDIATE-GW                   ROUTING-TABLE  VRF-INTERFACE  SCOPE  TARGET-SCOPE  DISTANCE
DAd 0.0.0.0/0        192.168.1.1                   192.168.1.1%ether1             main           ether1            30            10         1
DAb 192.168.4.0/22   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.1.10.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.1.20.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.1.50.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.1.99.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.33.3.0/24     10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAc 192.168.1.0/24   ether1                        ether1                         main                             10             5         0
DAc 192.168.88.0/24  bridge                        bridge                         main                             10             5         0
DAc 10.255.1.0/30    ether2                        ether2                         main                             10             5         0
DAb 10.255.3.0/30    10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.255.10.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.255.20.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.255.50.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 10.255.99.0/30   10.255.1.2                    10.255.1.2%ether2              main                             40            10        20
DAb 0.0.0.0/0        10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAc 192.168.4.0/22   wireless@home_vrf             wireless                       home_vrf                         10             5         0
DAc 10.1.10.0/24     home@home_vrf                 home                           home_vrf                         10             5         0
DAb 10.1.20.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.1.50.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.1.99.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.33.3.0/24     10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 192.168.1.0/24   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 192.168.88.0/24  10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.255.1.0/30    10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.255.3.0/30    10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAc 10.255.10.0/30   fw_transit_home@home_vrf      fw_transit_home                home_vrf                         10             5         0
DAb 10.255.20.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.255.50.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 10.255.99.0/30   10.255.10.2@home_vrf          10.255.10.2%fw_transit_home    home_vrf                         40            10        20
DAb 0.0.0.0/0        10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 192.168.4.0/22   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.1.10.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAc 10.1.20.0/24     work@work_vrf                 work                           work_vrf                         10             5         0
DAb 10.1.50.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.1.99.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.33.3.0/24     10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 192.168.1.0/24   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 192.168.88.0/24  10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.255.1.0/30    10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.255.3.0/30    10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.255.10.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAc 10.255.20.0/30   fw_transit_work@work_vrf      fw_transit_work                work_vrf                         10             5         0
DAb 10.255.50.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 10.255.99.0/30   10.255.20.2@work_vrf          10.255.20.2%fw_transit_work    work_vrf                         40            10        20
DAb 0.0.0.0/0        10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 192.168.4.0/22   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.1.10.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.1.20.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAc 10.1.50.0/24     server@server_vrf             server                         server_vrf                       10             5         0
DAb 10.1.99.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.33.3.0/24     10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 192.168.1.0/24   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 192.168.88.0/24  10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.255.1.0/30    10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.255.3.0/30    10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.255.10.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 10.255.20.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAc 10.255.50.0/30   fw_transit_server@server_vrf  fw_transit_server              server_vrf                       10             5         0
DAb 10.255.99.0/30   10.255.50.2@server_vrf        10.255.50.2%fw_transit_server  server_vrf                       40            10        20
DAb 0.0.0.0/0        10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 192.168.4.0/22   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.1.10.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.1.20.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.1.50.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAc 10.1.99.0/24     dmz@dmz_vrf                   dmz                            dmz_vrf                          10             5         0
DAb 10.33.3.0/24     10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 192.168.1.0/24   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 192.168.88.0/24  10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.255.1.0/30    10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.255.3.0/30    10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.255.10.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.255.20.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAb 10.255.50.0/30   10.255.99.2@dmz_vrf           10.255.99.2%fw_transit_dmz     dmz_vrf                          40            10        20
DAc 10.255.99.0/30   fw_transit_dmz@dmz_vrf        fw_transit_dmz                 dmz_vrf                          10             5         0
DAb 0.0.0.0/0        10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 192.168.4.0/22   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.1.10.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.1.20.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.1.50.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.1.99.0/24     10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAc 10.33.3.0/24     office@office_vrf             office                         office_vrf                       10             5         0
DAb 192.168.1.0/24   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 192.168.88.0/24  10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.255.1.0/30    10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAc 10.255.3.0/30    fw_transit_office@office_vrf  fw_transit_office              office_vrf                       10             5         0
DAb 10.255.10.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.255.20.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.255.50.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20
DAb 10.255.99.0/30   10.255.3.2@office_vrf         10.255.3.2%fw_transit_office   office_vrf                       40            10        20

Ok, so the fw_transit_xxx interfaces are the exit interfaces that you would want to apply SRCNAT masquerade, aren't they? Currently your NAT table only has masquerade rules with out-interface-list=WAN and that list only contains ether1. All the fw_transit_xxx interfaces are in list LAN.

Have you tried to put those fw_transit_xxx interfaces in the interface list WAN instead of LAN?

lurker888 · January 6, 2026, 5:22pm

@CGGXANNX Read my edit. I think this is a classic case of the same packet making two rounds through the same router in different vrfs - I think the OPNsense is re-injecting the packets that go out the fw_transit_xxx interfaces into an interface in the main vrf.

This will currently only work in MT-land if the first trip is notrack-ed.

CGGXANNX · January 6, 2026, 5:59pm

Ah, thank you, that's quite a convoluted setup (and why announcing all those /24 routes in each of VRF routing table when a 0.0.0.0/0 route also exists with the exact same gateway?). Maybe there are better way to do that.

But isn't the setup currently missing a fw_transit_internet that should be plugged into that inet_vrf. I do understand that, for example a host 10.1.10.25 attached to the home VLAN interface in @home_vrf sends packets to 10.1.50.232, it will be sent out of fw_transit_home to OPNsense which sits on 10.255.10.2.

If OPNsense lets the packet through, that will arrive back to the RB5009 on in-interface=fw_transit_server in @server_vrf, and will be sent out of the server VLAN interface to 10.1.50.232.

But if 10.1.10.25 sends packets to 1.1.1.1, when OPNsense forwards those packets back to the RB5009, they are arriving on which interface/in which VRF?

Shouldn't they arrive from fw_transit_internet and inet_vrf has the routes BGP except for the default route, which will refere to 192.168.1.1@main as gateway instead?

Is ether2 doing the job of fw_transit_internet right now?

lurker888 · January 6, 2026, 6:43pm

As I read it, they are sent to the OPNsense on ether3 in different vlans, return from the it on ether2 (no vlans), and go out to the Internet on ether1, ideally srcnat-ed.

Sorry for linking my own explanations, but the relevant one is:

CGGXANNX · January 6, 2026, 7:13pm

Thank you. I understood the issue with conntrack when you described it in the previous post already. I was pondering someway to simplify the setup.

I guess OP chose the setup for experimentation / learning purposes, and maybe another reason is that the existence of the OPNsense device should be completely hidden from all other devices in his network. Without those reasons. there are simpler ways to achieve the same separation of the subnets + OPNsense handling the inter-VLAN routing and filtering + RB5009 doing DHCP server and internet gateway.

lurker888 · January 6, 2026, 8:02pm

Well, the explanation was not really meant for you

The setup could obviously be simplified, but if this is what OP wants, why not. There could be some more prominent reminder that in most cases only connections that all pass through a single vrf should be tracked...

lewstherin · January 7, 2026, 10:29pm

Sorry work kept me away from my lab yesterday. I will try to respond to all the feedback.

I did originally have an inet_transit vrf that I had ether2 (link from the OPNsense) and ether1 (ISP link) in but it was not working as I know now probabably because of NAT. to simplifiy that part I removed that VRF and just made ether2 drop onto the main table thinking that if its in the main table that I know works it should work too.

I imagine the most simple way to do this is just move the gateways to the OPNsense and trunk those vlans over to the MR but I have a stronger network background then firewall so I felt more comfortable having the bulk of the settings being on the router.

I will cleanup the routes becase you are right the individual vrfs really only need the 0.0.0.0/0 route to the FW but it wasnt hurting having the routes there so wasnt worried about it at that time. Just need to add a filter to only accept the default or maybe only send the default from the FW.

Thank you for the notrack rule for the vlan interfaces lurker888 I will for sure give that a try. Your explination makes sense. I just didnt realise it would track them that way.

above all thank you so much for all the info. Real experience is only with Cisco but really enjoying figuring this MikroTik out!