VRF and Firewall Filter Rules

Hi,

I am using RouterOS v7.6 with 2 VRFs: “ISP” for routing my public subnet and “main” for managing.
I was trying to block everything from forwarding, except what is in the VRF “ISP”.

VRFs are working great, but when I am restricting firewall rules to a specific VRF with “routing mark”, those firewall rules do not hit.
They only work when I remove the routing mark “ISP”.

So even if I had the same subnet in multiple VRFs, I cannot restrict the rules to only match for a specific VRF.

Is there a bug in RouterOS or a misunderstanding on my side?

Regards
BrainPain

A bug (or maybe a feature) on the RouterOS side. The VRF implementation has changed in ROS 7 as compared to ROS 6, and so far the behaviour is this: in the firewall, VRF traffic cannot be matched even by interface.

Regarding interfaces: VRF and hidden interfaces

They already fixed/changed matching by incoming interface, and incoming interface list works now too, I think. I didn’t check lately if they did something with outgoing ones. The whole thing still feels a little weird to me, and I’m not sure if hiding what’s happening inside is a good thing. We’ll see.
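The following is an added example, not configuration posted in this thread. It reproduces the setup from the first post (a routing-mark-scoped forward rule next to an interface-scoped equivalent, the workaround hinted at in the last reply) so you can check on your own RouterOS version which rules actually see traffic; the interface names and the VRF membership are assumptions.

```routeros
# Added example (not from the thread). Interface names are assumptions:
# ether1 = ISP uplink, ether2 = public subnet, ether3 = management.

# Two VRFs: "ISP" carries the public subnet, "main" (default) is used for management.
/ip vrf add name=ISP interfaces=ether1,ether2
# ether3 stays in the default "main" VRF.

/ip firewall filter
# Variant A: restrict the rule to the ISP VRF by routing mark.
# On v7.6 the thread reports this rule never hits; its counters stay at 0.
add chain=forward routing-mark=ISP action=accept comment="A: allow forwarding inside VRF ISP (routing-mark match)"

# Variant B: same intent, matched by interface instead of routing mark.
# Later 7.x releases are reported to match the incoming interface again.
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="B: public subnet -> ISP uplink (interface match)"
add chain=forward in-interface=ether1 out-interface=ether2 connection-state=established,related action=accept comment="B: return traffic"

# Everything else that is forwarded is dropped and logged, so mismatches show up.
add chain=forward action=drop log=yes log-prefix="FWD-DROP " comment="default deny for forwarding"

# Verification: send traffic through the public subnet, then look at which
# rule's packet/byte counters increased and whether the drop rule logged it.
/ip firewall filter print stats
/log print where message~"FWD-DROP"
```

If only variant B's counters move while A stays at 0, your release still shows the routing-mark behaviour described in the first post; if the drop rule logs the traffic, neither variant matched it.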