TheSirStumfy
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Network isolation using VRF?

Wed Jul 10, 2019 3:22 pm

Hello,

Is it possible to do network isolation using VRF?

Let's say you have 10.0.10.1 and 10.0.11.1 set up with all the bridges, networks, DHCP etc.
As far as I understand Mikrotik will do routing between them automatically.

So if you want them to be isolated, can you do it via VRF, or do you need rules like forward drops between them?

PS: sorry, I know there are 100 posts about network isolation, but I'd like to do the cleanest setup.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Re: Network isolation using VRF?

Wed Jul 10, 2019 4:52 pm

I ended up just making a routing rule that drops between both networks.

Seems to me the cleanest way to do this.
 
Anumrak
Forum Guru
Posts: 1023
Joined: Fri Jul 28, 2017 2:53 pm

Re: Network isolation using VRF?

Thu Jul 11, 2019 5:38 pm

I ended up just making a routing rule that drops between both networks.

Seems to me the cleanest way to do this.
or just firewall drop rule(s)

but in general, I agree.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network isolation using VRF?

Thu Jul 11, 2019 6:57 pm

1. What is the difference wrt the load on the CPU for both methods?
2. If I basically in my forward chain simply allow LAN to WAN traffic and have a generic drop-all rule last,
- does that stop traffic between bridges, and thus I don't need many rules, just one!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Re: Network isolation using VRF?

Fri Jul 12, 2019 7:27 am

From some experience I had with some other routers, the general setup is that if you have 2 networks, they won't see each other until you do routing.

But Mikrotik for some reason does this for you. So to break this link all I did was:

/ip route rule
add action=drop dst-address=192.168.aa.0/24 src-address=192.168.bb.0/24
add action=drop dst-address=192.168.bb.0/24 src-address=192.168.aa.0/24

Done, with no messy firewall rules that clutter up the already busy firewall list.

Hope this helps someone in the future.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 52
Joined: Sun Oct 14, 2018 7:54 pm

Re: Network isolation using VRF?

Fri Jul 12, 2019 7:43 am

1. What is the difference wrt the load on the CPU for both methods?
2. If I basically in my forward chain simply allow LAN to WAN traffic and have a generic drop-all rule last,
- does that stop traffic between bridges, and thus I don't need many rules, just one!
Regarding this, perhaps someone with some more in-depth experience can explain how the traffic goes through the router.

So does it check firewall first, then routing, or is it the other way around?
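Added example, not posted by anyone in this thread: a RouterOS v6 configuration that puts the route-rule method from the earlier post next to the "allow LAN to WAN, then drop everything" forward chain asked about above. Assumed names are constructed: bridges bridge-a (192.168.10.0/24) and bridge-b (192.168.11.0/24), and ether1 as the WAN uplink.

```routeros
# Added example (not from the thread). Assumed names: bridge-a = 192.168.10.0/24,
# bridge-b = 192.168.11.0/24, ether1 = WAN uplink. RouterOS v6 syntax.

# --- Method 1: routing rules (what the thread's author used) ---
# Applied at the routing decision, i.e. after prerouting (raw/mangle/dstnat)
# and before the forward chain. Stateless, so both directions are dropped
# explicitly; there is no "established" exception here.
/ip route rule
add action=drop src-address=192.168.10.0/24 dst-address=192.168.11.0/24 comment="isolate a->b"
add action=drop src-address=192.168.11.0/24 dst-address=192.168.10.0/24 comment="isolate b->a"
# (RouterOS v7 moved this section to /routing rule.)

# --- Method 2: forward chain with a default drop ---
# Interface lists keep the rule count constant when more bridges are added.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge-a
add list=LAN interface=bridge-b
add list=WAN interface=ether1

/ip firewall filter
# Replies for connections that were already permitted (stateful).
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Only new connections from any LAN bridge towards the WAN are accepted ...
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=WAN comment="LAN -> WAN"
# ... so one final drop covers bridge-a <-> bridge-b as well as unsolicited WAN -> LAN.
add chain=forward action=drop comment="default drop (covers inter-bridge)"
```

Both methods act only on routed traffic, so hosts on the same bridge are untouched (that is layer 2 and would need bridge filter rules). Hit counters from /ip firewall filter print stats are a quick way to confirm which rule inter-bridge packets actually land on.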
 
pe1chl
Forum Guru
Posts: 5811
Joined: Mon Jun 08, 2015 12:09 pm

Re: Network isolation using VRF?

Fri Jul 12, 2019 11:10 am

You can find this in the manual: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Network isolation using VRF?

Fri Jul 12, 2019 11:32 pm

Nice try but I went over the diagrams and nothing is clear in terms of order.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Network isolation using VRF?

Mon Jul 15, 2019 10:44 pm

From some experience I had with some other routers, the general setup is that if you have 2 networks, they won't see each other until you do routing.

But Mikrotik for some reason does this for you. So to break this link all I did was:

/ip route rule
add action=drop dst-address=192.168.aa.0/24 src-address=192.168.bb.0/24
add action=drop dst-address=192.168.bb.0/24 src-address=192.168.aa.0/24

Done, with no messy firewall rules that clutter up the already busy firewall list.

Hope this helps someone in the future.

As far as my knowledge goes, any router will automatically route between directly connected networks, including Cisco.
MTCNA, MTCTCE, MTCRE & MTCINE
