For the application scenario where you want to partition the physical router into several virtual ones, you use the /ip route vrf functionality.
Before starting - I only explain how to partition the router, but the very first thing to do is to set up the firewall, so that the router doesn't get cracked into five minutes after you connect it to the internet. The best way is to dedicate one LAN interface only for management and prevent any access to the router itself from anywhere else.
To the topic:
- add the three /interface pppoe-client interfaces, named pppoe-out1 to pppoe-out3 for the purpose of this guide (you can use other names of your preference), and disable them
- run
/ip route vrf
add routing-mark=group-1 interfaces=pppoe-out1,ether3,ether4
add routing-mark=group-2 interfaces=pppoe-out2,ether5,ether6
add routing-mark=group-3 interfaces=pppoe-out3,ether7,ether8
- this will create the three partitions; packets which come in through any of the interfaces listed for each group get the routing-mark assigned
- now enable the pppoe-client interfaces; this will create a default route in the individual routing table for each group of ports
- as you assign IP addresses and subnets to the Ethernet interfaces, the connected routes to these subnets will be automatically added to the respective routing tables
- depending on the intended application, you can create bridge interfaces and make the Ethernet interfaces member ports of these bridges; in that case, you put the bridges into the interfaces list on the /ip route vrf rows, instead of the names of the member Ethernet interfaces
What's important, the router itself keeps using routing table main unless you use rules in chain=output of mangle to assign a routing-mark (routing table name). So if there are no routes in routing table main, i.e. no routes without any routing-mark value assigned, the router cannot communicate.
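The whole procedure as one configuration, including the management-only firewall and a mangle rule for the router's own traffic. This is an added example in RouterOS v6 syntax, not part of the original post. Assumptions: ether1 carries the three PPPoE sessions, ether2 is the dedicated management port, and the subnets, user names and passwords are constructed placeholders.

```routeros
# Added example (not from the original post). Assumed: ether1 = PPPoE uplink,
# ether2 = management port, constructed subnets, placeholder credentials.

# 1. Firewall first: only the management port may reach the router itself.
#    ether2 is in no VRF, so its connected route lands in routing table main.
/ip address
add address=192.168.88.1/24 interface=ether2
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether2 action=accept comment="management only"
add chain=input action=drop comment="no access to the router from anywhere else"

# 2. PPPoE clients, created disabled so no route appears before the VRFs exist
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=USER1 password=PASS1 add-default-route=yes disabled=yes
add name=pppoe-out2 interface=ether1 user=USER2 password=PASS2 add-default-route=yes disabled=yes
add name=pppoe-out3 interface=ether1 user=USER3 password=PASS3 add-default-route=yes disabled=yes

# 3. The three partitions
/ip route vrf
add routing-mark=group-1 interfaces=pppoe-out1,ether3,ether4
add routing-mark=group-2 interfaces=pppoe-out2,ether5,ether6
add routing-mark=group-3 interfaces=pppoe-out3,ether7,ether8

# 4. Enable the clients; each default route goes into its group's table
/interface pppoe-client
enable pppoe-out1
enable pppoe-out2
enable pppoe-out3

# 5. LAN addresses; connected routes follow the interface's VRF
/ip address
add address=10.1.3.1/24 interface=ether3
add address=10.2.5.1/24 interface=ether5
add address=10.3.7.1/24 interface=ether7

# 6. Router-originated traffic uses table main, which has no default route here.
#    Assumed case: send the router's own DNS queries out through group-1.
/ip firewall mangle
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=group-1

# Check the result: each default route should show its group's routing-mark
/ip route print detail
```

Marking only DNS in chain=output keeps replies to the management subnet on table main; marking all router output would send those replies out through pppoe-out1 instead.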