BrainPain
just joined
Topic Author
Posts: 21
Joined: Sun May 17, 2020 10:40 am

VRF and Firewall Filter Rules

Sun Nov 20, 2022 1:21 pm

Hi,

I am using RouterOS v7.6 with 2 VRFs: "ISP" for routing my public subnet and "main" for managing.
I was trying to block everything from forwarding, except what is in the VRF "ISP".

VRFs are working great, but when I restrict firewall rules to a specific VRF with "routing mark", those firewall rules do not hit.
They only work when I remove the routing mark "ISP".

So even if I had the same subnet in more VRFs, I cannot restrict the rules to only match for a specific VRF.

Is there a bug in RouterOS or a misunderstanding on my side?

Regards
BrainPain
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRF and Firewall Filter Rules

Sun Nov 20, 2022 3:57 pm

A bug (or maybe a feature) on RouterOS side. The VRF implementation has changed in ROS 7 as compared to ROS 6 and so far the behaviour is this. In the firewall, VRF traffic cannot be matched even by interface.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VRF and Firewall Filter Rules

Sun Nov 20, 2022 7:43 pm

Regarding interfaces: VRF and hidden interfaces

They already fixed/changed matching by incoming interface, and incoming interface list works now too, I think. I didn't check lately if they did something with outgoing ones. The whole thing still feels a little weird to me, and I'm not sure if hiding what's happening inside is a good thing. We'll see.
