We started to worry about the future of MikroTik. It looks like they lost their leading developers who understand network technologies.
In October 2023 I reported to MikroTik the problem that VPN4 packets from an MPLS interface to a VRF are marked in the firewall as packets from an unknown interface to an unknown interface. I went through endless discussions, and after a while it became even worse. In the current ROS 7 beta such packets became not visible to the firewall at all. It means that if you have in your CPE router rules:
/ip firewall filter
add action=accept chain=forward comment=ER connection-state=established,related
add action=drop chain=forward log=yes log-prefix=drop
This morning I got an answer from MikroTik support:
I received information from our specialists that an MPLS packet which should be routed in a VRF is being sent from the VRF interface and is seen in the output chain (not forward).
If you set an output filter, you will see the packets.