rfc1149
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri May 15, 2020 4:26 am
Location: England

VRF Isolation

Sun Feb 27, 2022 4:49 pm

Hello!

I'm trying to achieve complete isolation between two bridges that still reach 0.0.0.0/0 via one interface on a single vrf: main.
My hardware is a hAP AC running ROS 7.1.3.

Right now, I'm doing this in a very dirty way. (Interfaces in bold)
I have created two bridges: bridge and bridge-guest.
VRF main has all interfaces enabled.

ether4 is directly connected to my router, the default route.
ether4 has IP address 192.168.87.2 with gateway 192.168.87.1.

The bridge bridge is home to 192.168.88.0/24, my home network.
The bridge bridge has ports ether1,2,3,5 and wlan1,2.
The bridge bridge has MAC address CC:00:00:00:00:11.

The bridge-guest bridge is home to 10.0.0.0/24, my guest network.
The bridge-guest bridge has ports wlan3(Virtual, parent wlan1, 2.4GHz).
The bridge-guest bridge has MAC address CC:00:00:00:00:12.

The goal is DHCP visibility only for the clients in 10.0.0.2-254 talking to 10.0.0.1 and the bare minimum for Internet reachability.
I also wanted the guest network to be isolated for broadcast traffic as well, hence a separate bridge.
They are not permitted to reach anything on the bridge bridge interface, 192.168.88.0/24 or 192.168.87.0/24.
I have the following firewall rules for isolation as well as route rules. It's very dirty and I'm not happy with it.

isolation-rules-1.png
isolation-rules-2.png

What I am trying to prevent is any routing between the two bridges and basically achieve 100% isolation between the two subnets
while maintaining routing to the default route reachable via ether4 which is in VRF main.
I know I have over-complicated the approach and that there is a simpler solution.
My guess is that it's something to do with the VRF table and routing between CC:00:00:00:00:11 and CC:00:00:00:00:12 being disallowed, or the subnets?
I understand that using one VRF, WinBox and SSH will still be visible services via 10.0.0.1, hence the drop rules.
What am I missing? What is the simpler solution that I have foregone? Can I buy anyone a coffee? :?
 
rfc1149
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: VRF Isolation

Tue Mar 01, 2022 2:29 pm

So in exploring this, I've found that the route drop rules were effectively useless.
Even though I was denying routing between subnets, traffic was still routing across those networks.
My final solution is still a mix of firewall rules and the only one route rule I found to be effective in actually dropping the specified traffic.

I opted for all interfaces because there was patchy coverage when sticking to per-interface rules; either way, my end result is exactly what I want:
1) An offending packet never makes it to the other bridge interface / traffic is dropped with no ingress to the other subnet
2) Both bridge interfaces reach VRF main to utilise the default route but never cross-talk
3) Each subnet has its own separate broadcast domain

I'm guessing there's more to the MikroTik implementation of VRF that I do not understand but I will leave it at this because my intended solution works.
I'm also guessing it has something to do with route rules not applying to internal subnets and only external routes.
I'm trying to create a mental image in my head so I understand the flow but I'm still no closer to conceptually getting it.
I'll run some more test cases at a later date and post the results if I remember to.
I hope this post helps anyone trying to achieve the same results as me get there without the frustration. :)

isolation-rules-final-firewall.png
isolation-rules-final-route.png
 
sindy
Forum Guru
Posts: 10219
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRF Isolation

Wed Mar 02, 2022 10:43 am

The order of firewall rules, the understanding of the role of chains, and the understanding of what a stateful firewall means (to me, "state-aware" would be a more explanatory name but English is not my native language) are the key.

For your goal you don't actually need a VRF. Drop rules after the "accept established, related to them, or excluded from connection tracking" rule prevent new connections from getting established, so if you run a ping between devices in the two subnets and then install a new drop rule at the end of the filter, the traffic keeps flowing thanks to the "accept established..." rule. A new ping series will not.

And most important - chain input handles traffic towards the router itself. To handle the transit traffic, i.e. the one the router forwards from one interface to another, you have to put the filter rules in chain forward.
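A filter in the shape sindy describes, written here as an added example for the original poster's interface names and subnets (bridge, bridge-guest, ether4, 192.168.88.0/24, 10.0.0.0/24, 192.168.87.0/24); it is not configuration from the thread, and it assumes guest clients use the router (10.0.0.1) for DHCP and DNS.

```routeros
# Added example (not from the thread): stateful isolation of the two bridges,
# "bridge" (192.168.88.0/24, home) and "bridge-guest" (10.0.0.0/24, guest), with
# ether4 (192.168.87.0/24) as the uplink. Everything is done in the filter, no VRF.
/ip firewall filter
# --- chain forward: transit traffic the router routes between interfaces ---
# Stateful shortcut first: packets of connections already accepted pass here, which
# is why a drop rule added further down cannot kill a ping that is already running.
add chain=forward action=accept connection-state=established,related,untracked comment="fwd: accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="fwd: drop invalid"
# Only NEW connections reach the rules below: drop guest<->home in both directions
# before any rule that could accept them.
add chain=forward action=drop in-interface=bridge-guest out-interface=bridge comment="fwd: guest -> home"
add chain=forward action=drop in-interface=bridge out-interface=bridge-guest comment="fwd: home -> guest"
# Guests may not reach the uplink subnet itself, only what lies beyond it.
add chain=forward action=drop in-interface=bridge-guest dst-address=192.168.87.0/24 comment="fwd: guest -> uplink LAN"
add chain=forward action=accept in-interface=bridge-guest out-interface=ether4 comment="fwd: guest -> internet"
add chain=forward action=drop in-interface=bridge-guest comment="fwd: guest -> anything else"
# Home traffic matches none of the above and falls through to the filter's implicit accept.

# --- chain input: traffic addressed to the router itself (e.g. 10.0.0.1) ---
add chain=input action=accept connection-state=established,related,untracked comment="in: accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="in: drop invalid"
# Guests get DHCP and DNS from the router and nothing else (no WinBox, SSH, API).
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=67 comment="in: guest DHCP"
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=53 comment="in: guest DNS"
add chain=input action=drop in-interface=bridge-guest comment="in: guest -> router services"
```

To verify, start a ping from a guest client to a host on 192.168.88.0/24 and watch `/ip firewall filter print stats`: the "fwd: guest -> home" counter should climb while the ping fails.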
 
rfc1149
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: VRF Isolation

Wed Mar 02, 2022 11:45 am

For your goal you don't actually need a VRF.
But what if I wanted to take this from Layer 3 isolation to Layer 2?
Also thanks for pointing out my elementary mistake. I really need more sleep. :D
 
sindy
Forum Guru
Posts: 10219
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRF Isolation

Wed Mar 02, 2022 7:52 pm

But what if I wanted to take this from Layer 3 isolation to Layer 2?
Sorry, I don't get the connection. VRF is an L3 concept, so it works with interfaces on the L3 layer. A VLAN on an L2 link has to be made accessible to the L3 layer by adding an /interface vlan taking care of tagging and untagging. For L2 isolation, you have to use techniques like permitting particular VLANs on particular ports (maybe dynamically using 802.1x), or completely separate bridges. So you can put each of two different VLANs on the same L2 segment to a different VRF, but you cannot put two IPs in the same subnet into different VRFs.

I really need more sleep. :D
So do I :)
 
rfc1149
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: VRF Isolation

Fri Mar 04, 2022 1:09 pm

Sorry, I don't get the connection. VRF is an L3 concept, so it works with interfaces on the L3 layer. A VLAN on an L2 link has to be made accessible to the L3 layer by adding an /interface vlan taking care of tagging and untagging. For L2 isolation, you have to use techniques like permitting particular VLANs on particular ports (maybe dynamically using 802.1x), or completely separate bridges. So you can put each of two different VLANs on the same L2 segment to a different VRF, but you cannot put two IPs in the same subnet into different VRFs.
My mistake. I thought VRF was Layer 2. I'm going to move into VLAN isolation then.
I also need to test and scale the same setup for my friend and his family so I wonder if the hAP AC can handle it (1 CPU).
Potentially 4 separate networks all with Internet access (and possibly a 5th for IoT).
 
sindy
Forum Guru
Posts: 10219
Joined: Mon Dec 04, 2017 9:19 pm

Re: VRF Isolation

Fri Mar 04, 2022 2:18 pm

I also need to test and scale the same setup for my friend and his family so I wonder if the hAP AC can handle it (1 CPU).
Potentially 4 separate networks all with Internet access (and possibly a 5th for IoT).
The key question here is what is the uplink bandwidth. Here is a test done using 6.4x with a PPPoE uplink on a hAP ac², so with a direct IP one (static or DHCP) it should be better. The third test is the most relevant one. Blocking access between the four LANs won't affect the performance much, but a "lot of small packets" type of traffic will lower the throughput in Mbit/s.

hAP ac (not ², not lite) has a triple-chain WiFi but a much weaker CPU than hAP ac².
 
rfc1149
Frequent Visitor
Topic Author
Posts: 77
Joined: Fri May 15, 2020 4:26 am
Location: England

Re: VRF Isolation

Fri Mar 04, 2022 3:40 pm

The key question here is what is the uplink bandwidth.
Uplink bandwidth will be around 100Mbps to 220Mbps
It will be 1Gbps fibre link to SFP (hAP AC has a separate 1Gbps interface to the CPU)

RB962UiGS-160210082257_160257.png

So wlan1 and wlan2 (2.4GHz and 5GHz respectively) will have VAPs on them.
Bandwidth will be shared out of the 2.4GHz 300Mbps theoretical maximum (40MHz + 2S, because I doubt there will be any 3x3 clients for 450Mbps on 2.4GHz),
and the 5GHz will allow 80MHz + 3S up to 1300Mbps, but realistically the max for 2x2 clients is 866.6Mbps.
Of course all of this will be reduced after noise, CCI and link rate, so I'm hoping for at least 70% - 80% total usable capacity.

I'm not worried about the WAN link side, more the wireless side because if a client starts downloading at 800Mbps sustained, there is a CPU spike.
Yes, hAP AC2 and AC3 are better choices because of the better CPU but the dedicated SFP port on hAP AC is hard to miss for 1Gbps fibre setups.

Either way, I will stress the setup and optimise the firewall rules as best as possible.
The last thing I want to do is introduce queues for bandwidth shaping because that negates the point of 1Gbps fibre lol.
I think it'll be okay, but estimating full use, roughly 200Mbps per VLAN on Ethernet, 2.4GHz, 5GHz and their VAPs, I foresee CPU as the bottleneck.
Still not a good enough reason to upgrade for him though. If this were my setup, I would build it better with an RB4011iGS+RM (that's just me overdoing it :) )
but I'm opting not to upgrade because there's no practicality for him to justify the cost. Maybe I'll mod the case and install a heatsink and tiny fan to give it some longevity. :)
 
 
robert555
just joined
Posts: 3
Joined: Tue Mar 14, 2023 5:01 pm

Re: VRF Isolation

Wed Apr 03, 2024 7:14 pm

Hi, I have a doubt. I have a network, separated by VRF for management and web access. But the problem is that I have ping between VRFs. For example: I have a router that contains the two VRFs (vrf1 and vrf2), each VRF has its own different network, and the gateways are in the router. Now if I have a PC on vrf1 with network 1 and I ping the vrf2 gateway, this ping is possible. This is counterintuitive because I understand that the VRFs are in different routing domains. And also if I ping vrf1's PC from vrf2 with a source from its own network, I can reach it. Please help.
