Hi Alex,

My experience so far has been that the Mikrotik services (ssh, winbox, snmp, dns, ntp, etc) will listen on all VRFs, but will only respond on the "main" routing table. As long as you have an active non-blackhole route in the main routing table that covers the return traffic, the return traffic will be generated, but only on the "main" routing table. You need to have a Mangle rule for all return traffic, which Damien Gardner on this list previously showed can probably be most easily done by using Connection Marking.

Perhaps try this:

    /ip firewall mangle
    ## Tag all new connections incoming on the Management VRF
    add action=mark-connection chain=input connection-state=new new-connection-mark=connection-Management passthrough=yes routing-table=vrf-Management
    ## Tag all new connections initiated by the router which should be on the Management VRF - YOU WILL NEED TO ADJUST THIS TO MEET YOUR REQUIREMENTS
    add action=mark-connection chain=output connection-state=new new-connection-mark=connection-Management passthrough=yes out-interface=etherX
    ## Move all traffic with the Connection Mark of Management to the Management VRF
    add action=mark-routing chain=output connection-mark=connection-Management new-routing-mark=vrf-Management passthrough=yes

You will also need a route to cover all management traffic - doesn't have to be a default route, eg if your management network is 10.100.100.0/24, just have a route for that.

I haven't fully tested this... please let us know how you go.

Regards,
Philip Loenneker | Network Engineer | TasmaNet

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Saturday, 28 January 2017 6:24 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] VRF - routing and default local services

Hi

So how do I work with the local services .. DNS and NTP ???
Alex

________________________________________
From: Public [public-bounces@talk.mikrotik.com.au] on behalf of Alex Samad - Yieldbroker [Alex.Samad@yieldbroker.com]
Sent: Friday, 27 January 2017 3:10 PM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] VRF - routing and default local services

Also one other question it was mentioned that if I enter a rule (or two ?) into /ip route vrf

Route will disappear from the default route table.

    /ip route> export
    #
    /ip route
    add distance=250 gateway=10.32.80.1 routing-mark=Management
    add distance=251 gateway=192.168.0.2
    /ip route vrf
    add interfaces=Management routing-mark=Management

    /ip route> print
    Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
     #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
     0 A S  0.0.0.0/0                          10.32.80.1              250
     1 ADC  10.32.80.0/24      10.32.80.72     Management                0
     2 A S  0.0.0.0/0                          192.168.0.2             251
     3 ADC  192.168.0.0/24     192.168.0.1     ether1                    0

So what do I need to add to vrf to make

     0 A S  0.0.0.0/0                          10.32.80.1              250

Disappear when printing the default table ? Or am I misunderstanding something

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Alex Samad - Yieldbroker
Sent: Friday, 27 January 2017 3:02 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] VRF - routing and default local services

Hi

Just continuing on my journey for multiple VRF.

I have segregated off an interface for management. Using routing with vrf = Management and mangle rules to mark all packets / connections with vrf=Management.

Caveat is that my default routing table must have a valid route. So when I tested telnet ccr on the management port ip from a box on the same vlan - management, I could see packets coming in and then nothing leaving.

Add in default route via a cross connect and suddenly packets start to flow back. Note I can send default to blackhole that doesn't work.

Now my question is things like logging can I set the source address / interface. Will setting the source set the interface? Will packets pick up the mark if they have that source address - or do I need to add in a mangle that says any with that source address has the vrf=Management

Alex

Alex Samad | Network And System Manager | Yieldbroker
+61 2 9994 2893 | +61 438 838 143 | alex.samad@yieldbroker.com

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
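
Added example, not part of the thread and not MikroTik's or any poster's code: a small Python check that reads a RouterOS export and reports where replies to management connections would stay in the main table instead of being steered into the VRF, using the connection-marking pattern from the reply above. It assumes the export syntax shown in the thread and that the mangle routing mark must be the same name as the routing-mark on the /ip route vrf entry; parse_export, audit and the finding strings are hypothetical names.

```python
import re

# Constructed sample: the mangle rules suggested in the reply combined with the
# route and VRF entries from the earlier export. Not taken from a live router.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=input connection-state=new new-connection-mark=connection-Management passthrough=yes routing-table=vrf-Management
add action=mark-routing chain=output connection-mark=connection-Management new-routing-mark=vrf-Management passthrough=yes
/ip route
add distance=250 gateway=10.32.80.1 routing-mark=Management
add distance=251 gateway=192.168.0.2
/ip route vrf
add interfaces=Management routing-mark=Management
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line of an export."""
    menus, current = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit(text):
    """List gaps that would leave management replies in the main table."""
    menus = parse_export(text)
    mangle = menus.get("/ip firewall mangle", [])
    vrf_tables = {r.get("routing-mark") for r in menus.get("/ip route vrf", [])}
    # connection mark -> routing mark applied to router-generated (output) packets
    steer = {r.get("connection-mark"): r.get("new-routing-mark") for r in mangle
             if r.get("action") == "mark-routing" and r.get("chain") == "output"}
    findings = []
    for r in mangle:
        if r.get("action") == "mark-connection" and r.get("chain") == "input":
            mark = r.get("new-connection-mark")
            if mark not in steer:
                findings.append(f"no-output-mark-routing:{mark}")
            elif steer[mark] not in vrf_tables:
                findings.append(f"unknown-routing-mark:{steer[mark]}")
    # The thread reports replies are only generated when the main table has
    # a usable (non-blackhole) route, so flag its absence as well.
    main = [r for r in menus.get("/ip route", [])
            if "routing-mark" not in r and r.get("type") != "blackhole"]
    if not main:
        findings.append("no-main-table-route")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

On the constructed sample the only finding is the name difference between the routing mark used in the mangle rules and the one on the VRF entry.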