In my opinion i must say that your solution is more complicated but have same level of security of leakage as :

thanks for time spend on my issue. We have same conclusion about issue that without route in table or proper rule separation in VRF doent work at all. Why in ROS we can not chosse output interface for internal services - that isnt profesional looking way to do what you what to do . Eh once again tha...

Ok , When VRF, default gw is active i delete all rules , mangle have some hits like this : output : in : (unknown 0 ) out:vlan453, proto UDP, 77.999.999.146:123->10.999.1.1:123, len 76 and dont work - But this is what i do whant avoid . When i disable vrf , mangle have hits like this : output : in :...

Ok make some clarification ( i know that 999 doesnt exist in ip add ) in config : # feb/25/2019 08:41:11 by RouterOS 6.41.2 /interface vlan add interface=ether1 name=vlan92 vlan-id=92 add interface=ether1 name=vlan453 vlan-id=453 /ip address add address=10.999.1.8/24 interface=vlan92 network=10.999....

# feb/25/2019 08:41:11 by RouterOS 6.41.2 /interface vlan add interface=ether1 name=vlan92 vlan-id=92 add interface=ether1 name=vlan453 vlan-id=453 /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip address add address=X.Y.Z.8/24 interface=vlan92 network...

@heribertos You have absolutely right ! But it doesnt work i try this on begining of unfair fight with this . In result of setup mangle - output chain is that no packet was send via physical output interface ( checked by wireshark on pc ) . I gues that if there is no route (or rule ) in main table c...

You solution works but its not isolate networks in VRF mgmt. Because its main goal i cant let packect etc. for leaking trought from main table.
Cisco have beter solution - you simlpy indicate ntp source interface and that should be for separation - not putting route in main table.

@heribertos: thank you for answering, but you have not understood my problem. More specifically: 1.I have one VRF mgmt, one of networks in VRF mgmt have an NTP server 2. The rest of the network is separated from mgmt is in main table. I know that when i use NTP client , service search only in main t...

Hello it seems to me that I read most of the posts related to ntp and vrf but failed to achieve the goal: to indicate another interface for NTP not in the main table but in another vrf table . I tried to use Magle but no success. Normal NAT turns ip but does not change the output interface. I've run...