MikroTik

JanZorz

Ahh too bad. Is your other router a mikrotik v7 or v6?

FRR

Cheers, Jan

JanZorz

OH AND ... the flap bug is back, the v7 router starting flapping my eBGP routes after switching to ibgp-rr for my IPv4 iBGP peer. This got me into trouble last time and is quite nasty yes, I noticed that. I'm using IPv6 address as BGP session endpoints and announce v4 and v6 over it. If I do just I...

JanZorz

ok, I upgraded to RouterOS v7.7beta8 and set the local.role=ibgp-rr and all of a sudden - routes are advertising to my downstreams

Done.

JanZorz

1. what does this mean, they are both in the same routing-table "main", both use the same router-id 2. bgp-networks advertisement is only for advertising to eBGP peers, correct? 1. yes, they are in the main routing table and all BGP sessions have the same router-id 2. well, I tried all co...

JanZorz

No it is not related to affinity. You need to make sure that local as and local router-id are identical on all the bgp sessions. If I set output.redistribute=connected,static,bgp then I receive exactly 2 routes to the downstream router... local loopback and one /64 IPv6 prefix that is on the router...

JanZorz

No it is not related to affinity. You need to make sure that local as and local router-id are identical on all the bgp sessions. Hmm... same AS and same router-id on all BGP sessions - but still no advertisement of prefixes in main routing table. Weird. 6.x BGP worked like charm, I have no idea why...

JanZorz

1. For BGP to redistribute received routes from upstream, both peers must be running the same instance.

Thnx! So I need to play with input.affinity and output.affinity? Currently it's "alone". Should I try putting all in "main"?

Cheers, Jan Z

JanZorz

Hi you have to create an accept filter and associate it in the bgp peer as output bgp filter. in this you will redistribute all the table of your router by default bgp rejects everything.. Hi... I have this as output filter: chain=bgp_out_advertise rule="accept" And I get just one route a...

JanZorz

Hey, I'm testing ROS7 (7.7beta6) and I'm trying to announce all routes in main routing table to downstream BGP router, IPv6 and IPv4. I got full routing tables from my upstreams and now I try to re-distribute them. I understand that now I need to add networks in /ip/firewall/address-list and /ipv6/f...

JanZorz

Is it really the case from what you observed that routes that 1) survive the inbound filter based on RPKI status + operator policy, 2) survive route selection and get installed into the table, 3) at some later time the RPKI validator group becomes unreachable … these routes get marked invalid? That...

JanZorz

Same happens in 7.2rc1

Please, please, please fix this ASAP as this is far from production ready.

Cheers, Jan Žorž
6connect labs

JanZorz

How is the new /routing/routes working for seeing inbound routes in your production environment?

That's actually quite a useful thing to have... it shows some interesting information about routes and filters (also RPKI).

Cheers, Jan

JanZorz

Hey, I managed to get management port into its separate VRF and routing-table and it works great (other than lack of SNMPd listening there), but in 7.1 and 7.1.1 I'm encountering an issue that after booting the router - ssh and www services that are bound to management VRF are marked as invalid. I n...

JanZorz

We will think of some solution not to make whole chain invalid after validator goes down. excellent, thnx!!! While thinking about this - I would expand a little bit the behaviour description: "if RPKI validator is not reachable just ignore the rpki-verify clause and still process the rest of t...

JanZorz

Hi, Yes, we lost my report from a bit more extensive test, so let me try to write that again. I left my validator VM offline for 12 hours and removed Internet access from it and when I started it again - it tried to refresh ROAs from the Internet repositories, failed and then loaded whatever was in ...

JanZorz

Hi,

on ROS7.1 I managed to get Management interface in its own VRF/routing_table and web/ssh services works fine. However, I can't find a way how to persuade SNMPd to also run on that interface. It's running in main table, but not in management.

Any idea?

Cheers, Jan

JanZorz

Hi,

What's the equivalent of ROS6 command: /routing bgp advertisements print in ROS7.1?

Cheers, Jan

JanZorz

It sounds the same, validator cannot get data because you are relying on validator to use BGP routes that should be validated to get data. It really is a misconfiguration. And isn't the validator returning "unknown" if there is no record for the route? So you can accept "unknown"...

JanZorz

I tested with routinator that was oflline for 12 hours and with setting stale="warn" or stale="accept" it will start, try to connect to the Internet to fetch the new ROAs and when it fails - it'll just load stale objects from the disk and use those. At that moment router is able ...

JanZorz

To me it looks like not a good network design if you need BGP routes to connect to the validator to verify the same BGP routes. I can connect to validator directly, no worries about that. Problem is if the whole network is cut away from the world because routes received over BGP are not active beca...

JanZorz

Hi, I've been testing RPKI on ROS 7.1 and it works fine. I followed the suggestions in documentation and it does what it is supposed to do. The thing that is bothering me is that if you activate rpki-validation in filter rule - that particular filter becomes invalid if RPKI validator is not accessib...

JanZorz

Tried to install .iso image into KVM on Proxmox, but after install it reboots and is stuck at "Booting from hard disk..."

Same procedure works fine on the same KVM setup with 6.47.1... any idea?

Cheers, Jan

JanZorz

Thank you very much for this information. Any idea when ROS 7 will be available for testing? I'm willing to test RPKI for you (IPv6 and IPv4 routes) if you send me the code as soon as it's available

Cheers, Jan Zorz

JanZorz

I'm eagerly waiting for Mikrotik to deploy RPKI route origin validation. Currently I'm doing it on ASR1k router but would gladly move this function to CCR1036 as it seems to be powerfull enough to take care of this stuff. Mikrotik staff, any information when can we expect RPKI in RouterOS? Cheers, J...

JanZorz

Completely agree, this would be preferred and in accordance to BCP84 - http://tools.ietf.org/html/bcp84.

Cheers, Jan

JanZorz

Hi, This feature is very useful for many things, read the document below. Cisco implemented it and many operators is using it. http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-additional-paths.html Can we hope to have it in at least ROS7? Cheers and thnx, Jan Zorz

JanZorz

you have to mark packets from up-stream and then add routing-mark to them ensuring that the router will answer on the same interface it received packet from. But I should do this only for icmp packets, directed to the router itself (input chain). I'm not interested in touching any other traffic, BG...

JanZorz

I would think that the natural IP to respond would be the IP that received the request. Well, yes, indeed. But I have 3 different uplinks to 3 different ASN-s and when you do a traceroute from outside towards my network and match the hops to ASNs, then sometimes it happens that return path is diffe...

JanZorz

You can use src NAT on ICMP to change the originating ip. You'll probably want to match the src addresses on the rule so as to not to match ICMP passing through the router. This is an ugly hack, I have to admit :S If there are no other options that I'll have to use it, but probably it would be a ve...

JanZorz

Hi, I've been trying to figure out this for some time now. I moved all 3 uplinks from Cisco box to CCR and everything works fine - except that RouterOS seems to select out-interface address as a source address for packets originating for the router itself - in this case icmp messages used for tracer...

JanZorz

we are planning to add it, it's in our list.

Hi,

Any news on this topic? This is really needed...

Cheers, Jan

JanZorz

How about the /48 IPv6 PI assignments - with ~200 customers in a rural area I'm still a bit too small to become a LIR (for cost reasons), so can't get a /32 but only a /48 IPv6 PI (currently have /23 IPv4 PI for BGP with two uplinks, and just starting to look into IPv6) - is there a chance to propo...

JanZorz

I would think that /64 for residential and /48 for business would be fine. Not sure why home users would need to subnet? Dude. V6 is introduced to give everyone enough addresses. There are enough addresses available and no reason to conserve. It's not difficult to imagine that users would like one ...

JanZorz

you do not need addresses for intermediate network stuff, just the end equipment of users should get the address. There you give out addresses with /64 Anyway, nothing that script cannot do. We actually put global IPv6 addresses on eth interfaces, just for later troubleshooting purposes. Problem is...

JanZorz

if client is receiving /64 prefix, you could get the value and assign this address using script :) as there is not yet a testing-build available with this feature automated in dhcp-client. No way, /64 PD is a very wrong thing to do for ISP. They do /56 for residential user and /48 for business - as...

JanZorz

assignment of acquired address on one of the interfaces with /64 and advertise is coming. Can you predict when? We are testing IPv6 over pppoe for our ISP and having DHCPv6 client with PD is great, but we need PD assignment to interfaces in order to render your device useful :) If there is any ROS ...

JanZorz

Hi, in ROS 5.9 we have DHCPv6 client, that is able to receive PD. Fine, great job, we were all waiting for that. What I'm missing is the configuration option to which ethernet port(s) we automatically provision first (and consequent) /64 subnets. On Linux you have this option in dhcp6c config: confi...

Search found 37 matches

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

Re: BGP config to announce all prefxes to downstream...

BGP config to announce all prefxes to downstream...

Re: RPKI and real life failure scenario

Re: services invalid after boot if in management VRF

Re: BGP advertisements print

services invalid after boot if in management VRF

Re: RPKI and real life failure scenario

Re: RPKI and real life failure scenario

SNMPd listening on MNGMT VRF

BGP advertisements print

Re: RPKI and real life failure scenario

Re: RPKI and real life failure scenario

Re: RPKI and real life failure scenario

RPKI and real life failure scenario

Re: v7.1beta1 [development] is released!

Re: RPKI

Re: RPKI

Re: RP Filter Loose Reverse Path Forwarding Ignoring Default

Feature request: BGP additional path propagation

Re: multihoming and source address of outgoing icmp messages

Re: multihoming and source address of outgoing icmp messages

Re: multihoming and source address of outgoing icmp messages

multihoming and source address of outgoing icmp messages...

Re: Feature Request: IPv6 static neighbor

Re: PPPoE & IPv6

Re: PPPoE & IPv6

Re: PPPoE & IPv6

Re: PPPoE & IPv6

Re: PPPoE & IPv6

Re: PPPoE & IPv6