Community discussions

MikroTik App
  4. RouterOS
  5. Forwarding Protocols

v7 OSPF: Out filter being ignored?  [SOLVED]

Post Reply
 
hjoelr
newbie
Topic Author
Posts: 38
Joined: Mon Apr 28, 2008 11:29 pm

v7 OSPF: Out filter being ignored?

Fri Oct 14, 2022 7:01 pm

I'm on RouterOS 7.5. I have a VPN tunnel between locations and running OSPF over that tunnel. Something like this:
OSPF-diagram.jpg
The issue I ran into (even back on ROSv6) was that the 66.2.148.252/29 route from R1 would be sent to R2, designating the 10.200.0.1 as the next hop for that route. The same would happen the other way also. Once these routes distributed, the tunnel would drop because now the R1 and R2 were not sending tunnel management traffic directly between 66.2.148.252 and 203.30.61.30, but instead between 10.200.0.1 and 10.200.0.2. This would cause the tunnel to be in a continuous cycle of going down and coming back up until OSPF redistributed the route. I solved this in ROSv6 by creating an OSPF out-filter on both routers that would not distribute the external IP's route to the other routers.

Now in ROSv7, I'm trying to do the same thing. However, I can't seem to get the out-filter to prevent the route to distribute. Here's my config. I'll readily admit that I don't understand many of the options of OSPF in ROSv7, so there's a good chance I'm doing something else wrong.

R1
Code: Select all
/ip address
add address=66.2.148.252/29 interface=ether1 network=66.2.148.248
add address=10.200.0.1/30 interface=wireguard-site2site network=10.200.0.0
---SNIP---
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"
/routing ospf instance
add disabled=no name=ospf-v2-instance out-filter-chain=ospf-out router-id=\
    OSPF_ID
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-v2-instance name=site-to-site
/routing ospf interface-template
add area=site-to-site disabled=no networks=10.200.0.0/30,0.0.0.0/0 type=ptp
R2
Code: Select all
/ip address
add address=203.30.61.30/29 interface=ether1 network=203.30.61.24
add address=10.200.0.2/30 interface=wireguard-site2site network=10.200.0.0
---SNIP---
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 203.30.61.30/29 ) { reject; }"
/routing ospf instance
add disabled=no name=ospf-v2-instance out-filter-chain=ospf-out router-id=\
    OSPF_ID
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-v2-instance name=site-to-site
/routing ospf interface-template
add area=site-to-site disabled=no networks=10.200.0.0/30,0.0.0.0/0 type=ptp

When OSPF connects up, it's as if my out rules don't exist and it happily distributes those routes. Could someone tell me what I'm doing wrong?
You do not have the required permissions to view the files attached to this post.
Top
 
hjoelr
newbie
Topic Author
Posts: 38
Joined: Mon Apr 28, 2008 11:29 pm

Re: v7 OSPF: Out filter being ignored?  [SOLVED]

Sat Oct 15, 2022 12:17 am

I think I got it figured out. There were actually two things I needed to change.

1. I was using the /routing ospf interface-template add ...networks= attribute with the 0.0.0.0/0 network. Apparently MikroTik ignores the filter rules if the default network is being used. I switched to using the /routing ospf interface-template add ...interfaces= parameter.

2. My routes were not being shared when using the /routing ospf interface-template add ...interfaces= parameter and the following filter

Code: Select all
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"

Apparently filter rules default to reject unless there is an accept rule. I found that I needed to do one of two things. (1) Add an "else" path to the filter rule like this:

Code: Select all
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; } else { accept; }"

or (2) add a "catch all" rule to accept anything not rejected like this:

Code: Select all
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"
add chain=ospf-out disabled=no rule="accept;"

The second option gives a little more flexibility if you want multiple "reject" rules and don't want to combine it all into one.
Top
 
AUsquirrel
newbie
Posts: 39
Joined: Fri Feb 21, 2014 10:28 pm

Re: v7 OSPF: Out filter being ignored?

Fri Jul 21, 2023 11:21 am

Thanks hjoer, this information help me solve this exact issue.
Top
 
Dude
just joined
Posts: 9
Joined: Wed Nov 19, 2014 2:25 pm

Re: v7 OSPF: Out filter being ignored?

Fri Aug 04, 2023 5:43 pm

Same trouble R1 p2p R2. On R1
Code: Select all
# 2023-08-04 17:36:31 by RouterOS 7.10.2
# software id =
#
/ip address
add address=32.185.10.166/24 interface=ether1 network=32.185.10.0
add address=172.20.103.1/29 interface=vlan1001 network=172.20.103.0
add address=172.16.16.54/30 interface=wg2gw.p2 network=172.16.16.52
add address=172.16.17.6 interface=bridge0 network=172.16.17.6
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=ospf1 originate-default=never out-filter-chain=ospf-out router-id=172.16.17.6
/routing ospf area
add disabled=no instance=ospf1 name=backbone
/routing filter rule
add chain=ospf-out disabled=no rule="if (dst == 32.185.10.0/24) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 10.0.0.0/8) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 192.168.0.0/16) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 172.16.0.0/12) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 100.64.0.0/10) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 169.254.0.0/16) { reject; }"
add chain=ospf-out disabled=no rule=accept
/routing ospf interface-template
add area=backbone disabled=no interfaces=wg2gw.p2 networks=172.16.16.52/30 type=ptp
add area=backbone disabled=no passive
/ip route
add gateway=32.185.10.1
add blackhole distance=254 dst-address=10.0.0.0/8
add blackhole distance=254 dst-address=100.64.0.0/10
add blackhole distance=254 dst-address=169.254.0.0/16
add blackhole distance=254 dst-address=172.16.0.0/12
add blackhole distance=254 dst-address=192.168.0.0/16
And when OSPF established on R2 received routes:
Code: Select all
/ip route/print interval=1 where ospf && gateway ~ "gw1.p3"
Flags: D - DYNAMIC; A - ACTIVE; o, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY                 DISTANCE
DAo 32.185.10.0/24  172.16.16.54%wg2gw1.p3       110
DAo 172.16.17.6/32   172.16.16.54%wg2gw1.p3       110
DAo 172.20.103.0/29  172.16.16.54%wg2gw1.p3       110
and session drop down constantly
Top
 
Dude
just joined
Posts: 9
Joined: Wed Nov 19, 2014 2:25 pm

Re: v7 OSPF: Out filter being ignored?

Fri Aug 04, 2023 6:02 pm

FIXED: disable passive template ...
Code: Select all
add area=backbone disabled=no interfaces=wg2gw.p2 networks=172.16.16.52/30 type=ptp
add area=backbone disabled=yes passive
Same trouble R1 p2p R2. On R1
Code: Select all
# 2023-08-04 17:36:31 by RouterOS 7.10.2
# software id =
#
/ip address
add address=32.185.10.166/24 interface=ether1 network=32.185.10.0
add address=172.20.103.1/29 interface=vlan1001 network=172.20.103.0
add address=172.16.16.54/30 interface=wg2gw.p2 network=172.16.16.52
add address=172.16.17.6 interface=bridge0 network=172.16.17.6
/routing ospf instance
add disabled=no in-filter-chain=ospf-in name=ospf1 originate-default=never out-filter-chain=ospf-out router-id=172.16.17.6
/routing ospf area
add disabled=no instance=ospf1 name=backbone
/routing filter rule
add chain=ospf-out disabled=no rule="if (dst == 32.185.10.0/24) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 10.0.0.0/8) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 192.168.0.0/16) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 172.16.0.0/12) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 100.64.0.0/10) { reject; }"
add chain=ospf-out disabled=no rule="if (dst == 169.254.0.0/16) { reject; }"
add chain=ospf-out disabled=no rule=accept
/routing ospf interface-template
add area=backbone disabled=no interfaces=wg2gw.p2 networks=172.16.16.52/30 type=ptp
add area=backbone disabled=no passive
/ip route
add gateway=32.185.10.1
add blackhole distance=254 dst-address=10.0.0.0/8
add blackhole distance=254 dst-address=100.64.0.0/10
add blackhole distance=254 dst-address=169.254.0.0/16
add blackhole distance=254 dst-address=172.16.0.0/12
add blackhole distance=254 dst-address=192.168.0.0/16
And when OSPF established on R2 received routes:
Code: Select all
/ip route/print interval=1 where ospf && gateway ~ "gw1.p3"
Flags: D - DYNAMIC; A - ACTIVE; o, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY                 DISTANCE
DAo 32.185.10.0/24  172.16.16.54%wg2gw1.p3       110
DAo 172.16.17.6/32   172.16.16.54%wg2gw1.p3       110
DAo 172.20.103.0/29  172.16.16.54%wg2gw1.p3       110
and session drop down constantly
Top
Post Reply
  4. RouterOS
  5. Forwarding Protocols