plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

BGP Prefixes Problem

Wed Jan 28, 2009 4:30 pm

I have a BGP session with Team Cymru on a Cisco router and I want to redistribute these bogons from this router to other MikroTik routers.
I configured the BGP session on the first MT and all works fine, but on the second MT router the bogon prefixes are in an invalid state: same configuration, same RouterOS version 3.16, same hardware.
Has anyone had the same problem?

Thanks in advance,

Pablo
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Wed Jan 28, 2009 6:43 pm

i attempted to do the same thing, although i was marking the routes coming in from cymru in a routing-mark so it didn't interfere with my main table. i wasn't able to bgp prefixes in alternate tables I believe. If the routes are just invalid it's most likely because the gateway isn't reachable, you might need to set-nexthop using routing-filters.
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: BGP Prefixes Problem

Wed Jan 28, 2009 7:35 pm

Invalid or Unreachable? It might be a scope/target-scope problem.
 
gustkiller
Member
Posts: 419
Joined: Sat Jan 07, 2006 5:15 am
Location: Brazil

Re: BGP Prefixes Problem

Wed Jan 28, 2009 8:09 pm

here's a config example from team cymru's website.
# Config by Ariel S. Weher, based on Team Cymru's Cisco Template.
# Working in the 3.X version of Mikrotik RouterOS.

/routing bgp instance
set default as=<YOUR_ASN_NUMBER> client-to-client-reflection=yes comment="" disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=<Your router-id ip address>


/ip firewall address-list
add address=<SESSION#1.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #1" disabled=no list=BGP-NEIGHBORS
add address=<SESSION#2.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #2" disabled=no list=BGP-NEIGHBORS

/ip firewall filter
add action=accept chain=input comment="BGP Neighbors" disabled=no dst-port=179 protocol=\
    tcp src-address-list=BGP-NEIGHBORS 

/ip route
add comment="Blackhole traffic route" disabled=no distance=1 dst-address=192.0.2.1/32 type=blackhole

/routing bgp peer
add address-families=ip comment="TEAM-CYMRU BOGON Server #1" disabled=no hold-time=3m in-filter=BOGON-SERVER-IN \
	instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 \
	nexthop-choice=default out-filter=BGP-DROP remote-address=\
    <SESSION#1.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255

add address-families=ip comment="TEAM-CYMRU BOGON Server #2" disabled=no hold-time=3m in-filter=BOGON-SERVER-IN \
	instance=default max-prefix-limit=50 multihop=yes name=CYMRU-2 \
	nexthop-choice=default out-filter=BGP-DROP remote-address=\
    <SESSION#2.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255
	
/routing filter
add action=accept bgp-communities=65333:888 chain=BOGON-SERVER-IN comment="" \
    disabled=no invert-match=no protocol=bgp set-out-nexthop=192.0.2.1
add action=discard chain=BOGON-SERVER-IN comment="" disabled=no invert-match=\
    no protocol=bgp
add action=discard chain=BGP-DROP comment="" disabled=no invert-match=no \
    protocol=bgp
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: BGP Prefixes Problem

Wed Jan 28, 2009 8:54 pm

Changeip: next-hop from v3.x was removed, that works fine in 2.9.51
Medianet: I mean Unreachable and I am using target-scope=40 in both routers
 
boardman
Member Candidate
Posts: 258
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico

Re: BGP Prefixes Problem

Wed Jan 28, 2009 9:06 pm

.
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: BGP Prefixes Problem

Thu Jan 29, 2009 11:42 am

As far as i can see you have multihop peerings, try to lower the scope of your static route to the peer:
Static route scope < BGP route target-scope to make them active
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: BGP Prefixes Problem

Fri Jan 30, 2009 10:39 pm

Doesn't work changing static route scope lower than BGP Target Scope :(
Any ideas?

Thanks!

Pablo
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Sat Jan 31, 2009 8:38 am

so the next hop is unreachable? and it's in a connected route ?
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: BGP Prefixes Problem

Mon Feb 02, 2009 3:11 pm

Next hop is 192.0.2.1; this route was created on the MT as a blackhole interface, like the null interface in Cisco.

Here's the export of BGP:

/routing bgp instance
set default as=65503 client-to-client-reflection=yes comment="" disabled=no ignore-as-path-len=no name=default out-filter="" redistribute-connected=no \
redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no router-id=172.16.16.18

/routing bgp peer
add address-families=ip comment="" disabled=no hold-time=3m in-filter=bogon-in instance=default multihop=yes name=peer1 nexthop-choice=default out-filter=\
deny-all remote-address=200.xxx.xxx.xxx remote-as=27926 route-reflect=no tcp-md5-key=nnnnnnn ttl=40

/routing filter
add action=accept bgp-communities=27926:8888 bgp-origin=igp chain=bogon-in comment="" disabled=no invert-match=no protocol=bgp set-out-nexthop=192.0.2.1 \
set-target-scope=40
add action=discard bgp-origin="" chain=bogon-in comment="" disabled=no invert-match=no protocol=bgp
add action=discard chain=deny-all comment="" disabled=no invert-match=no

/ip route
add comment="" disabled=no distance=1 dst-address=192.0.2.1/32 type=blackhole

Regards,

Pablo
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Mon Feb 02, 2009 6:54 pm

Is that 192.0.2.1 active in the routing table? Can you run an /ip route print detail and give me that snippet ?

Also, just for troubleshooting, try creating an empty bridge interface (loopback), and place the 192.0.2.1/32 IP address on it... and remove the blackhole rule. I am wondering if it's the blackhole feature that's causing it to be unreachable, since it's a blackhole.
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: BGP Prefixes Problem

Mon Feb 02, 2009 8:37 pm

Hello Changeip, here is a part of my routing table, as you can see static route is already active.

36 Db 175.0.0.0/8 unreachable 192.0.2.1 20
37 Db 176.0.0.0/8 unreachable 192.0.2.1 20
38 Db 177.0.0.0/8 unreachable 192.0.2.1 20
39 Db 179.0.0.0/8 unreachable 192.0.2.1 20
40 Db 180.0.0.0/8 unreachable 192.0.2.1 20
41 Db 181.0.0.0/8 unreachable 192.0.2.1 20
42 Db 182.0.0.0/8 unreachable 192.0.2.1 20
43 Db 183.0.0.0/8 unreachable 192.0.2.1 20
44 Db 185.0.0.0/8 unreachable 192.0.2.1 20
45 Db 192.0.2.0/24 unreachable 192.0.2.1 20
46 A SB 192.0.2.1/32 1

Creating an empty bridge with IP address 192.10.2.1/32 works fine, because I tried it before, but why doesn't it work with the blackhole interface? On the other hand, I have a similar router with the same configuration without problems.

Thanks!

Pablo
 
itfutura
newbie
Posts: 32
Joined: Tue May 22, 2007 1:25 pm
Location: Poland

Re: BGP Prefixes Problem

Thu Feb 05, 2009 10:26 pm

I have the same problem. A static IP address on a bridge interface doesn't resolve the problem.

IP prefixes received from Cymru's bogon servers are inactive.
 0  Db  dst-address=1.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40 target-scope=10 
        bgp-as-path="65333" bgp-med=0 bgp-origin=igp bgp-communities=65333:888,no-export 
        received-from=80.81.197.33 

 1  Db  dst-address=1.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40 target-scope=10 
        bgp-as-path="65333" bgp-med=0 bgp-origin=igp bgp-communities=65333:888,no-export 
        received-from=81.91.160.38 

 2  Db  dst-address=2.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40 target-scope=10 
        bgp-as-path="65333" bgp-med=0 bgp-origin=igp bgp-communities=65333:888,no-export 
        received-from=80.81.197.33 

 3  Db  dst-address=2.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40 target-scope=10 
        bgp-as-path="65333" bgp-med=0 bgp-origin=igp bgp-communities=65333:888,no-export 
        received-from=81.91.160.38 

Can anybody help?
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Thu Feb 05, 2009 10:44 pm

Yes, because the 192.0.2.1 is probably blackholed and it's not reachable, right? I don't think those instructions on the cymru stuff are 100% right. I will test a few things and see if I can get a workable solution. We simply use the BGP to get the list, convert them to an address-list and then drop in the firewall.
 
itfutura
newbie
Posts: 32
Joined: Tue May 22, 2007 1:25 pm
Location: Poland

Re: BGP Prefixes Problem

Thu Feb 05, 2009 11:01 pm

I have tested both: 192.0.2.1 blackholed and assigned to a bridge interface.

In BGP it should not be a problem to set next-hop for prefixes received via BGP, right? I use routing-test 3.20.

The route to 192.0.2.1 is active in the routing table. I don't understand this situation. Using an address-list is a bad idea in my opinion.
For 35 routes it's not a problem, but what if I want to set next-hop for 18000 prefixes? I think doing an address-list is not a replacement.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Thu Feb 05, 2009 11:17 pm

no, we use the incoming routes to build an address-list so that we can also use these prefixes in the firewall... it's in addition to, not replacing. We'd rather block the traffic as it's coming in, not trying to leave. (we do both however).

/routing filter
add action=accept chain=cymru-in comment=\
"Cymru Chain - Mark bogons with a different routing-mark" disabled=no \
invert-match=no set-bgp-communities=65333:888 \
set-type=blackhole

You can simply use that routing filter above to tell it to make it a blackhole route. No gateway, interface, next hop, or anything else needed.
 
itfutura
newbie
Posts: 32
Joined: Tue May 22, 2007 1:25 pm
Location: Poland

Re: BGP Prefixes Problem

Thu Feb 05, 2009 11:38 pm

Oh, you are right. There is no option set-type=blackhole in winbox. I didn't check in the command line.

Thanks. Now it works.
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: BGP Prefixes Problem

Fri Feb 06, 2009 2:27 pm

Solved!

Thanks a lot guys.


Pablo
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: BGP Prefixes Problem

Fri Feb 06, 2009 6:41 pm

below is a modified version of that document.

now what i want to know is how to reflect these prefixes to another router. It seems like if you have anything in a routing-mark or blackhole type table you can't reflect the list.
# Config by Ariel S. Weher, based on Team Cymru's Cisco Template.
# Working in the 3.X version of Mikrotik RouterOS.
# 2009-02-06 Modified by Sam Norris.  Removed static routes
#              and used "set-type=blackhole".

/routing bgp instance
set default as=<YOUR_ASN_NUMBER> router-id=<Your router wan ip address>

/ip firewall address-list
add address=<SESSION#1.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #1" disabled=no list=BGP-NEIGHBORS
add address=<SESSION#2.Team-Cymru's.IP.Address> comment="TEAM-CYMRU BOGON Server #2" disabled=no list=BGP-NEIGHBORS

/ip firewall filter
add action=accept chain=input comment="BGP Neighbors" disabled=no dst-port=179 protocol=\
    tcp src-address-list=BGP-NEIGHBORS 

/routing bgp peer
add comment="TEAM-CYMRU BOGON Server #1" hold-time=3m in-filter=BOGON-SERVER-IN \
   instance=default max-prefix-limit=50 multihop=yes name=CYMRU-1 \
   nexthop-choice=default out-filter=BGP-DROP remote-address=\
   <SESSION#1.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255

add comment="TEAM-CYMRU BOGON Server #2" hold-time=3m in-filter=BOGON-SERVER-IN \
   instance=default max-prefix-limit=50 multihop=yes name=CYMRU-2 \
   nexthop-choice=default out-filter=BGP-DROP remote-address=\
    <SESSION#2.Team-Cymru's.IP.Address> remote-as=65333 route-reflect=no tcp-md5-key=Password_Received_From_Cymru ttl=255
   
/routing filter
add action=accept bgp-communities=65333:888 chain=BOGON-SERVER-IN comment="" \
    disabled=no invert-match=no set-type=blackhole
add action=discard chain=BOGON-SERVER-IN comment="" disabled=no invert-match=no
add action=discard chain=BGP-DROP comment="" disabled=no invert-match=no
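
The failure in this thread is silent: the sessions are up and the prefixes arrive, but every bogon route is inactive, so nothing is dropped. As an added example (not code from any poster or from MikroTik), this Python script parses saved `/ip route print detail` output and lists the bogon prefixes that have no active copy. The sample text is constructed, and the flag string of the installed blackhole route in record 2 is an assumption.

```python
import re
import shlex

BOGON_COMMUNITY = "65333:888"  # community matched by the thread's filters

# Constructed sample modelled on the "/ip route print detail" output quoted in
# the thread; record 2 (an installed blackhole route) is an assumed form.
SAMPLE = '''\
 0  Db  dst-address=1.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40
        target-scope=10 bgp-as-path="65333" bgp-communities=65333:888,no-export
        received-from=80.81.197.33
 1  Db  dst-address=1.0.0.0/8 gateway=192.0.2.1 unreachable distance=20 scope=40
        bgp-communities=65333:888,no-export received-from=81.91.160.38
 2 ADbB dst-address=2.0.0.0/8 distance=20 scope=40 target-scope=10
        bgp-communities=65333:888,no-export received-from=80.81.197.33
 3 A SB dst-address=192.0.2.1/32 distance=1
'''

def parse_routes(text):
    """Turn print-detail output into one dict per numbered route record."""
    chunks = []
    for line in text.splitlines():
        start = re.match(r"\s*\d+\s+(\S.*)", line)
        if start:                       # "<index> <flags> key=value ..."
            chunks.append(start.group(1))
        elif line.strip() and chunks:   # indented continuation line
            chunks[-1] += " " + line.strip()
    routes = []
    for chunk in chunks:
        tokens = shlex.split(chunk)     # also strips quotes around values
        first_kv = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
        route = dict(t.split("=", 1) for t in tokens[first_kv:] if "=" in t)
        route["flags"] = "".join(tokens[:first_kv])  # "Db", "A SB" -> "ASB"
        route["unreachable"] = "unreachable" in tokens[first_kv:]
        routes.append(route)
    return routes

def audit_bogon_routes(routes, community=BOGON_COMMUNITY):
    """Map each bogon prefix to whether at least one received copy is active."""
    report = {}
    for r in routes:
        if community in r.get("bgp-communities", "").split(","):
            active = "A" in r["flags"] and not r["unreachable"]
            report[r["dst-address"]] = report.get(r["dst-address"], False) or active
    return report

def ineffective_prefixes(text):
    """Bogon prefixes received over BGP that are not dropping any traffic."""
    return sorted(p for p, ok in audit_bogon_routes(parse_routes(text)).items() if not ok)
```

An empty result from `ineffective_prefixes` means every prefix carrying the bogon community has at least one active route; any prefix it returns is received but not enforced.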
