Hello!
[boris@MikroTik] > /routing bgp instance print
Flags: * - default, X - disabled
0 * name="default" as=198070 router-id=31.44.12.205 redistribute-connected=yes
redistribute-static=yes redistribute-rip=no redistribute-ospf=no
redistribute-other-bgp=no out-filter=rm-bgp-local
client-to-client-reflection=no ignore-as-path-len=no routing-table=""
/routing filter
remove [find chain=rm-bgp-local]
add chain=rm-bgp-local action=passthrough protocol="connect,static" address-family=ip set-bgp-local-pref=900 set-bgp-communities="local-as,65070:100"
add chain=rm-bgp-local action=passthrough protocol="connect,static" address-family=ipv6 set-bgp-local-pref=900 set-bgp-communities="local-as,65070:100"
add chain=rm-bgp-local action=passthrough protocol="static" address-family=ip prefix=31.44.12.0/23 set-bgp-local-pref=900 set-bgp-communities="65070:101"
add chain=rm-bgp-local action=passthrough protocol="static" address-family=ip prefix=89.223.20.0/24 set-bgp-local-pref=900 set-bgp-communities="65070:101"
add chain=rm-bgp-local action=passthrough protocol="static" address-family=ipv6 prefix=2a00:ff20:0001::/48 set-bgp-local-pref=900 set-bgp-communities="65070:101"
/routing filter
remove [find chain=rm-bgpv4-upstream-out]
add chain=rm-bgpv4-upstream-out action=accept address-family=ip prefix=0.0.0.0/0 prefix-length=8-24 bgp-communities=65070:101
add chain=rm-bgpv4-upstream-out action=accept address-family=ip prefix=0.0.0.0/0 prefix-length=8-24 bgp-communities=65070:104
add chain=rm-bgpv4-upstream-out action=discard
[boris@MikroTik] > /routing bgp peer print detail where name=up-v4-comfortel
Flags: X - disabled, E - established
0 E name="up-v4-comfortel" instance=default remote-address=85.143.187.21
remote-as=56534 tcp-md5-key="" nexthop-choice=default multihop=no
route-reflect=no hold-time=3m ttl=default in-filter=rm-bgpv4-upstream-in
out-filter=rm-bgpv4-upstream-out address-families=ip default-originate=never
remove-private-as=no as-override=no passive=no use-bfd=no
[boris@MikroTik] > /routing bgp advertisements print up-v4-comfortel
PEER PREFIX NEXTHOP AS-PATH ORIGIN LOCAL-PREF
up-v4... 85.143.188.0/23 85.143.187.22 51783,51783,5... igp
up-v4... 83.96.23.0/24 85.143.187.22 35000,20764,2... igp
up-v4... 37.237.194.0/24 85.143.187.22 35000,20764,1... igp
up-v4... 93.95.26.0/24 85.143.187.22 35000,20485,1... igp
up-v4... 85.9.104.0/21 85.143.187.22 35000,20764,2... igp
up-v4... 85.143.168.0/22 85.143.187.22 51783,51783,5... igp
up-v4... 37.238.158.0/23 85.143.187.22 35000,20764,1... igp
up-v4... 85.143.187.22 35000,20764,2... igp
up-v4... 151.236.161.0/24 85.143.187.22 35000,20764,2... igp
and all 600k prefixes more
For example:
[boris@MikroTik] > /ip route print detail where dst-address=2.189.48.0/22
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADb dst-address=2.189.48.0/22 gateway=85.235.198.125
gateway-status=85.235.198.125 reachable via VL0.230 distance=20 scope=40
target-scope=10 bgp-as-path="35000,20764,200612,12880,49100,34918"
bgp-local-pref=200 bgp-origin=igp
bgp-communities=0:0,20764:3000,20764:3013,20764:3020,20764:3031,35000:1105,
65070:102
received-from=up-v4-prometey
1 Db dst-address=2.189.48.0/22 gateway=85.143.187.21
gateway-status=85.143.187.21 reachable via VL0.1605 distance=20 scope=40
target-scope=10 bgp-as-path="56534,20764,200612,12880,49100,34918"
bgp-local-pref=200 bgp-origin=incomplete
bgp-communities=0:0,0:6412,0:12880,0:15802,0:43852,0:48159,0:48728,0:60929,
5607:5607,8714:8714,20764:3006,20764:3014,20764:3020,20764:3035,
56534:1000,56534:1040,65070:102
received-from=up-v4-comfortel
May be I'm ver very stupid. But please tell me, why the route 2.198.48.0/22 for example is announced to upstream???
Regards,
Boris
Re: What's wrong with my out filter????
So, I found the problem may be in:
bgp-communities (integer:integer | internet | local-as | no-advertise | no-export;) match the COMMUNITIES BGP attribute. Match is done when communities attribute in a route contains all entries from this configured list. But note that if communities list contains 'internet', the whole list always matched.
As we can see, routes contain 0:0 (internet) community. So, is there a way to filter routes with 0:0 community? Simple adding
add chain=rm-bgpv4-upstream-out action=discard address-family=ip bgp-communities=0:0
totally discards all the routes.
Mikrotik support, gurus, please help me in this very simple task. I can do it with cisco, quagga and can't with mikrotik????
Regards,
Boris
bgp-communities (integer:integer | internet | local-as | no-advertise | no-export;) match the COMMUNITIES BGP attribute. Match is done when communities attribute in a route contains all entries from this configured list. But note that if communities list contains 'internet', the whole list always matched.
As we can see, routes contain 0:0 (internet) community. So, is there a way to filter routes with 0:0 community? Simple adding
add chain=rm-bgpv4-upstream-out action=discard address-family=ip bgp-communities=0:0
totally discards all the routes.
Mikrotik support, gurus, please help me in this very simple task. I can do it with cisco, quagga and can't with mikrotik????
Regards,
Boris
Re: What's wrong with my out filter????
Have read many post about 0:0 community and ROS. And always only one answer: if the route is marked with 0:0 community it is impossible to filter it by bgp-communities. It is always matched. But why? This is (IMHO) definitely wrong. From my point of view this is serious security issue. In real BGP world where we are transit ISP and should pass user's communities from one link to another we can't use own communities to simplify our filters. We must keep tons of filters with prefixes to be sure the right way announces. As any user can set 0:0 community to its prefix and bypass our filters. 
It this true or there is a solution?
It this true or there is a solution?Re: What's wrong with my out filter????
Dear support!
Please take a look at this too.
Regards,
Boris
Please take a look at this too.
Regards,
Boris
Re: What's wrong with my out filter????
An easy fix would be to drop prefixes from customers if they contain community 0:0 and make that part of your published policy.
Do you want to allow customers to send communities to you which you then allow through to other networks? It's my understanding that this is not common practice. Perhaps your in-filters on customers should check for communities that you support, perform those actions on the prefix, and then replace the community list with your own communities.
Basically, scrub everything at the door when it comes in, so you can build out filters secure in the knowledge that communities will only be a certain way that you've designed.
Do you want to allow customers to send communities to you which you then allow through to other networks? It's my understanding that this is not common practice. Perhaps your in-filters on customers should check for communities that you support, perform those actions on the prefix, and then replace the community list with your own communities.
Basically, scrub everything at the door when it comes in, so you can build out filters secure in the knowledge that communities will only be a certain way that you've designed.
Re: What's wrong with my out filter????
ZeroByte, it is common practice for transit ISP, as me. With passing communities on users prefixes I permit users to more precisely route traffic based on upstream policy (for example user do not want to receive some kind of traffic from my upstream). So I can't replace communities, only append.
Drop prefix with 0:0 community is a very bad idea as it may (and it is) come even from upstream and breaks my policy too.
Regards, Boris
Drop prefix with 0:0 community is a very bad idea as it may (and it is) come even from upstream and breaks my policy too.
Regards, Boris
Who is online
Users browsing this forum: k3wf3w and 15 guests