
BUG: (BGP) Filter community match not working with community 0:0

Posted: Mon Sep 19, 2016 1:06 am
by ecaps
Hi there,

Currently there are around 2000 IP prefixes in the Internet table with an illegal value 0:0 community set.
-> http://blog.ipspace.net/2008/03/misteri ... unity.html
With all other vendors, that's not a big problem, but with MikroTik it breaks the matching algorithm for the community filter.

For example:
Your upstream sends you the whole Internet table, but you only want to accept the prefixes from the Czech Republic. Normally you do that by filtering the routes with the "Czech Republic" community set.
Level3 has a community for all prefixes learned in Czech Republic: 3356:512
Then your filter should look like this:

add action=accept bgp-communities=3356:512 chain=TEST comment=accept_cz_prefixes
add action=discard chain=TEST

Currently there are 354 routes tagged with the 3356:512 community, but we can see 2393 routes going through the filter:
/ip route> print count-only
2393

Here is an example of a wrongly matched route:

6 ADb dst-address=2.179.0.0/16 gateway=XXX gateway-status=XX recursive via XXX vlan252 distance=200 scope=40 target-scope=30 bgp-as-path="200612,12880" bgp-local-pref=100 bgp-med=100 bgp-origin=igp
bgp-communities=0:0,XXX:30000, received-from=XXXX
No 3356:512 at all.

One of the 354 "good" routes:
0 ADb dst-address=31.179.197.0/24 gateway=XXX gateway-status=XXX recursive via XXX vlan252 distance=200 scope=40 target-scope=30 bgp-as-path="3356,50607,198537" bgp-local-pref=100 bgp-med=100
bgp-origin=igp bgp-communities=3356:2,3356:22,3356:100,3356:123,3356:512,3356:2083,XXX:30000,XXX:30120,50607:8000,50607:8079 received-from=XXXX

I sent a bug report months ago, but MikroTik wasn't able to fix it by now.

"Ok, sorry. Currently our priority is to work on new routing implementation.
Unfortunately I cannot tell when exactly we will start to fix this problem in old
versions."

Tested with:
6.34.6
6.36.3
6.37rc36

Best Regards,
Tobias

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Sun Sep 25, 2016 11:06 pm
by Risty
Hi Tobias,

I have reported the same problem, and Mikrotik confirmed.

This is because community 0:0 is seen like a 'match all'. It will match any filter based on community.
So far, we have only one upstream provider sending 0:0 community (Cogent Communication).
As a workaround, for this provider, we are not appending our communities, we are setting our communities (so it removes their 0:0 tag).

IMHO, this is a major issue.

Risty / VERIXI (AS49964)

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Mon Sep 26, 2016 12:13 am
by patrick7
According to http://blog.ipspace.net/2008/03/misteri ... unity.html, it looks like the community INTERNET equals 0:0
MikroTik wiki says that if INTERNET is set, it will match always, see http://wiki.mikrotik.com/wiki/Manual:Ro ... ng_filters
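
A small model of the behaviour described in the posts above, as an added example that is not part of the thread and is not RouterOS code: it parses route lines in the style of the print output quoted earlier and lists the prefixes a community filter would accept only because they carry 0:0. The sample routes, AS 64500 and all function names are constructed for illustration.

```python
import re

WILDCARD = "0:0"  # community the affected versions treated as "match all"

# Constructed sample in the style of the route print output quoted in the thread.
# The trailing comma on the first line mirrors the quoted output.
SAMPLE_ROUTES = """\
dst-address=2.179.0.0/16 bgp-as-path="200612,12880" bgp-communities=0:0,64500:30000, received-from=peer1
dst-address=31.179.197.0/24 bgp-as-path="3356,50607,198537" bgp-communities=3356:2,3356:512,64500:30000 received-from=peer1
dst-address=198.51.100.0/24 bgp-as-path="64496" bgp-communities=64500:30000 received-from=peer1
dst-address=203.0.113.0/24 bgp-as-path="3356,64497" bgp-communities=0:0,3356:512 received-from=peer1
"""

def parse_routes(text):
    """Yield (prefix, set_of_communities) for each route line."""
    for line in text.splitlines():
        dst = re.search(r"dst-address=(\S+)", line)
        if not dst:
            continue
        comm = re.search(r"bgp-communities=(\S*)", line)
        values = comm.group(1).split(",") if comm else []
        yield dst.group(1), {c for c in values if c}  # drop empty items

def strict_match(communities, wanted):
    """Expected behaviour: accept only if the wanted community is present."""
    return wanted in communities

def wildcard_match(communities, wanted):
    """Reported behaviour: a route carrying 0:0 matches any community filter."""
    return WILDCARD in communities or wanted in communities

def audit(text, wanted):
    """Return prefixes accepted by each matcher and the wrongly accepted ones."""
    routes = list(parse_routes(text))
    strict = [p for p, c in routes if strict_match(c, wanted)]
    buggy = [p for p, c in routes if wildcard_match(c, wanted)]
    leaked = [p for p in buggy if p not in strict]
    return strict, buggy, leaked

if __name__ == "__main__":
    strict, buggy, leaked = audit(SAMPLE_ROUTES, "3356:512")
    print("expected accepts:", strict)
    print("accepted with 0:0 as match-all:", buggy)
    print("wrongly accepted:", leaked)
```
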

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Mon Sep 26, 2016 6:50 pm
by ZeroByte
It would be nice if there was a BGP action "strip-community=xxxx:yyyy" which would simply remove specified communities while leaving any others in place.
That would fix this easily by configuring the first rule in a filter to do that to 0:0 and pass-through as the action.
It would be quite useful in other situations too.
Win/Win situation!

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Mon Sep 26, 2016 8:22 pm
by patrick7
Oh yes. I proposed that to MikroTik. Maybe in RouterOS v7 :-)

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Wed Oct 19, 2016 7:13 pm
by ecaps
And another poor guy got *ucked by that BUG.

http://forum.mikrotik.com/viewtopic.php?f=14&t=113170

Please fix this ASAP!

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Thu Oct 20, 2016 5:12 pm
by borisk
The answer of Mikrotik support last week:
All your mentioned features and fixes are part of v7 TODO list.
Unfortunately I cannot tell you when exactly v7 will be ready, if it will take too much time probably to satisfy customers we will try to improve v6 with most critical requests and bugfixes.

Fix with 0:0 community was also requested.

Regards,
Boris

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Thu Oct 20, 2016 9:05 pm
by savage
"The answer of Mikrotik support last week:
All your mentioned features and fixes are part of v7 TODO list.
Unfortunately I cannot tell you when exactly v7 will be ready, if it will take too much time probably to satisfy customers we will try to improve v6 with most critical requests and bugfixes."
That's getting really old from MT these days... :-(

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Tue Nov 15, 2016 4:35 pm
by mrz
Problem is solved in 6.38rc31

Re: BUG: (BGP) Filter community match not working with community 0:0

Posted: Sat Nov 19, 2016 9:07 pm
by ecaps
Yes, I can confirm that!
Thank you!

What's new in 6.38rc31 (2016-Nov-15 12:51):

!) ipsec - added IKEv2 EAP RADIUS passthrough authentication for responder (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
*) bgp - do not match all prefixes tagged with community 0:0 by routing filters;
*) certificate - fixed crash when crl is removed while it is being fetched;
*) dhcp - request dhcp options only if dhcp client is successfully added;
*) dude - (changes discussed here: http://forum.mikrotik.com/viewtopic.php?f=8&t=112599);
*) log - ignore email topic if action is email;