BGP/Routing question
Posted: Mon Nov 25, 2019 12:41 pm
by webix
Hello Folks.
Here's the config I have:
- Mikrotik router @ my home with 2 ISPs.
- Mikrotik router @ an IX.
- MikrotikOS router @ a worldwide ISP.
My Home router connects to:
- ISP 1 with BGP session.
- ISP 2 (no BGP here).
- Mikrotik router @ IX by GRE and BGP session.
- Mikrotik router @ worldwide ISP with GRE and BGP session.
- A 3rd anti-ddos ISP with GRE and BGP session.
The config is pretty simple. I announce my IP ranges to the internet on ISP1, IX, worldwide and anti-ddos ISP.
Now, I want to send the traffic from worldwide ISP to anti-ddos ISP. How can I do this? Take note that I don't have a router at the anti-ddos ISP and can't control its announcements.
Mainly, I want to announce on the worldwide ISP that the route should go through anti-ddos.
Is this possible?
Regards
Re: BGP/Routing question
Posted: Mon Nov 25, 2019 4:00 pm
by Cha0s
I don't know if I fully understand what you ask, but I believe that in order to achieve what you want, you stop announcing your prefixes to the worldwide ISP and only announce them to the Anti-DDoS ISP, and they in turn announce them to the world.
This way your incoming world-wide traffic will arrive to you only through the Anti-DDoS ISP, while outgoing traffic will work as it did before.
Re: BGP/Routing question
Posted: Mon Nov 25, 2019 4:25 pm
by webix
Hello Cha0s.
Yes, I understand that. It's the default behavior I used. But this is my problem:
I have:
- ISP1
- ISP2
- ISP3
- AntiDDoS ISP
I want to send all traffic from ISP2 to AntiDDoS ISP. Only that one. If I stop the announcement on ISP2, it goes by default to ISP1, and I don't want that.
I tried to set, on ISP2, set-out-nexthop with the AntiDDoS router IP, but it ended up with routes not being announced and the traffic going to ISP1.
Regards
Re: BGP/Routing question
Posted: Mon Nov 25, 2019 4:47 pm
by Cha0s
I don't think you can do that.
The way I understand it, if you need a prefix to be passed through the Anti-DDoS ISP, you need to only announce it via them and not any other ISP.
Otherwise, anyone that is closer to that other ISP will choose that path to reach you instead of the Anti-DDoS ISP.
Re: BGP/Routing question
Posted: Mon Nov 25, 2019 6:05 pm
by paulct
Usually one would create a tunnel to a DDOS provider, and advertise your prefixes there.
Re: BGP/Routing question
Posted: Wed Dec 04, 2019 6:48 pm
by Murmaider
Use a GRE (or even a direct cable) to the AntiDDoS ISP.
Ask your ISP to create you a BGP community that allows you to tell the ISPs to stop advertising your prefixes to their peers.
This forces all incoming traffic to go via the AntiDDoS provider (since they are the only ones advertising your prefixes or the prefix being attacked), and all outgoing traffic still goes out via your non-saturated ISPs' links.
Only read now that you only want it to happen on the one ISP2 link. I don't think you're going to be able to force traffic coming over ISP2 to go via the AntiDDoS because of the way BGP does best path selection.
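The approach the replies converge on (withdraw the attacked prefix from the transit peers and keep announcing it only to the Anti-DDoS peer over the GRE tunnel, tagged with the provider's community) as an added RouterOS config example, not taken from the thread or from any poster. It assumes RouterOS v6 routing-filter syntax, the documentation prefix 203.0.113.0/24, and placeholder peer addresses, ASNs and community value.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 syntax; prefix,
# peer addresses, ASNs and the community value below are placeholders.
# Idea from the thread: while under attack, only the Anti-DDoS peer hears the
# prefix, so every inbound path ends at the scrubbing provider. Outbound
# traffic is unaffected because it follows the routes received, not sent.

# The prefix we originate.
/routing bgp network
add network=203.0.113.0/24 synchronize=no

/routing filter
# Out-filter for the Anti-DDoS peer: announce the prefix and tag it with the
# community the provider assigned (PLACEHOLDER value, ask your provider).
add chain=antiddos-out prefix=203.0.113.0/24 action=accept \
    set-bgp-communities=64496:100
add chain=antiddos-out action=discard

# Out-filters for the regular transit peers. The "mitigation" rules discard
# the prefix so those ISPs stop advertising it to the world; disable them
# to return to normal multi-homed announcements.
add chain=isp1-out prefix=203.0.113.0/24 action=discard comment="mitigation"
add chain=isp1-out action=accept
add chain=isp2-out prefix=203.0.113.0/24 action=discard comment="mitigation"
add chain=isp2-out action=accept

# Peers (addresses and ASNs are placeholders); the Anti-DDoS peer sits at
# the far end of the GRE tunnel.
/routing bgp peer
add name=antiddos remote-address=192.0.2.1 remote-as=64496 out-filter=antiddos-out
add name=isp1 remote-address=198.51.100.1 remote-as=64497 out-filter=isp1-out
add name=isp2 remote-address=198.51.100.5 remote-as=64498 out-filter=isp2-out

# Check what each peer is actually being sent before relying on it:
#   /routing bgp advertisements print peer=isp2
# should show nothing for 203.0.113.0/24 while the mitigation rules are active.
```

Note that this is the whole-prefix behaviour the thread settles on; there is no per-peer knob that makes traffic arriving via one transit ISP detour through the Anti-DDoS peer, because the inbound path is chosen by remote networks' best-path selection.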