Page 1 of 1
Help needed with routing filters v7
Posted: Wed Sep 01, 2021 1:00 pm
by sander123
Hello,
There is very little information about the routing filters, and i need some help with it.
I have found this:
https://help.mikrotik.com/docs/display/ ... figuration
But it is not much.
First i need help with OSPF and later with my BGP maybe, but lets start with the OSPF part.
I have now 3 filter rules, i replaced our subnets with some fake.
0 chain=ospf-out-v2 rule="if (dst-len==32 && dst in 10.255.255.0/24) {accept}"
1 chain=ospf-out-v3 rule="if (dst-len>32 && dst in 2aaa:aaaa::/32) {accept}"
2 chain=ospf-out-v2 rule="if (dst-len>22 && dst in 185.1.2.0/22) {accept}"
Rule 0 is for the loopback IP's and rule 1/2 are for our public IP's.
I want to advertise all smaller subnets we have split over multiple vlans (so /29 and /30 subnets for example), but only if they are active on this router, we use multiple routers as PPPoE servers and clients are randomly load balanced so as soon as a client connect to one of the PPPoE servers OSPF needs to advertise the route for this clients subnet.
In v6 you have the option "Redistribute Connected Routes as type 1", i cannot find this on v7.
The reason i not set redistribute connected and redistribute static routes on in v7 is that i don't want alle other subnets to be advertised in OSPF.
I hope my question/problem is clear, if not let me know!
Kind regards,
Sander
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 1:05 pm
by mrz
v7 also has redistribute parameter.
/routing/ospf/instance set xx redistribute=connected
The only difference is that type and cost must be set using routing filters.
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 1:37 pm
by sander123
Oke, thanks.
Do you know the syntax for setting the cost and the type in the routing filter?
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 3:07 pm
by mrz
"set ospf-ext-type type1; set ospf-ext-metric 11"
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 3:49 pm
by sander123
Thank you, the autofill doesn't give all the options back that are possible.
Can you check if i understand it right? Is this the correct way to select both static and connected? (so using ||)
if (dst-len>32 && dst in 2aaa:aaaa::/32 && protocol static || protocol connected ) {set ospf-ext-type type1; set ospf-ext-metric 20; accept }
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 3:55 pm
by mrz
Completion does not show that yet, but you can type
if (protocol static,connected) {}
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 4:10 pm
by sander123
Thank you, it works!
I have a last question for BGP in v7.
What is the best way to filter bogon networks? In v6 we have:
We have a separate rule sets for every peer.
first rule is a jump rule to Discard-IPv4-in
then we have some discard rules in order to block for example 192.168.0.0/16 and 0.0.0.0/8 etc etc
then we have a return rule.
the we accept all other routes and set local pref
The same we do for IPv6.
Is this still the way to go in v7?
Re: Help needed with routing filters v7
Posted: Wed Sep 01, 2021 7:30 pm
by mrz
The same approach can be used in v7, except that instead of drop you can only reject in filter rules.
Logic is something like this:
* BGP packet received
* accepted/dropped by input.accept config (configured in bgp template or connection)
* accepted input messages decoded and stored in memory
* decoded prefixes are sent to be filtered by routing filters.
So if you want to save memory and completely discard some bogon prefixes then use input.accept-nlir, or other input.accept- parameters to accept only specific prefixes to BGP input.
Re: Help needed with routing filters v7
Posted: Fri Sep 03, 2021 10:27 am
by sander123
I have a small OSPF problem,
I have the following route filter:
if (dst in 185.x.x.0/22 && protocol static,connected) {set ospf-ext-type type1; set ospf-ext-metric 20; accept}
When a PPPoE user/secret has also a routes object/rule, to route for example a /29 subnet to the customer, this is not being redistributed through OSPF.
In the route table the route has a DAS state, so Dynamic, Active, Static.
How do i change the route filter to also distribute this routes?
Re: Help needed with routing filters v7
Posted: Fri Sep 03, 2021 11:12 am
by mrz
Send a supout file to support.
Re: Help needed with routing filters v7
Posted: Fri Sep 03, 2021 1:46 pm
by sander123
Send a supout file to support.
Ticket SUP-59118
Re: Help needed with routing filters v7
Posted: Sat Sep 04, 2021 12:36 am
by sander123
I think it's a bug in v7.
The extra subnet has the status of a VPN route.
I i change the route filter and do "redistribute static,connected,vpn" it works
Re: Help needed with routing filters v7
Posted: Sat Sep 04, 2021 10:54 am
by mrz
What do you consider a bug? That you need to specify to redistribute vpn routes for vpn routes?
Re: Help needed with routing filters v7
Posted: Mon Sep 19, 2022 4:52 pm
by millanbelsue
I have V7.5 and I am a little confused regards BGP output filter.
I have a router with a lot of subnets but I only want to publish (172.23.54.x/24)
0 chain=BGP_Filter rule="if (dst-len>24 && dst in 172.23.54.0/24) {accept}"
Besides I have configured the BGP as follow:
name="bgp1"
remote.address=10.109.173.1/32 .as=65052
local.default-address=10.109.173.2 .role=ebgp
routing-table=main templates=default as=65873 nexthop-choice=default hold-time=3m cisco-vpls-nlri-len-fmt=auto-bits
output.redistribute=connected .filter-chain="BGP_Filter" .default-originate=never
I do not know if it is ok because I have no idea how to check which are the subnets advertised,
Re: Help needed with routing filters v7
Posted: Mon Sep 19, 2022 5:00 pm
by rextended
«I only want to publish (172.23.54.x/24)» ???
Filters are for filter what you get, not what you give.
/ip firewall address-list
add address=172.23.54.0/24 list=bgp-networks
/ip route
add blackhole disabled=no distance=255 dst-address=172.23.54.0/24 routing-table=main
/routing bgp template
set bgp1 output.network=bgp-networks
Re: Help needed with routing filters v7
Posted: Tue Sep 20, 2022 10:39 am
by millanbelsue
OK, thank you. I have implemented those commands but I do not find how to see what are the network adverised in order to know if it is working.
Please, can you share with me the command.
Re: Help needed with routing filters v7
Posted: Tue Sep 20, 2022 5:20 pm
by anav
Filters are for filter what you get, not what you give.
Priceless 
But, I think he is metaphorically stating something that is obvious in his life!
If I filter Italian coffee ( the worlds best), its what you get after the filter, not what you put into the filter, that counts.
Re: Help needed with routing filters v7
Posted: Tue Sep 20, 2022 6:56 pm
by rextended
I can't find CCR1036 anymore (with v6 or not). New availability is at November...
I'm forced to use a CCR2116-12G-4S+ and I'm afraid to use v7 for BGP…
I don't know what awaits me…
Re: Help needed with routing filters v7
Posted: Wed Sep 21, 2022 1:54 am
by loloski
@millanbelsue
I suggest if that's production box, put that in the lab like in GNS3 then try it there if it works then copy the config in production, it a sad story that this simple thing is not giving a priority boost from MT
Re: Help needed with routing filters v7
Posted: Thu Sep 22, 2022 11:34 pm
by millanbelsue
I can not configure everything in a lab. I have to do right now and I do not find how to see what are the network adverised in order to know if it is working.
Please, anyone can share with me the command.
Re: Help needed with routing filters v7
Posted: Thu Sep 22, 2022 11:49 pm
by Railander
I can't find CCR1036 anymore (with v6 or not). New availability is at November...
I'm forced to use a CCR2116-12G-4S+ and I'm afraid to use v7 for BGP…
I don't know what awaits me…
i'm just trying to setup v7 for bgp and for the love of me i cannot do the v6 equivalent of
in the new filters. nothing works and the documentation doesn't even have basic examples.
one would think it's
but unset doesn't support that property.
also doesnt work...
Re: Help needed with routing filters v7
Posted: Fri Sep 23, 2022 10:17 am
by mrz
delete bgp-*-communities
Re: Help needed with routing filters v7
Posted: Sat Sep 24, 2022 1:38 pm
by Railander
delete bgp-*-communities
bgp-*-communities is not a valid term. no idea how you even came up with that.
i've tried basically everything possible and nothing works. in fact from my testing i don't even see how anything involving the command delete instead of filter would work.
filter removes only the matcher, while delete is an inversed filter that removes everything except the matcher, except when the matcher is not found, in that case it removes nothing. both require a matcher to function, so you cant do just "filter bgp-communities" nor "delete bgp-communities".
and of course, you'd think something like "filter bgp-communities *" would work, except it doesn't.
Re: Help needed with routing filters v7
Posted: Mon Sep 26, 2022 10:16 am
by StubArea51
I'm having the same type of issue with deleting communities in a route.
Here is a received route with a large community
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0 && bgp
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .large-communities=1016:65102:4 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
When I apply this filter:
add chain=ipv4-remove-isp-origin-community-2 rule="if ( bgp-large-communities equal 1016:65102:4 ) { delete bgp-large-communities all; accept;}"
The community is deleted as shown
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
However when I apply this filter
/routing filter community-large-list
add communities=1016:65102:4 list=bgp-community-large-1016-65102-4
routing/filter/rule/
routing/filter/rule/set rule="if ( bgp-large-communities equal-list bgp-community-large-1016-65102-4 ) { delete bgp-large-communities all; accept;}"
The large community is not deleted:
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0 && bgp
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .large-communities=1016:65102:4 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
Re: Help needed with routing filters v7
Posted: Mon Sep 26, 2022 3:37 pm
by millanbelsue
How can I check what are the routes advertised by BGP???
Re: Help needed with routing filters v7
Posted: Mon Sep 26, 2022 3:56 pm
by Railander
I'm having the same type of issue with deleting communities in a route.
Here is a received route with a large community
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0 && bgp
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .large-communities=1016:65102:4 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
When I apply this filter:
add chain=ipv4-remove-isp-origin-community-2 rule="if ( bgp-large-communities equal 1016:65102:4 ) { delete bgp-large-communities all; accept;}"
The community is deleted as shown
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
However when I apply this filter
/routing filter community-large-list
add communities=1016:65102:4 list=bgp-community-large-1016-65102-4
routing/filter/rule/
routing/filter/rule/set rule="if ( bgp-large-communities equal-list bgp-community-large-1016-65102-4 ) { delete bgp-large-communities all; accept;}"
The large community is not deleted:
[zuul@rtr-core-01.v7.ipa.dev] > routing/route/print det where dst-address=0.0.0.0/0 && bgp
Flags: X - disabled, F - filtered, U - unreachable, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, a - ldp-address, l - ldp-mapping, y - copy; H - hw-offloaded; + - ecmp, B - blackhole
AbH afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main gateway=100.127.1.1 immediate-gw=100.126.1.1%vlan3100 distance=200 scope=40 target-scope=30
belongs-to="bgp-IP-100.127.1.1"
bgp.peer-cache-id=*B000002 .as-path="65102" .communities=1016:0 .large-communities=1016:65102:4 .local-pref=100 .atomic-aggregate=yes .origin=igp
debug.fwp-ptr=0x202C2AE0
tried
delete bgp-communities all and
filter bgp-communities all, neither worked.
from my tests,
filter removes matching communities while
delete is an inversed filter, removing everything except the matching communities (does nothing if there are no matching communities).
for now i'm having to settle with
set bgp-communities internet, which seems to be the same as community 0:0.
by the way, because the parameter
bgp-communities can refer to both a community and a community list, if you try to use a community list with the exact same name as one of the well-known communities (for example
/routing/filter/community-list/add list=internet ) you get soft-locked. nothing was lost but had to reboot.
Re: Help needed with routing filters v7
Posted: Wed Sep 28, 2022 2:42 pm
by mrz
command delete bgp-communities all doe snot exist
if you want to delete everything from bgp-communities then use
delete bgp-communities wk,other;
Re: Help needed with routing filters v7
Posted: Wed Sep 28, 2022 2:44 pm
by mrz
However when I apply this filter
/routing filter community-large-list
add communities=1016:65102:4 list=bgp-community-large-1016-65102-4
routing/filter/rule/
routing/filter/rule/set rule="if ( bgp-large-communities equal-list bgp-community-large-1016-65102-4 ) { delete bgp-large-communities all; accept;}"
The large community is not deleted:
In this case there is not a problem with the delete but with the matcher. On which version you are testing?
Re: Help needed with routing filters v7
Posted: Wed Sep 28, 2022 2:55 pm
by StubArea51
This is with 7.6 beta8
Re: Help needed with routing filters v7
Posted: Wed Sep 28, 2022 3:24 pm
by mrz
Please wait for the next beta where this particular problem should be fixed
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 2:08 pm
by Fi011
Can anybody tell me the equivalent to this this super easy filter in 6.4?:
add action=accept chain=TEST-in prefix=103.X.X.0/22 prefix-length=22-24
add action=discard chain=TEST-in
And this one:
add action=reject chain=out-test prefix=10.0.0.0/24 prefix-length=24-32
add action=accept chain=out-test
thanks in advance
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 2:13 pm
by mrz
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 3:40 pm
by Fi011
Mikrotik support - helpful as always LOL
I dont get why you have to post such unhelpful posts really... I know where I can find the documentation thanks
Can you at least tell me if this will allow everything except 10.8.1.0/24? Will rule 2 accept all prefixes sent, or rule 3, or any of those would work? In v6 we just used 0.0.0.0/0 accept in filters to allow all prefixes, not sure if its going to work here.
Hope you can answer directly not point to documentation I already read. Thanks.
1. add chain=test-out disabled=no rule="if (dst==10.8.1.0/24) {reject}\r\
\n"
2. add chain=test-out disabled=no rule="if (dst==0.0.0.0/0) {accept}\r\
\n"
3. add chain=test-out disabled=no rule="if (dst-len>=0) {accept}\r\
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 3:47 pm
by chechito
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 3:52 pm
by Fi011
Hi chechito,
Yes, I think it's needed to do blackroute similar to NULL0 in cisco.
Do you maybe have any input for my question (post above)?
Hope which of those rules will allow anything.
Thanks.
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 4:12 pm
by mrz
Documentation examples have exactly what you have asked in your original post.
== measn "equal" so, no, dst==0.0.0.0/0 will not match everything, because 0.0.0.0/0 is a default route
Re: Help needed with routing filters v7
Posted: Tue Dec 20, 2022 4:35 pm
by Fi011
meaning that add chain=test-out disabled=no rule="if (dst-len>=0) {accept}\r\ will accept everything, right?
or dst>=0.0.0.0/0 will match everything?
I'm sorry but moving to a totally new concept is confusing. In the documentation there is an example for matching the default route, but not for matching all traffic, which is what I need.
Re: Help needed with routing filters v7
Posted: Wed Dec 21, 2022 4:58 pm
by karaye91
I have implemented those commands but I do not find how to see what are the network adverised in order to know if it is working.
Please, can you share with me the command.
