
New BGP setup — some advice needed.

Posted: Thu Sep 21, 2023 11:50 am
by Webnetism
Hi all.

I have now configured my two Mikrotik CCR2116-12G-4s+
I have a IPV4 + IPV6 EBGP session setup with my ISP.

I have 3 VRRP instances (currently shared between the two devices), and failover on them works as expected.
However, when I disable ether1 on R1, the VRRP instances on R2 become master, but it then takes up to 1 minute for the WAN connection to stabilise. This isn't great.
We only have one peering session and a single /31 supplied by the ISP.
How can I set the devices up so that failover is much quicker?
I have pasted my config below; it is pretty much the same on both routers, so I will only post one.
I have removed any identifying information (public addresses are redacted in the paste).

Thanking you in advance
# 2023-09-21 09:44:19 by RouterOS 7.10.1
# software id = 6132-QYFL
#
# model = CCR2116-12G-4S+
# serial number = xxxxx
/interface vrrp
# All four VRRP instances are bound to ether1, the ISP-facing port, so losing
# ether1 on this router moves every shared address to the partner at once.
# No authentication= is exported for any instance, i.e. the RouterOS default
# (none) is in use: any host on the ether1 segment could send a higher-priority
# advertisement and take the shared addresses.  Acceptable only if that segment
# is limited to the two routers and the ISP hand-off — confirm.
# The post says both routers run the same config; if both really use
# priority=200, the master is chosen by IP address rather than by intent.
# Give the preferred router a higher priority so the election is deterministic.
add interface=ether1 name=VRRP-94Range priority=200 vrid=94
add interface=ether1 name=VRRP-198Range priority=200 vrid=10
# group-authority=self makes this instance a group leader, but no other
# instance here names it as its authority, so the instances still fail over
# independently rather than as one group — presumably unintended; verify.
add group-authority=self interface=ether1 name=VRRP-BT195 priority=200 vrid=\
    50
# No IPv4 address!
add interface=ether1 name=VRRP-IPV6 priority=200 vrid=6
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is not sent on any interface — good for an
# internet-facing edge.
set discover-interface-list=none
/ip settings
# strict reverse-path filtering drops any packet whose source is not routed
# back via the interface it arrived on.  With two routers sharing addresses over
# VRRP and an iBGP session between them, return paths can be asymmetric around
# a switchover; if traffic is lost during failover, try rp-filter=loose before
# looking elsewhere.
set rp-filter=strict
/interface list member
add interface=ether1 list=WAN
# The LAN list has no interface member, so any rule keyed on
# in-interface-list=LAN / out-interface-list=LAN currently matches nothing.
add list=LAN
/ip address
# ISP-facing /31.  The peering address sits on the VRRP interface, so only the
# current VRRP master owns 0.0.0.99 and can hold the eBGP session; the backup
# has to build a fresh session after it becomes master.
add address=0.0.0.99/31 interface=VRRP-BT195 network=0.0.0.98
# Management / iBGP address; the partner router is .199 (see /routing bgp
# connection).
add address=192.168.50.198/24 interface=ether13 network=192.168.50.0
# Per-router addresses inside the announced ranges (values redacted in the
# paste).  Note these, and the shared gateway addresses below, all ride ether1,
# the same port as the ISP link.
add address=0.0.0.2/24 interface=ether1 network=0.0.0.0
add address=0.0.0.2/24 interface=ether1 network=0.0.0.0
add address=0.0.0.1/24 interface=VRRP-198Range network=0.0.0.0
add address=0.0.0.1/24 interface=VRRP-94Range network=0.0.0.0
/ip firewall address-list
# Lists referenced elsewhere in this export but NOT defined here:
#   allowed_to_router   (/ip firewall nat)  — that accept rule never matches
#   FW_Block_unkown_port (/ip firewall raw) — that drop rule never matches
# BGP-OUT: the only prefixes announced to the ISP (output.network on both
# eBGP connections).
add address=0.0.0.0/24 list=BGP-OUT
add address=0.0.0.0/24 list=BGP-OUT
# support: every source here gets unrestricted access to the router (input
# "Full access" accept) and is exempt from the WinBox drop.  Treat additions to
# this list as granting admin reachability.
add address=192.168.50.0/24 list=support
add address=192.168.20.0/24 list=support
add address=0.0.0.0/24 list=support
add address=192.168.96.0/24 list=support
add address=0.0.0.0/24 list=support
# bogons: used only as a *destination* filter in the forward chain; nothing
# drops spoofed bogon sources arriving on ether1.  192.168.0.0/16 is disabled,
# presumably because the management LAN is 192.168.50.0/24.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
# A whole public /24 is trusted here, not a single host — confirm that every
# address in it should have full access to the router.
add address=80.193.233.0/24 list=support
add address=0.0.0.0/24 list=support
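/ip firewall filter
# ---- input chain: rate-limit / blocklist rules -----------------------------
# This router is the eBGP edge, so the input chain must keep admitting: the
# ISP peer (tcp/179 from 0.0.0.98 via ether1), VRRP between the two routers
# (protocol 112 on ether1), the iBGP/management hosts in the "support" list,
# and the ICMP types the ICMP chain is meant to permit.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
# Every rule in the ICMP chain (bottom of this section) is disabled, so this
# jump and the forward one return without a verdict and ICMP simply falls
# through to the rules that follow.
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# Second layer on top of the /ip service winbox address restriction.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
# ---- forward chain ---------------------------------------------------------
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
# Drops traffic *to* bogon space only; a matching src-address-list=bogons
# in-interface=ether1 drop would also stop spoofed sources from the WAN.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
# ---- input chain: accepts --------------------------------------------------
# FIX: these two rules used port=53, which in RouterOS matches the SOURCE *or*
# the destination port, so any packet sent from source port 53 was accepted
# into the router whatever it targeted.  dst-port=53 admits only DNS queries
# to this router.  They are still open to any source; if the router is not
# meant to be a public resolver, add src-address-list=support (or the client
# ranges) as well.
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# ADDED: explicit accepts for the eBGP peer and for VRRP, so the final drop can
# be enabled without severing the WAN session or the failover pair.  The peer
# address is the ISP side of the /31 (remote.address in /routing bgp
# connection, gateway in /ip route).
add action=accept chain=input comment="Accept eBGP from ISP peer" dst-port=179 in-interface=ether1 protocol=tcp src-address=0.0.0.98
add action=accept chain=input comment="Accept VRRP on ether1" in-interface=ether1 protocol=vrrp
# Still disabled, as in the original: while it is off, the input chain accepts
# everything not matched above (SNMP udp/161, tcp/179 from any source, ...).
# Before enabling it, also enable the ICMP-chain accepts below, otherwise
# echo / destination-unreachable / PMTUD to the router are dropped here.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ---- ICMP chain (every rule disabled in this export) -----------------------
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=yes icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp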
/ip firewall nat
# src-address-list=allowed_to_router is not defined anywhere in this export,
# so this accept never matches and every flow reaches the masquerade below.
add action=accept chain=srcnat protocol=tcp src-address-list=\
    allowed_to_router
# Masquerade rewrites the source of everything leaving via the WAN list
# (ether1) — including traffic from the ranges this router announces over BGP,
# which presumably should leave with their own addresses.  If those ranges are
# meant to be routed rather than NATed, exclude them (an accept rule with
# src-address-list=BGP-OUT placed above this one) or drop the masquerade.
# Confirm intent; the redacted addresses make it impossible to tell here.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
# src-address-list=FW_Block_unkown_port is not defined in this export either,
# so this raw drop currently matches nothing.
add action=drop chain=prerouting in-interface=ether1 protocol=!tcp \
    src-address-list=FW_Block_unkown_port
/ip firewall service-port
# Connection-tracking ALG helpers off — sensible for an edge router.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
# Static default via the ISP side of the /31 at distance 1.  It outranks any
# default the ISP might send over eBGP (RouterOS default eBGP distance is 20).
# Whether it stays active on the VRRP *backup* — whose VRRP-BT195 does not own
# 0.0.0.99 — decides if that router black-holes WAN-bound traffic it receives
# via LAN/iBGP while the master is alive; check with /ip route print on the
# backup and consider check-gateway=ping or relying on the BGP-learned default.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=0.0.0.98 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
# Only WinBox remains enabled, bound to the management /24; with SSH off it is
# the sole remote management path (the support-list firewall rule applies on
# top of this).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.50.0/24
set api-ssl disabled=yes
/ipv6 address
# NOTE: no /ipv6 firewall filter section appears in this export, so the IPv6
# input and forward chains are unfiltered — tcp/179, SNMP and WinBox are all
# reachable over IPv6 from anywhere regardless of the IPv4 rules.  Mirror at
# least the input accepts/drop from /ip firewall filter here.
add address=ipv62/32 advertise=no interface=ether1
# Shared (VRRP) address — only the VRRP master holds it.
add address=ipv61/32 advertise=no interface=VRRP-IPV6
# ISP-facing /127 for the IPv6 eBGP session.
add address=ipv6/127 advertise=no interface=ether1
/ipv6 firewall address-list
# Prefixes announced to the ISP over IPv6 (output.network on BT_PEER_IPV6).
add address=ipv6 list=BGP-OUT
/routing bgp connection
# eBGP to the ISP, sourced from the shared VRRP address 0.0.0.99.  Because the
# session is bound to an address only the VRRP master holds, a switchover cannot
# hand the TCP session over: the new master must open a fresh session, and the
# ISP end will normally keep the stale one until its hold timer expires or it
# processes the new OPEN.  That is the likely source of the "up to 1 minute"
# WAN gap described in the post.  No timers are set here (templates=default), so
# the defaults apply.  Ways to shorten the gap, in order of preference:
#   - ask the ISP for a second session (one per router, each from its own
#     address) so nothing has to be rebuilt on failover;
#   - agree shorter hold-time / keepalive-time, or BFD (use-bfd=yes), with the
#     ISP so the stale session is torn down quickly.
# Security: no tcp-md5-key and no input.filter are exported, so the session is
# unauthenticated and every prefix the ISP sends is accepted as-is.
# output.network=BGP-OUT correctly limits what is announced.  remote.address is
# given as a /31, so a connection from either side of the link is accepted.
add address-families=ip as=1234 disabled=no local.address=0.0.0.99 \
    .role=ebgp name=BT_PEER_IPV4 output.network=BGP-OUT remote.address=\
    0.0.0.98/31 .as=2856 routing-table=main templates=default
# IPv6 eBGP: same caveats as above.  multihop=yes disables the directly-connected
# check and TTL=1 on a peer that appears to be on-link (ipv6/127 on ether1);
# drop it unless the ISP peers from a non-adjacent address.
add address-families=ipv6 as=1234 disabled=no local.address=\
    ipv6 .role=ebgp multihop=yes name=BT_PEER_IPV6 \
    output.network=BGP-OUT remote.address=ipv6 .as=\
    2856 routing-table=main templates=default
# iBGP to the partner router over the management LAN; with the same config on
# both, each router acts as route reflector for the other.
add address-families=ip as=1234 connect=yes disabled=no local.address=\
    192.168.50.198 .role=ibgp-rr name=IBGP remote.address=192.168.50.199/32 \
    routing-table=main templates=default
/snmp
# SNMP is enabled and no /snmp community section is exported, so the default
# community is presumably in use.  The input chain has no final drop, so
# udp/161 is answerable from any source (and from anywhere over IPv6) —
# restrict the community's address/ set a non-default one, or filter 161.
# trap-target=192.168.50.198 is this router's own ether13 address (see
# /ip address); the monitoring host was presumably intended — confirm.
set enabled=yes trap-interfaces=all trap-target=192.168.50.198
/system note
set show-at-login=no
/system ntp client servers
# Single, unauthenticated NTP source; fine, but a second server avoids a single
# point of failure for BGP/VRRP log timestamps.
add address=129.250.35.250
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
# MAC-level WinBox/Telnet and MAC ping are disabled on all interfaces — good.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no