BGP Filters translate from ros6 to ros7 not working

Posted: Tue Jan 16, 2024 4:53 am
by macosoft
Hello,
I've updated from ros6 to ros7 and BGP filters seem to not work anymore.
In ros6 the config is this:

[admin@ros6] /routing filter> print
0 chain=from_telekom prefix=x.x.96.0/23 invert-match=no action=discard set-bgp-prepend-path=""
1 chain=from_rds prefix=x.x.96.0/23 invert-match=no action=discard set-bgp-prepend-path=""
2 chain=from_telekom prefix=x.x.98.0/23 invert-match=no action=discard set-bgp-prepend-path=""
3 chain=from_rds prefix=x.x.98.0/23 invert-match=no action=discard set-bgp-prepend-path=""
4 chain=from_telekom prefix=0.0.0.0/0 invert-match=no action=accept set-bgp-weight=100 set-bgp-local-pref=120 set-bgp-prepend-path=""
5 chain=from_rds invert-match=no action=accept set-distance=50 set-bgp-prepend-path=""
6 chain=to_telekom prefix=x.x.96.0/23 invert-match=no action=accept set-bgp-prepend=3 set-bgp-prepend-path="" set-bgp-communities=""
7 chain=to_rds prefix=x.x.96.0/23 invert-match=no action=accept set-bgp-prepend-path="" set-bgp-communities="" append-bgp-communities=""
8 chain=to_telekom prefix=x.x.98.0/23 invert-match=no action=accept set-bgp-prepend=3 set-bgp-prepend-path="" set-bgp-communities=""
9 chain=to_rds prefix=x.x.98.0/23 invert-match=no action=accept set-bgp-prepend-path="" set-bgp-communities="" append-bgp-communities=""
10 chain=to_rds invert-match=no action=discard set-bgp-prepend-path=""
11 chain=to_telekom invert-match=no action=discard set-bgp-prepend-path=""

In ros7 the config is this:
[admin@ros7] /routing/filter> export
add chain=from_telekom disabled=no rule="if (dst == x.x.96.0/23) { reject; }"
add chain=from_rds disabled=no rule="if (dst == x.x.96.0/23) { reject; }"
add chain=from_telekom disabled=no rule="if (dst == x.x.98.0/23) { reject; }"
add chain=from_rds disabled=no rule="if (dst == x.x.98.0/23) { reject; }"
add chain=from_telekom disabled=no rule="if (dst == 0.0.0.0/0) { set bgp-weight 100; set bgp-local-pref 120; accept; }"
add chain=from_rds disabled=no rule="set distance 50; accept;"
add chain=to_rds disabled=no rule="reject;"
add chain=to_telekom disabled=no rule="reject;"

Any ideas what to change in ros7 to work?

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Tue Jan 16, 2024 7:42 am
by loloski
You can use this as a starting point. Also, discard is no longer available; please read the document:

https://help.mikrotik.com/docs/display/ ... h+examples
https://help.mikrotik.com/docs/display/ ... nd+Filters

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Tue Jan 16, 2024 11:03 am
by macosoft
loloski wrote:
> You can use this as a starting point. Also, discard is no longer available; please read the document:
>
> https://help.mikrotik.com/docs/display/ ... h+examples
> https://help.mikrotik.com/docs/display/ ... nd+Filters
Thank you, but I've tried those links before posting.
Also, I've tried to disable the rules with discarding with no luck. :(

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Tue Jan 16, 2024 11:10 am
by vingjfg
Macosoft, I think your last 3 rules should be:
add chain=from_rds disabled=no rule="if (dst-len>-1) {set distance 50; accept}"
add chain=to_rds disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject"
add chain=to_telekom disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject"
Let me know if that works for you.

Edited: I noticed that the first version did not cover the default route. Fixed by changing "0" with "-1".

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Tue Jan 16, 2024 11:16 am
by rextended
Don't get hung up on just checking the filter rules,
just because you think that's where the mistake lies.
Maybe the rest of the address-list configuration in the firewall and the other BGP parameters can also be wrong...


Simple test: remove all filters.
By default, if a filter is present, the action is reject,
but by default, if a filter is not present, it is accept,
so if the filters are the problem, removing all filters produces a working BGP peer, but if it still does not work, the problem is (also) elsewhere...

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Thu Jan 18, 2024 4:23 am
by macosoft
vingjfg wrote:
> Macosoft, I think your last 3 rules should be:
> add chain=from_rds disabled=no rule="if (dst-len>-1) {set distance 50; accept}"
> add chain=to_rds disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject"
> add chain=to_telekom disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject"
> Let me know if that works for you.
>
> Edited: I noticed that the first version did not cover the default route. Fixed by changing "0" with "-1".
I tried with your modified rules but with no luck.
When I disable this rule:
chain=from_telekom disabled=no rule="if (dst == 0.0.0.0/0) { set bgp-weight 100; set bgp-local-pref 120; accept; }"
I don't have internet on the router either. Seems like it's working only bgp from one provider.

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Thu Jan 18, 2024 4:26 am
by macosoft
rextended wrote:
> Don't get hung up on just checking the filter rules,
> just because you think that's where the mistake lies.
> Maybe the rest of the address-list configuration in the firewall and the other BGP parameters can also be wrong...
>
> Simple test: remove all filters.
> By default, if a filter is present, the action is reject,
> but by default, if a filter is not present, it is accept,
> so if the filters are the problem, removing all filters produces a working BGP peer, but if it still does not work, the problem is (also) elsewhere...
I have disabled all the filters but in this case it shows BGP connections up from both providers with no internet access on router or computer.
In ros7, should there be any additional rule in the route list?

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Thu Jan 18, 2024 4:42 pm
by vingjfg
macosoft wrote:
> vingjfg wrote:
> > Macosoft, I think your last 3 rules should be:
> > ...
> I tried with your modified rules but with no luck.
> When I disable this rule:
> chain=from_telekom disabled=no rule="if (dst == 0.0.0.0/0) { set bgp-weight 100; set bgp-local-pref 120; accept; }"
> I don't have internet on the router either. Seems like it's working only bgp from one provider.
Can you post the route filters you have here, as well as the output of /ip route print when you disable the rule for the default in the chain from_telekom?

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Mon Jan 22, 2024 7:17 pm
by anav
QUOTE: vingjfg (from other thread on same topic)
> Hi Macosoft,
>
> Can you provide the output of the following commands?
>
> I may need a larger subset of the configuration later but I want to start with the minimum.
> /routing/export
> /ip/firewall/address-list/export
> /ip/route/print

Re: BGP Filters translate from ros6 to ros7 not working

Posted: Mon Jan 22, 2024 9:51 pm
by pe1chl
Remember that in v6 when a chain of filters ends, the default action is "accept". In v7, the default action at the end is "reject".
So, when you had filters in v6 that only modify some BGP parameters or rejected some networks, it would work because the implicit accept at the end accepts the routes. In v7 you need an explicit rule that does rule="accept;" at the end to make it work the same way.
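
The default-action difference described in the post above, as an added example that is not part of the thread: a small Python model (not RouterOS code) that evaluates macosoft's from_telekom and to_telekom chains under both end-of-chain defaults. The prefixes are constructed stand-ins for the masked x.x.96.0/23, and the rule tuples and the `prepend` key are simplifications assumed for illustration.

```python
# Toy model (added example) of how a filter chain ends in RouterOS v6 vs v7.
# Prefixes are constructed stand-ins: 192.0.2.0/24 plays the masked x.x.96.0/23.
OWN = "192.0.2.0/24"
DEFAULT = "0.0.0.0/0"
OTHER = "198.51.100.0/24"   # any other route learned from the peer

# Each rule: (exact prefix to match, or None for "match all"; attributes to set; action).
# action is "accept", "reject", or None (modify only, keep evaluating).
FROM_TELEKOM = [
    (OWN, {}, "reject"),
    (DEFAULT, {"bgp-weight": 100, "bgp-local-pref": 120}, "accept"),
]
# The only to_telekom rule present in the posted v7 export.
TO_TELEKOM_V7_EXPORT = [(None, {}, "reject")]
# What the v6 to_telekom rules (6, 8, 11) did; "prepend" is a hypothetical key name.
TO_TELEKOM_V6_INTENT = [(OWN, {"prepend": 3}, "accept"), (None, {}, "reject")]

def evaluate(chain, prefix, default_action):
    """Walk the chain; default_action is what happens when no rule decides."""
    attrs = {}
    for match, sets, action in chain:
        if match is not None and match != prefix:
            continue
        attrs.update(sets)
        if action is not None:
            return action, attrs
    return default_action, attrs

def accepted(chain, prefixes, default_action):
    """Prefixes that survive the chain under the given end-of-chain default."""
    return [p for p in prefixes if evaluate(chain, p, default_action)[0] == "accept"]

def with_explicit_accept(chain):
    """Append an unconditional accept so a v7 chain ends the way a v6 chain did."""
    return chain + [(None, {}, "accept")]

if __name__ == "__main__":
    routes = [OWN, DEFAULT, OTHER]
    print("v6 from_telekom     :", accepted(FROM_TELEKOM, routes, "accept"))
    print("v7 from_telekom     :", accepted(FROM_TELEKOM, routes, "reject"))
    print("v7 + explicit accept:", accepted(with_explicit_accept(FROM_TELEKOM), routes, "reject"))
    print("v7 to_telekom export:", accepted(TO_TELEKOM_V7_EXPORT, [OWN], "reject"))
    print("v6 to_telekom intent:", accepted(TO_TELEKOM_V6_INTENT, [OWN], "reject"))
```

In this model the v7 from_telekom chain keeps only the default route, and the exported to_telekom chain advertises nothing because the v6 accept rules for the owned prefixes are absent from the posted v7 export.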