OSPF and private IP ranges

Posted: Thu Jul 24, 2008 3:40 am
by Rabitech
How can I stop OSPF from publishing routes to Private IP ranges?

I haven't added the private IP ranges into the ospf area in "/routing ospf network" but they can still be seen in the routing tables of other routers. The area is displayed as "unknown" in the ospf routing table on the other routers.

All routers are either v3.10 or v3.11

If you need more information let me know.

Regards,

Re: OSPF and private IP ranges

Posted: Thu Jul 24, 2008 1:02 pm
by Chupaka
"/routing ospf network" defines ranges, and when addresses on some interface are in these ranges, the interface participates in OSPF distribution, and distributes all routes. If you want to filter some routes, you must use "/routing filter".

Re: OSPF and private IP ranges

Posted: Mon Jul 28, 2008 7:48 am
by Rabitech
I can't find much information regarding "/routing filter".

Could you or anyone provide an example of how to stop a specific subnet from being distributed via OSPF?

Cheers

Re: OSPF and private IP ranges

Posted: Mon Jul 28, 2008 8:09 am
by Rabitech
Don't worry, it's actually very straightforward:

e.g.

/routing filter add chain=ospf-out prefix=10.6.50.0/24 action=discard

Cheers.

Re: OSPF and private IP ranges

Posted: Tue Feb 10, 2009 9:52 am
by anjey
Hello. I have the following problem.

I have a router with 3 interfaces and OSPF routing enabled. I need to hide one of the interfaces from other routers.

I've tried everything:

* I do not add network of this interface to OSPF
* I've set up routing filters for this network
* I've added some firewall rules to filter traffic.

But this seemed not enough.

My setup looks like this:
Interfaces
 #    NAME                         TYPE             RX-RATE    TX-RATE    MTU  
 0  R KN                           ether            0          0          1500 
 1  R MainGate                     ether            0          0          1500 
 2 X  702                          ether            0          0          1500 
Addresses
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE      
 0   192.168.108.254/24 192.168.108.0   192.168.108.255 KN             # local network
 1   192.168.105.34/24  192.168.105.0   192.168.105.255 MainGate       # Local network to backbone area
 2   *.*.*.*/27         91.198.10.0     91.198.10.31    MainGate       # real IP here
 3   192.168.158.254/24 192.168.158.0   192.168.158.255 KN             # local network
 4 X 192.168.3.254/24   192.168.3.0     192.168.3.255   702            # This one should be hidden (currently disabled)
OSPF
/routing ospf interface print
 0 interface=KN cost=10 priority=0 authentication-key="12345678" 
   network-type=broadcast retransmit-interval=5s transmit-delay=1s 
   hello-interval=10s dead-interval=40s 

 1 interface=MainGate cost=10 priority=0 authentication-key="12345678" 
   network-type=broadcast retransmit-interval=5s transmit-delay=1s 
   hello-interval=10s dead-interval=40s 
/routing ospf network print 
Flags: X - disabled, I - invalid 
 #   NETWORK            AREA    
 0   192.168.105.0/24   backbone
 1   192.168.108.0/24   backbone
 2   192.168.158.0/24   backbone
OSPF Filters
 /routing filter print
Flags: X - disabled 
 0   chain=ospf-out prefix=192.168.3.0/24 type=ospf invert-match=no 
     action=discard 

 1   chain=ospf-out prefix=192.168.3.254 type=ospf invert-match=no 
     action=discard 

 2   chain=ospf-out prefix=192.168.3.0/24 prefix-length=24 type=ospf 
     invert-match=no action=discard 
The problem is that when I disable the 3.254 address, everything is OK:
  1    <1 мс    <1 мс    <1 мс  192.168.122.254
  2    <1 мс     1 ms     1 ms  192.168.105.13
  3  192.168.105.13  reports: Destination host unreachable.
192.168.105.13 -- our designated router (not under my control)

But when I enable it, I get pings with the "redirected" flag (currently I solved the problem with firewall filters, but this is NOT OK). The 3.x network should be hidden completely from outside.

Currently network is hidden (regardless of 3.254 address enabled) but 3.254 is visible.

Pls help.

PS: in the routing table there are no records with 3.x addresses

Re: OSPF and private IP ranges

Posted: Tue Feb 10, 2009 6:59 pm
by anjey
any suggestions?

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 1:36 am
by Chupaka
hm... ip firewall filter add chain=input dst-address=3.254 action=reject reject-with=icmp-network-unreachable ?

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 12:49 pm
by anjey
hm... ip firewall filter add chain=input dst-address=3.254 action=reject reject-with=icmp-network-unreachable ?
yes, I've setup this currently.

But this leads to 192.168.105.34 reports: destination host unreachable

...

but this is not what i need.

I need that this 3.x network should not be announced to 105.13 so 105.13 should reject with this message. ('Cause 105.13 is default GW here)

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 1:15 pm
by savage
Put the interface you don't require in passive mode. That essentially will disable OSPF on that single interface
Q. How do I stop individual interfaces from developing adjacencies in an OSPF network?

A. To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface command at the interface.

In Internet service provider (ISP) and large enterprise networks, many of the distribution routers have more than 200 interfaces. Configuring passive-interface on each of the 200 interfaces can be difficult. The solution in such situations is to configure all the interfaces as passive by default using a single passive-interface default command. Then, configure individual interfaces where adjacencies are desired using the no passive-interface command. For more information, refer to Default Passive Interface Feature.

There are some known problems with the passive-interface default command. Workarounds are listed in Cisco bug ID CSCdr09263 ( registered customers only) .
http://www.cisco.com/en/US/tech/tk365/t ... 4704.shtml


Based on your original post, I presume this is what you're looking for...

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 2:28 pm
by anjey
Put the interface you don't require in passive mode. That essentially will disable OSPF on that single interface
...
Based on your original post, I presume this is what you're looking for...
How could I accomplish that on MikroTik?

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 2:34 pm
by savage
/routing ospf interface set 1 passive=yes

?

Re: OSPF and private IP ranges

Posted: Wed Feb 11, 2009 6:47 pm
by anjey
I didn't add that interface to OSPF at all, that's the "702" interface and it's not listed in OSPF

Re: OSPF and private IP ranges

Posted: Fri Feb 13, 2009 5:01 pm
by awsmith
hm... ip firewall filter add chain=input dst-address=3.254 action=reject reject-with=icmp-network-unreachable ?
yes, I've setup this currently.

But this leads to 192.168.105.34 reports: destination host unreachable

...

but this is not what i need.

I need that this 3.x network should not be announced to 105.13 so 105.13 should reject with this message. ('Cause 105.13 is default GW here)
Are you sure that 192.168.105.13 is receiving an announcement for 192.168.3.0/24 or does it perhaps have a static route? See if someone can check its routing table and see if that route is being learned via OSPF, or see if it perhaps has a route for 192.168.0.0/16 pointing to 105.13.

Re: OSPF and private IP ranges

Posted: Sat Feb 14, 2009 11:42 am
by anjey
192.168.105.13 DOES NOT receive an announcement for 192.168.3.0/24 but does receive one for 192.168.3.254/32 (IP address on 702 interface of my router). This route is not listed in the IP routes list on other OSPF servers, but when I do a traceroute to 192.168.3.254 it goes (not directly through my interface 105.34) through 192.168.105.13.

Is that happening because of presence of all IP addresses on router in OSPF hello packet?
Any way to hide this single address?
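
Added example, not written by any poster in this thread: a Python check that reads a route table taken from a neighbouring router and reports every route equal to or more specific than a prefix that is meant to stay hidden, including host routes such as the 192.168.3.254/32 described in the last post, plus less specific routes (a default route or a 192.168.0.0/16) that still cover it. The table text is constructed, its column layout is an assumption, and `parse_routes` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: a neighbour's route table (layout is an assumption,
# modelled on a RouterOS-style listing; this is not output from the thread).
SAMPLE_ROUTES = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, o - ospf
 #      DST-ADDRESS        GATEWAY         DISTANCE
 0 ADC  192.168.105.0/24   MainGate        0
 1 ADo  192.168.108.0/24   192.168.105.34  110
 2 ADo  192.168.158.0/24   192.168.105.34  110
 3 ADo  192.168.3.254/32   192.168.105.34  110
 4 A S  0.0.0.0/0          192.168.105.13  1
"""

# index, flag letters (may contain spaces), then the destination in CIDR form
ROUTE_RE = re.compile(
    r"^\s*\d+\s+([A-Za-z ]*?)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
)

def parse_routes(text):
    """Return (flags, network) for every route line; headers are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            flags = m.group(1).replace(" ", "")
            routes.append((flags, ipaddress.ip_network(m.group(2), strict=False)))
    return routes

def audit(text, hidden_prefixes):
    """Split routes into leaks (inside a hidden prefix) and covering routes."""
    hidden = [ipaddress.ip_network(p, strict=False) for p in hidden_prefixes]
    leaked, covering = [], []
    for flags, net in parse_routes(text):
        for h in hidden:
            if net.subnet_of(h):        # equal or more specific, e.g. a /32
                source = "ospf" if "o" in flags else "other"
                leaked.append((str(net), source))
            elif h.subnet_of(net):      # less specific, still attracts traffic
                covering.append(str(net))
    return leaked, covering

if __name__ == "__main__":
    leaked, covering = audit(SAMPLE_ROUTES, ["192.168.3.0/24"])
    print("leaked:", leaked)
    print("covering:", covering)
```
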