BGP FILTER DISCARD NOT WORKING ROS 5.6

polokus · Tue Sep 06, 2011 6:26 am

Hello Anyone notice that the filter is not working?

/routing filter> export
# sep/06/2011 11:21:17 by RouterOS 5.6
#
/routing filter
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.220.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=no invert-match=no prefix=67.55.221.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.222.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.223.0/24 prefix-length=24 set-bgp-prepend=\
    10
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.224.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.225.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.226.0/24 prefix-length=24
add action=accept chain=isp-1-out disabled=yes invert-match=no prefix=67.55.227.0/24 prefix-length=24
add action=discard chain=isp-1-out comment=discard disabled=no invert-match=no
add action=discard chain=isp-1-out comment=discard disabled=yes invert-match=no prefix=67.55.220.0/21 prefix-length=\
    21-24

add action=discard chain=isp-1-in disabled=no invert-match=no prefix=0.0.0.0
add action=discard chain=isp-1-in disabled=no invert-match=no prefix=67.55.220.0/21 prefix-length=21-24

my rb1100 still getting routing from bgp peer and cpu is 100% all the time finally i manage to re login and disable the peer + reboot the router and it work normally, but i cannot send my prefixes through my isp.
do you guys have a recommendation how to fix this or doing downgrade to 4.17 should be sufficient?

my config is only a slight modification from the bgp example here

http://wiki.mikrotik.com/wiki/Manual:Simple_BGP_Multihoming#Network_Advertisements_and_Routing_Filters

any pointer will be appreciated
thankyou

fewi · Tue Sep 06, 2011 6:48 am

BGP filters are working fine for me on 5.6

What exactly are you trying to accomplish? Presumably you're trying to advertise either 67.55.220.0/21 or 67.55.221.0/24? Can you show the rest of your BGP configuration: "/routing bgp export", "/routing bgp peer print detail", and "/routing bgp advertisement print [peername] detail"?

polokus · Tue Sep 06, 2011 8:19 am

BGP filters are working fine for me on 5.6

What exactly are you trying to accomplish? Presumably you're trying to advertise either 67.55.220.0/21 or 67.55.221.0/24? Can you show the rest of your BGP configuration: "/routing bgp export", "/routing bgp peer print detail", and "/routing bgp advertisement print [peername] detail"?

here it is the filter code with disabled part removed to make clearer view

/routing filter> export
# sep/06/2011 11:21:17 by RouterOS 5.6
#
/routing filter
add action=accept chain=isp-1-out disabled=no invert-match=no prefix=67.55.221.0/24 prefix-length=24
add action=discard chain=isp-1-out comment=discard disabled=no invert-match=no

add action=discard chain=isp-1-in disabled=no invert-match=no prefix=0.0.0.0
add action=discard chain=isp-1-in disabled=no invert-match=no prefix=67.55.220.0/21 prefix-length=21-24

this is the bgp instance

/routing bgp instance
set default as=65141 client-to-client-reflection=no disabled=no ignore-as-path-len=no name=default out-filter="" \
    redistribute-connected=yes redistribute-ospf=no redistribute-other-bgp=yes redistribute-rip=no redistribute-static=\
    no router-id=67.67.224.30 routing-table=""

this is the bgp network listing contains of ip address that i wanted to send to my peer, but currently i only wanted to advertise 1 block 67.55.221.0/24

/routing bgp network
add disabled=no network=67.55.220.0/24 synchronize=no
add disabled=no network=67.55.221.0/24 synchronize=no
add disabled=no network=67.55.222.0/24 synchronize=no
add disabled=no network=67.55.223.0/24 synchronize=no
add disabled=no network=67.55.224.0/24 synchronize=no
add disabled=no network=67.55.225.0/24 synchronize=no
add disabled=no network=67.55.226.0/24 synchronize=no
add disabled=no network=67.55.227.0/24 synchronize=no

this is my peer config, inbound filter using isp-1-in which is discarded all the routing info from peer and send out my specific ip block with isp-1-out filter

/routing bgp peer
add address-families=ip as-override=no comment=PEERING-to-ISP1 default-originate=never disabled=yes hold-time=3m in-filter=\
    isp-1-in instance=default multihop=no name=isp-1 nexthop-choice=default out-filter=isp-1-out passive=no \
    remote-address=67.67.224.29 remote-as=65142 remove-private-as=no route-reflect=no tcp-md5-key="" ttl=255 use-bfd=no

detail mode

/routing bgp> peer print detail 
Flags: X - disabled, E - established 
 0 X ;;; isp-1
     name="isp-1" instance=default remote-address=67.67.224.29 remote-as=65142 tcp-md5-key="" nexthop-choice=default 
     multihop=no route-reflect=no hold-time=3m ttl=255 in-filter=isp-1-in out-filter=isp-1-out address-families=ip 
     default-originate=never remove-private-as=no as-override=no passive=no use-bfd=no

this is the advertisement it should contain my ip block 67.55.221.0/24, but currently offline (i disabled it)

/routing bgp> advertisements print isp-1 detail

peer is not active

i have my default route from the other isp so i discarded all the routing information given by isp1, i need traffic in it just for specific block 67.55.221.0/24
but when i enabled the peer config my rb 1100 still receive 300 thousand routes from isp-1 which should've been dropped by the input filter

, my guess is that the routing filter is broken somehow.
Any comment will be appreciated

regards

Tue Sep 06, 2011 8:48 am

Get rid of prefix=0.0.0.0, rule with such prefix will not match anything.

polokus · Tue Sep 06, 2011 10:45 am

Get rid of prefix=0.0.0.0, rule with such prefix will not match anything.

So it is a gui problem then, i put manually on terminal and it works, but must remove the old one and input new command, using set command doesn't work

thanks guys problem solved

Tue Sep 06, 2011 10:49 am

yes, this is a known gui problem which will be fixed in v5.7

nikhil · Sun Sep 11, 2011 8:16 pm

similar issue here ... do i need to control it or not?

fewi · Sun Sep 11, 2011 8:52 pm

Remove the "0.0.0.0" prefix erroneously added to the rules created via the GUI. You simply have to delete that rule in the CLI and then re-create it without the prefix.

nikhil · Sun Sep 11, 2011 8:59 pm

this is what got it working
add action=accept chain=reliance-bgp-out disabled=no invert-match=no prefix=\
XXXXXXXXX prefix-length=24 set-bgp-prepend=9 set-in-nexthop=\
YYYYY set-out-nexthop=YYYYY

---this rule gets rid of everything so it doesnt go out ..
add action=discard chain=reliance-bgp-out disabled=no invert-match=no prefix=\
!0.0.0.0

BGP FILTER DISCARD NOT WORKING ROS 5.6

BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Re: BGP FILTER DISCARD NOT WORKING ROS 5.6

Who is online