Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress)

AlohaSpark · Tue Aug 29, 2023 5:49 pm

NOTE: All the IP addresses below are examples, and are not my actual public IP addresses.

I have a Mikrotik located on my ISP's premises. I also have a /24 block and ASN, which is announced just fine.

[admin@MikroTik] > /routing/bgp/advertisements/print
 0 peer=bgp1 dst=49.123.123.0/24 afi=ip nexthop=111.222.222.111 origin=0 as-path=sequence 123456

I then established a VxLAN tunnel between the ISP and my local MT. I assigned the IP addresses as in the below diagram.

Lastly, I added a static route on the ISP-side MT:

[admin@MikroTik] /ip/route> export

/ip route
add blackhole disabled=no distance=200 dst-address=49.123.123.0/24
add disabled=no dst-address=49.123.123.3/32 gateway=192.168.123.2 routing-table=main

 ┌────────────────────┐         ┌─────────────────────┐
 │                    │         │                     │      IPv4 BGP
 │     Mikrotik 1     │         │     Mikrotik 2      │     Full table
 │                    │         │                     │          ▲
 │ vxlan-local        │◄───────►│ vxlan-2             │          │
 │  192.168.123.2/30  │  VxLAN  │  192.168.123.1/30   │          │
 │  49.123.123.3/32   │         │                     │          │
 │                    │         │ eth1-WAN            │          │
 │ eth1-WAN           │         │  111.222.222.111/24 ├──────────┘
 │  Normal internet   │         │  49.123.123.2/32    │
 │                    │         │                     │
 │ eth2-LAN           │         │                     │
 │  Normal LAN        │         │                     │
 │                    │         │                     │
 │                    │         │                     │
 │                    │         │                     │
 └────────────────────┘         └─────────────────────┘

I confirmed that the local MT can ping ISP-MT (192.168.123.1), and ISP-MT can ping local MT (192.168.123.2 and 49.123.123.3). Additionally, I can ping ISP-MT (111.222.222.111 and 49.123.123.2) from the outside, which is great. BGP is working, and static routing works I think.

The issue is I can't ping local MT from outside. Am I missing anything?
BGP works, both routers can talk to each other, but outside can't access local MT.

Currently at a loss. Any help will be appreciated.

pe1chl · Tue Aug 29, 2023 7:09 pm

Do you have a firewall configuration?

AlohaSpark · Tue Aug 29, 2023 7:27 pm

Do you have a firewall configuration?

Currently, no. Both MikroTiks have zero firewall/NAT rules.

StubArea51 · Fri Sep 01, 2023 12:35 pm

Is the peering iBGP or eBGP between the routers?

What address are you trying to ping and where does it stop if you traceroute?

AlohaSpark · Fri Sep 01, 2023 2:34 pm

Is the peering iBGP or eBGP between the routers?

What address are you trying to ping and where does it stop if you traceroute?

It's eBGP between ISP my Mikrotik (on their premises). I then tried to set a static route to that remote MT and my local MT.

All good now, it seems to have been a Windows issue rather than the routers (which were apparently working the whole time).

Currently now have OSPF and appropriate filters between the two MTs.

Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress) [SOLVED]

Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress)

Re: Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress)

Re: Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress)

Re: Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress)

Re: Static Routes + BGP - Routers can ping each other, but won't pass traffic through it (ingress and egress) [SOLVED]

Who is online