Hi everyone,

I have a situation with RouterOS7.8 I have the following topology:
What I'm trying to do is to have redundancy between the two ISPs, but I just can't make it work, I want a prefix to be accessed through ISP2 but is ISP2 fails that it can go through ISP1 and vice versa, I tried with prepend on only 1 prefix on the router connected to ISP1, but it doesn't seem to work. To make it work like I want it I have to delete the prefixes and add them if something happens to ISP2.

Is there something I can do to make it work automatically?? I'll really appreciate your help.

as long as u have def-route provided by ospf , will do redundancy. but your topology is not designed for that.
How about if R2 die?

I know I don't have hardware redundancy with this topology, but I want at least redundancy in the service(access to internet)

My problem right now is that if I leave all the prefixes in Router 1 all IN traffic is coming from ISP1, what I want to do is to have all the prefixes in both routers but still make that all traffic from prefix 201.131.189.0/24 IN and OUT is sent/received from ISP2 and only if ISP2 fails the traffic is sent to ISP1, I hope i explaied a bit better my intentions.

Unfortunately, BGP only gives you the tools to be authoritative about who you send traffic to, not how others send traffic to you.

For the outbound direction, you could use policy routing to ensure that 189 always exits ISP 2 if it's up. That's probably not worth it: for some traffic, ISP 1 might be the better path and for other traffic, ISP 2 might be the better path. Better to just let BGP decide for you.

For the inbound direction, you don't have absolute control, but can still influence. Your choices are AS path prepends (which it seems like you already found) and longest-prefix-match (which is probably out of the question if you're announcing /24s; most providers won't accept anything longer). There are limits on how many times most providers will let you prepend and you can't force remote operators to honor the shorter AS path anyway.

A third (not so great) option might be what you had planned: you don't announce the prefixes where you don't want to receive traffic. Relying on withdrawing and announcing is not good practice because it takes a while for changes to propagate across the internet. While that happens, you're unreachable. It also just thrashes the internet unnecessarily and (less common today) if you do it enough you can get dampened. Plus, if you announce the prefix from every interface where you can receive it, you can benefit from things like fast-reroute in provider networks (precomputed backup route if the first one goes away).

Unless you're large enough that you need to be doing traffic engineering (in which case you probably aren't asking on the Mikrotik forums how to set up BGP ) it's usually not worth the hassle to influence which routes use which links. Just announce all of your prefixes to all of your peers and let BGP's AS-path algorithm sort it out.

The topology you have drawn should give you BGP redundancy, though, as long as you're doing that. You are running iBGP between the two eBGP-speaking routers, right?

If I understand correctly you want incoming traffic for 201.131.189.0/24 to come from ISP2 under normal conditions and if ISP2 fails, then traffic for that prefix should then come from ISP1.

You almost got it right, judging from your diagram and prefixes announced.

All you need to do is on Router2 only announce:
201.131.188.0/22
201.131.189.0/24

And on Router1 only announce:
201.131.188.0/22
201.131.188.0/24
201.131.190.0/24
201.131.191.0/24

This way you influence incoming traffic for 201.131.189.0/24 to prefer ISP2 while for all other /24 prefixes it will prefer ISP1.
If ISP2 fails, there will be the /22 already announced from router1, so traffic for 201.131.189.0/24 will come from ISP1.
If ISP1 fails, there will be the /22 already announced from router2, so traffic for the rest of the /24 prefixes will come from ISP2.

Keep in mind that what you announce influences only incoming traffic.

Outgoing traffic by default will go through whichever ISP sends you the shorter AS path for a given destination prefix (among other criteria for BGP best path selection - read here https://help.mikrotik.com/docs/display/ ... hSelection ). That's the same for all prefixes.

If you want 201.131.189.0/24 to only go out through ISP2, you could make a mangle rule to mark that traffic (routing mark) and route it through a default gateway route to ISP2 on a separate routing table with ping check enabled. If ISP2 stops responding to pings, you can have a second default gateway (with higher distance value) to ISP1, so it can fall back to.

But that will not account for failures further down the line that ISP2 might have, so the outgoing traffic will keep trying to go over ISP2, even if incoming traffic may have already failed over to ISP1. So not ideal. Maybe only for short-term situations where you are on top of it and disable it if something goes wrong with ISP2.

On the other hand, if you need to influence incoming traffic for this specific /24 in order to balance incoming traffic so ISP1 doesn't get saturated, you probably (depending on what type of traffic/users/etc) don't have to force outgoing traffic through ISP2 as well, if your outgoing traffic isn't too much.

The traffic will be asymmetric, but it probably already is anyway to an extend, since you have 2 upstream providers.
Asymmetric traffic is common-place on the internet, so you shouldn't have any noticeable impact.

Thank you for your replies.

The topology you have drawn should give you BGP redundancy, though, as long as you're doing that. You are running iBGP between the two eBGP-speaking routers, right?

No, I'm doing OSPF between routers.

This way you influence incoming traffic for 201.131.189.0/24 to prefer ISP2 while for all other /24 prefixes it will prefer ISP1.
If ISP2 fails, there will be the /22 already announced from router1, so traffic for 201.131.189.0/24 will come from ISP1.
If ISP1 fails, there will be the /22 already announced from router2, so traffic for the rest of the /24 prefixes will come from ISP2.

I thought this would work but because RouterOS no longer advertises anything you want but what is in the routing table, I'm not sure If I'm going to brake something if I add prefix 201.131.188.0/22 as a loopback so it gets to the routing table on both routers so it gets advertised, will this brake something?

Kind regards,

I personally have my /22 prefixes installed on my edge routers as blackholes, first in order to be able to advertise them as /22 with RoSv7 and secondly so that incoming traffic (bot scans, etc) on unused subnets does not go in an endless loop between the two routers, or between me and my upstreams.

If you don't use the /22 as a whole in your network (which you most likely don't - otherwise the /22 advertisement would have already worked for you), then there won't be any issues with having a blackhole route for the whole /22 prefix, as long as you have longer prefixes (/23 and up) inside the rest of your network.

Edit: you should also do iBGP between your routers.
OSPF can stay as it is as IGP, so that routes exchanged via iBGP can get next-hop resolved through OSPF's routes.

I personally have my /22 prefixes installed on my edge routers as blackholes, first in order to be able to advertise them as /22 with RoSv7 and secondly so that incoming traffic (bot scans, etc) on unused subnets does not go in an endless loop between the two routers, or between me and my upstreams.

If you don't use the /22 as a whole in your network (which you most likely don't - otherwise the /22 advertisement would have already worked for you), then there won't be any issues with having a blackhole route for the whole /22 prefix, as long as you have longer prefixes (/23 and up) inside the rest of your network.

Edit: you should also do iBGP between your routers.
OSPF can stay as it is as IGP, so that routes exchanged via iBGP can get next-hop resolved through OSPF's routes.

Thank you for the idea, I will try that and come back with an update.

I personally have my /22 prefixes installed on my edge routers as blackholes

I've tried it on both routers but on router2(ISP2) once I press enter on the command I lose connection to the router (thank god for safe mode), obviously once all is reverted I gain access again.

I'm using this command I'm not sure if I'm doing something wrong: ip route add dst-address=201.131.188.0/22 blackhole

I've tried it on both routers but on router2(ISP2) once I press enter on the command I lose connection to the router (thank god for safe mode), obviously once all is reverted I gain access again.

Mine does sometimes, but usually comes back after a few seconds to a couple minutes.

Doesn't seem to always be an actual issue except for a brief interruption of traffic.

I have OOB access to the serial console so it isn't a big deal to actually recover if I make a mistake.

I've tried it on both routers but on router2(ISP2) once I press enter on the command I lose connection to the router (thank god for safe mode), obviously once all is reverted I gain access again.

Mine does sometimes, but usually comes back after a few seconds to a couple minutes.

Doesn't seem to always be an actual issue except for a brief interruption of traffic.

I have OOB access to the serial console so it isn't a big deal to actually recover if I make a mistake.

I guess I'm going to have to test it on site, sadly I don't have OOB connection T_T.

Kind regards,

I have OOB access to the serial console so it isn't a big deal to actually recover if I make a mistake.

I guess I'm going to have to test it on site, sadly I don't have OOB connection T_T.

Kind regards,

Set up ROMON between the routers. All routers connected via Layer 2 will see each other and be manageable, regardless of Layer 3 connectivity. It's saved my bacon a few times.

comes back after a few seconds to a couple minutes.

I believe the cause is some routes processing the route updates faster than others. An internet router closer to me sees a better route through a different neighbour, but some router(s) along the way are slower to pickup/process the new path. Some of my up-time tests don't even alert even though I can't connect to it.

I can't really prove this though.. I could with a traceroute but I would need to deliberately break things to test it and sometimes it is fixed too quickly.

I guess I'm going to have to test it on site, sadly I don't have OOB connection T_T.

How far is it? Get something to give you OOB management, even temporarily? Cellular data for example?

I guess I'm going to have to test it on site, sadly I don't have OOB connection T_T.

How far is it? Get something to give you OOB management, even temporarily? Cellular data for example?

I know, we are planning on getting something over cellular data but we don't have it yet. But the site is not far from my actual work office.

But the site is not far from my actual work office.

Alright then... For some of us it can mean needing to book a flight, so it is important to ask. haha

Hi everyone, it is done.

I added the /21 as a blackhole route on both routers and it is working, it was a lose of connection of 3 seconds or so and after that it started working fine, now I see the whole /21 being advertised. Thank you so much for all your ideas and replies.

But the site is not far from my actual work office.

Alright then... For some of us it can mean needing to book a flight, so it is important to ask. haha

I can only imagined we are a small local ISP, we started 2 years ago, we haven't reached other cities yet.

I celebrated too soon hahaha, lost connnection a few hours after had to reverse the route