BGP policy routing rule (table)

Hello,

I am new to BGP and setting it up for the first time. I have a GRE tunnel over which I have a BGP peer relationship, the peer relationship is established and I see the routes. I want only packets to be sent to this peer for routes that it is advertising.

Under IP->Routes->Rules I have created a policy routing rule with source as my internal private network, action lookup, table the name of the BGP routing table.

According to the documentation I read it should be just working with this alone, but it looks like when I try pinging an address over BGP from my internal network, it is being sent out the WAN interface instead of out the GRE tunnel.

I imagine I must be misunderstanding the process but I cannot find very much information on the wiki to help with this. Any advice would be appreciated.

Thanks

Let’s make sure I understand your goal correctly:
The BGP peer announces some prefixes to you:
e.g.:
10.1.1.0/24
10.2.2.0/24
10.3.3.0/24

You want traffic to go through the tunnel if the destination is within one of those prefixes, but go to the WAN otherwise.

I have news for you: You’re overthinking it. You don’t need policy routing at all for this. That’s just basic routing.
Remove all policy routing stuff and just let BGP put the routes directly into the main routing table.

Policy routing is only needed for traffic engineering purposes, or for source-based routing decisions.
i.e. you only want a certain group of hosts using these routes.

Now if you only want certain hosts using the tunnel, and those IP addresses are unreachable over the internet anyway, you may as well just use a firewall filter rule instead of policy routing. It’s much simpler and gets the same job done (see below). If those addresses ARE reachable via the Internet, but you just want certain hosts to go there via the tunnel and you want everyone else to just use the Internet to get there - then THAT’s when you need policy routing.

Simple firewall rule:
chain=forward out-interface=bgp-tunnel src-address-list=!tunnel-users action=drop
Then you add the permitted IP ranges to the “tunnel-users” address list, and only those addresses will pass through the tunnel. All others will get dropped by this rule.

Thanks for the help - already got it resolved and not using policy routing.

I had no previous experience with BGP. I had tried just putting it in the main routing table at first, but it didn’t work. So then I tried policy routing, thinking my static default gateway was taking precedence even though it made no sense.

Turns out the problem was that all of my BGP routes had a recursive next hop through another IP and I had no route to the recursive next hop IP, so it was using the default route (my WAN port) instead of the GRE tunnel to try to reach the recursive next hop. Because of that, my routing table was populated via BGP, but I couldn’t ping anything except if I did a ping from the Mikrotik itself with the interface set to the tunnel. Everything else destined for one of the subnets across the tunnel was going out the WAN interface instead of the GRE tunnel. This led me astray to try policy routing etc.

To fix this issue, I added a static route to reach the recursive BGP next hop through the tunnel and that fixed everything. Solved it last weekend but forgot to update this thread. The fact that I haven’t used BGP before made it more difficult to troubleshoot this issue.
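An added example, not from this thread and not RouterOS code, that models the recursive next-hop resolution behind this fix in Python: the prefixes, the next-hop address, and the interface names are all constructed. With only a default route the recursive next hop resolves out the WAN, so every BGP prefix follows it; a single /32 static route for the next hop via the tunnel flips the egress for all of them at once.

```python
import ipaddress

# Constructed routing table modelled on the thread: a default route out the WAN,
# the connected GRE tunnel subnet, and BGP prefixes whose next hop is a
# constructed address that is NOT on the tunnel subnet (a recursive next hop).
# Each entry is (prefix, gateway, interface); interface None means "recursive".
WAN_DEFAULT = ("0.0.0.0/0", "203.0.113.1", "ether1-wan")
TUNNEL_CONNECTED = ("172.16.0.0/30", None, "gre-tunnel1")
BGP_NEXT_HOP = "192.0.2.10"
BGP_ROUTES = [(p, BGP_NEXT_HOP, None)
              for p in ("10.1.1.0/24", "10.2.2.0/24", "10.3.3.0/24")]

BROKEN = [WAN_DEFAULT, TUNNEL_CONNECTED] + BGP_ROUTES
# The fix described above: one static route for the recursive next hop via the tunnel.
NEXT_HOP_STATIC = ("192.0.2.10/32", None, "gre-tunnel1")
FIXED = BROKEN + [NEXT_HOP_STATIC]


def longest_match(table, dst):
    """Return the most specific (prefix, gateway, interface) entry covering dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best


def resolve(table, dst, depth=0):
    """Resolve dst to (egress_interface, first_hop_gateway).

    A route with no interface is recursive: its gateway is looked up in the same
    table, which is exactly how the thread's BGP routes ended up on the WAN.
    """
    if depth > 8:  # guard against a next hop that never resolves to an interface
        return None, None
    entry = longest_match(table, dst)
    if entry is None:
        return None, None
    _, gw, iface = entry
    if iface is not None:  # connected route or route with an explicit interface
        return iface, gw
    resolved_iface, _ = resolve(table, gw, depth + 1)
    return resolved_iface, gw


def egress_interface(table, dst):
    """Interface a packet to dst would leave on, or None if unresolvable."""
    return resolve(table, dst)[0]
```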

If you end up doing a lot of recursive routes, you might want to consider using OSPF just to advertise the next-hops for BGP instead of static routes.

Thanks, it won’t be necessary in this case though. All of the routes were recursive in this case, and they all had the same next hop IP, so I only needed a static route to that one IP which covered every single BGP route.