Is there a way in filters to block all private ASN (64512 to 65535) inbound?
Use Filter
https://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters
Use regexp
If first AS, use regexp = ^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*
/routing filter
add bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*" chain=AS-500-Peer-In
If your AS peer is 500 (example):
add bgp-as-path=!^500.* chain=AS-500-Peer-In action=discard
Note that there are also 4-byte ASNs, you should block those too.
https://www.apnic.net/get-ip/faqs/asn/#private-asn
How would I write the 4-byte ASNs in a regular expression?
So this is the rule I have entered in.
add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*" chain=XO_In
But it still seems to be letting some things in, for example:
0 ADb dst-address=191.243.72.0/24 gateway=207.238.201.5
gateway-status=207.238.201.5 reachable via sfp-sfpplus1 - XO Internet
distance=20 scope=40 target-scope=10
bgp-as-path="2828,6762,263047,263047,263047,263047,263499,263499,263499, 263499,263499,65001"
bgp-med=3 bgp-origin=igp received-from=XO
Any thoughts?
So I changed the rule to
add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])_*" chain=XO_In
It is still letting the route in but just dropping the private AS off of the AS path:
0 ADb dst-address=191.243.72.0/24 gateway=70.34.190.113
gateway-status=70.34.190.113 recursive via 69.58.114.166 sfp-sfpplus4 -
180 - New
distance=200 scope=40 target-scope=30
bgp-as-path="26554,174,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499"
Then after about 15 minutes it is still showing the private AS number:
0 ADb dst-address=191.243.72.0/24 gateway=207.238.201.5
gateway-status=207.238.201.5 reachable via sfp-sfpplus1 - XO Internet
distance=20 scope=40 target-scope=10
bgp-as-path="2828,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499,65001"
Just a quick thought: isn’t the ^ in your regexp anchoring at the beginning of the string? Use a $ at the end to search at the end for the originating AS.
I want it to drop the private AS anywhere in line.
So should it be more like this?
add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])*" chain=XO_In
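Added example, not part of the thread and not RouterOS filter syntax: a Python check of the two questions above, i.e. why the `^`-anchored rule misses 65001 at the end of the path, and how the 4-byte private range can be written as a regular expression. The names `PRIV16`, `PRIV32`, `ANCHORED`, `ANYWHERE`, `is_private` and `private_in_path` are made up for this example; the 4-byte range 4200000000-4294967294 is taken from RFC 6996, and the 2-byte range is the 64512-65535 used in the thread.

```python
import re

# Python regexes over the comma-separated AS path string shown in the route
# output above. This tests the matching logic only; it is not RouterOS syntax.
PRIV16 = r"6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]"
# 4200000000-4294967294 (4-byte private range, RFC 6996), narrowed digit by digit.
PRIV32 = (r"42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}"
          r"|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-4]")

# The thread's first rule: anchored with ^, so only the first AS in the path is
# tested, and with no boundary after the group it also matches longer numbers.
ANCHORED = re.compile(rf"^({PRIV16}).*")
# Unanchored, with explicit boundaries on both sides: matches a private ASN at
# any position, but not a longer public ASN that merely starts with one.
ANYWHERE = re.compile(rf"(?:^|,)\s*({PRIV16}|{PRIV32})\s*(?=,|$)")

# AS path copied from the route output in the thread (including the wrap space).
PAGE_PATH = ("2828,6762,263047,263047,263047,263047,"
             "263499,263499,263499, 263499,263499,65001")


def is_private(asn: int) -> bool:
    """Numeric reference check used to validate the regexes."""
    return 64512 <= asn <= 65535 or 4200000000 <= asn <= 4294967294


def private_in_path(path: str) -> list[int]:
    """Return every private ASN found anywhere in a comma-separated AS path."""
    return [int(m.group(1)) for m in ANYWHERE.finditer(path)]


if __name__ == "__main__":
    print("anchored rule matches page path:", bool(ANCHORED.match(PAGE_PATH)))
    print("private ASNs found anywhere:   ", private_in_path(PAGE_PATH))
    # Constructed path: 645123 is a public 4-byte ASN that starts with "64512".
    print("anchored false positive:       ", bool(ANCHORED.match("645123,2828")))
```
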