Good day.
We set up a BGP session with the provider and announced our network.
For example.
79.142.xxx.10/30 is the IP of the MikroTik router; the BGP session is established through this IP in the VLAN.
Our new network 185.xxx.178.0/24
On the MikroTik I configured the address:
185.xxx.178.1/24
Pinging the gateway 185.xxx.178.1 now works.
But when I ping 185.xxx.178.2, the answer is:
ping 185.xxx.178.2
PING 185.xxx.178.2 (185.xxx.178.2) 56 (84) bytes of data.
From 79.142.xxx.10 icmp_seq = 1 Destination Host Unreachable
From 79.142.xxx.10 icmp_seq = 2 Destination Host Unreachable
From 79.142.xxx.10 icmp_seq = 3 Destination Host Unreachable
From 79.142.xxx.10 icmp_seq = 4 Destination Host Unreachable
How can I hide the IP address of the BGP session?
I tried this method:
ip firewall mangle add action = change-ttl chain = prerouting new-ttl = increment: 1 passthrough = yes
But then the ping to the provider becomes very high (800 ms), both in the network core and in our VLAN.
# jan/07/2017 18:51:17 by RouterOS 6.37.3
#
# ---- Layer-2 interfaces, the HE tunnel and neighbor discovery ----
/interface bridge
# Bridge carrying VLAN 11; its member ports (ether7, ether8) are attached
# under "/interface bridge port" further down.
add name=bridge_vlan_11
/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether2 ] name=ether2_eth0
set [ find default-name=ether3 ] name=ether3_eth1
# Two D-Link switches hang off ether5/ether6; the downstream VLANs are
# built on top of them.
set [ find default-name=ether5 ] comment="D-Link DGS" name=\
ether5_dgs_8
set [ find default-name=ether6 ] comment="D-Link DES" name=ether6_dgs_24
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8
# NOTE(review): later sections refer to "ether1_akado" (VLAN 10 parent,
# 10.22.0.1/24, a disabled masquerade rule) but no port is renamed to that
# here and ether1 keeps its default name -- presumably an artefact of
# sanitising the export; confirm before re-importing this file.
/interface 6to4
# Protocol-41 tunnel to Hurricane Electric. "!keepalive" leaves keepalive
# unset (presumably the interface then never goes down when the far end
# stops answering -- confirm). The tunnel terminates on a public address in
# the same range as the BGP link, so protocol 41 from the internet reaches
# the router unless the input chain filters it; the IPv4 filter section has
# no such rule, and no /ipv6 firewall section appears in this export.
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
79.142.xxx.xx mtu=1280 name=sit1 remote-address=216.66.84.xx
/ip neighbor discovery
# Only comments are set here; whether discovery (MNDP/CDP/LLDP) is enabled
# on these interfaces is left at its default, which this export does not show.
set ether5_dgs_8 comment="D-Link DGS"
set ether6_dgs_24 comment="D-Link DES"
set sit1 comment="Hurricane Electric IPv6 Tunnel Broker"
/interface vlan
# NOTE(review): VLAN 10 sits on "ether1_akado", which is not defined in the
# ethernet section above, and its name is an IPv6 address/prefix string --
# presumably both are artefacts of sanitising the export.
add interface=ether1_akado loop-protect-disable-time=0s \
loop-protect-send-interval=0s name="2a0b:xxxx::1(2a0b:6900::/32)" \
vlan-id=10
# Upstream BGP link: VLAN 37 on sfp1 towards the provider's Cisco 6500.
# The BGP /30 (79.xxx.xxx.10/30) is assigned to this interface below.
add comment="Cisco 6500 Gi1/14 xx.ru SFP-1G" interface=sfp1 name=\
gw_xxx_vlan_37 vlan-id=37
# Downstream VLANs on the two D-Link uplinks. Both loop-protect timers are
# 0s on all of them; whether that disables loop protection entirely or only
# its auto-disable is not visible here -- confirm.
add interface=ether5_dgs_8 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=manage.net.2 vlan-id=2
add interface=ether5_dgs_8 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=servers.3 vlan-id=3
# sirx.vds.103 carries both 185.xxx.178.0/24 (the subnet from the question)
# and 31.25.xxx.0/24.
add interface=ether6_dgs_24 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=sirx.vds.103 vlan-id=103
add interface=bridge_vlan_11 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan_11_parkhost vlan-id=11
add interface=ether6_dgs_24 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan_12_sirx vlan-id=12
add interface=ether6_dgs_24 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan_13_sirx vlan-id=13
# vlan_103 on ether2_eth0 uses the service tag (QinQ outer tag); vlan_mg_12
# is stacked on top of it as the inner tag.
add interface=ether2_eth0 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan_103 use-service-tag=yes vlan-id=\
103
add interface=vlan_103 loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan_mg_12 vlan-id=12
/ip neighbor discovery
# NOTE(review): "gw_rk1_vlan_37" does not match the VLAN name
# "gw_xxx_vlan_37" defined above -- inconsistent sanitising or a stale
# reference; the identical comment suggests it is the same uplink.
set gw_rk1_vlan_37 comment="Cisco 6500 Gi1/14 xx.ru SFP-1G"
/interface wireless security-profiles
# Only the supplicant identity is set on the default profile; no wireless
# interface appears anywhere in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Only dhcp_pool3 is referenced by a DHCP server in this export; dhcp_pool1,
# dhcp and the pool named after its own range are unused here.
add name=dhcp_pool1 ranges=10.2.1.2-10.2.1.30
add name=dhcp ranges=10.1.2.3-10.1.2.254
add name=185.xxx.176.2-185.xxx.176.5 ranges=185.xxx.176.2-185.xxx.176.5
# dhcp_pool2 and dhcp_pool3 overlap (.18-.30 vs .20-.30); if both were ever
# used by servers on the same segment the same address could be leased twice.
add name=dhcp_pool2 ranges=185.xxx.177.18-185.xxx.177.30
add name=dhcp_pool3 ranges=185.xxx.177.20-185.xxx.177.30
/ip dhcp-server
# Leases on the servers.3 VLAN come from dhcp_pool3 (185.xxx.177.20-30).
add address-pool=dhcp_pool3 disabled=no interface=servers.3 name=dhcp1
/ipv6 pool
# /64 prefixes carved out of the 2a0b:6900::/32 allocation.
add name=6900 prefix=2a0b:6900::/32 prefix-length=64
/routing bgp instance
# Every connected and static route becomes a BGP export candidate; what
# actually leaves the router is decided only by each peer's out-filter
# (see "/routing filter"). Keep that in mind when adding static routes:
# a route that the out-filter accepts is announced to the world.
set default as=2068xxx redistribute-connected=yes redistribute-static=yes \
router-id=79.142.xxx.xx
/system logging action
# Logging action 1 writes its log file to the second disk.
set 1 disk-file-name=/disk2/log
/interface bridge port
# Five disabled port entries with no bridge assigned -- leftovers; only
# ether7 and ether8 are active members of bridge_vlan_11.
add disabled=yes interface=ether1
add disabled=yes interface=ether3_eth1
add disabled=yes interface=ether2_eth0
add disabled=yes interface=ether4
add disabled=yes interface=ether5_dgs_8
add bridge=bridge_vlan_11 interface=ether7
add bridge=bridge_vlan_11 interface=ether8
/interface bridge settings
# Bridged (including VLAN-tagged bridged) traffic is passed through the IP
# firewall, so the forward-chain rules below also apply to frames crossing
# bridge_vlan_11 between ether7 and ether8.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip settings
# SYN cookies for the router's own TCP listeners (BGP, SSH, Winbox, ...).
set tcp-syncookies=yes
/ipv6 settings
# Caps the IPv6 neighbor cache, bounding memory use if something tries to
# exhaust it.
set max-neighbor-entries=1024
/ip address
# Private address on ether1_akado (that port is not defined in this export).
add address=10.22.0.1/24 interface=ether1_akado network=10.22.0.0
# Point-to-point /30 towards the upstream. This is most likely the address
# the router uses as source on ICMP errors it generates towards the
# internet, which is why the "Destination Host Unreachable" replies in the
# question come "From 79.142.xxx.10".
add address=79.xxx.xxx.10/30 comment="BGP xxx" interface=gw_xxx_vlan_37 \
network=79.xxx.xxx.8
# Customer subnets out of the announced 185.xxx.176.0/22 block.
add address=185.xxx.176.1/24 comment=ds5-parkhost interface=vlan_11_parkhost \
network=185.xxx.176.0
add address=185.xxx.177.1/28 interface=manage.net.2 network=185.xxx.177.0
add address=185.xxx.177.17/28 interface=servers.3 network=185.xxx.177.16
# The subnet from the question. "Destination Host Unreachable" for .2 most
# likely means no host on sirx.vds.103 answered ARP for 185.xxx.178.2 --
# it is not a BGP/announcement problem.
add address=185.xxx.178.1/24 interface=sirx.vds.103 network=185.xxx.178.0
# Second subnet on the same VLAN.
add address=31.25.xxx.6/24 interface=sirx.vds.103 network=31.25.xxx.0
add address=185.xxx.179.1/24 interface=vlan_12_sirx network=185.xxx.179.0
/ip dhcp-client
# NOTE(review): a DHCP client on the servers.3 VLAN -- the same VLAN this
# router serves DHCP on (dhcp1 above) -- with default-route-distance=0.
# If add-default-route is at its default, any DHCP server reachable on
# servers.3 can install a default route on this router with a distance
# lower than anything learned via BGP. Confirm this is intended; otherwise
# disable the client or raise the distance.
add default-route-distance=0 dhcp-options=clientid,hostname interface=\
servers.3
/ip dhcp-server network
# NOTE(review): gateway=10.1.1.0 is the network address itself -- probably
# a typo for 10.1.1.1. Only the 185.xxx.177.16/28 entry matches an active
# server (dhcp1 on servers.3); the other entries have no server here.
add address=10.1.1.0/24 gateway=10.1.1.0 netmask=24
add address=10.1.2.0/24 gateway=10.1.2.1 netmask=24
add address=10.2.1.0/27 dns-server=8.8.8.8 gateway=10.2.1.1
add address=185.xxx.176.0/24 gateway=185.xxx.176.1
# servers.3 clients get 185.xxx.178.2 as resolver and 185.xxx.177.20 as
# boot (next-server) host.
add address=185.xxx.177.16/28 dns-server=185.xxx.178.2 gateway=185.xxx.177.17 \
netmask=28 next-server=185.xxx.177.20
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for
# anyone who can reach it, and the input chain under "/ip firewall filter"
# has no rule restricting port 53 on the BGP uplink -- an open resolver
# that can be abused for DNS amplification. Restrict it there, e.g.
#   add action=drop chain=input dst-port=53 in-interface=gw_xxx_vlan_37 protocol=udp
# (and the same for tcp), or set allow-remote-requests=no if only the
# router itself needs DNS.
set allow-remote-requests=yes servers=8.8.8.8,2001:4860:4860::4444
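/ip firewall filter
# ---- FTP brute-force protection (MikroTik wiki pattern) ----
# Sources already on ftp_blacklist are dropped; the two output-chain rules
# watch the FTP server's own "530 Login incorrect" replies -- a burst of 9
# per destination is tolerated, beyond that the client goes on the list
# for 3h.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
# ---- SSH brute-force protection (staged address lists) ----
# A source opening a 4th new SSH connection within about a minute walks
# stage1 -> stage2 -> stage3 -> ssh_blacklist and is dropped for 1w3d,
# both towards the router (input) and towards hosts behind it (forward).
# Rule order matters: the stage3 promotion must come before stage2/stage1.
# "/ip service" does not disable ssh or restrict its address, so this
# appears to be the only brake on SSH from the uplink.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
# ---- Stateful baseline for traffic to the router itself ----
# Placed after the blacklist drops so an already-established session from
# a blacklisted source is still cut. Replies to connections the router
# opened (BGP, forwarded DNS, NTP) are accepted early; packets that belong
# to no tracked connection are dropped.
add action=accept chain=input comment="accept established/related" \
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# "/ip dns" has allow-remote-requests=yes, so without these two rules the
# router answers recursive DNS queries arriving on the BGP uplink and can
# be used for DNS amplification. Queries from the downstream VLANs are
# unaffected. (The uplink VLAN is named gw_xxx_vlan_37 in this export;
# "/ip neighbor discovery" refers to it as gw_rk1_vlan_37 -- use whichever
# name the live router actually has.)
add action=drop chain=input comment="no DNS from uplink (open resolver)" \
dst-port=53 in-interface=gw_xxx_vlan_37 protocol=udp
add action=drop chain=input comment="no DNS from uplink (open resolver)" \
dst-port=53 in-interface=gw_xxx_vlan_37 protocol=tcp
# ---- Everything below is disabled: SYN-flood / DDoS detection experiments ----
# Generic SYN limiter: every new TCP SYN in forward is dropped while the
# jump is enabled (there is no rate condition in SYN-Protect).
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
# First DDoS detector: more than 50 new connections per src/dst pair in 10s
# puts the pair on ddoser/ddosed for 10m; the drop rule sits after the jump
# so the next new connection of that pair is logged and dropped.
add action=jump chain=forward comment="drop ddos" connection-state=new \
disabled=yes jump-target=block-ddos
add action=drop chain=forward connection-state=new disabled=yes \
dst-address-list=ddosed log=yes log-prefix=ddos src-address-list=ddoser
add action=return chain=block-ddos disabled=yes dst-limit=\
50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=block-ddos disabled=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=block-ddos disabled=yes
# NOTE(review): src-address-list takes an address-list NAME; a CIDR here
# only matches if a list literally called "85.12.197.32/30" is populated,
# which nothing in this export does. If the intent is "SNMP from that /30",
# this should be src-address=85.12.197.32/30.
add action=accept chain=input disabled=yes dst-port=161 protocol=udp \
src-address-list=85.12.197.32/30
# Second SYN detector: per-destination-and-port SYN rate above 1000/10s
# (burst 100) puts the source on syn-flooders for 10m; new connections from
# listed sources are tarpitted. The forward jump refers to "sfp-sfpplus1",
# which is not defined anywhere in this export.
add action=jump chain=input comment="Jump to detect-syn chain" \
connection-limit=200,32 connection-state=new disabled=yes jump-target=\
detect-syn protocol=tcp tcp-flags=syn
add action=jump chain=forward comment="SYN: Jump to detect-syn chain" \
connection-state=new disabled=yes in-interface=sfp-sfpplus1 jump-target=\
detect-syn protocol=tcp tcp-flags=syn
add action=tarpit chain=forward comment=\
"Tarpit new SYN connections from IPs in syn-flooders address list" \
disabled=yes protocol=tcp src-address-list=syn-flooders
# Second DDoS detector, same shape as block-ddos with a 10000/10s threshold.
add action=jump chain=forward comment="Jump to DDOS detection chain" \
connection-state=new disabled=yes jump-target=detect-ddos
add action=drop chain=forward comment=\
"DDOS: Drop new connections from/to blacklisted IPs" connection-state=new \
disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=return chain=detect-ddos comment="Accept connections within limit" \
disabled=yes dst-limit=10000,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos comment=DDOS disabled=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos comment=DDOS disabled=yes
add action=return chain=detect-syn disabled=yes dst-limit=\
1000,100,dst-address-and-port/10s
add action=add-src-to-address-list address-list=syn-flooders \
address-list-timeout=10m chain=detect-syn connection-state=new disabled=\
yes protocol=tcp tcp-flags=syn
# NOTE(review): management services that "/ip service" leaves enabled
# (www, ssh, telnet, winbox -- the export shows only ftp and api disabled)
# have no input-chain restriction either; the input chain ends without a
# default drop. Limiting them to the management networks belongs either
# here (in-interface / src-address rules) or under "/ip service address=".
# No IPv6 counterpart of any of these rules exists in this export.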
/ip firewall mangle
# The TTL experiment from the question, now disabled and limited to ICMP.
# change-ttl only rewrites the TTL of packets passing through; it does not
# change the source address the router puts on ICMP errors it originates
# (the "From 79.142.xxx.10" replies), so it cannot hide the BGP link
# address. The question reports 800 ms latency while it was active.
add action=change-ttl chain=prerouting disabled=yes new-ttl=increment:10 \
passthrough=yes protocol=icmp
# Disabled: would strip the Don't-Fragment bit from every incoming packet.
add action=clear-df chain=prerouting disabled=yes passthrough=yes
/ip firewall nat
# All NAT rules are disabled: the 185.xxx.176.0/22 block is routed, not
# translated. src-address-list="" (an empty list name) on two rules looks
# like a leftover from editing.
add action=masquerade chain=srcnat disabled=yes out-interface=sfp1 \
src-address-list=""
add action=masquerade chain=srcnat disabled=yes out-interface=ether1_akado
add action=accept chain=srcnat disabled=yes src-address=185.xxx.176.0/24
add action=accept chain=srcnat disabled=yes src-address=185.xxx.178.0/24 \
src-address-list=""
/ip route
# Disabled host route; 31.25.xxx.1 is on the 31.25.xxx.0/24 subnet that
# lives on sirx.vds.103.
add disabled=yes distance=1 dst-address=31.25.xxx.100/32 gateway=31.25.xxx.1
/ip service
# Only FTP and the API are switched off. The export lists non-default
# values only, so www, ssh, telnet and winbox presumably remain enabled
# with no "address=" restriction, i.e. reachable from the BGP uplink; the
# input chain does not limit them either. Restrict each enabled service
# with address=<management networks> and disable telnet.
set ftp disabled=yes
set api disabled=yes
/ipv6 address
# Tunnel-side addresses of the two HE tunnel endpoints, not advertised.
add address=2001:470:1f0a:1226::2 advertise=no interface=sit1
add address=2001:470:12:191::2 advertise=no interface=sit1
# NOTE(review): interface "xxx.vds.103" does not match the VLAN
# "sirx.vds.103" defined above -- presumably a sanitising artefact.
# "comment=" is simply empty.
add address=2a0b:xxxx:0:1::1 comment= interface=xxx.vds.103
/ipv6 nd
# Router advertisements on the default ND profile also carry DNS server
# information (as far as I know, the resolvers from "/ip dns" -- confirm).
set [ find default=yes ] advertise-dns=yes
/ipv6 route
# Static IPv6 default (2000::/3) towards HE through the tunnel, and the
# own /32 towards 2a0b:xxxx::1 (the VLAN-10 interface carries that string
# as its name, so the gateway may resolve to an interface rather than an
# address -- confirm). The "!bgp-*", "!check-gateway" and "!route-tag"
# tokens only mean those attributes are unset. With redistribute-static=yes
# on the BGP instance both routes are export candidates; see the
# ipv6-ebgp-relaxed filter for what the HE peer would accept.
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
!bgp-med !bgp-origin !bgp-prepend !check-gateway distance=1 dst-address=\
2000::/3 gateway=2001:xxx:12:191::1 !route-tag
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
!bgp-med !bgp-origin !bgp-prepend !check-gateway distance=1 dst-address=\
2a0b:xxxx::/32 gateway=2a0b:xxxx::1 !route-tag
/lcd
# Front-panel LCD (where present) is read-only; nothing can be changed
# from the panel.
set read-only-mode=yes
/routing bgp network
# Aggregate /22 covering the four 185.xxx.17x.0/24 customer subnets.
# synchronize=no: as I read it, the prefix is announced even without a
# matching route in the routing table (no covering static/blackhole route
# appears in this export) -- confirm.
add network=185.xxx.176.0/22 synchronize=no
# NOTE(review): a /29 is announced while the IPv6 pool, the VLAN-10 name
# and the static route all show a /32 (sanitised as 2a0b:xxxx / 2a0b:6900).
# Make sure the /29 is really allocated to AS2068xxx; the /32 entry is disabled.
add network=2a0b:xxxxx::/29 synchronize=no
add disabled=yes network=2a0b:xxxxx::/32 synchronize=no
/routing bgp peer
# Upstream IPv4 transit. No tcp-md5-key (unlike QRATOR below) and no
# max-prefix-limit: if the provider supports MD5, add it, and consider a
# max-prefix-limit so a misbehaving upstream cannot fill the routing table.
add in-filter=ASxxxxx-bgp-in name=RK out-filter=ASxxxxx-bgp-out \
remote-address=79.xxx.xxx.9 remote-as=xxxxx ttl=default
# Hurricane Electric (AS6939) over the sit1 tunnel. address-families=ip,ipv6
# enables the IPv4 family on this peer too, but ipv6-ebgp-relaxed holds only
# IPv6 prefix rules -- what happens to IPv4 prefixes on this session is not
# visible here; confirm, or drop "ip" from address-families.
add address-families=ip,ipv6 in-filter=ipv6-ebgp-relaxed name=HE-IPV6 \
out-filter=ipv6-ebgp-relaxed remote-address=2001:xxx:12:191::1 remote-as=\
6939 ttl=default
# Qrator (AS197068) multihop session, MD5-authenticated. It reuses the
# ASxxxxx-* chains, which discard IPv4 bogons only; IPv6 routes received
# on this session appear to reach the chain's final accept unfiltered.
add address-families=ip,ipv6 in-filter=ASxxxxx-bgp-in multihop=yes name=\
QRATOR out-filter=ASxxxxx-bgp-out remote-address=178.xxx.237.29 \
remote-as=197068 tcp-md5-key=xxx ttl=default
/routing filter
# ---- IPv4 chains used by the RK and QRATOR peers ----
# Inbound: discard RFC1918, link-local, multicast, loopback, class E and
# our own /22 (so nobody can feed us our own prefix); everything else is
# accepted by the final rule. Not covered: 0.0.0.0/8, 100.64.0.0/10, the
# documentation ranges and the default route, and there is no maximum
# prefix length, so /25-/32 more-specifics are accepted. A length cap
# would be e.g.
#   add action=discard chain=ASxxxxx-bgp-in prefix=0.0.0.0/0 prefix-length=25-32
# placed before the final accept.
add action=discard chain=ASxxxxx-bgp-in prefix=10.0.0.0/8
# Outbound: only the own aggregate leaves; the catch-all discard at the end
# of the out chain is what stops redistribute-connected/static from leaking
# the other connected and static routes.
add action=accept chain=ASxxxxx-bgp-out prefix=185.xxx.176.0/22
add action=discard chain=ASxxxxx-bgp-in prefix=185.xxx.176.0/22
add action=discard chain=ASxxxxx-bgp-in prefix=192.168.0.0/16
add action=discard chain=ASxxxxx-bgp-in prefix=172.16.0.0/12
add action=discard chain=ASxxxxx-bgp-in prefix=169.254.0.0/16
add action=discard chain=ASxxxxx-bgp-in prefix=224.0.0.0/4
add action=discard chain=ASxxxxx-bgp-in prefix=127.0.0.0/8
add action=discard chain=ASxxxxx-bgp-in prefix=240.0.0.0/4
# NOTE(review): the empty bgp-as-path match reads as a catch-all, so every
# route not discarded above is accepted, for both address families.
add action=accept bgp-as-path="" chain=ASxxxxx-bgp-in
add action=discard chain=ASxxxxx-bgp-out
# ---- IPv6 chain used as both in- and out-filter on the HE peer ----
# Rejects 6bone, documentation space, Teredo and 6to4 (only the exact /32
# and /16 are allowed), ::/8, fe00::/9 and multicast; accepts 2000::/3 up
# to /48; rejects everything else.
# NOTE(review): fe00::/9 spans fe00::-fe7f:ffff:..., so link-local
# fe80::/10 and ULA fc00::/7 are not matched by it; they are only stopped
# by the final ::/0 reject. As an out-filter, the 2000::/3 0-48 rule would
# also pass the static 2000::/3 and 2a0b:xxxx::/32 routes if the instance's
# redistribute-static exports them -- check what HE actually receives.
add action=reject chain=ipv6-ebgp-relaxed prefix=3ffe::/16 prefix-length=\
0-128
add action=reject chain=ipv6-ebgp-relaxed prefix=2001:db8::/32 prefix-length=\
0-128
add action=accept chain=ipv6-ebgp-relaxed prefix=2001::/32
add action=reject chain=ipv6-ebgp-relaxed prefix=2001::/32 prefix-length=\
0-128
add action=accept chain=ipv6-ebgp-relaxed prefix=2002::/16
add action=reject chain=ipv6-ebgp-relaxed prefix=2002::/16 prefix-length=\
0-128
add action=reject chain=ipv6-ebgp-relaxed prefix=::/8 prefix-length=0-128
add action=reject chain=ipv6-ebgp-relaxed prefix=fe00::/9 prefix-length=0-128
add action=reject chain=ipv6-ebgp-relaxed prefix=ff00::/8 prefix-length=0-128
add action=accept chain=ipv6-ebgp-relaxed prefix=2000::/3 prefix-length=0-48
add action=reject chain=ipv6-ebgp-relaxed prefix=::/0 prefix-length=0-128
/system logging
# The three default logging rules all go to the "disk" action (whose file
# is set to /disk2/log above), so logs survive a reboot but only locally;
# no remote syslog target appears in this export.
set 0 action=disk
set 1 action=disk
set 2 action=disk
/system routerboard settings
# protected-routerboot=disabled: the board can still be Netinstalled or
# reset via the reset button by anyone with physical access. Enable it once
# the device sits in a rack you do not fully control (read the RouterOS
# notes on recovery first -- it is deliberately hard to undo).
set protected-routerboot=disabled
/tool mac-server
# MAC-telnet and MAC-Winbox are off, so the router cannot be managed by MAC
# address from the attached L2 segments -- appropriate on an edge router.
set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
I have replaced the real IP address information with xxx; I hope this does not hinder analysing the configuration.