eBGP routes all inactive due to gateway unreachable

RouterOS Forwarding Protocols
1

Hi fellow Tik'ers,

I manged to peer successfully with our first of three ISPs. We do receive teh routes but all the routes BGP routes are inactive with the state gateway unreachable. Any obvious reasons of why this would be?
The TCP connection (BGP peering) works fine over two VLAN intefaces distinguishing between national and international traffic. The national interface's peer has a prefix count of 3359 whereas the international interface has only 1, the default route.

Any help would be appreciated!

Stefan

2

http://wiki.mikrotik.com/wiki/Manual:Using_scope_and_target-scope_attributes

3

Hi mrz,

thank you for pointing me to that wiki article. I read through it and figured that I cannot apply “Add default route with scope < target-scope of BGP routes:” as the default route is also a BGP route (which I cannot adjust).
Further, all BGP routes received have a gateway which is directly connected though one of the two VLAN interfaces with a /31 network. If I add a static route for the default gateway (pointing to my international remote VLAN peer), the route will be inactive if I define the IP address as the gateway. As soon as I make this gateway an interface, the route becomes active. Unfortunately, this cannot be done to dynamic BGP routes.
Btw. we are running RB600 with ROS 4.11 .

Thanks,
Stefan

4

it might be helpful if you post actual routes (unchanged / original IPs) and interface information.

5

Hi azg,

thanks for your reply.
Please find the config information below.

IP addresses:

>ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
 0   ;;; untagged uplink
     a.a.40.3/31     a.a.40.2     a.a.40.3     toUplink                
 1   a.a.40.17/28    a.a.40.16    a.a.40.31    toNetwork             
 2   10.10.10.2/24      10.10.10.0      10.10.10.255    toNetwork             
 3   a.a.16.215/31   a.a.16.214   a.a.16.215   International_VLAN
 4   a.a.16.217/31   a.a.16.216   a.a.16.217   Domestic_VLAN

BGP instance

>routing bgp instance print
0   name="default" as=65430 router-id=0.0.0.0 redistribute-connected=no 
     redistribute-static=no redistribute-rip=no redistribute-ospf=no 
     redistribute-other-bgp=no out-filter="" client-to-client-reflection=yes 
     ignore-as-path-len=no routing-table=""

BGP peers:

>routing bgp peer print
 #   INSTANCE        REMOTE-ADDRESS                                REMOTE-AS  
 0 E default         a.a.16.216                                 <ISP AS>      
 1 E default         a.a.16.214                                 <ISP AS>

Active routes:

>/ip route print detail where active 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 2 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.2 gateway=toNetwork gateway-status=toNetwork reachable distance=0 scope=10 
16 ADC  dst-address=a.a.16.214/31 pref-src=a.a.16.215 gateway=International_VLAN gateway-status=International_VLAN reachable distance=0 
        scope=10 
17 ADC  dst-address=a.a.16.216/31 pref-src=a.a.16.217 gateway=Domestic_VLAN gateway-status=Domestic_VLAN reachable distance=0 scope=10 
18 ADC  dst-address=a.a.40.2/31 pref-src=a.a.40.3 gateway=toUplink gateway-status=toUplink reachable distance=0 scope=10 

19 ADC  dst-address=a.a.40.16/28 pref-src=a.a.40.17 gateway=toNetwork gateway-status=toNetwork reachable distance=0 scope=10

Configuration:

/routing bgp instance
set default as=65430 client-to-client-reflection=yes comment="" disabled=no ignore-as-path-len=no name=default out-filter="" redistribute-connected=no \
    redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 routing-table=""

/routing bgp peer
add address-families=ip,ipv6 as-override=no comment="" default-originate=never disabled=yes hold-time=3m in-filter=bgp-in instance=default interface=\
    Domestic_VLAN multihop=no name=DomesticPeer nexthop-choice=force-self out-filter="" passive=no remote-address=a.a.16.216 remote-as=<ISP AS> \
    remove-private-as=no route-reflect=no tcp-md5-key="" ttl=default update-source=Domestic_VLAN use-bfd=no
add address-families=ip,ipv6 as-override=no comment="" default-originate=never disabled=yes hold-time=3m in-filter="" instance=default interface=\
    International_VLAN multihop=no name=InternationalPeer nexthop-choice=default out-filter="" passive=no remote-address=a.a.16.214 remote-as=<ISP AS> \
    remove-private-as=no route-reflect=no tcp-md5-key="" ttl=default update-source=International_VLAN use-bfd=no

I do not have any VRF configured as does not seem to be mandatory according to any of the Wiki articles.

Please advise.

Many thanks. Stefan

6

this is full of manual edits – sorry, you’re on your own that way.
i don’t understand why people are so afraid of telling their IP or AS numbers.

also – the config does not look like being real with two upstream BGP peers being a.a.16.214 and a.a.16.216… normally the providers assign addresses to you for this purpose from their address spaces. this looks more like a school assignment to me.

before BGP make sure you understand IP addressing & in particular netmasks. and if you have real, unaltered config you can still post it.

andy

7

Hi Andy,

sorry for the confusion. I thought I was just following common practise by not posting full IPs as this seems to be the case in the majority of posts. On the other hand, I am quite confident, that I can recreate the scenario with whichever IP addresses I want.

However, a.a. is meant to be 111.69. and the remote AS is 23655.

Do you want me to post the previous config with those amendments made?

The remote peer is a Juniper and it is indeed a real configuration as provided by the upstream ISP.

Thanks for your help.

Stefan

8

yes complete, unaltered config of 1:1 exactly the problem would help.
i wonder in particular for the peering networks how come there are /31 subnets.

9

IP Addresses:

[stefan@toISP] > ip add pr
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE             
 0   ;;; toSnap
     111.69.40.3/31     111.69.40.2     111.69.40.3     toISP                 
 1   111.69.40.17/28    111.69.40.16    111.69.40.31    toNetwork             
 2   10.10.10.2/24      10.10.10.0      10.10.10.255    toNetwork             
 3   111.69.16.215/31   111.69.16.214   111.69.16.215   International_VLAN1425
 4   111.69.16.217/31   111.69.16.216   111.69.16.217   Domestic_VLAN1424

BGP instance

[stefan@toISP] > rou bgp ins print 
Flags: X - disabled 
 0   name="default" as=65430 router-id=0.0.0.0 redistribute-connected=no 
     redistribute-static=no redistribute-rip=no redistribute-ospf=no 
     redistribute-other-bgp=no out-filter="" client-to-client-reflection=yes 
     ignore-as-path-len=no routing-table=""

BGP peers

[stefan@toISP] > rout bgp pe pr   
Flags: X - disabled, E - established 
 #   INSTANCE        REMOTE-ADDRESS                                 REMOTE-AS  
 0 E default         111.69.16.216                                  23655      
 1 E default         111.69.16.214                                  23655

Active routes:

[stefan@toISP] > ip route print detail where active  
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 1 ADC  dst-address=10.10.10.0/24 pref-src=10.10.10.2 gateway=toNetwork 
        gateway-status=toNetwork reachable distance=0 scope=10 
42 ADC  dst-address=111.69.16.214/31 pref-src=111.69.16.215 
        gateway=International_VLAN1425 
        gateway-status=International_VLAN1425 reachable distance=0 scope=10 
43 ADC  dst-address=111.69.16.216/31 pref-src=111.69.16.217 
        gateway=Domestic_VLAN1424 gateway-status=Domestic_VLAN1424 reachable 
        distance=0 scope=10 
44 ADC  dst-address=111.69.40.2/31 pref-src=111.69.40.3 gateway=toISP 
        gateway-status=toISP reachable distance=0 scope=10 
45 ADC  dst-address=111.69.40.16/28 pref-src=111.69.40.17 gateway=toNetwork 
        gateway-status=toNetwork reachable distance=0 scope=10

Configuration:

/routing bgp instance
set default as=65430 client-to-client-reflection=yes comment="" disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""

/routing bgp peer
add address-families=ip,ipv6 as-override=no comment="" default-originate=\
    never disabled=no hold-time=3m in-filter=bgp-in instance=default \
    interface=Domestic_VLAN1424 multihop=no name=DomesticPeer nexthop-choice=\
    force-self out-filter="" passive=no remote-address=111.69.16.216 \
    remote-as=23655 remove-private-as=no route-reflect=no tcp-md5-key="" ttl=\
    default update-source=Domestic_VLAN1424 use-bfd=no
add address-families=ip,ipv6 as-override=no comment="" default-originate=\
    never disabled=no hold-time=3m in-filter="" instance=default interface=\
    International_VLAN1425 multihop=no name=InternationalPeer nexthop-choice=\
    default out-filter="" passive=no remote-address=111.69.16.214 remote-as=\
    23655 remove-private-as=no route-reflect=no tcp-md5-key="" ttl=default \
    update-source=International_VLAN1425 use-bfd=no

I hope, this sheds some light.

Thanks,
Stefan

10

RouterOS does not work with /31 addresses. You have to set either point to point /32 or /30 addresses

11

Hi mrz,

thanks for your reply. Can you please explain which part of RouterOS does not work with /31?
Since the peering works and I do receive all the routes through from the two peers, I assume /31 works on TCP and on general routing?
Is it just BGP related or which other functionalities suffer? Do you know, is there any plan to make RouterOS work with /31, please?

Thanks,
Stefan

12

Roting in general will not work properly. As yo can see, when /31 is added ip address and broadcast address are the same.
0 ;;; toSnap
111.69.40.3/31 111.69.40.2 111.69.40.3 toISP

In RouterOS address should not match broadcast or network.
In your case I’m guessing BGP installs routes with gateway 111.69.40.2, routeros is unable to resolve the gateway because 111.69.40.2 is the network address.

13

Well, if I go static routes only, everything works sweet, as I can assign an interface as gateway. Doing BGP it populates the gateway with the peer IP (as expected). And this gateway shows as unavailable, even though the dynamic entry generated by IP address assignment show the gateway being available/being connected.

However, if this is still not related to BGP as you say, is there any plan to fix /31 functionality?

Thanks,
Stefan

14

There are no plans to add /31 functionality at least in near future.

For BGP routes you can try to set gateway as interface with routing filter.

15

Hi mrz,

this routing-filter gateway assignment might be my solution. Can you provide me an example or put me in the right direction please?

I tried

add chain=bgp-in prefix=0.0.0.0/0 set-out-nexthop=111.69.16.214 set-pref-src=111.69.16.215 disabled=no

,
but that had no effect.

Thanks,
Stefan

16

/routing filter
add chain=bgp-in set-in-nexthop-direct=ether1

17

Mrz,
very good, my routes through one of the two VLANs are marked active now.
Traceroute in and out of the router still does not work.
Traceroute from the router out gives a timeout on the first hop.
traceroute from the outside fails at the last hop.

Somehow, the router still does not know, where to send the packets.
The interface is now assigned properly.

Thanks,
Stefan

18

Excellent, /30 resolved it.
Thanks mrz.