As far as I can tell Mikrotik is unable to make routing decision based on the originating or peer AS or communities for the source addreses - something taken for granted with established vendors laike Cisco.
The necessary capability is already available in the Linux kernel with realms:
All is needed is to add a route filter to assign realms for BGP prefixes. The realm can be used to select different routing tables either directly or through a firewall rule.
Another way to implement the same functionality would be to have a option to syncronize (add/remove) BGP prefixes with a adress list in a routing filter.
The address list may be used then to select the appropriate routing table in the firewall.
No, it doesn’t.
The existing routing mark applies to outgoing packets only, based on the destination AS/comunity/whatever.
There is no way to apply it to the incoming packets ( to do source routing based on the AS/community of the source address/ peer rather than the destination)
routing-marks apply to any packets that the router is routing, incoming or outgoing. you can use ‘/ip route rule’ to put those routing marks into a table so you can route them differently as they come in if you wish.
This is exactly what I do now - I use scripts to populate a firewall address list with prefixes extracted from the routing table, and mark packets with the appropriate routing mark.
We have to to it this way because the routes themselves don’t apply at all to the pachets we are interested into.
However, it’s a cumbersome and unelegant solution for a common problem (Cisco users take it for granted).
At least a option to create a adress list in the routing filter ( maybe only for BGP prefixes ) will ease such configurations considerably, since the address list will be automaticaly synced with the prefix list.
This is exactly what I do now - I use scripts to populate a firewall address list with prefixes extracted from the routing table, and mark packets with the appropriate routing mark.
So what are you using to determine what routes to mark, something in the route itself? Paste your script or something to give me a hint and I’ll try to make it easier. I know it can be done - but I am not sure what you want to filter on.
There is also route aggregation in there as well - just not sure if it works on non-bgp or what, never touched that piece.
Here is a script I use to take a BGP feed of BOGONS IPs and enter them into an address-list:
## Builds an address list with bogons based on the
## learned bgp routes which have the specific routing-mark.
:log info "Removing all BOGONS, starting sync."
:foreach subnet in [/ip firewall address-list find list=bogons] do {
/ip firewall address-list remove $subnet
}
:foreach subnet in [/ip route find routing-mark=bogons bgp-communities=65333:888] do {
:set bogon [/ip route get $subnet dst-address]
:log info ("Found " . $bogon . " as bogon entry.")
/ip firewall address-list add list=bogons address=$bogon
}
# Mail me a copy ...
/ip firewall address-list export from=[/ip firewall address-list find list=bogons] file=bogons
/tool e-mail send from="bogons@cip" to="sam@" subject="Bogons Export" body="Latest bogons export based on BGP table from cymru.com.\n\n" file=bogons.rsc
which results in a script as well to use on other routers:
My script is quite similar.
However, the received prefixes may change much more often than the bogon list.
And clearing all the routes isn’t very elegant either, as the traffic will go to the wrong interface until the address list is rebuild.
A facility in the router itself to maintain such a table is IMHO quite easy to implement and very useful.
The obvious place for it is in the routing filter - just add an option to add the prefix to a address list ( as long as the rule is valid, of course ).
you missed what i said below. there is a way to do what you need, but im not sure what you are trying to pick out of the routes coming in to make your list. do you make your list based on communities, asn numbers, what? post that and i’ll help you get the routing-filter you need for it. i only use that address-list script below because I dont want to affect routing with bogons, i just want firewall options. If i were to use it in routing I would do this:
/ routing filter
add chain=cymru-in bgp-as-path=65333 invert-match=no action=accept
set-routing-mark=“bogons” set-bgp-communities=65333:888
set-type=blackhole comment=“Cymru Chain - Mark bogons with a
different routing-mark” disabled=no
This will affect only packets going TO the addresses in the bogon list, not packets coming FROM them.
To affect incoming packets you have to do some kind of source routing, and it looks like the only way to do this in Mikrotik so far is to use firewall routing mark with multiple routing tables.
It comes then to implement a way to synchronize prefixes between routing daemons and an address list (named realm in the Linux kernel implementation ), and using this address list to select routing tables/ queues/etc.
I think I understand what you mean now … the ‘route rules’ aren’t used on the way in, unless you use src-address, which you can’t pick from an address-list, only hardcoded subnets.
I mocked this up - its about 90% functional but should get you close. The removes piece could be done a few different ways depending on how many routes you are dealing with. I assume in this script you’ve already got a routing table with the entries you want.
## Builds a route ruile list with entries matching specific routing tables.
:local table bogons
:local testmode yes
:local subnetId
:local subnet
:log info ( "Working on table '" . $table . "'" )
# Adds
:foreach subnetId in [/ip route find routing-mark=$table] do {
:set subnet [/ip route get $subnetId dst-address]
:if ( [:len [/ip route rule find src-address=$subnet ]] = 0) do={
:log info ("Adding " . $subnet . " as a new rule.")
/ip route rule add src-address=$subnet table=$table disabled=$testmode
} else={
:log info ( "Route rule exists for " . $subnet )
}
}
# Removes
:foreach subnetId in [/ip route rule find table=$table] do {
:set subnet [/ip route rule get $subnetId src-address]
:log info ("Looking for " . $subnet . " as a routing rule.")
:if ( [:len [/ip route find dst-address=$subnet ]] > 0) do={
:log info ("Removing " . $subnet . " as a routing rule.")
/ip route rule remove $subnetId
}
}
My approach was a little different ( I was using two tables, adding prefixes to one and then erasing the other one).
Seems to be holding OK for the about 10000 prefixes involved.
Maybe in the future this will be a feature in the Mikrotik itself, however.
It’s quite easy for the routing daemon to know when a route announcement is changed, it just have to offer this info to other subsystems.
For lots of prefixes (> 1000) the previous script is unworkable.
For one testing if the prefixes are already recorded takes hours, instead of minutes for a table copy.
Exporting directly to routing rules rules doesn’t work, either, as will severly degrade the routing performance and lock the router eventualy.
Using firewall address lists works OK, but I’ve uncovered a little bug:
Say you have in the adress list a IP address with id A
I add the same address again, with id B ( the route list will have 2 identical addreses).
Then I remove id A.
The adress list still list my adress ( with id B ) but the router ignores it ( at least for firewall marking purposes).
yes, that script below was an example and figured it wouldnt be ideal. so allowing ‘/ip route rule’ src-address to use an address-list would be ideal? Not sure if that would be slow in the routing process or not - but worth asking MT if they could add it.