Firewall Mangle Packets to prefix in specific AS

Hey, I have been trying to figure out how to mangle (using IP Firewall) specific packets destined for a specific AS (I need to add the source IP to an address list + log).

I thought I could use Route Filter: add a specific ASN to BGP AS-path (i.e. 1234), and add a routing mark (say ‘mark1’). Then I expected to be able to pick up the routing mark in the mangle firewall, but I am not getting any hits.

Any thoughts? Thanks!

This really sounds like a “you’re doing it wrong” kind of thing.
When using BGP, you should use BGP’s own natural behavior to affect routing policy, not route-marking/mangling.
(generally speaking - you may have some really specific reason I’m unaware of)

Chances are, you should be setting the local_preference high or low on your matching routes to cause this peer to be more/less preferred than other peers. If you’re trying to blackhole certain destinations, set the route type=blackhole on matches. If you want THIS router to change its policy, but not other BGP speakers in your AS, then use the WEIGHT instead of the local preference.

Thanks for the feedback. What we are actually trying to achieve here is to find out which of our users are communicating with prefixes from a specific AS.

What I was thinking is to somehow add the source addresses of our users on our side to an address list in Mangle, but obviously we need to know the prefixes to achieve that in the firewall… hence trying to mark traffic/routes/etc. prefixes in a specific AS…

Well, one idea comes to mind: your in-filter can have a rule which matches on BGP AS Path, and in Actions use passthrough with Set Route Comment = “as-flagged” (or whatever makes sense; it’s best to choose just one flag, no matter which AS it comes from).

Then you’ll just have to have a script which searches through your route table occasionally, looks for the routes with that comment, and adds the matching dst-address=x.x.x.x/x to an address list. Your filter table forward chain can have a rule after the “match established” rule (so only new connections make log entries, and the rule only gets checked whenever new connections start, not on every single packet) which checks dst-address-list=flagged action=log.
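The approach in the reply above, written out as one RouterOS v6 configuration. This is an added example, not code from the thread or from MikroTik; the in-filter chain name `bgp-in`, the AS number 1234, the list names `flagged` and `users-to-flagged-as`, the script name and the scheduler interval are all assumptions. It goes one step beyond the reply by also recording the user's source address (what the original question asked for) and by removing address-list entries for prefixes that are no longer tagged.

```routeros
# 1. Route filter: tag every incoming route whose AS path matches and pass it on.
#    "bgp-in" is assumed to be the in-filter already attached to the peer
#    (/routing bgp peer ... in-filter=bgp-in). bgp-as-path is a regular
#    expression, so "1234" also matches 11234; anchor it for production use.
/routing filter add chain=bgp-in bgp-as-path="1234" action=passthrough \
    set-route-comment="as-flagged"

# 2. Script: copy the prefixes of tagged, active routes into the "flagged"
#    address list and drop list entries whose prefix is no longer tagged.
/system script add name=sync-flagged source={
    :local keep [:toarray ""];
    :foreach r in=[/ip route find where comment="as-flagged" && active] do={
        :local dst [:tostr [/ip route get $r dst-address]];
        :set keep ($keep, $dst);
        :if ([:len [/ip firewall address-list find where list="flagged" && address=$dst]] = 0) do={
            /ip firewall address-list add list="flagged" address=$dst comment="as-flagged";
        }
    }
    :foreach e in=[/ip firewall address-list find where list="flagged"] do={
        :local a [:tostr [/ip firewall address-list get $e address]];
        :if ([:typeof [:find $keep $a]] = "nil") do={
            /ip firewall address-list remove $e;
        }
    }
}

# 3. Re-sync the list periodically (10 minutes is an assumed interval).
/system scheduler add name=sync-flagged interval=10m on-event=sync-flagged

# 4. Firewall: after the established/related accept, only NEW forwarded
#    connections to a flagged prefix reach these two rules. Both actions pass
#    the packet on to the following rules, so forwarding policy is unchanged.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new dst-address-list=flagged \
    action=add-src-to-address-list address-list=users-to-flagged-as \
    address-list-timeout=1d
add chain=forward connection-state=new dst-address-list=flagged \
    action=log log-prefix="AS-FLAGGED: "
```

`/ip firewall address-list print where list=users-to-flagged-as` then answers the original question (which of our users talk to that AS), with entries expiring a day after the last new connection. The routing-filter syntax here is RouterOS v6; v7 rewrote `/routing filter` and the rule would need to be expressed in its new form.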