Help needed with routing filters v7

Hello,

There is very little information about the routing filters, and I need some help with it.

I have found this: https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples#ROSv7BasicRoutingExamples-OSPFConfiguration
But it is not much.

First I need help with OSPF and later maybe with my BGP, but let's start with the OSPF part.

I now have 3 filter rules; I replaced our subnets with some fake ones.

0 chain=ospf-out-v2 rule="if (dst-len==32 && dst in 10.255.255.0/24) {accept}"
1 chain=ospf-out-v3 rule="if (dst-len>32 && dst in 2aaa:aaaa::/32) {accept}"
2 chain=ospf-out-v2 rule="if (dst-len>22 && dst in 185.1.2.0/22) {accept}"

Rule 0 is for the loopback IPs and rules 1/2 are for our public IPs.
I want to advertise all smaller subnets we have split over multiple VLANs (so /29 and /30 subnets, for example), but only if they are active on this router. We use multiple routers as PPPoE servers and clients are randomly load balanced, so as soon as a client connects to one of the PPPoE servers, OSPF needs to advertise the route for this client's subnet.

In v6 you have the option "Redistribute Connected Routes as type 1"; I cannot find this in v7.
The reason I have not turned on redistribute connected and redistribute static routes in v7 is that I don't want all other subnets to be advertised in OSPF.

I hope my question/problem is clear, if not let me know!

Kind regards,

Sander

v7 also has a redistribute parameter.
/routing/ospf/instance set xx redistribute=connected

The only difference is that type and cost must be set using routing filters.

Okay, thanks.

Do you know the syntax for setting the cost and the type in the routing filter?

"set ospf-ext-type type1; set ospf-ext-metric 11"

Thank you, the autofill doesn’t give all the options back that are possible.

Can you check if I understand it right? Is this the correct way to select both static and connected? (so using ||)

if (dst-len>32 && dst in 2aaa:aaaa::/32 && protocol static || protocol connected ) {set ospf-ext-type type1; set ospf-ext-metric 20; accept }

Completion does not show that yet, but you can type

if (protocol static,connected) {}

Thank you, it works!

I have a last question for BGP in v7.

What is the best way to filter bogon networks? In v6 we have:

We have separate rule sets for every peer.
The first rule is a jump rule to Discard-IPv4-in,
then we have some discard rules in order to block for example 192.168.0.0/16 and 0.0.0.0/8 etc.,
then we have a return rule,
then we accept all other routes and set local pref.

The same we do for IPv6.

Is this still the way to go in v7?

The same approach can be used in v7, except that instead of drop you can only reject in filter rules.

Logic is something like this:

  • BGP packet received
  • accepted/dropped by input.accept config (configured in bgp template or connection)
  • accepted input messages decoded and stored in memory
  • decoded prefixes are sent to be filtered by routing filters.

So if you want to save memory and completely discard some bogon prefixes, then use input.accept-nlri, or other input.accept- parameters, to accept only specific prefixes to BGP input.
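The v6 layout from the question, carried over to v7 filter syntax as an added example (not posted by anyone in this thread). The chain names, the connection name `peer1`, the address-list name, the sample allowed prefix and the local-pref value are placeholders; 192.168.0.0/16 and 0.0.0.0/8 are the two prefixes named in the question, and the exact syntax should be checked against your RouterOS v7 release.

```routeros
# Added example, not from the thread. All names and values marked
# "placeholder" are assumptions.

/routing filter rule
# Shared bogon chain: a match rejects the prefix and stops processing.
add chain=discard-ipv4-in rule="if (dst in 0.0.0.0/8) {reject}"
add chain=discard-ipv4-in rule="if (dst in 192.168.0.0/16) {reject}"
# Nothing matched: hand the prefix back to the calling chain.
add chain=discard-ipv4-in rule="return"

# Per-peer chain (placeholder name): bogon check first, then accept the
# remaining routes and set local pref (placeholder value).
add chain=peer1-in rule="jump discard-ipv4-in"
add chain=peer1-in rule="set bgp-local-pref 200; accept"

/routing bgp connection
# Attach the per-peer chain to the session (placeholder connection name).
set peer1 input.filter=peer1-in

# Optional, for a peer that should only ever send known prefixes:
# input.accept-nlri is an allow-list applied before prefixes are stored,
# so anything not in the list never reaches memory or the filter chain.
/ip firewall address-list
add list=peer1-allowed address=198.51.100.0/24 comment="constructed sample"
/routing bgp connection
set peer1 input.accept-nlri=peer1-allowed
```

Prefixes rejected in the filter chain have already been decoded and stored, as described in the list above; only the input.accept- stage avoids that cost.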

I have a small OSPF problem,

I have the following route filter:
if (dst in 185.x.x.0/22 && protocol static,connected) {set ospf-ext-type type1; set ospf-ext-metric 20; accept}

When a PPPoE user/secret has also a routes object/rule, to route for example a /29 subnet to the customer, this is not being redistributed through OSPF.
In the route table the route has a DAS state, so Dynamic, Active, Static.

How do I change the route filter to also distribute these routes?

Send a supout file to support.

Ticket SUP-59118

I think it’s a bug in v7.

The extra subnet has the status of a VPN route.
If I change the route filter and do "redistribute static,connected,vpn" it works.

What do you consider a bug? That you need to specify to redistribute vpn routes for vpn routes?
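The OSPF pieces from this thread assembled into one configuration, as an added example rather than a config posted by any participant. The instance names `ospf-v2` and `ospf-v3` are placeholders, the prefixes are the fake ones from the first post, and the final reject rules are added here so the outcome does not depend on the chain's default action.

```routeros
# Added example, not from the thread. Instance names are placeholders.

/routing ospf instance
# redistribute= selects which route types are offered to OSPF at all;
# the out-filter chain then decides which of those are advertised.
# "vpn" covers the routes created from PPPoE secrets, as found above.
set ospf-v2 redistribute=connected,static,vpn out-filter-chain=ospf-out-v2
set ospf-v3 redistribute=connected,static out-filter-chain=ospf-out-v3

/routing filter rule
# Loopback /32s.
add chain=ospf-out-v2 rule="if (dst-len==32 && dst in 10.255.255.0/24) {accept}"
# Customer subnets smaller than the /22, advertised as external type 1.
add chain=ospf-out-v2 rule="if (dst-len>22 && dst in 185.1.2.0/22 && protocol static,connected,vpn) {set ospf-ext-type type1; set ospf-ext-metric 20; accept}"
add chain=ospf-out-v3 rule="if (dst-len>32 && dst in 2aaa:aaaa::/32 && protocol static,connected) {set ospf-ext-type type1; set ospf-ext-metric 20; accept}"
# Everything else (management ranges, other connected subnets) stays out of OSPF.
add chain=ospf-out-v2 rule="reject"
add chain=ospf-out-v3 rule="reject"
```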

I have v7.5 and I am a little confused regarding the BGP output filter.
I have a router with a lot of subnets but I only want to publish (172.23.54.x/24)

0 chain=BGP_Filter rule="if (dst-len>24 && dst in 172.23.54.0/24) {accept}"

Besides, I have configured BGP as follows:
name="bgp1"
remote.address=10.109.173.1/32 .as=65052
local.default-address=10.109.173.2 .role=ebgp
routing-table=main templates=default as=65873 nexthop-choice=default hold-time=3m cisco-vpls-nlri-len-fmt=auto-bits
output.redistribute=connected .filter-chain="BGP_Filter" .default-originate=never

I do not know if it is OK because I have no idea how to check which subnets are advertised.

«I only want to publish (172.23.54.x/24)» ???
Filters are for filtering what you get, not what you give.


/ip firewall address-list
add address=172.23.54.0/24 list=bgp-networks
/ip route
add blackhole disabled=no distance=255 dst-address=172.23.54.0/24 routing-table=main
/routing bgp template
set bgp1 output.network=bgp-networks

OK, thank you. I have implemented those commands but I cannot find how to see which networks are advertised in order to know if it is working.
Please, can you share the command with me?

Priceless 🙂 But I think he is metaphorically stating something that is obvious in his life!

If I filter Italian coffee (the world's best), it's what you get after the filter, not what you put into the filter, that counts.

I can't find a CCR1036 anymore (with v6 or not). New availability is in November…
I'm forced to use a CCR2116-12G-4S+ and I'm afraid to use v7 for BGP…
I don't know what awaits me… 😨😨😨

@millanbelsue

I suggest, if that's a production box, putting it in a lab like GNS3 and trying it there; if it works, then copy the config to production. It's a sad story that this simple thing is not being given a priority boost by MT.

I cannot configure everything in a lab. I have to do it right now and I cannot find how to see which networks are advertised in order to know if it is working.
Please, can anyone share the command with me?