ip route - null route

Hi,

What I want to do is as follows; I can’t seem to do it on Mikrotik.

I want to add a static route that matches our BGP announcement. If there is no matching route in the routing table, the prefix won’t be announced. Routing an address range to the Null0 interface will make sure BGP always announces our prefix.

On ciscos the cmd is:

ip route null0 250


Regards,

Alex

I believe you have to use a firewall rule, just specify the protocol (BGP)…

MT doesn’t have a null interface.

The solution I have used for “null routing” is:

Create an empty bridge (don’t put any interfaces in it)

Add an unused non-routable (rfc1918) subnet to that interface.

Add a static route for the subnet I want to null route via another (non-existent) ip in the subnet created above.

So, something like this:

/int br add name=null0
/ip add add add=172.25.0.1/30 int=null0
/ip rou add dst=a.b.c.d/x gate=172.25.0.2

Where a.b.c.d/x is the subnet you want to “null route”, and 172.25.0.0/30 is a subnet you don’t actually use anywhere (substitute as necessary)

Great for sinking the unused parts of a large network that may not be fully announced, helps prevent loops.

Also good for attaching /32 addresses to, as “routable loopback” IPs. Reachable over any interface, as long as your routing protocol is working.

eflanery,

Why not use a drop rule? What you specified is just wasting CPU cycles…

Because the point isn’t to “drop” anything, but rather to generate a routing protocol announcement, without actually having the subnet attached to a “real interface” on the router.

In the case where you “null route”, you want to attract all traffic for a particular network which does not match any more specific route.

So in the simple loop-prevention case, say you have routes to 1.0.0.0/24 and 1.0.2.0/24, but not to 1.0.1.0/24 or 1.0.3.0/24 (haven’t decided where to use them yet, or whatever). Also say that your upstream sends you packets for the entire 1.0.0.0/22; and they statically route 1.0.0.0/22 to you, and you have a default pointing to them (simple case, no BGP).

Without “sinking” the extra subnets, any packets sent to an address in 1.0.1.0/24 or 1.0.3.0/24 will be sent to you by the upstream, only to be turned back around and sent (via the default) back to the upstream, who will in turn send them back to you, etc… Thus causing a routing loop, and wasting your bandwidth to the upstream.

In alexfossa’s case, I suspect that he has routes to all of his subnets, but that either they are too small for his upstream(s) to accept in a BGP announcement (usually /24 is the longest mask a transit provider will allow), or he wants to be a good operator and not pollute the global BGP system with excess routes which could be aggregated.

By “null routing” the entire aggregated network, he can make just one announcement, and filter anything longer. Once the packets hit his router, the longer (more specific) matches to the individual subnets will take precedence over the null routed aggregate.

In the “routable loopback” case, you can place a /32 on a “null interface” which cannot go “down”, and then announce that /32 via your IGP routing protocol (works great with OSPF). This gives you the advantage of being able to reach your router via this IP, regardless of which interfaces are up, so long as the router is reachable via some interface.

Personally, I add a “null” or “loopback” bridge to every MT I run, and “sink” all of my address ranges at each router (be it MT, Cisco, AT or whatever). I also put a “routable loopback” address on each of them, which makes rearranging the network much easier, and prevents “false alarms” when only one interface goes down.

This technique, together with the new OSPF NBMA-Neighbor settings in 2.9, should also make some semblance of “unnumbered interfaces” fully workable over non-ppp links. I haven’t tried it yet, but it should work, hopefully.

–Eric
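The loop-prevention case from the post above, as an added example that is not part of the original thread: a small longest-prefix-match simulation using the post's 1.0.0.0/22 prefixes. The table contents, the action labels (`lan-a`, `to-upstream`, and so on) and the hop limit are constructed for illustration.

```python
import ipaddress

def routes(*entries):
    """Build a routing table as a list of (network, action) pairs."""
    return [(ipaddress.ip_network(p), a) for p, a in entries]

def lookup(table, dst):
    """Longest-prefix match: action of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, action) for net, action in table if addr in net]
    if not matches:
        return "no-route"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed tables: two /24s in use, default pointing at the upstream.
CUSTOMER_NO_SINK = routes(
    ("1.0.0.0/24", "lan-a"),
    ("1.0.2.0/24", "lan-b"),
    ("0.0.0.0/0", "to-upstream"),
)
# Same table plus the "null routed" aggregate.
CUSTOMER_WITH_SINK = CUSTOMER_NO_SINK + routes(("1.0.0.0/22", "blackhole"))
# The upstream statically routes the whole /22 to the customer.
UPSTREAM = routes(("1.0.0.0/22", "to-customer"), ("0.0.0.0/0", "internet"))

def trace(customer_table, dst, ttl=8):
    """Follow a packet arriving at the upstream until it is delivered,
    dropped, or the hop limit runs out (a routing loop)."""
    hops, at = [], "upstream"
    while ttl > 0:
        table = UPSTREAM if at == "upstream" else customer_table
        action = lookup(table, dst)
        hops.append((at, action))
        if action == "to-customer":
            at = "customer"
        elif action == "to-upstream":
            at = "upstream"
        else:
            return hops, action
        ttl -= 1
    return hops, "ttl-expired"

if __name__ == "__main__":
    for name, table in (("no sink", CUSTOMER_NO_SINK), ("with sink", CUSTOMER_WITH_SINK)):
        for dst in ("1.0.1.5", "1.0.2.9"):
            hops, result = trace(table, dst)
            print(f"{name:9} {dst:8} -> {result} after {len(hops)} lookups")
```

Without the aggregate, a packet for the unused 1.0.1.0/24 bounces between the two routers until the hop limit expires; with it, the packet is dropped at the customer router, while 1.0.2.0/24 still follows its more specific route.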

I use policy routing to achieve some of the same things (but I miss being able to add routes with -reject or -drop flags too!)

In your main table add all your routes but do not add your default route here.
This is also the table where routing protocols operate.
First you will have your main table lookup rule.
Then you will have your rules specifying which networks to drop/unreach.
Then add a final table with your default route and make a lookup to this one.

Sort of like this (IP addresses changed to protect the innocent).

/ ip policy-routing add name="default"
/ ip policy-routing rule
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 action=lookup table=main
add src-address=0.0.0.0/0 dst-address=192.168.0.0/16 action=unreachable
add src-address=0.0.0.0/0 dst-address=172.16.0.0/12 action=unreachable
add src-address=0.0.0.0/0 dst-address=10.0.0.0/8 action=unreachable
add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 action=lookup table=default
/ ip policy-routing table default
add dst-address=0.0.0.0/0 gateway=12.0.0.1
/ ip policy-routing table main
add dst-address=12.0.1.0/24 gateway=12.0.0.6
add dst-address=12.0.2.0/24 gateway=12.0.0.6
add dst-address=12.0.3.0/24 gateway=12.0.0.8

I am trying to pin up my /22 by routing it to a nullbridge but it does not seem to work. I am still only advertising 2 of the /24’s that are in the /22. The ones advertising are connected routes… I did check connected and static for my instance, but have not reconnected bgp since then… hmmm

Hopefully this helps someone else…

We prefer to dynamically originate routes from a single static blackhole route, usually the provider edge routers, for the same reason that eflanery explained.
We utilise OSPF as our IGP and BGP as our EGP. BGP is set to redistribute static routes whilst OSPF redistributes both static and connected routes. We use community strings to set whether or not the route should be prepended, have a custom MED value set, what weight or local preference to assign.

OSPF wins over BGP though, so we filter outbound OSPF announcements using a route comment:

/ip route
add bgp-communities=33314:500,33314:4000 bgp-local-pref=300 bgp-origin=igp \
    comment="originate via BGP:" dst-address=123.123.123.0/24 type=blackhole

/routing filter
add action=discard chain=ospf-out \
    comment="Do not distribute routes with comment=\"originate via BGP:\":" \
    route-comment="originate via BGP:"

Herewith an example of an outbound BGP filter rule, on a remote router:
/routing filter
add action=accept bgp-communities=33314:4000 chain=ixp-out \
    comment="IXP, set-bgp-prepend=1 where community=33314:4000:" \
    set-bgp-prepend=1

To do a null route in Mikrotik, just add a route like this:

/ip route add dst=192.0.2.0/24 type=blackhole

done

This is equivalent to the Cisco command:
ip route 192.0.2.0 255.255.255.0 null0

There is (last I checked) no blackhole type route in ROS’s IPv6 stack, so you use type=unreachable to achieve this effect for IPv6.