OSPF out route filter V7.XX

SapieH · July 18, 2024, 3:21pm

Good day All,
there are numerous posts for inbound route filters for OSPF. I am struggling to find examples of outbound route filters. I need to prevent certain connected IP ranges from being distributed by ospf.

sirbryan · July 19, 2024, 2:59pm

If you set up a filter for OSPF out, it will, by default, reject everything and only allow what you want to go out.

So, for example, if I want 10.0.0.0/24 to go out, my filter would be:

if (dst==10.0.0.0/24) { accept; }

In this case, I want to allow any subnets within the 10.0.0.0/8 range. Use “in” instead of “==” to allow for any subnets within the range to be announced.

if (dst in 10.0.0.0/8) { accept; }

If you want to be “lazy” and allow everything but a specific subnet, you’d have filters like the following.

if (dst==10.0.0.0/8) { reject; }
if (dst==192.168.0.0/16) { reject; }
accept;

Note that “==” explicitly matches on the subnet as written. If you want all smaller portions of a subnet to be filtered, you use “in” instead of “==”:

if (dst in 10.0.0.0/8) { reject; }
if (dst in 192.168.0.0/16) { reject; }
accept;

It’s usually smarter, though, to do what I did in the first example, which is allow the system to reject everything by default and specifically allow what you want.

From the CLI, these look like this:

# From a working example
/routing filter rule
# Allow CGNAT subnets to be advertised
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Allow management IP's to be advertised
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 16-32) { accept; }"
# By default anything else the router has is rejected

elbob2002 · July 20, 2024, 10:17am

That is such a great explanation. Wish the official docs were as good with practical examples!

Filtering has been wrecking my head since it first came out.

ptsch · July 1, 2025, 3:33pm

sirbryan:

f you set up a filter for OSPF out, it will, by default, reject everything and only allow what you want to go out.

So, for example, if I want 10.0.0.0/24 to go out, my filter would be:
if (dst==10.0.0.0/24) { accept; }

where do i apply that filter though? cause adding it to the ospf instance as an “out filter” still doesn’t prevent all the rest of the routes from being advertised

chechito · July 1, 2025, 6:18pm

you are not alone, but For your relief RouterOS 7.20 beta includes a wizard to help with routing filters

sirbryan · July 7, 2025, 2:52pm

I believe it only applies to routes learned/exported by that router. If some other router inserts those routes, they’re passed on. At least, that is behavior I recall seeing before, and the upstream/peer routers needed those filters too.

StubArea51 · July 7, 2025, 3:18pm

The out filter for OSPF only applies to redistributed/external routes. You can’t filter ospf routes outbound that didn’t originate from another protocol.

MikroTik’s official answer on this here: