Good day All,
There are numerous posts for inbound route filters for OSPF. I am struggling to find examples of outbound route filters. I need to prevent certain connected IP ranges from being distributed by OSPF.
If you set up a filter for OSPF out, it will, by default, reject everything and only allow what you want to go out.
So, for example, if I want 10.0.0.0/24 to go out, my filter would be:
if (dst==10.0.0.0/24) { accept; }
In this case, I want to allow any subnets within the 10.0.0.0/8 range. Use “in” instead of “==” to allow for any subnets within the range to be announced.
if (dst in 10.0.0.0/8) { accept; }
If you want to be “lazy” and allow everything but a specific subnet, you’d have filters like the following.
if (dst==10.0.0.0/8) { reject; }
if (dst==192.168.0.0/16) { reject; }
accept;
Note that “==” explicitly matches on the subnet as written. If you want all smaller portions of a subnet to be filtered, you use “in” instead of “==”:
if (dst in 10.0.0.0/8) { reject; }
if (dst in 192.168.0.0/16) { reject; }
accept;
It’s usually smarter, though, to do what I did in the first example, which is allow the system to reject everything by default and specifically allow what you want.
From the CLI, these look like this:
# From a working example
/routing filter rule
# Allow CGNAT subnets to be advertised
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Allow management IPs to be advertised
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 16-32) { accept; }"
# By default anything else the router has is rejected
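Added here as an illustration, not code from this thread or from RouterOS: a small Python evaluator for the rule constructs used in the post above (dst==, dst in, dst-len in, &&, accept/reject, default reject), so a chain can be checked against sample prefixes before it is committed to a router. The semantics are assumed from the post, in particular that "in" matches the prefix itself and every longer prefix inside it, and that a route matching no rule is rejected.

```python
import ipaddress
import re

# Shape of a conditional rule as written in this thread:
#   if (<term> && <term> ...) { accept; }   or   { reject; }
RULE_RE = re.compile(r"^\s*if\s*\((.+)\)\s*\{\s*(accept|reject)\s*;\s*\}\s*$")


def _term(term, net):
    """Evaluate one condition term against a route prefix (assumed semantics)."""
    term = term.strip()
    if term.startswith("dst=="):
        # '==' matches only the exact prefix as written
        return net == ipaddress.ip_network(term[len("dst=="):].strip())
    if term.startswith("dst in "):
        # 'in' matches the prefix and any longer prefix inside it
        return net.subnet_of(ipaddress.ip_network(term[len("dst in "):].strip()))
    if term.startswith("dst-len in "):
        lo, hi = (int(x) for x in term[len("dst-len in "):].split("-"))
        return lo <= net.prefixlen <= hi
    raise ValueError(f"unsupported term: {term!r}")


def evaluate_chain(rules, prefix):
    """Walk the chain top-down; first matching rule decides, else reject."""
    net = ipaddress.ip_network(prefix)
    for rule in rules:
        rule = rule.strip()
        if rule in ("accept;", "reject;"):          # unconditional rule
            return rule[:-1]
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"cannot parse rule: {rule!r}")
        cond, action = m.groups()
        if all(_term(t, net) for t in cond.split("&&")):
            return action
    return "reject"  # assumed default for an out filter chain with no match


# Constructed sample: the "lazy" chain with == beside the same chain with in
LAZY_EQ = ["if (dst==10.0.0.0/8) { reject; }", "accept;"]
LAZY_IN = ["if (dst in 10.0.0.0/8) { reject; }", "accept;"]

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "10.1.0.0/16"):
        print(p, "==:", evaluate_chain(LAZY_EQ, p), " in:", evaluate_chain(LAZY_IN, p))
```

Running it shows that the "==" chain lets 10.1.0.0/16 through while the "in" chain blocks it, which is the difference the post warns about.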
That is such a great explanation. Wish the official docs were as good with practical examples!
Filtering has been wrecking my head since it first came out.
Where do I apply that filter though? Because adding it to the OSPF instance as an “out filter” still doesn’t prevent all the rest of the routes from being advertised.
You are not alone, but for your relief, RouterOS 7.20 beta includes a wizard to help with routing filters.
I believe it only applies to routes learned/exported by that router. If some other router inserts those routes, they’re passed on. At least, that is the behavior I recall seeing before, and the upstream/peer routers needed those filters too.
The out filter for OSPF only applies to redistributed/external routes. You can’t filter OSPF routes outbound that didn’t originate from another protocol.
MikroTik’s official answer on this here: