ROSv7 - BGP Blackhole

Hello

https://help.mikrotik.com/docs/display/ROS/Moving+from+ROSv6+to+v7+with+examples

May I know why we need to set the IP prefix which we are advertising as a blackhole, please?

/ip/firewall/address-list/
add list=bgp-networks address=192.168.0.0/24

/ip/route
add dst-address=192.168.0.0/24 blackhole

/routing/bgp/connection
set peer_name output.network=bgp-networks

Just a few lines further down on the same page you will find that answer:


In v7 it is not possible to turn off synchronization with IGP routes (the network will be advertised only if the corresponding IGP route is present in the routing table).

https://help.mikrotik.com/docs/display/ROS/Moving+from+ROSv6+to+v7+with+examples#MovingfromROSv6tov7withexamples-Networks

Thank you for the reply. I still don't understand why this is related to the blackhole, actually. I am sorry; if you could explain more, it would be very much appreciated.

The blackhole is just there so that the route is present. If the route is used anywhere else in the routing table, i.e. broken up into smaller routes or assigned to interfaces, these will take precedence when it comes to the actual routing of traffic. The blackhole is essentially just used as a catch-all so BGP knows it's in use somewhere on the router.

Actually, setting it to blackhole is a bad idea … if you never set any static route for that subnet afterwards … all the traffic would be dropped!

Quite the contrary, it is a bad idea to route traffic inside your network without an actual destination.
Blackholing traffic on the edge prevents it.

Is there any better option than blackholing it?

Because there are many ways to add a subnet into the routing table. Say you set up the blackhole and now you set a static route to point this /24 to our downstream. When the public accesses this subnet, they would get the blackhole because the entry is there!

If you set a static route to point to your downstream, then traffic will not be blackholed, it will be routed downstream. But if you do not have routes at all (not even a blackhole) and have a default route to upstream, then congratulations, you created a routing loop and congested your upstream link. Basically, you DoSed yourself.

I think in v7, BGP would not advertise the prefix to the upstream if the prefix is not in the routing table.

Yes, it won't, as was already mentioned before here and in the documentation, because of the reasons I pointed out in my previous posts.
So setting a blackhole route on the edge router is a good practice.
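
The behaviour discussed in this thread, as an added example that is not part of any post or of MikroTik's documentation: a small Python model of longest-prefix-match lookup on an edge router, showing that a more specific route overrides the /24 blackhole and that without the blackhole the uncovered addresses fall through to the default route and go back upstream. The /26, the gateway names and the helper functions are constructed for illustration, and `can_advertise` is a simplified model of the v7 rule quoted above.

```python
import ipaddress

# Constructed routes for an edge router originating 192.168.0.0/24.
# The gateway names and the /26 customer route are assumptions.
DEFAULT = ("0.0.0.0/0", "upstream")
BLACKHOLE = ("192.168.0.0/24", "blackhole")
CUSTOMER = ("192.168.0.0/26", "downstream")


def lookup(table, dst):
    """Return the action of the longest-prefix route matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def can_advertise(table, prefix):
    """Simplified model of the v7 rule: the network is advertised only if a
    route for that prefix is present in the routing table."""
    want = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(p) == want for p, _ in table)


def fate(table, dst):
    """What the edge router does with a packet that arrived from upstream."""
    action = lookup(table, dst)
    if action == "upstream":
        return "loop"       # bounced back upstream until the TTL expires
    if action == "blackhole":
        return "dropped"    # discarded at the edge
    return "delivered" if action else "unroutable"


if __name__ == "__main__":
    with_bh = [DEFAULT, BLACKHOLE, CUSTOMER]
    without_bh = [DEFAULT, CUSTOMER]
    for name, table in (("with blackhole", with_bh), ("without", without_bh)):
        print(name, "advertise /24:", can_advertise(table, "192.168.0.0/24"))
        for dst in ("192.168.0.10", "192.168.0.200"):
            print("  ", dst, "->", fate(table, dst))
```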