Simple blocking an ASN with BGP? [not resolved]

I have a lot of spam coming in from Vietnam and I can block that whole country but I searched the ASN for that provider on Hurricane Electric and it was AS45899.

I tried with selected parts of the network, but that was really cumbersome to do. I am now blocking /9 networks, but then other IPs could also be included besides the ones from the spamming network.

So is there a simple way to just enter the ASN of that provider into Mikrotik so that all the incoming traffic of that specific ASN gets blackholed?

It should be possible to create a route filter that matches the BGP AS Path (regexp, in your case “.*45899$” should work), and then as action set-type=blackhole. That way all routes originating from that AS will be blackholed instantly. That said, it’s a horrible idea to do this and you should rather improve on how your mail systems handle spam.

Thank you very much and I have entered it with your text.

I have got SpamAssassin and Postfix as tight as possible; however, valid mail servers are not always correctly configured, so I can’t filter everything in Postfix. The address ranges mentioned are in the log every day as FCRDNS, but I would rather have them never be able to reach my server.

I have used this filter for a few days; however, it does not work.

 0   chain=connected-in bgp-as-path=.*45899$ invert-match=no action=discard set-type=blackhole set-bgp-prepend-path=""

I added the action “discard” after a day because I got one e-mail then which was spam from that network range.

Update, I have now changed it to:

 0   chain=connected-in bgp-as-path=45899$ invert-match=no action=log set-type=blackhole set-bgp-prepend-path=""

and it seems that only the “^” and “$” are supported…but that was in 2008. I have to wait to see if this works.

Action needs to be accept, with set-type=blackhole. I prefer AS path filters like this:
bgp-as-path="^(45899_)+$"

You’ll need to remove the leading ‘^’ if you are offered the route via other networks though. You could also use the following to match prefixes either originating or transiting the network you wish to block:
bgp-as-path=45899

Or the following for prefixes originating from a given ASN:
bgp-as-path="_45899$"

If you have multiple routers you will additionally want to append a community value and then set other routers to also blackhole prefixes containing that community value…

Thanks for the new formats; I am trying the third option at the moment. I noticed that when I enter your strings in Winbox, the given string gets reformatted. And as you can see, I have only one line active in the whole routing section.

When I enter “_45899$” it is converted to:

[admin@MikroTik] /routing> export
# RouterOS 6.40.4
/routing filter
add action=accept bgp-as-path="\"_45899\\\$\"" chain=connected-in set-type=blackhole

And when I enter it in the terminal it stays the same:

/routing filter
add action=accept bgp-as-path="_45899\$" chain=connected-in set-type=blackhole

I have a RAW rule as filter and detector, and the IP ranges for vnpt.vn are 14.128.0.0/9 and 113.128.0.0/9. Those are huge, which is why I want to be specific and filter only the vnpt.vn IP addresses. I am connected to my ISP by fiber and I am not doing any routing other than the automatic routing done by RouterOS to have my connection.

The formatting I provided was generated by ‘/routing filter export’, should have mentioned that…

Simply enter the non escaped versions in Winbox:
Exclusively originating directly from (caters for possible prepends):
^(45899_)+$
Either originating or transiting a given network:
45899
Exclusively originating from:
_45899$

The following example would match prefixes originating from AS111 only when transiting directly via AS222:
bgp-as-path="^(222_)+(111_)+$" (/routing filter export format so some characters are escaped out, remove '\' when using Winbox)
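
How the AS-path patterns quoted in this thread select routes, as an added example that is not part of any post and is not RouterOS code. It assumes `_` matches the start, the end or a delimiter of the AS path (the Cisco-style convention implied by "caters for possible prepends"); all sample AS paths are constructed.

```python
import re

# Assumption: "_" follows the Cisco-style convention (start of path, end of
# path, or a delimiter between AS numbers). RouterOS behaviour may differ.
DELIM = r"(?:^|$|[ ,{}()])"

def compile_as_path(pattern):
    """Translate a router-style AS-path regex into a Python regex."""
    return re.compile(pattern.replace("_", DELIM))

def matches(pattern, as_path):
    """True if the space-separated AS path is selected by the filter pattern."""
    return compile_as_path(pattern).search(as_path) is not None

# Patterns quoted in the thread, in Winbox form (no escaping).
PATTERNS = {
    "first reply": ".*45899$",
    "origin, direct peer": "^(45899_)+$",
    "origin or transit": "45899",
    "origin only": "_45899$",
    "AS111 via AS222": "^(222_)+(111_)+$",
}

# Constructed AS paths; every ASN except 45899, 111 and 222 is made up.
SAMPLE_PATHS = [
    "45899",                # learned directly from the origin
    "45899 45899 45899",    # same, with prepending
    "64500 64501 45899",    # originated by 45899, seen via transit
    "64500 45899 64502",    # 45899 only transits
    "64500 145899",         # different ASN ending in the same digits
    "64500 458990 64502",   # different ASN containing the same digits
    "222 222 111",
]

def report():
    """Return {pattern label: [paths whose routes the filter would select]}."""
    return {label: [p for p in SAMPLE_PATHS if matches(rx, p)]
            for label, rx in PATTERNS.items()}

if __name__ == "__main__":
    for label, hit in report().items():
        print(f"{label:22} {PATTERNS[label]:20} -> {hit}")
```

Under that assumption, only the patterns that put `_` or `^` in front of the ASN leave the look-alike paths (145899, 458990) alone; the unanchored forms would blackhole routes from unrelated networks as well.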