Strange BGP Routing issue to mikrotik subnet

Dear Forum,

I have 2 core routers and one peering router, all connected to each other via OSPF4 and BGP4.

The core routers do a full BGP feed; the peering router is only a peering point.

I found out that I am unable to update software packages on the peering router - error: time out.

Looking for the prefix on the peering router:

/ip route print where dst-address=159.148.147.0/24      
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE

I checked that I get a bigger prefix from the peering partner Hurricane Electric:

/ip route print where dst-address=159.148.0.0/16  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADb  159.148.0.0/16                     193.203.0.185            20

I assume that the smaller subnet is in, but when I do a traceroute it looks like this:

 tool traceroute 159.148.147.204
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 193.203.0.185                      0%    1   0.2ms     0.2     0.2     0.2       0
 2 10.198.78.1                        0%    1     6ms       6       6       6       0
 3 184.105.223.109                    0%    1  11.6ms    11.6    11.6    11.6       0
 4 72.52.92.85                        0%    1  11.7ms    11.7    11.7    11.7       0
 5                                  100%    1 timeout
 6                                  100%    1 timeout
 7                                  100%    1 timeout
 8                                  100%    1 timeout
 9                                    0%    1     0ms

Now the same checks on my first core router:

 /ip route print where dst-address=159.148.0.0/16
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADb  159.148.0.0/16                     92.61IPOFMYPEERING ROUTER            200
 1  Db  159.148.0.0/16                     89.185.XXXXX           20
 2  Db  159.148.0.0/16                     77.67.XXXXXX             20

Here is the command with the prefix of Mikrotik's upgrade server (I don't see the route of my peering server):

/ip route print where dst-address=159.148.147.0/24
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADb  159.148.147.0/24                   89.185XXXXX           20
 1  Db  159.148.147.0/24                   77.67.XXXXX             20

Traceroute from core one to the MT server:

 tool traceroute 159.148.147.204                  
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
 1 89.185XXXXXX                   0%    2   0.1ms     0.2     0.1     0.2     0.1
 2 195.95.XXXXX                    0%    2   0.2ms     0.2     0.2     0.2       0
 3 80.81.194.165                      0%    2  69.3ms    69.5    69.3    69.6     0.2
 4                                  100%    2 timeout
 5                                  100%    2 timeout
 6                                  100%    2 timeout
 7 159.148.147.204                    0%    1  50.1ms    50.1    50.1    50.1       0

Can someone see the reason for my problem?

Thank you for your input.

Mark

I was thinking today and found out that when I add the peering loopback address as the source in the traceroute tool, I can reach the Mikrotik host.

Your problem is hopefully quite simple :)

You reach the Mikrotik update servers through a VIX peering, so by default, your router will source all packets it sends towards that destination using the IP address it has assigned on the egress interface - which will be in the peering LAN range 193.203.0.0/24.

Peering LANs should not be routable globally, and most are not. So my guess is that the return packets get nullrouted somewhere along the way, as either Mikrotik themselves or their ISP(s) will not have a route towards the VIX peering LAN unless they actively peer there. If you use a different IP address to source those packets, as you do when explicitly stating your loopback IP in a traceroute, you will of course get replies from the Mikrotik servers as your own IPs are globally routable.

The fix for this should also be quite simple. On other routers (like Juniper for example) you can set a globally preferred source IP address for all purposes. On Mikrotik you will have to change your routing filters to set an explicit “set-pref-src=” for all incoming routes you accept from VIX peers or the route servers - that should hopefully fix your connectivity troubles.

Greetings to the capital, let me know how this works out for you.

Edit: also if you’d rather not touch your route filters, you can obviously also just upload the packages by any other means to your router.
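
The source-address behaviour described in the answer above, modelled as an added example that is not part of the thread: the peering router only holds the /16 via VIX, so locally originated packets take the peering-LAN address as source unless the route carries a pref-src. The router's VIX address, the loopback address and the far side's return routes are constructed assumptions.

```python
import ipaddress

# Constructed values, not from the thread: the router's own address on the
# VIX peering LAN and its globally announced loopback address/prefix.
VIX_ADDR = "193.203.0.77"
LOOPBACK = "198.51.100.1"
REMOTE_RETURN_ROUTES = ["198.51.100.0/24"]  # assumed: what the far side can route back to
TARGET = "159.148.147.204"                  # update server traced in the thread

def peering_router_routes(pref_src=None):
    """Routes from the thread: connected peering LAN plus the /16 learned via VIX."""
    return [
        {"dst": "193.203.0.0/24", "gateway": None, "pref_src": VIX_ADDR},
        {"dst": "159.148.0.0/16", "gateway": "193.203.0.185", "pref_src": pref_src},
    ]

def lookup(routes, addr):
    """Longest-prefix match; returns the winning route or None."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["dst"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen, default=None)

def source_for(routes, dst):
    """Source address of locally originated packets towards dst."""
    route = lookup(routes, dst)
    if route is None:
        return None
    if route["pref_src"]:
        return route["pref_src"]
    # No pref-src: fall back to the address on the connected network of the gateway.
    connected = lookup([r for r in routes if r["gateway"] is None], route["gateway"])
    return connected["pref_src"] if connected else None

def reply_can_return(src):
    """True if the far side holds a route covering our source address."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in REMOTE_RETURN_ROUTES)

def diagnose(pref_src=None):
    """Return (chosen source address, whether replies can find their way back)."""
    src = source_for(peering_router_routes(pref_src), TARGET)
    return src, reply_can_return(src)

if __name__ == "__main__":
    print("default source:", diagnose())
    print("with pref-src :", diagnose(LOOPBACK))
```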