Using BGP - Can't ping with public IP

Hi,

I have a CCR1036 running v6.42.4 and configured with BGP routing. It works perfectly, except I can’t reach the outside directly.

For example, I can’t simply ping 8.8.8.8:

[admin@router] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                
    0                                                         no route to host                                                                                                      
    1                                                         no route to host                                                                                                      
    sent=2 received=0 packet-loss=100%

If I set a source address instead, it works:

[admin@router] > ping 8.8.8.8 src-address=my.public.ip.address
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                   
    0 8.8.8.8                                    56 120 25ms 
    1 8.8.8.8                                    56 120 25ms 
    sent=2 received=2 packet-loss=0% min-rtt=25ms avg-rtt=25ms max-rtt=25ms

The router is reachable from the outside and routes everything as it should. The public IP is assigned to the main bridge and all the hosts with public address use it as a gateway. It’s a /24 subnet.

Also, I’m currently NATting some private networks; they can browse with absolutely no problem, and external hosts see them as “my.public.ip.address”.

[admin@router] > /ip firewall nat export terse
# (hidden info)
# Two source-NAT rules: each private /20 is translated to the router's public address.
# NOTE(review): both rules match on src-address only (no out-interface is set), so they
# presumably apply to any traffic from these subnets that hits srcnat - confirm that is intended.
/ip firewall nat add action=same chain=srcnat same-not-by-dst=no src-address=10.10.48.0/20 to-addresses=my.public.ip.address
/ip firewall nat add action=same chain=srcnat same-not-by-dst=no src-address=10.10.16.0/20 to-addresses=my.public.ip.address

What am I missing?

Thank you in advance!

Print your route list and firewall NAT rules, please.

I have the exact same issue. Have you managed to solve this situation?

I don’t have any NAT rules on my BGP box, just the BGP session through a VLAN and a bypass of another (legacy) VLAN.

my config:

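# may/12/2019 13:30:21 by RouterOS 6.44.1
#
# model = CCR1036-8G-2S+
#
# Configuration export of the BGP router, as posted; addresses and AS numbers
# were anonymised by the author. Wrapped lines are rejoined and typographic
# quotes replaced with plain ones so that every command is one parseable line.

# Bridges. BGP_loopback has no member ports below and only carries the
# router-id address; BDG_IPIP_ is presumably the legacy VLAN bypass.
/interface bridge
add fast-forward=no name=BDG_IPIP_ protocol-mode=none
add name=BDG__BGP protocol-mode=none
add fast-forward=no name=BGP_loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=1-189_IPIP rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] disabled=yes name="2-189R_(BGP)" rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] name=3-190 rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] disabled=yes name=4-190R
set [ find default-name=ether5 ] name=5-159 rx-flow-control=on tx-flow-control=on
set [ find default-name=ether6 ] disabled=yes name=6-159R
set [ find default-name=ether7 ] name=7-none
set [ find default-name=ether8 ] name=8-none
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full auto-negotiation=no comment="forced" name=sfp1- rx-flow-control=on speed=1Gbps tx-flow-control=on
set [ find default-name=sfp-sfpplus2 ] comment="forced" name=sfp2- rx-flow-control=on tx-flow-control=on
# Both VLANs ride on sfp1-: 3001 carries the BGP session, 3002 the bridged bypass.
/interface vlan
add interface=sfp1- name=vlan_BGP_ vlan-id=3001
add interface=sfp1- name=vlan_IPIP_ vlan-id=3002
/routing bgp instance
set default as=NUMBER comment=NUMBER router-id=my.asn.ip.0
/interface bridge port
add bridge=BDG_IPIP_ interface=1-189_IPIP
add bridge=BDG_IPIP_ interface=vlan_IPIP_
add bridge=BDG__BGP disabled=yes interface=3-190
add bridge=BDG__BGP interface=5-159
# Addresses: the router-id on the loopback bridge, the /30 towards the peer
# (rem.asn.ip.13) on vlan_BGP_, and two subnets of the announced block on BDG__BGP.
/ip address
add address=my.asn.ip.0 comment=loopback interface=BGP_loopback network=my.asn.ip.0
add address=rem.asn.ip.14/30 interface=vlan_BGP_ network=rem.asn.ip.12
add address=my.asn.ip.1/30 interface=BDG__BGP network=my.asn.ip.0
add address=my.asn.ip.254/25 interface=BDG__BGP network=my.asn.ip.128
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8
# The static default route is disabled, so IPv4 reachability depends on the
# routes received from the BGP peer; the only active static route is the /28.
/ip route
add comment="default->>>, KEEP DISABLED!!!" disabled=yes distance=1 gateway=rem.asn.ip.13
add distance=1 dst-address=my.asn.ipa.0/28 gateway=my.asn.ip.159

# NOTE(review): no "/ip firewall filter" section appears in this export. If
# nothing was trimmed before posting, IPv4 input to the router itself
# (management services and the BGP port, TCP/179) is unfiltered - restrict
# input to the BGP peer and to known management sources.

/ipv6 address
add address=my:side:of:the:v6:peer advertise=no interface=vlan_BGP_
add address=myv6:blck::1 interface=3-190
add address=myv6:blck::/128 advertise=no interface=BGP_loopback
# These rules only drop IPv6 traffic to and from the router on 3-190; IPv6
# input arriving on vlan_BGP_ or any other interface is not covered by them.
/ipv6 firewall filter
add action=drop chain=input in-interface=3-190
add action=drop chain=output out-interface=3-190
/ipv6 firewall raw
add action=drop chain=prerouting disabled=yes in-interface=3-190
/ipv6 route
add comment=default->>> distance=1 gateway=their:side:v6:peer

# Prefixes originated by this router: the IPv4 /22 and the IPv6 /32.
/routing bgp network
add network=my.asn.ip.0/22 synchronize=no
add network=myv6:blck::/32 synchronize=no
# NOTE(review): neither peer shows tcp-md5-key or max-prefix-limit. They may
# have been removed before posting; confirm that the sessions are
# authenticated and that a prefix limit is configured.
/routing bgp peer
add address-families=ipv6 in-filter=-ipv6-IN name=-ipv6 out-filter=-ipv6-OUT remote-address=their:side:v6:peer remote-as=NUMBER ttl=default update-source=vlan_BGP_
add in-filter=-ipv4-IN name=-ipv4 out-filter=-ipv4-OUT remote-address=rem.asn.ip.13 remote-as=NUMBER ttl=default update-source=vlan_BGP_
# Inbound chains discard only the router's own prefixes; the catch-all discard
# rules are disabled, so every other received prefix falls through the chain
# (presumably accepted - confirm). No bogon or too-specific prefix filtering
# is present.
# Outbound chains accept only the router's own blocks (IPv4 /22 down to /24)
# and discard everything else, so learned routes are not re-announced.
/routing filter
add action=discard chain=-ipv4-IN comment="discard mine" prefix=my.asn.ip.0/22
add action=discard chain=-ipv4-IN disabled=yes
add action=discard chain=-ipv6-IN comment="discard mine" prefix=myv6:blck::/32
add action=discard chain=-ipv6-IN disabled=yes
add action=accept chain=-ipv4-OUT prefix=my.asn.ip.0/22 prefix-length=22-24
add action=discard chain=-ipv4-OUT
add action=accept chain=-ipv6-OUT prefix=myv6:blck::/32
add action=discard chain=-ipv6-OUT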