Hi,
Im using a mikrotik CHR to create a bgp session and advertise a /24 net with a public ASN.
Im trying to split it in 3 subnets, two 26 and one 25, the problem is I cant route between them! From the outside internet everything works fine, hosts can access an be accessed, but they cant reach the other subnets, not even the gateways of the other subnets. (ping timeouts)
Already tested with all firewall rules and mangle rules disabled, it still doesnt work. What am I doing wrong?
Thanks for any help that might shed light into this.
Here is /export with anonymized data (public ip is 172.16.0.0/24, asn 65000)
/interface ethernet
set [ find default-name=ether1 ] name=i0p0
set [ find default-name=ether2 ] name=i0p1
set [ find default-name=ether3 ] advertise=10M-full,100M-full,1000M-full name=mgmt speed=100Mbps
/interface bonding
add mode=802.3ad name=port-channel1 slaves=i0p0,i0p1
/interface vlan
add interface=port-channel1 name=port-channel1.800 vlan-id=800
add interface=port-channel1 name=port-channel1.1200 vlan-id=1200
add interface=port-channel1 name=port-channel1.1201 vlan-id=1201
add interface=port-channel1 name=port-channel1.1202 vlan-id=1202
/interface list
add name=public_net_int
/port
set 0 baud-rate=115200
/queue type
add kind=pcq name=public_net_down pcq-classifier=dst-address pcq-dst-address-mask=24 pcq-dst-address6-mask=64 pcq-rate=150M
add kind=pcq name=public_net_up pcq-classifier=src-address pcq-dst-address-mask=24 pcq-dst-address6-mask=64 pcq-rate=150M pcq-src-address-mask=24 pcq-src-address6-mask=64
/queue tree
add name=public_net_up packet-mark=public_net_up parent=global queue=public_net_up
add name=public_net_down packet-mark=public_net_down parent=global queue=public_net_down
/routing bgp instance
set default as=65000 router-id=172.16.0.0
/snmp community
set [ find default=yes ] addresses=192.168.0.0/22 name=R0rLMOKeWOVwwN0
/dude
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add interface=port-channel1.1200 list=public_net_int
add interface=port-channel1.1201 list=public_net_int
add interface=port-channel1.1202 list=public_net_int
add interface=port-channel1.1203 list=public_net_int
/ip address
add address=10.233.226.158/30 interface=port-channel1.800 network=10.233.226.156
add address=192.168.2.1/22 interface=mgmt network=192.168.0.0
add address=172.16.0.1/26 interface=port-channel1.1200 network=172.16.0.0
add address=172.16.0.65/26 interface=port-channel1.1201 network=172.16.0.64
add address=172.16.0.129/25 interface=port-channel1.1202 network=172.16.0.128
/ip dhcp-client
add disabled=no interface=mgmt
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0/8 list=rfc-1918
add address=127.0.0.1 list=rfc-1918
add address=192.168.0.0/16 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=224.0.0.0/4 list=rfc-1918
add address=240.0.0.0/4 list=rfc-1918
add address=85.209.206.53 list=perm_block
add address=85.209.206.36 list=perm_block
add address=160.178.236.19 list=perm_block
add address=165.22.96.192 list=perm_block
add address=159.65.141.157 list=perm_block
add address=192.42.116.16 list=perm_block
add address=185.220.101.194 list=perm_block
add address=144.217.108.11 list=perm_block
add address=185.113.128.30 list=perm_block
add address=193.35.51.13 list=perm_block
add address=45.95.168.96 list=perm_block
add address=172.16.0.130 list=virtualizor_master
add address=172.16.0.112 list=bbb_server
add address=172.16.0.0/24 list=public_addr
add address=69.10.44.114 list=perm_block
/ip firewall filter
add action=drop chain=forward comment="blocked stuff" dst-port=389,11211,139-149,1900,1901 in-interface-list=public_net_int protocol=udp
add action=drop chain=forward dst-port=389,11211,139-145,1900,1901 out-interface-list=public_net_int protocol=udp
add action=drop chain=forward in-interface-list=public_net_int src-address-list=rfc-1918
add action=drop chain=forward dst-address-list=rfc-1918 out-interface-list=public_net_int
add action=drop chain=forward src-address-list=perm_block
add action=drop chain=forward dst-address-list=perm_block
add action=fasttrack-connection chain=forward comment="tracking forwarding" connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="output rules" in-interface-list=public_net_int protocol=tcp src-address-list=public_addr
add action=accept chain=forward in-interface-list=public_net_int protocol=udp src-address-list=public_addr
add action=accept chain=forward in-interface-list=public_net_int protocol=icmp src-address-list=public_addr
add action=drop chain=forward in-interface-list=public_net_int
add action=accept chain=forward comment="bbb server input" dst-address-list=bbb_server dst-port=16384-65535 out-interface-list=public_net_int protocol=udp
add action=accept chain=forward dst-address-list=bbb_server dst-port=80,443 out-interface-list=public_net_int protocol=tcp
add action=accept chain=forward dst-address-list=bbb_server dst-port=22 out-interface-list=public_net_int protocol=tcp
add action=drop chain=forward dst-address-list=bbb_server out-interface-list=public_net_int
add action=accept chain=forward comment="virtualizor input" dst-address-list=virtualizor_master dst-port=4081-4085 out-interface-list=public_net_int protocol=tcp
add action=accept chain=forward dst-address-list=virtualizor_master dst-port=5900-6900 out-interface-list=public_net_int protocol=tcp
add action=accept chain=forward dst-address-list=virtualizor_master dst-port=22 out-interface-list=public_net_int protocol=tcp
add action=accept chain=forward dst-address-list=virtualizor_master out-interface-list=public_net_int protocol=icmp
add action=drop chain=forward dst-address-list=virtualizor_master out-interface-list=public_net_int
add action=accept chain=forward comment="input rules" dst-address-list=public_addr out-interface-list=public_net_int protocol=tcp
add action=accept chain=forward dst-address-list=public_addr out-interface-list=public_net_int protocol=udp
add action=accept chain=forward dst-address-list=public_addr out-interface-list=public_net_int protocol=icmp
add action=drop chain=forward out-interface-list=public_net_int
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=22222 protocol=tcp
add action=accept chain=input dst-address=127.0.0.1 dst-port=8291 protocol=tcp
add action=accept chain=input dst-address-list=public_addr in-interface-list=public_net_int protocol=icmp
add action=accept chain=input dst-port=161 in-interface=mgmt protocol=udp
add action=accept chain=input in-interface=mgmt protocol=icmp
add action=drop chain=input in-interface-list=public_net_int log=yes log-prefix=input_block_internet
/ip firewall mangle
add action=mark-connection chain=forward comment="bandwidth rules" disabled=yes in-interface-list=public_net_int new-connection-mark=public_net_up passthrough=yes src-address=\
172.16.0.0/24
add action=mark-connection chain=forward disabled=yes dst-address=172.16.0.0/24 new-connection-mark=public_net_down out-interface-list=public_net_int passthrough=yes
add action=mark-packet chain=forward disabled=yes in-interface-list=public_net_int new-packet-mark=public_net_up passthrough=yes src-address=172.16.0.0/24
add action=mark-packet chain=forward disabled=yes dst-address=172.16.0.0/24 new-packet-mark=public_net_down out-interface-list=public_net_int passthrough=yes
/ip route
add check-gateway=ping distance=1 gateway=10.233.226.157 pref-src=172.16.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=0.0.0.0/0 port=22222
set api disabled=yes
set winbox address=127.0.0.1/32
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=local strong-crypto=yes
/ipv6 address
add address=1234:5678::1/48 advertise=no interface=port-channel1.1200
add address=1234:5678:1::1/48 advertise=no interface=port-channel1.1201
add address=1234:5678:2::1/48 advertise=no interface=port-channel1.1202
add address=1234:5678:3::1/48 advertise=no interface=port-channel1.1203
/routing bgp network
add network=172.16.0.0/24 synchronize=no
add network=1234:5678::/32 synchronize=no
/routing bgp peer
add in-filter=isp1-in name=isp1 out-filter=isp1-out remote-address=10.233.226.157 remote-as=64570
/routing filter
add action=accept chain=isp1-out prefix=172.16.0.0/24
add action=accept chain=isp1-out prefix=1234:5678::/32
add action=discard chain=isp1-out
add action=accept chain=isp2-out prefix=172.16.0.0/24
add action=accept chain=isp2-out prefix=1234:5678::/32
add action=discard chain=isp2-out
add action=discard chain=isp2-in prefix=0.0.0.0/0
add action=accept chain=isp2-in
add action=discard chain=isp1-in prefix=0.0.0.0/0
add action=accept chain=isp1-in
/snmp
set enabled=yes
/system identity
set name=router1mk
/system logging
set 3 action=disk
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
Here is the ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 pref-src=172.16.0.1 gateway=10.233.226.157 gateway-status=10.233.226.157 reachable via port-channel1.800 check-gateway=ping distance=1 scope=30
target-scope=10 # is this right? i cant get the mikrotik router to connect to internet itself without setting pref-src to 172.16.0.1
1 ADC dst-address=10.233.226.156/30 pref-src=10.233.226.158 gateway=port-channel1.800 gateway-status=port-channel1.800 reachable distance=0 scope=10
2 ADC dst-address=192.168.0.0/22 pref-src=192.168.2.1 gateway=mgmt gateway-status=mgmt reachable distance=0 scope=10
3 ADC dst-address=172.16.0.0/26 pref-src=172.16.0.1 gateway=port-channel1.1200 gateway-status=port-channel1.1200 reachable distance=0 scope=10
4 ADC dst-address=172.16.0.64/26 pref-src=172.16.0.65 gateway=port-channel1.1201 gateway-status=port-channel1.1201 reachable distance=0 scope=10
5 ADC dst-address=172.16.0.128/25 pref-src=172.16.0.129 gateway=port-channel1.1202 gateway-status=port-channel1.1202 reachable distance=0 scope=10