Magicle
just joined
Topic Author
Posts: 3
Joined: Sat Nov 14, 2020 11:36 am

Route all traffic matching a BGP chain to a VPN

Sat Nov 14, 2020 11:47 am

Hello! I've been trying out RouterOS v7 a bit, and don't know how to port my simple configuration for routing traffic to VPN for all IPs blocked by my provider.

In v6 I did the following (assuming pptp-out1 exists and is running) - this routes all traffic for received BGP prefixes through a VPN (and BGP requests themselves are sent out via a VPN too).
/ip route add dst-address=51.75.66.20/32 gateway=pptp-out1
/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=3.4.5.6
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=51.75.66.20 remote-as=65444 ttl=default update-source=pptp-out1
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=pptp-out1
/ip firewall nat add chain=srcnat action=masquerade out-interface=pptp-out1
I understood that I can do roughly the same (without update-source) for instance and peer, but I'm not sure about the filter since there's no set-in-nexthop-direct anymore.
/routing bgp template set antifilter as=64999 hold-time=4m input.filter=bgp_in keepalive-time=1m multihop=yes name=antifilter
# How do I specify that I want this connection to be done through pptp-out1 ?
/routing bgp connection add local.role=ibgp remote.address=51.75.66.20/32 template=antifilter
# How do I specify that I want traffic matching this rule to go through pptp-out1 ?
/routing filter rule add action=accept chain=bgp_in
/ip firewall nat add chain=srcnat action=masquerade out-interface=pptp-out1
But v7 completely changed the way BGP configuration works, so I'm at a loss for how I can replicate this in v7.
Any help would be appreciated!
Last edited by Magicle on Sun Nov 15, 2020 11:09 am, edited 1 time in total.
 
Magicle
just joined
Topic Author
Posts: 3
Joined: Sat Nov 14, 2020 11:36 am

Re: Route all traffic matching a BGP chain to a VPN

Sun Nov 15, 2020 9:26 am

Hah, I don't know why I didn't just use the same rule to route BGP traffic through the VPN.
/ip route add comment="For BGP" dst-address=51.75.66.20 gateway=pptp-out1
Still not sure about how to route all traffic for BGP prefixes through pptp-out1.
Last edited by Magicle on Mon Nov 16, 2020 4:22 am, edited 1 time in total.
 
Magicle
just joined
Topic Author
Posts: 3
Joined: Sat Nov 14, 2020 11:36 am

Re: Route all traffic matching a BGP chain to a VPN

Sun Nov 15, 2020 10:32 am

I made it work! With the filter rule written as
/routing filter rule add action=accept chain=bgp_in set-prfx-prop=gw>192.168.1.2
(where 192.168.1.2 is the remote address of the VPN) it now works.

There's a problem with that though - if the remote address of the VPN changes I'll have to edit that. "gw>pptp-out1" didn't work, so I'm still not sure if the way I made it work is the best :D
 
mikhan
just joined
Posts: 6
Joined: Mon Aug 16, 2021 5:56 am

Re: Route all traffic matching a BGP chain to a VPN

Mon Aug 16, 2021 6:00 am

Hi, have you managed to set it up in v7b6?
This rule "/routing filter rule add action=accept chain=bgp_in set-prfx-prop=gw>192.168.1.2" gives an error.
 
mikhan
just joined
Posts: 6
Joined: Mon Aug 16, 2021 5:56 am

Re: Route all traffic matching a BGP chain to a VPN

Wed Aug 25, 2021 7:20 pm

The following filter rule for bgp_in works in rc1:
set gw 51.75.66.20;
set gw-interface pptp-out1;
accept
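The pieces from this thread assembled into one RouterOS v7 configuration (an added example, not a configuration posted in the thread; the AS numbers, peer address 51.75.66.20 and interface pptp-out1 are the ones from the first post, while local.role=ebgp, the templates= parameter name and the rule= syntax for the filter body are my assumptions):

```routeros
# Added example: v7 equivalent of the v6 setup from the first post.
# Keep the BGP TCP session itself inside the tunnel: a host route to the peer
# via pptp-out1 stands in for the v6 update-source=pptp-out1 (second post).
/ip route add comment="For BGP" dst-address=51.75.66.20/32 gateway=pptp-out1

# Input filter: every prefix accepted from this peer gets its gateway pinned to
# the tunnel interface, so the tunnel's remote address does not have to be
# known in advance (this is what set-in-nexthop-direct did in v6).
/routing filter rule add chain=bgp_in comment="Route received prefixes via VPN" \
    rule="set gw-interface pptp-out1; accept"

# Session settings (template) and the peer (connection). local.role and
# templates= are assumptions; adjust to what the peer expects.
/routing bgp template add name=antifilter as=64999 router-id=3.4.5.6 \
    hold-time=4m keepalive-time=1m multihop=yes input.filter=bgp_in
/routing bgp connection add name=antifilter templates=antifilter \
    remote.address=51.75.66.20/32 remote.as=65444 local.role=ebgp

# Source NAT for everything leaving through the tunnel (unchanged from v6).
/ip firewall nat add chain=srcnat action=masquerade out-interface=pptp-out1

# Checks: the session should reach Established, and the learned prefixes
# should list pptp-out1 as their gateway.
/routing bgp session print
/ip route print where gateway=pptp-out1
```

Note that chain bgp_in accepts every prefix the peer announces, so the peer alone decides which destinations are diverted through the tunnel; a prefix or prefix-length match placed before the accept limits that.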
 
deepaksnghnjr
just joined
Posts: 1
Joined: Wed Nov 15, 2023 9:47 am

Re: Route all traffic matching a BGP chain to a VPN

Wed Nov 15, 2023 9:51 am

Hello,

I am also facing the same problem.

I have created a Hub and Spoke setup using SSTP; the MikroTik version is 7.10.1. At the HUB, in remote address I have created a pool of 10.10.10.0/24 so that spokes obtain a tunnel IP from this range (the HUB SSTP tunnel IP is fixed). At the spoke, I have two broadband links and used the reverse lookup concept for failover. Over the tunnel, I am using eBGP and advertising a public IP of /30. So when one of the broadband links goes down on the spoke, the assigned tunnel IP gets changed.

So the HUB learns the public IP from the spoke tunnel IP address (Db), but in order to make it work I have to create a static route, shown in the above image. But during failover the tunnel IP of the spoke changes and I have to manually change the "As" route at the HUB to the changed tunnel IP address of the spoke.

Please help me understand this behavior. Ideally the manual static route should not need to be configured.
