plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Blocking Private ASN inbound

Thu Nov 30, 2017 6:25 pm

Is there a way in filters to block all private ASN (64512 to 65535) inbound?
 
vasilevkirill
Trainer
Posts: 56
Joined: Tue May 22, 2012 7:38 am
Location: Russian, Saint-Petersburg

Re: Blocking Private ASN inbound

Thu Nov 30, 2017 10:19 pm

Use Filter
https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters

Use a regexp.
If it is the first AS, use regexp = ^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*

/routing filter
add bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*" chain=AS-500-Peer-In

If your peer AS is 500 (example):
add bgp-as-path=!^500.* chain=AS-500-Peer-In action=discard
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Blocking Private ASN inbound

Fri Dec 01, 2017 6:17 pm

Note that there are also 4-byte ASNs; you should block those too.
https://www.apnic.net/get-ip/faqs/asn/#private-asn
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Blocking Private ASN inbound

Wed Dec 06, 2017 11:46 pm

How would I write the 4-byte ASNs in regular expression?
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Blocking Private ASN inbound

Fri Dec 08, 2017 5:56 pm

So this is the rule I have entered in.

add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]).*" chain=XO_In

But it still seems to be letting some things in, for example:

0 ADb dst-address=191.243.72.0/24 gateway=207.238.201.5
gateway-status=207.238.201.5 reachable via sfp-sfpplus1 - XO Internet
distance=20 scope=40 target-scope=10
bgp-as-path="2828,6762,263047,263047,263047,263047,263499,263499,263499, 263499,263499,65001"
bgp-med=3 bgp-origin=igp received-from=XO

Any thoughts?
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Blocking Private ASN inbound

Fri Dec 08, 2017 6:20 pm

So I changed the rule to

add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])_*" chain=XO_In

It is still letting the route in, but just dropping the private AS off of the AS path:

0 ADb dst-address=191.243.72.0/24 gateway=70.34.190.113
gateway-status=70.34.190.113 recursive via 69.58.114.166 sfp-sfpplus4 -
180 - New
distance=200 scope=40 target-scope=30
bgp-as-path="26554,174,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499"

Then, after about 15 minutes, it is still showing the private AS number:

0 ADb dst-address=191.243.72.0/24 gateway=207.238.201.5
gateway-status=207.238.201.5 reachable via sfp-sfpplus1 - XO Internet
distance=20 scope=40 target-scope=10
bgp-as-path="2828,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499,65001"
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Blocking Private ASN inbound

Sat Dec 09, 2017 2:03 pm

So I changed the rule to

add action=discard bgp-as-path="^(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])_*" chain=XO_In

Just a quick thought: isn't the ^ in your regexp anchoring at the beginning of the string? Use a $ at the end to search at the end for the originating AS.
 
plankanater
Member Candidate
Topic Author
Posts: 172
Joined: Wed Mar 14, 2012 3:56 am

Re: Blocking Private ASN inbound

Sat Dec 09, 2017 2:23 pm

I want it to drop the private AS anywhere in line.

So should it be more like this?

add action=discard bgp-as-path="^_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])_*" chain=XO_In
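
Added example, not part of any post in this thread: a Python check of why the `^`-anchored pattern misses the route with 65001 at the end of the path, plus a pattern for the 4-byte private range (4200000000-4294967294, RFC 6996) that was asked about. Python's `re` stands in for the router's matcher here, so the delimiter handling (`(?:^|,)` and `(?:,|$)`) is an assumption and would need translating to RouterOS syntax; all names are hypothetical.

```python
import re

# 2-byte private range as stated in the thread's question (64512-65535).
PRIV16 = r"6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]"
# 4-byte private range 4200000000-4294967294 (RFC 6996), built digit by digit.
PRIV32 = (r"42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}"
          r"|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-4]")

# The alternation as posted: anchored at the start, so only the first AS is tested.
FIRST_ONLY = re.compile(rf"^({PRIV16}).*")
# Unanchored variant: the group must be a whole path element
# (start of string or comma before it, comma or end of string after it).
ANYWHERE = re.compile(rf"(?:^|,)({PRIV16}|{PRIV32})(?:,|$)")


def is_private_asn(asn: int) -> bool:
    """Numeric reference check used to validate the regexes."""
    return 64512 <= asn <= 65535 or 4200000000 <= asn <= 4294967294


def private_asns_in_path(as_path: str) -> list:
    """Return every private ASN in a comma-separated AS path, in path order."""
    hops = [int(h) for h in as_path.replace(" ", "").split(",") if h]
    return [h for h in hops if is_private_asn(h)]


# AS paths copied from the route output quoted in the thread.
LEAKED = "2828,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499,65001"
CLEAN = "26554,174,6762,263047,263047,263047,263047,263499,263499,263499,263499,263499"

if __name__ == "__main__":
    for path in (LEAKED, CLEAN):
        print(path)
        print("  first-AS-only regex matches:", bool(FIRST_ONLY.search(path)))
        print("  anywhere regex matches:     ", bool(ANYWHERE.search(path)))
        print("  private ASNs found:         ", private_asns_in_path(path))
```

The element delimiters matter: without them, a public ASN such as 165001 would match because it contains 65001.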
