momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

BGP Multihoming issue

Wed Feb 07, 2018 2:11 pm

Hi all,
I have a small problem setting up BGP multihoming on my network. I have two separate optical links to my MikroTik RB3011, from the same ISP. It's supposed to be used like:
Link1 = Main link
Link2 = Backup link

Link1 is connected to the ISP via VLAN. I also have a public IP address that I have set on one of the ports on the router. When I visit www.ping.eu, it reports my IP as the public IP I got from my ISP, so it's OK.
Link2 is just a link between me and my ISP, no VLAN.

Tech girl from the ISP told me their AS and the one assigned to me, and I got all BGP-related things set up. Tested it by unplugging the cable from Link1; BGP sends me a new route through Link2. So it looks like BGP works just fine.

My problem is this. When I traceroute any IP address on the internet directly from the MikroTik, it pings just fine. But when I traceroute by setting any local address, it doesn't work if I'm on the BACKUP link. On the MAIN link, it's all fine.

I have to mention, I am src-natting the local addresses to the public IP address.

Does anyone have a clue why I can't ping from local addresses when the default route goes to Link2?
I am using 111.111.111.111 as an example of my public IP
222.222.222.222 would be my IP to ISP1
333.333.333.333 would be my IP to ISP2

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 to-addresses=111.111.111.111
add action=src-nat chain=srcnat src-address=192.168.5.0/24 src-address-type="" to-addresses=111.111.111.111

/routing bgp network
add network=111.111.111.111/31 synchronize=no

/routing filter
add action=accept chain=isp1-out prefix=111.111.111.111/31 set-bgp-communities=""
add action=discard chain=isp1-out
add action=accept bgp-communities="" chain=isp2-out prefix=111.111.111.111/31
add action=discard chain=isp2-out
add action=accept chain=isp1-in
add action=accept chain=isp2-in set-bgp-prepend=3

/ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS            PREF-SRC           GATEWAY            DISTANCE
 0 ADb  0.0.0.0/0                                 222.222.222.222          20
 1  Db  0.0.0.0/0                                 333.333.333.333          20
 2 ADC  222.222.222.222/30     222.222.222.223    vlan1                     0
 3  DC  111.111.111.111/31     111.111.111.111    ether6                  255
 4 ADC  192.168.0.0/24         192.168.0.1        ether10                   0
 5 ADC  192.168.5.0/24         192.168.5.1        ether5                    0
 6 ADC  333.333.333.333/30     333.333.333.333    ether2                    0
 
momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 9:27 am

No one?
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 10:57 am

Normally with a setup like that, you would have two /30 or /31 networks between you and the ISP and use them only for routing and BGP peering, and then you would have a larger subnet (e.g. /28 or /29) that is advertised over that peering as your internet subnet. THAT would be the address you use on all communication, and it will be routed over the link that works at that time. You add it to some internal interface or bridge.
When you use your link address as your public outgoing IP you cannot fail over silently, because your link address becomes invalid once the link it belongs to goes down.
 
momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 6:44 pm

Well, that's exactly what I did. BGP works just fine, i.e. I get the default route changed when the main link goes down.
Also, yes, the public /31 address is what I have already assigned to an eth6 port and I'm src-natting all local 192.168.x.x addresses to that public /31 address. But I still have a problem... I have no firewall rules in place either.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 6:51 pm

Yes but as I wrote: that is not the normal/proper way to do it!
You should not NAT to one of the /31 addresses but rather to an address that is separately assigned to you (normally a subnet but could be a single address) and that you advertise to the ISP over BGP so they have a route to that address over the active link.
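
Added example, not part of the original posts: a Python check for the point pe1chl makes in both replies above, that the src-nat address should sit in a prefix advertised over BGP and not in a peering link subnet. The export text is constructed with documentation addresses, the peer names are hypothetical, and each rule is assumed to carry a single to-addresses value.

```python
import ipaddress
import shlex

# Constructed sample in RouterOS export style (documentation addresses, hypothetical peer names).
SAMPLE_EXPORT = """\
/ip address
add address=198.51.100.2/30 interface=vlan1
add address=198.51.100.6/30 interface=ether2
add address=203.0.113.10/31 interface=ether6
/routing bgp peer
add name=isp1 remote-address=198.51.100.1
add name=isp2 remote-address=198.51.100.5
/routing bgp network
add network=203.0.113.10/31
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 to-addresses=203.0.113.10
add action=src-nat chain=srcnat src-address=192.168.5.0/24 to-addresses=198.51.100.2
"""

def parse_export(text):
    """Group 'add key=value ...' lines under the '/section' header above them."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def audit_src_nat(text):
    """Return (to-address, verdict) for every src-nat rule in the export."""
    cfg = parse_export(text)
    peers = [ipaddress.ip_address(p["remote-address"]) for p in cfg.get("/routing bgp peer", [])]
    nets = [ipaddress.ip_interface(a["address"]).network for a in cfg.get("/ip address", [])]
    links = [n for n in nets if any(p in n for p in peers)]  # subnets that hold a BGP peer
    advertised = [ipaddress.ip_network(n["network"], strict=False) for n in cfg.get("/routing bgp network", [])]
    rules = [r for r in cfg.get("/ip firewall nat", []) if r.get("action") == "src-nat"]
    results = []
    for rule in rules:
        addr = ipaddress.ip_address(rule["to-addresses"])
        if any(addr in n for n in links):
            verdict = "link address: invalid when that link goes down"
        elif any(addr in n for n in advertised):
            verdict = "advertised over BGP: routed over the active link"
        else:
            verdict = "not advertised: ISP has no BGP route to it"
        results.append((str(addr), verdict))
    return results
```
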
 
momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 6:56 pm

OK, maybe I didn't express myself very well, since English is not my native language.

I have two /30 addresses that I use to peer with my ISP.
Also, I got a public /31 address that I advertise to BGP. That's the address I'm src-natting my local 192.168.x.x addresses to.
I hope i explained it better now.
 
momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 7:54 pm

Man, I do feel really stupid...

OK, it works fine. It takes almost 3 minutes for traffic to resume through the backup link. Is this kind of time normal?
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP Multihoming issue  [SOLVED]

Fri Feb 09, 2018 8:13 pm

Ok I misread your description, that is what happens when writing on the forum while working on something else...
Yes, 3 minutes is the normal time. You specify that in the BGP peer: hold time
You can set a shorter time instead, or you can use BFD for very quick switchover (but that has to be done on both ends).
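
Added example, not part of the original posts: a Python model of the BGP hold timer that shows why failover takes "almost 3 minutes" with a 3-minute hold time and what a lower setting changes. It assumes KEEPALIVEs at one third of the hold time and ignores UPDATE messages, which also restart the timer; the settings at the bottom are constructed.

```python
def negotiate_hold_time(local, remote):
    """RFC 4271: a session runs with the smaller of the two proposed hold times.
    0 disables the timer; 1 and 2 seconds are not allowed."""
    hold = min(local, remote)
    if hold in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 seconds")
    return hold

def failover_delay(fail_at, hold, keepalive):
    """Seconds from a silent link failure at t=fail_at until the hold timer expires,
    with KEEPALIVEs received at t=0, keepalive, 2*keepalive, ... before the failure."""
    last_rx = (fail_at // keepalive) * keepalive  # the timer restarted here for the last time
    return last_rx + hold - fail_at

def detection_window(hold, keepalive=None):
    """(best, worst) failover delay over every whole-second failure time in one interval."""
    if hold == 0:
        raise ValueError("hold timer disabled: a silent failure is never detected")
    keepalive = keepalive or hold // 3  # common default: a third of the hold time
    delays = [failover_delay(t, hold, keepalive) for t in range(keepalive)]
    return min(delays), max(delays)

def compare(settings):
    """settings: {label: (local_hold, remote_hold)} -> {label: (best, worst)} in seconds."""
    return {label: detection_window(negotiate_hold_time(*pair)) for label, pair in settings.items()}

# Constructed settings: the 3-minute hold time from the thread, and one side lowered to 30 s.
SETTINGS = {"default 3m on both ends": (180, 180), "30s on one end only": (30, 180)}
```

Because the session uses the smaller of the two proposed values, lowering the hold time on one router is enough to shorten the window.
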
 
momentumz
just joined
Topic Author
Posts: 6
Joined: Wed Feb 07, 2018 1:55 pm

Re: BGP Multihoming issue

Fri Feb 09, 2018 9:14 pm

> Ok I misread your description, that is what happens when writing on the forum while working on something else...
> Yes, 3 minutes is the normal time. You specify that in the BGP peer: hold time
> You can set a shorter time instead, or you can use BFD for very quick switchover (but that has to be done on both ends).

Ah, I see. Thank you for your kind replies. Gonna try out lower peer hold times first thing tomorrow morning.

Cheers
