maniraj4143
just joined
Topic Author
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Beginner for BGP implementation

Tue Jun 19, 2018 2:20 pm

Hi, I'm new to BGP implementation with MikroTik. I need some help fine-tuning the configuration. I've done some work on the configuration part and I'm posting it here for checking purposes, as we are facing some issues with website browsing. Kindly have a look at our configuration and reply if anything is found wrong.

Our upstream provider is AirTel - 182.X.Y.186/30
For bandwidth & user management we use Smartguard running on CentOS 6 - 103.X.Y.2/29

RouterOS 6.41.1
model = RouterBOARD 3011UiAS

/interface ethernet
set [ find default-name=ether2 ] comment=AirTel-WAN
set [ find default-name=ether3 ] comment=SERVER-LAN
set [ find default-name=ether4 ] comment=LOCAL

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/queue simple
add max-limit=20M/20M name=queue1 target=192.168.45.10/32

/routing bgp instance
set default as=1XXXX8 client-to-client-reflection=no comment=My-AS

/ip address
add address=182.X.Y.186/30 comment=AirTel-WAN interface=ether2 network=182.X.Y.184
add address=103.X.Y.1/29 comment=SERVER-LAN interface=ether3 network=103.X.Y.0
add address=192.168.45.1/24 comment=LOCAL interface=ether4 network=192.168.45.0

/ip dns
set cache-size=50000KiB servers=8.8.8.8,8.8.4.4,4.2.2.2

/ip firewall address-list
add address=0.0.0.0/8 list=NotPublic
add address=10.0.0.0/8 list=NotPublic
add address=100.64.0.0/10 list=NotPublic
add address=127.0.0.0/8 list=NotPublic
add address=169.254.0.0/16 list=NotPublic
add address=172.16.0.0/12 list=NotPublic
add address=192.0.0.0/24 list=NotPublic
add address=192.0.2.0/24 list=NotPublic
add address=192.168.0.0/16 list=NotPublic
add address=192.88.99.0/24 list=NotPublic
add address=198.18.0.0/15 list=NotPublic
add address=198.51.100.0/24 list=NotPublic
add address=203.0.113.0/24 list=NotPublic
add address=224.0.0.0/4 list=NotPublic
add address=240.0.0.0/4 list=NotPublic

/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=jump chain=forward connection-state=new disabled=yes jump-target=detect-ddos
add action=return chain=detect-ddos disabled=yes dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos disabled=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos disabled=yes
add action=drop chain=forward connection-state=new disabled=yes src-address-list=ddoser
add action=drop chain=input comment="Drop all Input from WAN NotPublic" in-interface=ether2 src-address-list=NotPublic
add action=drop chain=output comment="Drop all Output from LAN NotPublic" out-interface=ether3 src-address-list=NotPublic
add action=add-src-to-address-list address-list="From WAN Not Public" address-list-timeout=1d chain=forward comment="Drop all Forward from WAN NotPublic" in-interface=ether2 log-prefix=FWD_WAN_NOT_PUBLIC src-address-list=NotPublic
add action=drop chain=forward comment="Drop all Forward from WAN NotPublic" in-interface=ether2 log-prefix=FWD_WAN_NOT_PUBLIC src-address-list=NotPublic

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.45.0/24

/ip firewall service-port
set sip disabled=yes

/ip route
add distance=1 gateway=182.X.Y.185
add distance=1 dst-address=103.X.Y.32/27 gateway=103.X.Y.2 comment="Direct IP addresses given to customer"
add distance=1 dst-address=103.X.Y.64/27 gateway=103.X.Y.2 comment="Direct IP addresses given to customer"
add distance=1 dst-address=103.X.Y.128/26 gateway=103.X.Y.2 comment="Direct IP addresses given to customer"
add distance=1 dst-address=103.X.Y.192/26 gateway=103.X.Y.2 comment="One IP pool for SNAT"

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes

/lcd
set backlight-timeout=1h color-scheme=light default-screen=stats

/lcd interface
set ether1 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes

/routing bgp network
add network=103.X.Y.0/24 synchronize=no

/routing bgp peer
add in-filter=AirTel-IN name=AirTel out-filter=AirTel-OUT remote-address=182.X.Y.185 remote-as=9498 ttl=default update-source=ether2

/routing filter
add action=accept chain=AirTel-OUT prefix=103.X.Y.0/24 set-bgp-prepend=8
add action=discard chain=AirTel-OUT
add action=discard chain=AirTel-IN prefix=0.0.0.0/8
add action=discard chain=AirTel-IN prefix=10.0.0.0/8
add action=discard chain=AirTel-IN prefix=100.64.0.0/10
add action=discard chain=AirTel-IN prefix=127.0.0.0/8
add action=discard chain=AirTel-IN prefix=169.254.0.0/16
add action=discard chain=AirTel-IN prefix=172.16.0.0/12
add action=discard chain=AirTel-IN prefix=192.0.0.0/24
add action=discard chain=AirTel-IN prefix=192.0.2.0/24
add action=discard chain=AirTel-IN prefix=192.88.99.0/24
add action=discard chain=AirTel-IN prefix=192.168.0.0/16
# the next two prefixes were typed as 192.18.0.0/15 and 192.51.100.0/24 in the post; corrected to the 198.x ranges used in the NotPublic address list above
add action=discard chain=AirTel-IN prefix=198.18.0.0/15
add action=discard chain=AirTel-IN prefix=198.51.100.0/24
add action=discard chain=AirTel-IN prefix=203.0.113.0/24
add action=discard chain=AirTel-IN prefix=224.0.0.0/4
add action=discard chain=AirTel-IN prefix=240.0.0.0/4
add action=accept chain=AirTel-IN distance=2 prefix=0.0.0.0/0

/system clock
set time-zone-name=Asia/Kolkata

/system identity
set name="My BGP Router"

/system ntp client
set enabled=yes server-dns-names=in.pool.ntp.org,pool.ntp.org

/tool bandwidth-server
set enabled=no

/tool graphing interface
add
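The export above is long enough that mismatches between the firewall bogon list and the BGP import filter are easy to miss by eye, and RouterOS v6 routing filters have a quirk worth checking for: a `prefix=` entry without `prefix-length=` matches only that exact prefix, so a more specific route inside a bogon range sails past the discard rule. The following script is an added example, not the poster's code or anything from MikroTik: it parses a constructed copy of the relevant export sections (the poster's `X.Y` placeholders are replaced by `0.0` purely so the prefixes parse, and two import-filter entries are deliberately mistyped as `192.18.0.0/15` and `192.51.100.0/24`), then reports address-list/filter mismatches, exact-match-only discards, and static routes that fall outside the announced aggregate. The function names and the sample text are the example's own.

```python
"""Consistency checks over a RouterOS v6 export (added example, not the
poster's code): bogon address list vs BGP in-filter, exact-match-only
filter entries, and static routes outside the announced BGP network."""
import ipaddress
import shlex

# Constructed sample: relevant sections of the export in the post above.
# "X.Y" is replaced by "0.0" so ipaddress can parse the prefixes, and two
# AirTel-IN discards are deliberately mistyped (192.18.x, 192.51.x) to show
# the check catching them.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=0.0.0.0/8 list=NotPublic
add address=10.0.0.0/8 list=NotPublic
add address=100.64.0.0/10 list=NotPublic
add address=127.0.0.0/8 list=NotPublic
add address=169.254.0.0/16 list=NotPublic
add address=172.16.0.0/12 list=NotPublic
add address=192.0.0.0/24 list=NotPublic
add address=192.0.2.0/24 list=NotPublic
add address=192.168.0.0/16 list=NotPublic
add address=192.88.99.0/24 list=NotPublic
add address=198.18.0.0/15 list=NotPublic
add address=198.51.100.0/24 list=NotPublic
add address=203.0.113.0/24 list=NotPublic
add address=224.0.0.0/4 list=NotPublic
add address=240.0.0.0/4 list=NotPublic
/ip route
add distance=1 gateway=182.0.0.185
add distance=1 dst-address=103.0.0.32/27 gateway=103.0.0.2 comment="Direct IP"
add distance=1 dst-address=103.0.0.64/27 gateway=103.0.0.2 comment="Direct IP"
add distance=1 dst-address=103.0.0.128/26 gateway=103.0.0.2 comment="Direct IP"
add distance=1 dst-address=103.0.0.192/26 gateway=103.0.0.2 comment="SNAT pool"
/routing bgp network
add network=103.0.0.0/24 synchronize=no
/routing filter
add action=accept chain=AirTel-OUT prefix=103.0.0.0/24 set-bgp-prepend=8
add action=discard chain=AirTel-OUT
add action=discard chain=AirTel-IN prefix=0.0.0.0/8
add action=discard chain=AirTel-IN prefix=10.0.0.0/8
add action=discard chain=AirTel-IN prefix=100.64.0.0/10
add action=discard chain=AirTel-IN prefix=127.0.0.0/8
add action=discard chain=AirTel-IN prefix=169.254.0.0/16
add action=discard chain=AirTel-IN prefix=172.16.0.0/12
add action=discard chain=AirTel-IN prefix=192.0.0.0/24
add action=discard chain=AirTel-IN prefix=192.0.2.0/24
add action=discard chain=AirTel-IN prefix=192.88.99.0/24
add action=discard chain=AirTel-IN prefix=192.168.0.0/16
add action=discard chain=AirTel-IN prefix=192.18.0.0/15
add action=discard chain=AirTel-IN prefix=192.51.100.0/24
add action=discard chain=AirTel-IN prefix=203.0.113.0/24
add action=discard chain=AirTel-IN prefix=224.0.0.0/4
add action=discard chain=AirTel-IN prefix=240.0.0.0/4
add action=accept chain=AirTel-IN distance=2 prefix=0.0.0.0/0
"""


def parse_export(text):
    """Map '/section' headers to lists of {key: value} dicts built from the
    'add ...'/'set ...' lines that follow them (shlex handles quoted values)."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            cfg.setdefault(section, [])
            continue
        words = shlex.split(line)
        if section and words and words[0] in ("add", "set"):
            cfg[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return cfg


def bogon_mismatches(cfg, list_name="NotPublic", chain="AirTel-IN"):
    """(prefixes only in the address list, prefixes only in the BGP in-filter)."""
    listed = {e["address"] for e in cfg["/ip firewall address-list"] if e.get("list") == list_name}
    discarded = {e["prefix"] for e in cfg["/routing filter"]
                 if e.get("chain") == chain and e.get("action") == "discard" and "prefix" in e}
    return sorted(listed - discarded), sorted(discarded - listed)


def exact_match_only(cfg, chain="AirTel-IN"):
    """Discard entries with 'prefix' but no 'prefix-length': in RouterOS v6 these
    match only the exact prefix, not more-specific routes inside it."""
    return [e["prefix"] for e in cfg["/routing filter"]
            if e.get("chain") == chain and e.get("action") == "discard"
            and "prefix" in e and "prefix-length" not in e]


def routes_outside_announced(cfg):
    """Static routes whose destination lies outside every announced BGP network
    (return traffic for such space would never reach this router)."""
    announced = [ipaddress.ip_network(n["network"]) for n in cfg["/routing bgp network"]]
    outside = []
    for r in cfg["/ip route"]:
        dst = ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"))
        if dst.prefixlen and not any(dst.subnet_of(a) for a in announced):
            outside.append(str(dst))
    return outside


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    only_list, only_filter = bogon_mismatches(cfg)
    print("in address list but not discarded by BGP in-filter:", only_list)
    print("discarded by BGP in-filter but not in address list:", only_filter)
    print("exact-match-only discards (no prefix-length):", exact_match_only(cfg))
    print("static routes outside the announced aggregate:", routes_outside_announced(cfg))
```

Run as-is it reports the two mistyped 192.x entries on one side and the missing 198.x entries on the other, lists all fifteen discards as exact-match only, and finds every customer route inside the announced /24. Feeding it a real `/export` output instead of the sample only requires that the same four sections are present.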

Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Beginner for BGP implementation

Tue Jun 19, 2018 3:15 pm

Probably you don't need to cache DNS queries.
maniraj4143
just joined
Topic Author
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: Beginner for BGP implementation

Tue Jun 19, 2018 4:34 pm

> Probably you don't need to cache DNS queries.

I've checked it; DNS caching is not storing anything, and even the Allow Remote Request option is unchecked.

Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Beginner for BGP implementation

Tue Jun 19, 2018 5:05 pm

What issues exactly do you have with browsing?
maniraj4143
just joined
Topic Author
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: Beginner for BGP implementation

Tue Jun 19, 2018 5:58 pm

> What issues exactly do you have with browsing?

There is one particular website on which we're facing the issue: http://amazesms.in/. We are able to access the home page of this website from our network. It asks for username & password credentials for further access. When we enter the username & password on this website, instead of a successful login it always returns to the same login page. We have cross-checked that the account with the same username & password credentials works successfully on other networks.

Common browsing response is a little slow; I expect it to be snappier on a 155 Mbps link that is consuming only 50% of it during peak hours.

Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Beginner for BGP implementation

Thu Jun 21, 2018 10:57 am

What other networks?
maniraj4143
just joined
Topic Author
Posts: 11
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: Beginner for BGP implementation

Thu Jun 21, 2018 12:35 pm

> What other networks?

Other networks means other ISP networks or mobile data.

Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: Beginner for BGP implementation

Thu Jun 21, 2018 12:54 pm

> What other networks?
> Other networks means other ISP networks or mobile data.

Then maybe your upstream ISP is blocking this resource?