expo
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

/32 blackhole redistribute between bgp instances

Thu Mar 25, 2021 1:07 am

I have fastnetmon set up, and upon detection of a DDoS it sends a /32 with 65001:666 via BGP to my CHR. I have FNM set up as a peer with its own instance, but for some reason the route doesn't seem to show when I run /routing bgp advertisements print peer=MYPEER, so I'm assuming I have something in the config wrong?

/routing bgp instance print
0 * name="default" as=myasn router-id=MyIP redistribute-connected=no
redistribute-static=no redistribute-rip=no redistribute-ospf=no
redistribute-other-bgp=no out-filter=HE-OUT client-to-client-reflection=no
ignore-as-path-len=no routing-table=""

1 name="FNM" as=65001 router-id=0.0.0.0 redistribute-connected=no
redistribute-static=no redistribute-rip=no redistribute-ospf=no
redistribute-other-bgp=yes out-filter="" client-to-client-reflection=no
ignore-as-path-len=no routing-table=""

/routing bgp peer print
0 E default xx.yy.zz.aa 6939
1 E default xx.yy.zz.aa 7018
2 E FNM xx.yy.zz.aa 65001

Here are the relevant filters:

91 chain=FNM-OUT invert-match=no action=discard set-bgp-prepend-path=""

90 chain=FNM-IN invert-match=no action=accept set-type=blackhole set-bgp-prepend-path=""

71 chain=ATT-OUT prefix-length=32 bgp-communities=65001:666 invert-match=no action=accept set-bgp-prepend-path="" set-bgp-communities=7018:86

49 chain=HE-OUT prefix-length=32 bgp-communities=65001:666 invert-match=no action=accept set-bgp-prepend-path="" set-bgp-communities=6939:666

Thoughts are greatly appreciated!

-TJ
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: /32 blackhole redistribute between bgp instances

Thu Mar 25, 2021 7:06 am

expo wrote:
> I have fastnetmon set up, and upon detection of a DDoS it sends a /32 with 65001:666 via BGP to my CHR. I have FNM set up as a peer with its own instance, but for some reason the route doesn't seem to show when I run /routing bgp advertisements print peer=MYPEER, so I'm assuming I have something in the config wrong?

You shouldn't need a separate BGP instance for fastnetmon. It is a lot better to use the same instance, that is what we do.
 
expo
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

Re: /32 blackhole redistribute between bgp instances

Thu Mar 25, 2021 7:08 am

I was actually thinking about this, I'm glad you mentioned it.

Do you use your normal (external) AS# for Fastnetmon's connection to your router? I'm guessing yes, otherwise you need a second instance?
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: /32 blackhole redistribute between bgp instances

Thu Mar 25, 2021 7:15 am

expo wrote:
> Do you use your normal (external) AS# for Fastnetmon's connection to your router? I'm guessing yes, otherwise you need a second instance?

Yes we use our external AS for fastnetmon's connection to the router. It works fine.

Redistribution of BGP routes from one instance to another becomes much more complex and is harder to troubleshoot, and there is a higher chance of encountering weird bugs. In your case, I don't specifically see anything wrong with your configuration that is that different from ours that would cause problems, except for the separate instances.
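
A sketch of the single-instance layout suggested above, as an added example in RouterOS v6 syntax; it is not taken from either poster's router. The AS number 64496, the FastNetMon address 192.0.2.10 and the prefix 203.0.113.0/24 are constructed placeholders, and the in-filter is assumed to replace the existing FNM-IN rule so that only /32s from your own space carrying the trigger community are installed as blackholes.

```routeros
# Added example. Constructed placeholder values:
#   64496          = your own (external) AS, as used by the "default" instance
#   192.0.2.10     = FastNetMon host
#   203.0.113.0/24 = your own address space
# FastNetMon peers with the existing "default" instance using your own AS,
# so no second instance and no redistribute-other-bgp is involved.
/routing bgp peer
add name=FNM instance=default remote-address=192.0.2.10 remote-as=64496 \
    in-filter=FNM-IN out-filter=FNM-OUT

/routing filter
# Accept only /32s inside your own space that carry the trigger community,
# and install them as blackhole routes.
add chain=FNM-IN prefix=203.0.113.0/24 prefix-length=32 \
    bgp-communities=65001:666 action=accept set-type=blackhole
# Anything else received from FastNetMon is dropped.
add chain=FNM-IN action=discard
# Send nothing back to FastNetMon.
add chain=FNM-OUT action=discard

# The HE-OUT and ATT-OUT rules from the first post stay as they are: they
# match the /32 with 65001:666 and rewrite the community for each upstream.

# Verify what is actually sent to an upstream (MYPEER is the placeholder
# peer name used in the first post).
/routing bgp advertisements print peer=MYPEER
```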
 
expo
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

Re: /32 blackhole redistribute between bgp instances

Thu Mar 25, 2021 7:22 am

Thank you, I will try that.
