felixhappy
just joined
Topic Author
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Firewalling BGP output chain: interfaces not correctly recognized: output: in:(unknown 0) out:(unknown 6)

Tue Jan 24, 2023 9:48 am

Hi everyone =)

I am actually new to the MikroTik family, heard a lot about them, many of our ISPs use them as their CPEs, so why not migrate from Cisco ASR 1001-X to MikroTik as well and save one or two gold bars of company money ;-). We bought a pair of CCR2116-12G-4S+ as our main Internet Routers with 4x BGP Full-Feed and announcing our PI address space.

Now for the problem description:

I want to lock down security as much as I can for the two Internet Routers. I tried to lock the BGP sessions for the ISPs to their respective interfaces. However, when the first BGP TCP SYN packet hits the firewall outgoing, it is specified with an unknown output interface. If I remove the outgoing interface of the firewall rule and enable logging, I always see two hits immediately:
ALLOW-OUTPUT-BGP output: in:(unknown 0) out:(unknown 6), connection-state:new proto TCP (SYN), 169.254.0.1:45213->169.254.0.2:179, len 60
ALLOW-OUTPUT-BGP output: in:(unknown 0) out:SFP4-HA-to-Router-2, connection-state:new proto TCP (SYN), 169.254.0.1:45213->169.254.0.2:179, len 60

Question: Why is it hitting the Firewall engine first with an unknown interface, then with the correct output interface SFP4-HA-to-Router-2?

I also tried to add a prerouting firewall rule to accept the one hit before, but this did not help either...

Test setup of the log entry above:
Router1 SFP4 IP 169.254.0.1/30 connected to Router2 SFP4 IP 169.254.0.2/30

I use this link between the routers to replicate all routing information, in case the ISP(s) of one router go down, and to prevent asymmetric routing.

Any ideas about that behavior and how to lock the BGP sessions with the firewall ruleset to their interfaces?

We are using RouterOS version 7.7. This did not work with 7.6 either.

Kind Regards,
Felix
felixhappy
just joined
Topic Author
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Re: Firewalling BGP output chain: interfaces not correctly recognized: output: in:(unknown 0) out:(unknown 6)  [SOLVED]

Tue Mar 28, 2023 11:37 am

Following up on this, I created a support case back in January 2023 and have now received the first answer to it (two months later). The engineer now asks for a support.rif file and whether the issue can still be reproduced.

The issue cannot be reproduced from my side, it vanished. However, I remember trying to configure everything without connection tracking. Now, the whole setup has connection tracking enabled, and this seems to be the only difference I remember from the setup back then. Maybe this helps someone in the future with the same issue 😉. If someone stumbles across it and can nail it down to connection tracking, it would be great to leave a comment here 😃
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewalling BGP output chain: interfaces not correctly recognized: output: in:(unknown 0) out:(unknown 6)

Tue Mar 28, 2023 12:11 pm

I am using output filters in my firewall, for BGP I am matching "source IP address" and "output interface list" (for a couple of different items).
I have never seen the behavior you are reporting. But I have connection tracking enabled.
Also, such problems may be caused by complicated interaction with other capabilities of the system, e.g. policy routing, route marking.
I think it is probably related to "source address selection" as well. You may have resolved this by setting a "Local address" on your connection, where this previously was blank.
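For the lock-down felixhappy describes, here is an added configuration sketch (not the config of either poster) that combines the points raised in the thread: connection tracking on, an explicit local address on the BGP connection, and output/input rules matched on address, TCP/179 and an interface list, with a logging drop rule so any session leaving without a resolved interface shows up in the log. The interface list name BGP-PEERS, the connection name to-router-2 and the private ASN 65000 are assumptions; the addresses and the SFP4-HA-to-Router-2 interface are the ones from the thread.

```routeros
# Added example, not the posters' config. Assumed names: BGP-PEERS, to-router-2,
# AS 65000 (private ASN placeholder). Addresses and interface come from the thread.

# Interface list so the same rules can be reused for the ISP peers later
/interface list add name=BGP-PEERS
/interface list member add list=BGP-PEERS interface=SFP4-HA-to-Router-2

# connection-state matching needs tracking; the OP found the issue gone
# once the setup ran with connection tracking enabled
/ip firewall connection tracking set enabled=yes

# Explicit local address on the iBGP session (pe1chl's suggestion), so the
# SYN is built with a known source instead of relying on source address selection
/routing bgp connection add name=to-router-2 as=65000 local.role=ibgp \
    local.address=169.254.0.1 remote.address=169.254.0.2

/ip firewall filter
# Tracked replies first, so only the initial SYN has to pass the strict rule
add chain=output action=accept connection-state=established,related \
    comment="OUTPUT: tracked"
# Locally originated BGP SYN: pin to our address, the peer and the peer interface list
add chain=output action=accept protocol=tcp dst-port=179 connection-state=new \
    src-address=169.254.0.1 dst-address=169.254.0.2 \
    out-interface-list=BGP-PEERS \
    log=yes log-prefix=ALLOW-OUTPUT-BGP comment="OUTPUT: BGP to Router-2"
# Anything else to TCP/179 is logged and dropped; a hit here with
# out:(unknown N) is the symptom from the first post
add chain=output action=drop protocol=tcp dst-port=179 \
    log=yes log-prefix=DROP-OUTPUT-BGP comment="OUTPUT: drop other BGP"

# Same idea for sessions the peer opens towards this router
add chain=input action=accept connection-state=established,related \
    comment="INPUT: tracked"
add chain=input action=accept protocol=tcp dst-port=179 \
    src-address=169.254.0.2 dst-address=169.254.0.1 \
    in-interface-list=BGP-PEERS comment="INPUT: BGP from Router-2"
add chain=input action=drop protocol=tcp dst-port=179 \
    log=yes log-prefix=DROP-INPUT-BGP comment="INPUT: drop other BGP"
```

The order matters: the established/related rule must sit above the per-peer rules, and the drop rule for TCP/179 below them, otherwise tracked BGP traffic or the first SYN is dropped.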