/routing bgp instance
set default as=12345
/routing bgp network
add network=124.124.124.0/24
/routing bgp peer
add name=the-isp remote-address=229.229.229.9 remote-as=12345

• if you masquerade or src-nat the source address of anything that goes out the WAN interface, the connections initiated from the /24 addresses will be src-nated, so to avoid that, you have to shadow that masquerade/src-nat rule with an accept one with src-address=124.124.124.0/24 placed in front of it
• you will not be able to even ping anything in 124.124.124.0/24 from the internet unless you permit icmp to be forwarded to these addresses by adding the following rule to a proper place in /ip firewall filter:
• add action=accept chain=forward in-interface=your-WAN-interface protocol=icmp
  Later on you will likely want to add more rules like this to permit access to services running on hosts in the /24 subnet, such as
  add action=accept chain=forward dst-address=124.124.124.5 dst-port=443 in-interface=your-WAN-interface protocol=tcp to permit access from the internet to https service at 124.124.124.5
• if the ISP is paranoid, they may not accept initiation of the BGP control connection from your side, so you may have to add the following rule to a proper place in /ip firewall filter:
  add action=accept chain=input dst-port=179 in-interface=your-WAN-interface protocol=tcp

I'd say that as gents at the ISP haven't specified a private AS number to you, and as peers inside an AS must share the same AS number, you have to set both the as of your /routing bgp instance and the remote-as of the /routing bgp peer to their AS number, and add the /24 as /ip routing bgp network (an item called network in subtree /routing bgp network),

So if their AS number is 12345, their gateway address in the /29 network is 229.229.229.9/29, and the /24 network is 124.124.124.0/24, and you'll run just a single (default) BGP instance, the whole bgp configuration export would look like this:

Code: Select all

/routing bgp instance
set default as=12345
/routing bgp network
add network=124.124.124.0/24
/routing bgp peer
add name=the-isp remote-address=229.229.229.9 remote-as=12345

Also bear in mind that BGP only distributes the routes, but doesn't automagically add or modify firewall rules. So with the default firewall rules in place, you may get several surprises:

• if you masquerade or src-nat the source address of anything that goes out the WAN interface, the connections initiated from the /24 addresses will be src-nated, so to avoid that, you have to shadow that masquerade/src-nat rule with an accept one with src-address=124.124.124.0/24 placed in front of it
• you will not be able to even ping anything in 124.124.124.0/24 from the internet unless you permit icmp to be forwarded to these addresses by adding the following rule to a proper place in /ip firewall filter:
• add action=accept chain=forward in-interface=your-WAN-interface protocol=icmp
  Later on you will likely want to add more rules like this to permit access to services running on hosts in the /24 subnet, such as
  add action=accept chain=forward dst-address=124.124.124.5 dst-port=443 in-interface=your-WAN-interface protocol=tcp to permit access from the internet to https service at 124.124.124.5
• if the ISP is paranoid, they may not accept initiation of the BGP control connection from your side, so you may have to add the following rule to a proper place in /ip firewall filter:
  add action=accept chain=input dst-port=179 in-interface=your-WAN-interface protocol=tcp

Thank you very much with your detailed/simple descriptions. It was exactly what I wanted, but now they don't want us to use their AS number to announce our IPs, so I've applied for an asn from apnic and already paid and waiting for our asn to be issued. so here are my concerns now:

1. Do I still need them to announce my IPs? (I think yes, but just to make sure)

2. This might sound stupid but, what IF they say no because it's leased or some other BS. Can they do such things? (just wondering)

3. This router I want to configure bgp is already providing services for about 500 PPPoE clients, which I want to assign these Public IPs to them. what would be the trick to so do? (to advertise using bgp and then assign them on Pools to give out to PPPoE clients)

4. Does it take time to start using the IPs after I advertise them?

1. Do I still need them to announce my IPs? (I think yes, but just to make sure)

As said above, you need a BGP peer on each uplink to announce your addresses through, so yes, you still need them or any other ISP through which you would be connected and which also participates in the BGP network.

2. This might sound stupid but, what IF they say no because it's leased or some other BS. Can they do such things? (just wondering)

There is no other way to announce your IPs using BGP than via some uplink, so they kinda cannot say no, as that would make no technical sense. You've got your public subnet (the /24 one), and you tell your direct BGP peer that it's accessible via this IP address of yours (in the /29 subnet). Something is telling me that it works even if you don't tell this directly to your uplink gateway but it is not usual to have the uplink gateway and the BGP peer as different entities.

3. This router I want to configure bgp is already providing services for about 500 PPPoE clients, which I want to assign these Public IPs to them. what would be the trick to so do? (to advertise using bgp and then assign them on Pools to give out to PPPoE clients)

Exactly as you say - once you start advertising the /24 subnet, you can use it as a pool to assign to your PPPoE clients. I believe you don't want to give each of your 500 clients his own address from a pool of 256 addresses, so you'll have to configure the /ppp secret of the privileged users out of those 500 with this pool-public.

Well, I only asked that because their IT guy was like "yea, these IPs are leased and not bought so we might not be able to announce them even if you had your own ASN" and because they're the only available upstream so they can demand some stupid stuffs, but I just wanted to see how is the common way.

Sounds pretty simple then. but I need to assign one public IP on my Wan port to act as a gateway IP address or it's not needed?

That's a commercial issue, not technical. If you have the subnet leased from them, he should not make waves. If you have it leased from someone else - I still think technically there is no problem.

That's the beauty of it, you need not. A PPPoE is a point-to-point tunnel so the client actually doesn't need any IP address as a gateway - "the other end of the tunnel" is the gateway, whatever address it has. So solely to make life easy for Mikrotik users among your clients, you should set your IP address from the /29 network as "remote" for them (because then they will be able to use scriptless failover which only works with IP addresses of gateways, not interface names, and these addresses have to be unique so that it would work).

Having said that, even 124.124.124.0 and 124.124.124.255 can be used as PPPoE client addresses as there is no notion of "network address" and "broadcast address" on a ppp interface.

I assume you talk about peer status?

What is the complete output of

ip firewall connection print detail where dst-address~":179\$" or src-address~":179\$"

(you may edit the IP addresses but don't touch the rest).

many things may be wrong.

So please give me an anonymized output of

/routing bgp export

/ip firewall export

Also do the following to speed things up:
/system logging add topics~bgp

/routing bgp instance print

/routing bgp instance disable 0

now, in another terminal windows, run the following:
/log print follow-only file=bgp-startup where topics~bgp

back in the first command-line window,
/routing bgp instance enable 0

Wait two minutes, then stop (Ctrl-C) the print in the second window, download the file, anonymize it (see my signature below) and post it here too.

Hey, man, you should first of all find time latest today to netinstall your router, someone was there and left you a message in the comments of your firewall rules:

"Add you ip addess to allow-ip in Address Lists."
"I closed the vulnerability with a firewall."
"Please update RouterOS and change password."
" You can say thanks on the WebMoney Z399578297824"
"or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1"

I'll continue analysing what you've sent so far, but the above is way more important (I don't mean sending the money to that guy, I mean to export the whole configuration, save it to a file, netintsall the router to remove every piece of s..t someone else than that guy may have installed there, and then first sanitize the exported configuration from anything suspicious you are not sure what the heck it might be good for and then restore it on the device (better manually if it is not too large).

If you need to minimize the outage for your clients, go buy another box, migrate the configuration to it (no backup!, export and manual sanitization), and then switch the cables from the old one to the new one. Still better than to give your customers several hours of outage or even worse, infect your customers' Mikrotiks or anything else, or participate in DDoS to someone who would really mind being DDoSed.

As for the "bgp: connection refused" - this is most likely on TCP level and it was one of the possibilities, either they forgot to permit BGP from you, or they are getting ready to tell you some more BS why they cannot do that, or you may possibly be knocking at wrong door (although I think the peer should be the gateway). The other possibility was that the TCP connection got established but they refused the connection at BGP, not TCP, level for some reason (unexpected ASN or so).

I didn't really get what rights do you miss to tail the log and filter it into a file if you had got enough rights to disable the bgp instance and re-enable it; the biggest problem is that the log only holds 1000 newest items so if other events pour in constantly, the relevant ones may disappear faster than you spot them. If downloading the file is the problem, just omit the file= part, the tail will go to the text window and you can copy-paste from there.

Out of curiosity, can you reveal the country?

it's also hard to find these routers here. so gonna take some time for me.

Sure, it's 23442647826

it's also hard to find these routers here. so gonna take some time for me.

That was partially the reason why I asked for the country. But I'm not clever enough to decipher

Sure, it's 23442647826

so I take it you don't want to reveal it and I definitely don't insist to know.

it should show the one you have configured as the as parameter of the instance. I'm not an expert in different notations, so I would have to see both what you've input and what it shows to compare whether it is the same thing in two different notations or not. But if they refuse already the TCP connection, they couldn't notice yet that you offer a wrong ASN (if you do).