
OSPF-Routes outside network/area being redistributed

Posted: Wed May 18, 2005 8:58 am
by gheeres
I've got OSPF working between two Mikrotik routers. The problem I'm having is that routes that should NOT be propagated, which don't belong in the network/area, are also being replicated. Essentially I have a 10.0.0.0/8 network which is subnetted and routed between multiple routers (actually wireless access points). In order to work on the units from the ground, the ethernet interface is configured with a 192.168.1.0/30 address (this also serves as the power supply via PoE). Even though the network area 0.0.0.0 is configured for 10.0.0.0/8, the 192.168.1.0/30 route is being propagated to the remote routers. I thought the /routing prefix-list option would allow me to invalidate any routes that don't belong to 10.0.0.0/8, but reading the manual states that it only applies to RIP and BGP... and in fact trying to create a prefix-list just to "see" if it would work didn't yield the desired results...

I've overcome a similar problem with the quagga suite (v0.98.3), by using the following commands:

!
router ospf
... SNIP ...
redistribute connected route-map just-10
network 10.0.0.0/8 area 0.0.0.0
... SNIP ...
!
route-map just-10 permit 10
match ip address net-10
!

This effectively stops those routes from being advertised. In the MikroTik OS, I'm not able to find a similar option or easy workaround to avoid replicating the 192.168.1.0/30 address space. Has anyone experienced this or can explain what I'm doing wrong?


Below are the configurations for each of the routers.

First router: (Router OS v2.8.27)
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.1.1/30     192.168.1.0     192.168.1.3     Configuration
 1   10.1.4.1/22        10.1.4.0        10.1.7.255      Omni
 2   10.0.0.18/30       10.0.0.16       10.0.0.19       PTP

/ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0 Do 0.0.0.0/0          r 10.0.0.17       110      PTP
 1 DC 192.168.1.0/30     r 0.0.0.0         0        Configuration
 2 Do 10.1.12.0/22       r 10.0.0.17       110      PTP
 3 Do 10.1.8.0/22        r 10.0.0.17       110      PTP
 4 Io 10.1.4.0/22                          110
 5 DC 10.1.4.0/22        r 0.0.0.0         0        Omni
 6 Io 10.0.0.16/30                         110
 7 DC 10.0.0.16/30       r 0.0.0.0         0        PTP
 8 Do 10.0.0.0/29        r 10.0.0.17       110      PTP

/routing ospf print
                 router-id: 10.0.0.18
        distribute-default: never
    redistribute-connected: as-type-1
       redistribute-static: no
          redistribute-rip: no
          redistribute-bgp: no
            metric-default: 1
          metric-connected: 20
             metric-static: 20
                metric-rip: 20
                metric-bgp: 20

/routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK            AREA
 0   10.0.0.0/8         backbone

/routing ospf interface print
 0 interface=Omni cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

 1 interface=PTP cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

 2 interface=PTP-Future cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

Second router: (Router OS v2.8.27)
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.0.0.4/29        10.0.0.0        10.0.0.7        Core
 1   10.1.8.1/22        10.1.8.0        10.1.11.255     Sector1
 2   10.1.12.1/22       10.1.12.0       10.1.15.255     Sector2
 3   10.0.0.17/30       10.0.0.16       10.0.0.19       PTP

/ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0  S 0.0.0.0/0          r 10.0.0.1        1        Core
 1 Do 192.168.1.0/30     r 10.0.0.18       110      PTP
 2 Io 10.1.12.0/22                         110
 3 DC 10.1.12.0/22       r 0.0.0.0         0        Sector2
 4 Io 10.1.8.0/22                          110
 5 DC 10.1.8.0/22        r 0.0.0.0         0        Sector1
 6 Do 10.1.4.0/22        r 10.0.0.18       110      PTP
 7 Io 10.0.0.16/30                         110
 8 DC 10.0.0.16/30       r 0.0.0.0         0        PTP
 9 Io 10.0.0.0/29                          110
10 DC 10.0.0.0/29        r 0.0.0.0         0        Core

/routing ospf print
                 router-id: 10.0.0.4
        distribute-default: if-installed-as-type-1
    redistribute-connected: as-type-1
       redistribute-static: no
          redistribute-rip: no
          redistribute-bgp: no
            metric-default: 1
          metric-connected: 20
             metric-static: 20
                metric-rip: 20
                metric-bgp: 20

/routing ospf interface print
 0 interface=Sector1 cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

 1 interface=Sector2 cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

 2 interface=PTP cost=1 priority=1 authentication-key=""
   retransmit-interval=5s transmit-delay=1s hello-interval=10s
   dead-interval=40s

/routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK            AREA
 0   10.0.0.0/8         backbone

If you need more details about the configuration, please let me know and I'll gladly provide.

Re: OSPF-Routes outside network/area being redistributed

Posted: Wed May 18, 2005 10:49 am
by tneumann
I think you should turn off redistribute-connected and just explicitly configure the networks that you want to propagate.

--Tom

Posted: Wed May 18, 2005 4:07 pm
by gheeres
If I turn off redistribute-connected, how would I explicitly propagate the networks that I want? If I did that, would I still be using OSPF? Seems like the policy-filters should be enabled / allowed for OSPF (at least I assume they would do what I need).

One possible thought that occurred to me to work around this problem is to bridge the ethernet interface (Configuration) to a wireless interface (Omni) and assign that the same 10.x.x.x address as the wireless interface before... preferably one that had DHCP-RELAY enabled? I assume this is possible? Then I wouldn't have the 192.168.1.0/30 addresses...

Any other recommendations before I screw this all up, kick myself off the antenna and have to climb the tower to fix it... :?

Posted: Wed May 18, 2005 5:07 pm
by gheeres
Actually...thanks to another post I found, MikroTik uses quagga (as I had originally suspected), I was able to telnet into the quagga ospf daemon and set the necessary route maps.
/system telnet 127.0.0.1 2604
Use default zebra/quagga password: zebra

Once I added the route map, and reconfigured the connected metric, I copied the running config to the startup config.
copy running-config startup-config
Subsequent changes to the /routing ospf submenu do not appear to affect the additional route-map command.

Posted: Wed May 18, 2005 7:26 pm
by tneumann
gheeres,

this might work for you right now, but I think that using undocumented features (like the quagga hack you did) should be avoided and probably makes it harder to support your configuration in the future, but that's of course up to you.

Anyway, two things should be noted here

- In RouterOS 2.9 it seems there is an official way to do what you did with your quagga hack, because it appears that under /routing ospf area parameters prefix-list-export and prefix-list-import can be set for an area.

- As I mentioned in my earlier reply you could (and should!) completely avoid the need to filter the exported routes by not exporting them at all in the first place, i.e. by setting redistribute-connected=no

(Re-)distributing external routing information into OSPF should be done with care and only if you can't help it any other way, for example if you absolutely must redistribute a static route that points to a "dumb" network that has no OSPF capable devices itself, but this is certainly not necessary for the directly connected networks of an OSPF capable router such as your MikroTik box. So how do you go about this? It's simple: just provide the exact, matching network address range for each and every (directly connected) network you wish to include in OSPF and omit everything else! So you should not have
network=10.0.0.0/8
under /routing ospf network like you did but instead
network=10.1.4.0/22
network=10.0.0.16/30
under /routing ospf network on your first router and
network=10.0.0.0/29
network=10.1.8.0/22
network=10.1.12.0/22
network=10.0.0.16/30
under /routing ospf network on your second router.

Then turn off redistribute-connected on both routers. The routes to the specified networks will now be seen as OSPF internal routes by the other router (as it should be) and not as external Type-1 or Type-2 routes.

Here are some snippets I just took from a MikroTik router talking OSPF to a Cisco.

First, the IP addressing on the MikroTik box
[admin@AP1] routing ospf> /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.20.5.99/24      10.20.5.0       10.20.5.255     ether1
 1   10.173.10.1/24     10.173.10.0     10.173.10.255   ether3
 2   212.23.xxx.12/29   212.23.xxx.8    212.23.xxx.15   ether2
 3   ;;; hotspot network
     10.5.50.1/24       10.5.50.0       10.5.50.255     wlan1-public
[admin@AP1] routing ospf>
I only want OSPF to export the routes to 10.20.5.0/24 and 10.173.10.0/24, not the other networks. So here are the complete OSPF settings on the MikroTik router
[admin@AP1] routing ospf> export
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
    redistribute-static=no redistribute-rip=no redistribute-bgp=no metric-default=1 \
    metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 authentication=none prefix-list-import="" \
    prefix-list-export="" disabled=no
/ routing ospf network
add network=10.173.10.0/24 area=backbone disabled=no
add network=10.20.5.0/24 area=backbone disabled=no
[admin@AP1] routing ospf>

The Cisco is connected to ether3 within the 10.173.10.0/24 network, so I had to include this network in any case, and here is the corresponding result as seen by the Cisco
cisco#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.173.10.1       1   FULL/BDR        00:00:34    10.173.10.1     FastEthernet0
cisco#
cisco#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.30.0 is directly connected, Vlan1
     10.0.0.0/24 is subnetted, 2 subnets
O       10.20.5.0 [110/11] via 10.173.10.1, 00:01:58, FastEthernet0
C       10.173.10.0 is directly connected, FastEthernet0
cisco#
You can see 10.20.5.0/24 as an internal OSPF route on the Cisco (i.e. just O, not O E1 or O E2). The 10.173.10.0/24 is directly connected at the Cisco (as well as the MikroTik) anyway.

Now if I do
[admin@AP1] routing ospf> set redistribute-connected=as-type-1
back at the MikroTik, then let's look again at the Cisco

cisco#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.30.0.0/24 is subnetted, 1 subnets
C       172.30.30.0 is directly connected, Vlan1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.20.5.0 [110/11] via 10.173.10.1, 00:00:00, FastEthernet0
O E1    10.5.50.0 [110/21] via 10.173.10.1, 00:00:00, FastEthernet0
C       10.173.10.0 is directly connected, FastEthernet0
     212.23.xxx.0/29 is subnetted, 1 subnets
O E1    212.23.xxx.8 [110/21] via 10.173.10.1, 00:00:00, FastEthernet0
cisco#
Now the connected networks that I did not want to export from the MikroTik are here as well.

To summarise: Just export what you want others to see, then you won't have to filter. Filtering in OSPF is more useful on incoming routes as a sanity check so you may control what ends up installed in your routing table. The LSAs themselves can't be filtered anyway because it's a link-state algorithm and therefore needs to see the complete graph of the network to do its calculations.

Hope that helps,

--Tom

Posted: Wed May 18, 2005 8:49 pm
by gheeres
I agree 110%, I'd prefer not to hack things. So I backed out the hacks that I did, and added the settings that you recommended. It worked. I actually reverted back to a single 10.0.0.0/8 network and it worked that way as well, but switched it back to defining the individual network / interfaces since that appears to be the recommended method.

The redistribute-connected seems to be what screwed everything up. So the problem was my lack of fully understanding how OSPF works.

Many thanks for straightening things out!

George

Posted: Wed May 18, 2005 9:13 pm
by tneumann
"I actually reverted back to a single 10.0.0.0/8 network and it worked that way as well, but switched it back to defining the individual network / interfaces since that appears to be the recommended method."
Yes, 10.0.0.0/8 works in your case because the network that you wanted to hide was 192.168..something... which is outside of 10.0.0.0/8, so you were lucky :wink:

With the method I described you always have very fine control about what OSPF exports, that's why I recommend it.

I'm glad things worked out for you.


--Tom
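
Added example, not part of the thread or of RouterOS: a simplified Python model of the two export paths discussed above (tneumann's explanation of /routing ospf network entries versus redistribute-connected, and his closing remark on why 10.0.0.0/8 happened to work), used to check which connected prefixes a router would announce. The function names are hypothetical, and 192.0.2.12/29 is a constructed stand-in for the redacted 212.23.xxx.12/29 address.

```python
import ipaddress

def advertised(addresses, ospf_networks, redistribute_connected="no"):
    """Simplified model of the behaviour shown in the thread.

    A connected prefix covered by a '/routing ospf network' entry is
    announced as an OSPF internal route; any other connected prefix is
    announced only when redistribute-connected is on, as an external route.
    """
    nets = [ipaddress.ip_network(n) for n in ospf_networks]
    out = {}
    for addr in addresses:
        prefix = ipaddress.ip_interface(addr).network
        if any(prefix.subnet_of(n) for n in nets):
            out[str(prefix)] = "internal"
        elif redistribute_connected != "no":
            out[str(prefix)] = "external " + redistribute_connected
    return out

def unintended(routes, intended):
    """Return announced prefixes that fall outside the intended export list."""
    ok = [ipaddress.ip_network(n) for n in intended]
    return sorted(p for p in routes
                  if not any(ipaddress.ip_network(p).subnet_of(n) for n in ok))

# Interface addresses taken from the '/ip address print' outputs in the thread.
ROUTER1 = ["192.168.1.1/30", "10.1.4.1/22", "10.0.0.18/30"]
# AP1: 192.0.2.12/29 is a constructed stand-in for the redacted public address.
AP1 = ["10.20.5.99/24", "10.173.10.1/24", "192.0.2.12/29", "10.5.50.1/24"]
AP1_WANTED = ["10.20.5.0/24", "10.173.10.0/24"]

if __name__ == "__main__":
    cases = [
        ("router1: 10/8 + redistribute", ROUTER1, ["10.0.0.0/8"], "as-type-1", ["10.0.0.0/8"]),
        ("router1: 10/8, no redistribute", ROUTER1, ["10.0.0.0/8"], "no", ["10.0.0.0/8"]),
        ("AP1: exact networks", AP1, AP1_WANTED, "no", AP1_WANTED),
        ("AP1: 10/8 catch-all", AP1, ["10.0.0.0/8"], "no", AP1_WANTED),
    ]
    for name, addrs, nets, redist, wanted in cases:
        routes = advertised(addrs, nets, redist)
        print(name, "->", routes, "| unintended:", unintended(routes, wanted))
```

The last case shows the difference between the two setups: on AP1 a 10.0.0.0/8 catch-all would pull the hotspot network 10.5.50.0/24 into OSPF as an internal route, whereas on the first router the management subnet lies outside 10.0.0.0/8.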