I work with RouterOS V7.11.2 and BGP is not respecting the filters for IPV6. For example, I want to reject everything, I don't want to receive anything or announce anything. If I insert the filter: rejetc; RouterOS announces everything and receives everything.
With IPV4 I don't have this problem.
Is anyone going through this?

working fine here.

Maybe you get better help when pasting your bgp and router filter config.

/routing bgp template
set default address-families=ip as=272552 disabled=no router-id=181.189.0.0 routing-table=main
add address-families=ip as=272552 disabled=no multihop=yes name=Multihop-ATC router-id=181.189.0.0 routing-table=main
/routing bgp connection
add address-families=ip as=272552 comment="ANUNCIA PREFIXO IPV4 - ATC" disabled=no local.role=ebgp name=ATC-IPV4-LOCAL output.filter-chain=ATC-IPV4-OUT .network=\
PREFIXOS_MLINK remote.address=186.248.202.201/32 .as=23106 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ip as=272552 disabled=no input.filter=FastNetMon-IN local.role=ibgp name=FastNetMon output.filter-chain=FastNetMon-OUT remote.address=172.16.47.2/32 \
.as=272552 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ip as=272552 cisco-vpls-nlri-len-fmt=auto-bits connect=yes disabled=no input.filter=ATC-IPV4-MULTHOP-IN listen=yes local.address=186.248.202.202 \
.role=ebgp multihop=yes name=ATC-MULTIHOP-FULL-ROUTING-IPV4 nexthop-choice=propagate output.default-prepend=0 remote.address=200.150.1.192/32 .as=23106 router-id=\
181.189.0.0 routing-table=main templates=default
add address-families=ipv6 as=272552 comment="ANUNCIA PREFIXO IPV6 - ATC" disabled=no local.role=ebgp name=ATC-IPV6-ANUNCIA output.filter-chain=ATC-IPV6-OUT .network=\
PREFIXO_MASTERLINK_IPV6 remote.address=2804:238:0:2::5d9/126 .as=23106 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ipv6 as=272552 cisco-vpls-nlri-len-fmt=auto-bits connect=yes disabled=no input.filter=ATC-IPV6-MULTHOP-IN listen=yes local.address=2804:238:0:2::5da \
.role=ebgp multihop=yes name=ATC-MULTIHOP-FULL-ROUTING-IPV6 nexthop-choice=propagate output.default-prepend=0 remote.address=2804:238:0:1::1/128 .as=23106 router-id=\
181.189.0.0 routing-table=main templates=default
add address-families=ip as=272552 comment="ANUNCIA PREFIXO IPV4 - NORTH" disabled=no input.filter=NORTH-IPV4-IN local.role=ebgp name=NORTH-IPV4 output.filter-chain=\
NORTH-IPV4-OUT .network=PREFIXOS_MLINK remote.address=45.185.123.196/31 .as=269096 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ipv6 as=272552 disabled=no hold-time=3m input.filter=NORTH-IPV6-IN keepalive-time=1s local.role=ebgp name=NORTH-IPV6 output.filter-chain=\
NORTH-IPV6-OUT .network=PREFIXO_MASTERLINK_IPV6 remote.address=2804:5f64:265/126 .as=269096 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ip as=272552 comment="ANUNCIA PREFIXO IPV4 - NORTH" disabled=no input.filter=IX-IPV4-IN local.role=ebgp name=IX.BR-IPV4-1 output.filter-chain=\
IX-IPV4-OUT .network=PREFIXOS_MLINK remote.address=200.219.139.253/32 .as=26162 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ip as=272552 comment="ANUNCIA PREFIXO IPV4 - NORTH" disabled=no input.filter=IX-IPV4-IN local.role=ebgp name=IX.BR-IPV4-2 output.filter-chain=\
IX-IPV4-OUT .network=PREFIXOS_MLINK remote.address=200.219.139.254/32 .as=26162 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ipv6 as=272552 disabled=no hold-time=3m input.filter=IX-IPV6-IN keepalive-time=1s local.role=ebgp name=IX.BR-IPV6-253 output.default-prepend=0 \
.filter-chain=IX-IPV6-OUT .network=PREFIXO_MASTERLINK_IPV6 remote.address=20010:3::253/128 .as=26162 router-id=181.189.0.0 routing-table=main templates=default
add address-families=ipv6 as=272552 disabled=no hold-time=3m input.filter=IX-IPV6-IN keepalive-time=1s local.role=ebgp name=IX.BR-IPV6-254 output.default-prepend=0 \
.filter-chain=IX-IPV6-OUT .network=PREFIXO_MASTERLINK_IPV6 remote.address=20010:3::254/128 .as=26162 router-id=181.189.0.0 routing-table=main templates=default



0 ;;; ANTI-DDOS
chain=ATC-IPV4-OUT rule="if (dst in 181.189.0.0/22 && dst-len in 32){accept}"

1 chain=ATC-IPV4-IN rule="if (dst == 0.0.0.0/0) { accept; }"

2 chain=ATC-IPV4-IN rule="reject;"

3 chain=ATC-IPV4-OUT rule="if (dst in 181.189.0.0/22 && dst-len in 22-24){accept}"

4 chain=ATC-IPV4-OUT rule="reject;"

5 X chain=ATC-IPV4-IN rule="accept;"

6 X chain=ATC-IPV4-IN rule="if (dst in 0.0.0.0/0) { accept; }"

7 ;;; NAO E NECESSARIO ANUNCIAR NENHUMA ROTA PELO MULTIHOP, APENAS RECEBE ROTAS
chain=ATC-IPV4-MULTHOP-OUT rule="reject;"

8 ;;; HABILITE ESSA REGRA PARA REEBER FULL ROUTING
chain=ATC-IPV4-MULTHOP-IN rule="accept;"

9 X ;;; DESABILITE ESSA REGRA PARA RECEBER FULL ROUTING
chain=ATC-IPV4-MULTHOP-IN rule="if (dst == 0.0.0.0/0) { accept; }"

10 X ;;; DESABILITE ESSA REGRA PARA RECEBER FULL ROUTING
chain=ATC-IPV4-MULTHOP-IN rule="reject;"

11 ;;; REGRA OK
chain=FastNetMon-IN rule="if (dst in 181.189.0.0/22 && dst-len == 32 && bgp-communities includes 65001:666) { accept; }"

12 chain=FastNetMon-OUT rule="reject;"

13 X ;;; BLACKHOLE teste
chain=ATC-IPV4-OUT rule="if (dst == 181.189.3.17) { set bgp-communities 23106:666; accept; }"

14 ;;; ANUNCIA BLOCO IPV6
chain=ATC-IPV6-OUT rule="if (dst in 2804:8504::/32 && dst-len in 32){accept}"

15 ;;; ANUNCIA BLOCO IPV6
chain=ATC-IPV6-OUT rule="reject;"

16 ;;; RECEBE FULL ROUTING IPV6
chain=ATC-IPV6-MULTHOP-IN rule="accept;"

17 chain=NORTH-IPV4-IN rule="accept;"

18 chain=NORTH-IPV4-OUT rule="if (dst in 181.189.0.0/22 && dst-len in 22-24){accept}"

19 chain=NORTH-IPV4-OUT rule="reject;"

20 ;;; RECEBE FULL ROUTING IPV6
chain=NORTH-IPV6-IN rule="accept;"

21 X ;;; RECEBE FULL ROUTING IPV6
chain=NORTH-IPV6-IN rule="if (dst == ::/0 ) { accept; }"

22 X ;;; RECEBE FULL ROUTING IPV6
chain=NORTH-IPV6-IN rule="reject;"

23 ;;; ANUNCIA BLOCO IPV6
chain=NORTH-IPV6-OUT rule="if (dst in 2804:8504::/32 && dst-len in 32){accept}"

24 ;;; ANUNCIA BLOCO IPV6
chain=NORTH-IPV6-OUT rule="reject;"

25 chain=IX-IPV4-OUT rule="if (dst in 181.189.0.0/22 && dst-len in 22-24){accept}"

26 chain=IX-IPV4-OUT rule="reject;"

27 chain=IX-IPV4-IN rule="accept;"

28 chain=IX-IPV6-IN rule="accept;"

29 ;;; ANUNCIA BLOCO IPV6
chain=IX-IPV6-OUT rule="if (dst in 2804:8504::/32 && dst-len in 32){accept}"

30 ;;; ANUNCIA BLOCO IPV6
chain=IX-IPV6-OUT rule="reject;"

Hi Frederico,

I reduced your config to the relevant IPv6 and non-disabled part.
I left out most of the ipv4 filters, but I wanted to add a note to using ipv4 and ipv6 filters
You can use the same filter chain (name) for ipv4 and ipv6 by additionally querying the AFI:
I don't think "dst-len in 32" is the best way to define it, since 32 is not a range. It should be "dst-len == 32" I think.
(src: https://help.mikrotik.com/docs/display/ ... nd+Filters)

One more thing: according to MT documentation, "reject" is the implicit default: (source: https://help.mikrotik.com/docs/display/ ... eFiltering)
so it should even work when leaving it out. (I have them for readability as well, I don't have the semicolons at the end, but according to documentation that should be valid)


I don't see any obvious errors in your config though.
The peer config refers to template "default", but that one is "address-families=ip" only, maybe change that one.

Could you please post the ouput of it *should* show just the one given prefix...

I will make the informed changes. Thank you very much