flameproof
Member Candidate
Topic Author
Posts: 128
Joined: Tue Sep 01, 2015 3:17 pm

Netflix OCA public IPv4 routing

Tue Nov 02, 2021 8:54 am

Hi all,

Have been scratching my head for a couple of days on this one. We've received a Netflix OCA to install inside our network, and it comes with a configured IPv4 address from the address space we own under our AS. Our core router has two upstream connections, one we call DIA (Direct Internet Access), which is our original "baby steps" connection when we got started 6 years ago, and for which our upstream supplier gave us a /29 from the IPv4 space they own. Our router has various IPs in this space configured on the interface facing DIA.

The second link we added as we grew was IPT (transit) where we advertise a /24 we own over BGP. From this block, we carved out a /30 to use with the OCA, and set things up as shown:
[attached image: Neflix OCA BGP.png]
The OCA has internet access, it can be reached from the internet, but any traffic that originates from it seems to appear as coming from one of the DIA IPs, not the assigned IP advertised through BGP. A traceroute to .253, the IP of the CCR, works fine, but against .254 returns the DIA IP as the last hop instead.

Some relevant configuration:
## DIA block
/ip address add address=40.50.60.2/29 comment="Management" interface=SFP3 network=40.50.60.0
/ip address add address=40.50.60.3/29 comment="Public services" interface=SFP3 network=40.50.60.0
/ip address add address=40.50.60.4/29 comment="Public business" interface=SFP3 network=40.50.60.0

## IPT block
/ip address add address=100.10.20.1/24 comment="IPT #1" interface=SFP1 network=100.10.20.0

## OCA block
/ip address add address=100.10.20.253/30 comment="Netflix OCA" interface=SFP2 network=100.10.20.252

## Others
/ip firewall address-list add address=10.20.0.0/16 list=LAN_RANGES

## Ensure return traffic via IPT
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connection inbound via IPT" in-interface=SFP1 new-connection-mark=IPT_INBOUND passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=IPT_INBOUND new-routing-mark=ROUTE_IPT passthrough=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=IPT_INBOUND new-routing-mark=ROUTE_IPT passthrough=no

## Ensure return traffic for DIA
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connection inbound via DIA" in-interface=SFP3 new-connection-mark=DIA_INBOUND passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=DIA_INBOUND new-routing-mark=ROUTE_DIA passthrough=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=DIA_INBOUND new-routing-mark=ROUTE_DIA passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Route Netflix OCA traffic via IPT" disabled=no dst-address-list=!LAN_RANGES new-routing-mark=ROUTE_IPT passthrough=no src-address=100.10.20.253-100.10.20.254

## BGP
/routing bgp instance add as=<OUR_ASN> client-to-client-reflection=no comment="IPT IPv4" name=IPT router-id=100.10.20.1
/routing bgp instance add as=<OUR_ASN> client-to-client-reflection=no comment="Netflix OCA" name=NETFLIX_OCA router-id=100.10.20.253
/routing bgp network add comment="IPT IPv4 block" network=100.10.20.0/24 synchronize=no
/routing bgp peer add in-filter=IPT_IN instance=IPT name=IPT_IPv4 out-filter=IPT_OUT remote-address=196.x.x.100 remote-as=<UPSTREAM_ASN> ttl=default
/routing bgp peer add in-filter=NETFLIX_IN instance=NETFLIX_OCA name=NETFLIX_OCA out-filter=NEFLIX_OUT remote-address=100.10.20.254 remote-as=<NETFLIX_ASN> ttl=default
/routing filter add chain=IPT set-distance=2

## Routes
/ip route add check-gateway=ping comment="** PRIMARY GATEWAY ** DIA" distance=1 gateway=40.50.60.1
/ip route add check-gateway=ping comment="DIA gateway for marked traffic" distance=1 gateway=40.50.60.1 routing-mark=ROUTE_DIA
/ip route add check-gateway=ping comment="IPT gateway for marked traffic" distance=1 gateway=196.x.x.100 routing-mark=ROUTE_IPT
The OCA was configured with 100.10.20.254 as its IP, with 100.10.20.253 as its default gateway, mask /30. Should it be configured with our upstream IPT gateway, 196.x.x.100 instead?

Anyone have any ideas as to why the OCA transmogrifies into a different IP address, or is there a better / correct way to do this? The goals are:

- Give the OCA a public IP with which it can access the internet freely.
- Establish a BGP connection with the OCA so we can mutually advertise local routes for our customers to use it (the BGP establishes fine with the current setup).

The OCA can be pinged, and web interface that returns 403 accessed from the internet, so access to it seems OK. A traceroute, however, reveals:

traceroute to 100.10.20.254 (100.10.20.254), 30 hops max, 60 byte packets
 1  static.x.x.x.x.clients.your-server.de (x.x.x.x)  0.905 ms  0.878 ms  0.849 ms
 2  ... <VARIOUS HOPS>
10  xe-0-1-0-0.our_isp.net (190.x.x.47)  190.958 ms * *
11  40.50.60.2.our_isp.net (40.50.60.2)  196.826 ms  196.861 ms *

A traceroute to .253 is correct:

traceroute to 100.10.20.253 (100.10.20.253), 30 hops max, 60 byte packets
 1  static.x.x.x.x.clients.your-server.de (x.x.x.x)  0.335 ms  0.298 ms  0.267 ms
 2  ... <VARIOUS HOPS>
 9  100.10.20.253 (100.10.20.253)  185.087 ms et-0-1-11.our_isp.net (190.x.x.15)  189.929 ms 100.10.20.253 (100.10.20.253)  178.492 ms
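To make the interaction of the posted mangle rules and marked routes easier to reason about, here is an added example (my own code, not RouterOS and not the poster's configuration) that models those rules and traces which routing mark, and therefore which gateway, four constructed flows end up with: a connection the OCA opens, the OCA's reply to a client that arrived via IPT, the router's own reply to a client that arrived via DIA, and a packet the router originates with no existing connection. The interface names, marks and addresses are taken from the post; the 203.0.113.0/24 client addresses are constructed documentation-space values. The model assumes first-match-wins because every posted rule has passthrough=no, uses a dict in place of connection tracking, and does not model NAT or the source address the router picks for its own packets.

```python
"""Model of the mangle rules and marked routes quoted in the post (added example).

Assumptions of this model, none of which are RouterOS itself:
  - a dict stands in for connection tracking (conn_key = the flow's 5-tuple);
  - every posted rule has passthrough=no, so the first match ends the chain;
  - a marked table with no matching route falls back to the main table;
  - NAT and source-address selection for router-generated packets are ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAN_RANGES: List[IPv4Network] = [ip_network("10.20.0.0/16")]   # address-list LAN_RANGES

# Connected networks from /ip address in the post: prefix -> interface.
CONNECTED: Dict[IPv4Network, str] = {
    ip_network("40.50.60.0/29"): "SFP3",      # DIA block
    ip_network("100.10.20.0/24"): "SFP1",     # IPT block
    ip_network("100.10.20.252/30"): "SFP2",   # Netflix OCA /30
}

# Default routes from /ip route in the post: routing-mark -> gateway (None = main table).
DEFAULT_GW: Dict[Optional[str], str] = {
    None: "40.50.60.1",          # ** PRIMARY GATEWAY ** DIA
    "ROUTE_DIA": "40.50.60.1",
    "ROUTE_IPT": "196.x.x.100",  # transit upstream, redacted exactly as in the post
}


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: Optional[str]   # None = generated by the router itself (output chain)
    conn_key: str                 # identifies the flow for the connection-mark dict


@dataclass
class Rule:
    chain: str
    action: str                   # "mark-connection" or "mark-routing"
    new_mark: str
    in_interface: Optional[str] = None
    connection_mark: Optional[str] = None
    src_range: Optional[Tuple[IPv4Address, IPv4Address]] = None
    dst_not_in: Optional[List[IPv4Network]] = None   # models dst-address-list=!LAN_RANGES


# /ip firewall mangle, in the order it was posted.
MANGLE: List[Rule] = [
    Rule("prerouting", "mark-connection", "IPT_INBOUND", in_interface="SFP1"),
    Rule("prerouting", "mark-routing", "ROUTE_IPT", connection_mark="IPT_INBOUND"),
    Rule("output", "mark-routing", "ROUTE_IPT", connection_mark="IPT_INBOUND"),
    Rule("prerouting", "mark-connection", "DIA_INBOUND", in_interface="SFP3"),
    Rule("prerouting", "mark-routing", "ROUTE_DIA", connection_mark="DIA_INBOUND"),
    Rule("output", "mark-routing", "ROUTE_DIA", connection_mark="DIA_INBOUND"),
    Rule("prerouting", "mark-routing", "ROUTE_IPT",
         src_range=(ip_address("100.10.20.253"), ip_address("100.10.20.254")),
         dst_not_in=LAN_RANGES),
]


def matches(rule: Rule, p: Packet, cmark: Optional[str]) -> bool:
    """Evaluate the match part of one mangle rule against a packet."""
    if rule.in_interface is not None and p.in_interface != rule.in_interface:
        return False
    if rule.connection_mark is not None and cmark != rule.connection_mark:
        return False
    if rule.src_range is not None:
        lo, hi = rule.src_range
        if not lo <= ip_address(p.src) <= hi:
            return False
    if rule.dst_not_in is not None and any(ip_address(p.dst) in n for n in rule.dst_not_in):
        return False
    return True


def run_chain(chain: str, p: Packet, conntrack: Dict[str, str]) -> Optional[str]:
    """Walk one mangle chain; return the routing mark set, or None for the main table."""
    for rule in MANGLE:
        if rule.chain != chain or not matches(rule, p, conntrack.get(p.conn_key)):
            continue
        if rule.action == "mark-connection":
            conntrack[p.conn_key] = rule.new_mark   # sticks to every packet of the flow
            return None                             # passthrough=no: chain ends here
        return rule.new_mark                        # mark-routing, passthrough=no
    return None


def next_hop(p: Packet, conntrack: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (routing_mark, next hop) for a packet: longest connected prefix, else default route."""
    chain = "output" if p.in_interface is None else "prerouting"
    mark = run_chain(chain, p, conntrack)
    dst = ip_address(p.dst)
    hits = [net for net in CONNECTED if dst in net]
    if hits:
        return mark, "connected via " + CONNECTED[max(hits, key=lambda n: n.prefixlen)]
    return mark, DEFAULT_GW[mark]


def simulate() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed flows; 203.0.113.0/24 stands in for arbitrary internet hosts."""
    ct: Dict[str, str] = {}
    out: Dict[str, Tuple[Optional[str], str]] = {}
    # 1. The OCA opens a connection to the internet.
    out["oca_to_internet"] = next_hop(Packet("100.10.20.254", "203.0.113.10", "SFP2", "flow-a"), ct)
    # 2. A client reaches the OCA via transit (SFP1); the OCA then replies.
    next_hop(Packet("203.0.113.20", "100.10.20.254", "SFP1", "flow-b"), ct)
    out["oca_reply_to_ipt_inbound"] = next_hop(Packet("100.10.20.254", "203.0.113.20", "SFP2", "flow-b"), ct)
    # 3. A client reaches a router service via DIA (SFP3); the router then replies.
    next_hop(Packet("203.0.113.30", "40.50.60.3", "SFP3", "flow-c"), ct)
    out["router_reply_to_dia_inbound"] = next_hop(Packet("40.50.60.3", "203.0.113.30", None, "flow-c"), ct)
    # 4. The router originates a packet with no prior connection (its own DNS, NTP, ...).
    out["router_new_flow"] = next_hop(Packet("100.10.20.1", "203.0.113.40", None, "flow-d"), ct)
    return out


if __name__ == "__main__":
    for name, (mark, hop) in simulate().items():
        print(f"{name:30s} mark={mark!s:10s} -> {hop}")
```

Under the rules as posted, the model gives ROUTE_IPT (transit) both to connections the OCA opens and to its replies to clients that arrived via transit, and ROUTE_DIA to the router's replies on connections that arrived via DIA. The only flow that lands in the main table, and so on the DIA gateway, is a packet the router itself generates outside any marked connection: the output-chain rules match on a connection mark alone, so an unmarked router-originated packet is never steered to transit. What this model does not tell you is which source address the router stamps on such packets, and whether any NAT rule rewrites them; neither is quoted in the post, so both are worth checking on the device (`/ip firewall nat print` and `/ip route print detail`) before drawing conclusions from a traceroute's last hop.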
 
paulct
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: Netflix OCA public IPv4 routing

Tue Nov 02, 2021 9:16 am

We have a couple of their caches. I think we allocated two /30 public ranges and a /48 IPv6. Established BGP peers with the servers, and hey they work.
Also use LACP between a CRS317 and our edge.
 
flameproof
Member Candidate
Topic Author
Posts: 128
Joined: Tue Sep 01, 2015 3:17 pm

Re: Netflix OCA public IPv4 routing

Tue Nov 02, 2021 9:18 am

Thanks for this - do you have details on the upstream routing setup? That's where I'm stuck. Traffic originating from the OCA is not being sent out via IPT, and seems to exit via DIA. Not sure how to force it other than what I have done already...
 
CPTMikMan
just joined
Posts: 1
Joined: Fri Jan 20, 2023 9:26 am

Re: Netflix OCA public IPv4 routing

Fri Jan 20, 2023 9:28 am

Hi flameproof,

Hope you are well. Please let me know if you have managed to solve this issue.
I am having the same issue now where the OCA is reporting to receive traffic from our NAP IP, however it has its own /30.

Hope to hear from you soon.
