I am actually new to the MikroTik family; I have heard a lot about them, and many of our ISPs use them as their CPEs, so why not migrate from Cisco ASR 1001-X to MikroTik as well and save one or two gold bars of company money. We bought a pair of CCR2116-12G-4S+ as our main Internet Routers with 4x BGP Full-Feed, announcing our PI address space.
For the problem description:
I want to lock down security as much as I can for the two Internet Routers. I tried to lock the BGP sessions for the ISPs to their respective interfaces. However, when the first BGP TCP SYN packet hits the firewall outgoing, it is specified with an unknown output interface. If I remove the outgoing interface from the firewall rule and enable logging, I always see two hits immediately:
ALLOW-OUTPUT-BGP output: in:(unknown 0) out:(unknown 6), connection-state:new proto TCP (SYN), 169.254.0.1:45213->169.254.0.2:179, len 60
ALLOW-OUTPUT-BGP output: in:(unknown 0) out:SFP4-HA-to-Router-2, connection-state:new proto TCP (SYN), 169.254.0.1:45213->169.254.0.2:179, len 60
Question: Why is it hitting the Firewall engine first with an unknown interface, then with the correct output interface SFP4-HA-to-Router-2?
I also tried to add a prerouting firewall rule to accept the one hit before, but this did not help either...
Test setup for the log entry above:
Router1 SFP4 IP 169.254.0.1/30 connected to Router2 SFP4 IP 169.254.0.2/30
I use this link between the routers to replicate all routing information, in case the ISP(s) of one router go down, and to prevent asymmetric routing.
Any ideas about that behavior and how to lock the BGP sessions with the firewall ruleset to their interfaces?
We are using RouterOS version 7.7. This did not work with 7.6 either.
Kind Regards,
Felix
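An added example, not part of Felix's post, showing one defender-side way to pin BGP sessions in a RouterOS v7 filter: the output chain matches on the peer address (which is known on the first SYN even when the out-interface is still reported as unknown), the input chain matches on peer address and in-interface, and everything else on tcp/179 is logged and dropped. The ISP peer address 203.0.113.1, the interface name SFP1-ISP-A and the log prefixes are placeholders; an established/related accept is assumed to sit above these rules.

```routeros
# Constructed example: RouterOS v7 firewall filter rules that restrict BGP (tcp/179)
# to known peers. Peer addresses other than the 169.254.0.0/30 HA link and the
# interface name SFP1-ISP-A are placeholders, not values from the post.
/ip firewall filter
# Keep already-accepted sessions flowing (replies of either direction).
add chain=input connection-state=established,related action=accept comment="BGP example: keep established"
add chain=output connection-state=established,related action=accept comment="BGP example: keep established"
# Sessions this router opens: match the peer address, not the out-interface,
# because out-interface is reported as unknown on the first SYN.
add chain=output protocol=tcp dst-port=179 dst-address=169.254.0.2 action=accept comment="BGP to Router-2 over HA link"
add chain=output protocol=tcp dst-port=179 dst-address=203.0.113.1 action=accept comment="BGP to ISP-A (placeholder address)"
# Sessions the peer opens: address and ingress interface can both be enforced here.
add chain=input protocol=tcp dst-port=179 src-address=169.254.0.2 in-interface=SFP4-HA-to-Router-2 action=accept comment="BGP from Router-2 over HA link"
add chain=input protocol=tcp dst-port=179 src-address=203.0.113.1 in-interface=SFP1-ISP-A action=accept comment="BGP from ISP-A (placeholder interface)"
# Any other tcp/179 attempt in either direction is logged for review and dropped.
add chain=input protocol=tcp dst-port=179 action=drop log=yes log-prefix="DROP-BGP-IN" comment="BGP: unexpected inbound peer"
add chain=output protocol=tcp dst-port=179 action=drop log=yes log-prefix="DROP-BGP-OUT" comment="BGP: unexpected outbound peer"
```

Check the result with `/ip firewall filter print stats` and the DROP-BGP-* log prefixes: the accept counters for each peer should increase while the drop rules stay at zero during normal operation.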