Hammy
Forum Veteran
Topic Author
Posts: 776
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Drop Inbound OSPF

Fri Sep 08, 2017 4:07 pm

I can't seem to figure out why I can't drop inbound OSPF packets.

/ip firewall filter
add action=drop chain=input comment="Drop OSPF" in-interface-list=Not-Internal protocol=ospf
add action=drop chain=output comment="Drop OSPF" out-interface-list=Not-Internal protocol=ospf
/interface list
add name=Not-Internal
/interface list member
add interface=ether10-MediaNet list=Not-Internal
add interface=ether9-South_AP list=Not-Internal

However, I'm getting no hits in the input rule and my log is reporting area conflicts with an outside system, yet my output rule is getting hits.

Any better way to block OSPF on an interface?


Running 6.38.7.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Drop Inbound OSPF

Sat Sep 09, 2017 12:01 am

Add the interface in OSPF as a static passive interface, and that will disable sending/receiving hellos on it.
 
Hammy

Re: Drop Inbound OSPF

Sat Sep 09, 2017 6:01 pm

> Add the interface in OSPF as a static passive interface, and that will disable sending/receiving hellos on it.

I did find a rule that was accepting traffic before my rule blocking it.

Passive would ignore any attempts of another router to connect? I was tired of seeing log entries because of a customer's router, which is why I started looking into this.

I haven't done anything with passive. The MT wiki says passive doesn't send or receive OSPF traffic. Why not just call it disabled, then?
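
Added example, not part of the original thread: a conservative first-match check in Python that flags filter rules which can never get hits because an earlier terminating rule in the same chain matches the same traffic, the situation described in the post above. The export text, the "Allow routing" accept rule and all function names are constructed for illustration; it assumes one rule per export line and compares conditions as exact strings only.

```python
import shlex

# Constructed sample export (not from the thread): an earlier accept rule
# matches OSPF on every interface, so the input drop rule is never reached.
SAMPLE_EXPORT = '''\
/ip firewall filter
add action=accept chain=input comment="Allow routing" protocol=ospf
add action=drop chain=input comment="Drop OSPF" in-interface-list=Not-Internal protocol=ospf
add action=drop chain=output comment="Drop OSPF" out-interface-list=Not-Internal protocol=ospf
'''

TERMINATING = {"accept", "drop", "reject", "tarpit"}  # actions that stop rule processing
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_filter_rules(export):
    """Return the 'add' lines of the /ip firewall filter section as dicts, in order."""
    rules, in_filter = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps a quoted comment in one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def matchers(rule):
    """Only the properties that restrict which packets the rule matches."""
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def find_shadowed(rules):
    """Return (earlier_index, later_index) pairs where the later rule gets no hits."""
    findings = []
    for j, later in enumerate(rules):
        if later.get("disabled") == "yes":
            continue
        for i, earlier in enumerate(rules[:j]):
            if (earlier.get("disabled") != "yes"
                    and earlier.get("chain") == later.get("chain")
                    and earlier.get("action", "accept") in TERMINATING
                    # every condition of the earlier rule is also required by the later one
                    and matchers(earlier).items() <= matchers(later).items()):
                findings.append((i, j))
                break
    return findings


if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_EXPORT)
    for i, j in find_shadowed(rules):
        print(f"rule {j} ({rules[j].get('comment')}) is shadowed by rule {i} ({rules[i].get('comment')})")
```

Moving the drop rule above the accept rule clears the finding, because the narrower rule is then evaluated first.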
 
ZeroByte

Re: Drop Inbound OSPF

Sat Sep 09, 2017 6:13 pm

> I haven't done anything with passive. The MT wiki says passive doesn't send or receive OSPF traffic. Why not just call it disabled, then?

Passive means that the router will not form adjacencies on the interface, but the interface is still connected to a network which is "interior" to your routing domain. I.e., the interface's connected network will be originated into OSPF.

This distinction passes by a lot of people on here because it's extremely common (sadly) for people to just do the lazy method of redistributing connected routes into OSPF. This is a bad habit to get into. There are very few situations where you must redistribute connected. The reasons why this is bad involve lots of OSPF theory and design best practices, and many MikroTik users will not ever have networks that grow large enough that they will be truly hampered by the problems that tons of external routes can cause... but if you start off with the right habits from the beginning, then your transition into larger networks will not be difficult.

You'll find that I've been pretty vocal about this recently - but it's only because I want to help spread good practices to people as they learn more advanced routing skills.
 
Hammy

Re: Drop Inbound OSPF

Sat Sep 09, 2017 6:16 pm

I redistribute a couple statics here and there, but that's it. I don't do connected routes. I manually specify all of my networks.
