webix
newbie
Topic Author
Posts: 28
Joined: Fri May 04, 2018 3:34 pm

BGP/Routing question

Mon Nov 25, 2019 12:41 pm

Hello Folks.

Here's the config I have:
- Mikrotik router @ my home with 2 ISPs.
- Mikrotik router @ an IX.
- MikrotikOS router @ a worldwide ISP.

My Home router connects to:
- ISP 1 with BGP session.
- ISP 2 (no BGP here).
- Mikrotik router @ IX by GRE and BGP session.
- Mikrotik router @ worldwide ISP with GRE and BGP session.
- A 3rd anti-ddos ISP with GRE and BGP session.

The config is pretty simple. I announce my IP ranges to the internet on ISP1, IX, worldwide and anti-ddos ISP.

Now, I want to send the traffic from the worldwide ISP to the anti-ddos ISP. How can I do this? Take note that I don't have a router or can't control the announcements on the anti-ddos ISP.
Mainly, I want to announce on the worldwide ISP that the route should go through anti-ddos.

Is this possible?

Regards
 
Cha0s
Forum Veteran
Posts: 916
Joined: Tue Oct 11, 2005 4:53 pm

Re: BGP/Routing question

Mon Nov 25, 2019 4:00 pm

I don't know if I fully understand what you ask, but I believe that in order to achieve what you want, you stop announcing your prefixes to the worldwide ISP and only announce them to the Anti-DDoS ISP, and they in turn announce them to the world.

This way your incoming world-wide traffic will reach you only through the Anti-DDoS ISP, while outgoing traffic will work as it did before.
 
webix
newbie
Topic Author
Posts: 28
Joined: Fri May 04, 2018 3:34 pm

Re: BGP/Routing question

Mon Nov 25, 2019 4:25 pm

Hello Cha0s.

Yes, I understand that. It's the default behavior I used. But this is my problem:
I have:
- ISP1
- ISP2
- ISP3
- AntiDDoS ISP

I want to send all traffic from ISP2 to the AntiDDoS ISP. Only that one. If I stop the announcement on ISP2, it goes by default to ISP1, and I don't want that.
I tried to set, on ISP2, set-out-nexthop with the AntiDDoS router IP, but it ended up with routes not being announced and the traffic going to ISP1.

Regards
 
Cha0s
Forum Veteran
Posts: 916
Joined: Tue Oct 11, 2005 4:53 pm

Re: BGP/Routing question

Mon Nov 25, 2019 4:47 pm

I don't think you can do that.

The way I understand it, if you need a prefix to be passed through the Anti-DDoS ISP, you need to only announce it via them and not any other ISP.
Otherwise, anyone that is closer to that other ISP will choose that path to reach you instead of the Anti DDoS ISP.
 
paulct
Member
Posts: 303
Joined: Fri Jul 12, 2013 5:38 pm

Re: BGP/Routing question

Mon Nov 25, 2019 6:05 pm

Usually one would create a tunnel to a DDOS provider, and advertise your prefixes there.
 
Murmaider
Member Candidate
Posts: 124
Joined: Fri Oct 30, 2015 10:10 am

Re: BGP/Routing question

Wed Dec 04, 2019 6:48 pm

Use a GRE (or even a direct cable) to the AntiDDoS ISP.
Ask your ISP to create a BGP community for you that allows you to tell the ISPs to stop advertising your prefixes to their peers.
This forces all incoming traffic to go via the AntiDDoS provider (since they are the only ones advertising your prefixes or the prefix being attacked), and all outgoing traffic still goes out via your non-saturated ISPs' links.

Only read now that you only want it to happen on the one ISP2 link. I don't think you're going to be able to force traffic coming over ISP2 to go via the AntiDDoS because of the way BGP does best path selection.
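As an added example (not posted by anyone in this thread and not taken from the MikroTik documentation), the following RouterOS v6 configuration implements what Cha0s and Murmaider describe: the protected prefix is still originated, but a per-peer out-filter withholds it from the worldwide ISP session while the anti-DDoS session keeps receiving it, and a commented alternative shows where the ISP-supplied "do not advertise to peers" community would be attached instead of withholding. All AS numbers (64496, 64500, 64501), peer addresses (192.0.2.2, 198.51.100.1), the prefix 203.0.113.0/24 and the community value are assumed documentation/placeholder values; replace them with your own.

```routeros
# Added example, not from the thread. Assumed values: our AS 64496,
# protected prefix 203.0.113.0/24, anti-DDoS peer AS 64500 reachable over
# the GRE tunnel at 192.0.2.2, worldwide ISP peer AS 64501 at 198.51.100.1.
/routing bgp instance
set default as=64496 router-id=192.0.2.1

# Originate the protected prefix. The blackhole route keeps it present in
# the routing table; synchronize=no lets BGP announce it regardless.
/ip route
add dst-address=203.0.113.0/24 type=blackhole comment="protected range"
/routing bgp network
add network=203.0.113.0/24 synchronize=no

/routing filter
# Anti-DDoS peer: announce only the protected prefix.
add chain=antiddos-out prefix=203.0.113.0/24 action=accept
add chain=antiddos-out action=discard

# Worldwide ISP peer: withhold the prefix. Once the scrubbing provider is
# the only AS advertising it, remote networks have a single path to it.
add chain=isp-worldwide-out prefix=203.0.113.0/24 action=discard comment="scrub mode: withheld so inbound arrives via anti-DDoS"
add chain=isp-worldwide-out action=discard

# Alternative (Murmaider's suggestion): keep announcing to the ISP but tag
# the prefix with the ISP's 'do not advertise to your peers' community.
# 64501:XXXX is a placeholder; the real value comes from the ISP.
# add chain=isp-worldwide-out prefix=203.0.113.0/24 action=accept set-bgp-communities=64501:XXXX

/routing bgp peer
add name=antiddos remote-address=192.0.2.2 remote-as=64500 out-filter=antiddos-out
add name=isp-worldwide remote-address=198.51.100.1 remote-as=64501 out-filter=isp-worldwide-out

# Check: the prefix should be listed for the antiddos peer only.
/routing bgp advertisements print peer=antiddos
/routing bgp advertisements print peer=isp-worldwide
```

After applying this, confirm with the two `advertisements print` commands that 203.0.113.0/24 is advertised to `antiddos` and absent for `isp-worldwide`. Note the caveat both replies make: withholding the prefix from one ISP does not steer that ISP's former traffic to the scrubbing provider; it lands on whichever of the remaining announcements (ISP1, the IX, the anti-DDoS provider) each remote network prefers under BGP best-path selection. To guarantee that all inbound traffic is scrubbed, the same discard rule has to be applied to every non-scrubbing peer, leaving the anti-DDoS session as the only announcement.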
