mysz0n
Member Candidate
Topic Author
Posts: 137
Joined: Tue Mar 03, 2009 2:14 am

BGP Migrating filter rules from v6 to v7

Thu Oct 27, 2022 5:21 pm

I would like to ask for help in checking if I have rewritten the rules to v7 correctly (in this example 123.231.0.0/20 is my external BGP IP pool)

v6:
/routing filter
add action=jump chain=Out_MyISP jump-target=No_Bogon
add action=accept bgp-as-path="^\$" chain=Out_MyISP prefix=123.231.0.0/20 prefix-length=20-24 set-bgp-prepend=3
add action=discard chain=Out_MyISP
add action=jump chain=In_MyISP jump-target=No_Bogon set-bgp-communities=""
add action=discard append-bgp-communities="" chain=In_MyISP prefix=123.231.0.0/20 prefix-length=20-32 set-bgp-communities=""
add action=discard append-bgp-communities="" chain=In_MyISP prefix=0.0.0.0/0 set-bgp-communities=""
add action=accept append-bgp-communities="" chain=In_MyISP
add action=discard chain=No_Bogon prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=No_Bogon prefix=255.255.255.255
v7:
/routing filter rule
add chain=Out_MyISP rule="jump No_Bogon;"
add chain=Out_MyISP rule="if (dst in 123.231.0.0/20 && dst-len in 20-24 && bgp-as-path-slow-legacy \"^\$\") { set bgp-path-prepend 3; accept; }"
add chain=Out_MyISP rule="reject;"
add chain=In_MyISP rule="jump No_Bogon;"
add chain=In_MyISP rule="if (dst in 123.231.0.0/20 && dst-len in 20-32) {reject;}"
add chain=In_MyISP rule="if (dst in 0.0.0.0/0) {reject;}"
add chain=In_MyISP disabled=no rule="accept;"
add chain=No_Bogon rule="if (dst in 127.0.0.0/8 && dst-len in 8-32) { reject; }"
add chain=No_Bogon rule="if (dst == 255.255.255.255) {reject;}"

I don't know why, when upgrading from v6 to v7 all "In_MyISP" rules were skipped and not converted to the new version?
Interestingly, when I downgrade to v6, the "In_MyISP" rules reappeared. Does that mean MikroTik keeps the settings for both versions in different places?

Anticipating suggestions, I have read https://help.mikrotik.com/docs/display/ ... nd+Filters
However, I have already had 2 attempts to upgrade my BGP to v7 and both turned out to be a failure; this time I would like to be sure the filters are OK.
Last edited by BartoszP on Thu Oct 27, 2022 5:45 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP Migrating filter rules from v6 to v7

Thu Oct 27, 2022 6:09 pm

What exactly do you consider a failure? As far as I can see from your output, all rules from the In_MyISP chain are converted correctly.

And some of your v6 rules do not make sense either. Why do you set and append communities to empty values for routes that you are discarding anyway?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP Migrating filter rules from v6 to v7

Thu Oct 27, 2022 7:20 pm

It is important to remember that a filter chain that ends without accepting everything is working OK in v6 because there is an implicit accept at the end of the filter chain, but in v7 there is an implicit reject at the end of the chain, so when you are not explicitly accepting everything you want to accept, the filter will fail in v7.
I think it is a mistake that the automatic conversion from v6 to v7 does not add an "accept everything" (with an appropriate comment like "added by v6->v7 conversion, review if you need it") because this leads to very hairy problems.
 
sirbryan
Member Candidate
Posts: 298
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: BGP Migrating filter rules from v6 to v7

Thu Oct 27, 2022 8:30 pm

I agree with the last post about default accept vs default reject. That caught me off guard in my conversions to 7 from 6 with BGP and OSPF going bonkers because suddenly routes that were there before weren't, and vice versa.

In v6 routers, my last rule is generally a "discard" rule because I don't want just everything to pass through, so they get converted (and are redundant/unnecessary), but don't hurt anything. In the case of BGP peering with upstream providers, when turning things up on v7, I had to create a rule to explicitly accept everything while applying my desired attributes.
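
A check for the implicit-accept (v6) versus implicit-reject (v7) difference described in the replies above, as an added example that is not part of any poster's message and not MikroTik tooling: it reads a v7 `/routing filter rule` export and reports, per chain, whether an unconditional `accept` or `reject` exists or whether the chain relies on the implicit end-of-chain action. The function names `parse_rules`, `terminal_action` and `audit` are hypothetical, and the parsing assumes one `add` rule per line as in the first post.

```python
import re

# v7 rules copied from the first post of this thread, used as sample input.
SAMPLE_V7 = r'''
/routing filter rule
add chain=Out_MyISP rule="jump No_Bogon;"
add chain=Out_MyISP rule="if (dst in 123.231.0.0/20 && dst-len in 20-24 && bgp-as-path-slow-legacy \"^\$\") { set bgp-path-prepend 3; accept; }"
add chain=Out_MyISP rule="reject;"
add chain=In_MyISP rule="jump No_Bogon;"
add chain=In_MyISP rule="if (dst in 123.231.0.0/20 && dst-len in 20-32) {reject;}"
add chain=In_MyISP rule="if (dst in 0.0.0.0/0) {reject;}"
add chain=In_MyISP disabled=no rule="accept;"
add chain=No_Bogon rule="if (dst in 127.0.0.0/8 && dst-len in 8-32) { reject; }"
add chain=No_Bogon rule="if (dst == 255.255.255.255) {reject;}"
'''

CHAIN_RE = re.compile(r'\bchain=(\S+)')
RULE_RE = re.compile(r'\brule="((?:\\.|[^"\\])*)"')  # tolerates \" inside the rule

def parse_rules(export_text):
    """Return {chain: [rule text, ...]} in export order, skipping disabled rules."""
    chains = {}
    for line in export_text.splitlines():
        line = line.strip()
        chain, rule = CHAIN_RE.search(line), RULE_RE.search(line)
        if not line.startswith("add ") or not chain or not rule:
            continue
        if re.search(r'\bdisabled=yes\b', line):
            continue
        chains.setdefault(chain.group(1), []).append(rule.group(1).strip())
    return chains

def terminal_action(rule):
    """Return 'accept' or 'reject' if the rule applies it unconditionally, else None."""
    if rule.startswith("if"):
        return None  # conditional rule: routes that do not match fall through
    for stmt in (s.strip() for s in rule.split(";")):
        if stmt in ("accept", "reject"):
            return stmt
    return None

def audit(export_text):
    """Map each chain to 'accept', 'reject' or 'implicit' for routes matching no condition."""
    report = {}
    for name, rules in parse_rules(export_text).items():
        action = next((a for a in map(terminal_action, rules) if a), None)
        report[name] = action or "implicit"  # per the replies above: implicit means reject in v7
    return report
```

A chain reported as `implicit` is one to review after migration; `No_Bogon` is reported that way as well because it is only a jump target, and how such a chain hands control back is not covered in this thread.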
