An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

BGP filtering

Thu Jan 26, 2023 3:36 pm

Hello there,

As I am very new to BGP and its filtering mechanism, I would like to get some help:
What would be the right filter for an
- input "Any route that you send me I will accept"
- output "I only send you my biggest /40 subnet but not the /48 & /64 subnets which I split from it"
 
felixhappy
just joined
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Re: BGP filtering

Mon Jan 30, 2023 11:35 am

Hello An5teifo,

The default behavior is to accept anything, so you do not need an input filter. You can, however, set one, just with this rule:
accept

For the output filter, you have to create an output filter with the following code:
if (dst-len == 40) {accept} else {reject}
This actually only filters for the prefix length. However, you can also set the filter to exactly only match the subnet you want to advertise:
if (dst == x:y:z::/40) {accept} else {reject}

Be sure to have this exact /40 subnet in your routing table, either learned or with a static route, very likely with an additional blackhole route with a high administrative distance. That way, the router always advertises the route and you prevent a massive internet routing change (and therefore your own reachability) if there is just an issue with your inside facing interface.

Also make sure to announce it. Either set the "Output Network" parameter of the BGP connection, or redistribute static routes (if you have a static route for your /40 you want to announce, which I definitely recommend if it is your border internet router).
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 11:42 am

Hello felixhappy,

I thought that on ROS 7 the default filter mechanism is to deny any?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP filtering

Mon Jan 30, 2023 12:11 pm

v7 default is reject
 
felixhappy
just joined
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Re: BGP filtering

Mon Jan 30, 2023 12:17 pm

Hello An5teifo,

yes, you are correct, the default filter action is to "reject". Stated in the documentation here: https://help.mikrotik.com/docs/display/ ... nd+Filters
Be aware that the default action of the routing filter chain is "reject"

However, if you do NOT set a filter, everything will be accepted 😀.

I don't know how familiar you are with BGP, but if you are facing the issue that you do not get any prefixes from your BGP neighbor, maybe you are facing the issue that active routes of another iBGP member are not advertised between iBGP peers.

Example 1: If a Router has an active default route from an ISP (eBGP session), this route will be advertised to another iBGP session.
Example 2: If the Router has an active default route from an internal Router (iBGP peer), this route will NOT be advertised to another iBGP peer.

iBGP: connection from one router to another Router with the same AS (autonomous system)
eBGP: connection from one router to another Router with a different AS (autonomous system)

If you have the issue from example 2, you can either fully mesh all iBGP peers, or use the BGP route reflector feature with your routers.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 12:28 pm

Isn't that a bit weird?
If I set a filter, the default is to reject anything; if I do not set a filter (leaving it blank), everything would be accepted?!
 
felixhappy
just joined
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Re: BGP filtering  [SOLVED]

Mon Jan 30, 2023 1:44 pm

I don't think it is weird, actually it's pretty logical. If you do NOT filter anything by not setting a filter, everything should be accepted... because you don't filter anything.

In other, maybe more logical words: accept everything, unless you filter... right?

And if you use a filter... it starts filtering EVERYTHING... except the things you accept in the filter.

Please be aware that when using WinBox, leaving the filter blank actually sets a filter with the name "". See ssh / console routing/bgp/export. If you do not want to filter, you have to unset the filter. That is the small icon next to the dropdown at the filter field. Then the filter will be greyed out again, and the filter is not set.

If the first answer solved your issue, please mark the topic as solved 😉
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 1:55 pm

Okay from this perspective I agree.

Are there any general recommendations regarding BGP in-filtering, as I came across some input that accepting anything is not always the best solution?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BGP filtering

Mon Jan 30, 2023 1:57 pm

Bogons must be filtered every time...

Never mind discarding useless bogons like 192.0.2.0/24,
but the classic private networks used inside your network must be filtered,
like 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 169.254.0.0/16 and 192.168.0.0/16
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 2:15 pm

So should I create two general in/output filters?
One for IPv4 and one for IPv6?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BGP filtering

Mon Jan 30, 2023 2:36 pm

just on input
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 2:48 pm

But e.g. on input I currently also have the
if ( dst-len > 48 ) { accept }
rule for IPv6.
With such a rule I would also filter some routable IPv4 ranges - wouldn't I?

If so, it would make sense to create two different chains - 1x v4 & 1x v6
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BGP filtering

Mon Jan 30, 2023 3:19 pm

It's obvious: create different filters.
 
felixhappy
just joined
Posts: 9
Joined: Mon Jan 23, 2023 2:32 pm
Location: Vienna

Re: BGP filtering

Mon Jan 30, 2023 4:50 pm

Yes An5teifo, your code would reject all IPv4 prefixes, because they all only have prefix lengths smaller than 48... hence prefix lengths ranging from 1 to 32.

I recommend a RAW Firewall rule to block incoming packets from all ISP interfaces with the BOGON IP addresses described in RFC 6890. I use this address-list for IPv4:
/ip/firewall/address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
As user rextended outlined, you may also want to filter those networks as incoming routes from the ISPs as well.

I recommend an output filter that advertises only the network(s) you want to advertise to the ISP, especially if your router is multi-homed with more than one ISP. The ISP should filter any non-negotiated route on their side anyway, but in case they have a misconfiguration, it may happen that you attract traffic that you actually don't want.

There is actually a pretty good article in the MikroTik documentation about securing a MikroTik router: Building Advanced firewall
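A runnable model of the filter behaviour discussed in this thread (the input/output filter suggestions in the first reply and the bogon list in this post), added here as an example: it is not code from the thread or from MikroTik, and it is Python modelling RouterOS v7 filter semantics rather than RouterOS filter syntax. The IPv4 bogon entries are taken from the not_in_internet address-list above; the IPv6 bogon entries, the /24 and /48 prefix-length thresholds and the 2001:db8::/40 placeholder aggregate are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    name: str                     # label reported when this rule decides
    match: Callable[[Net], bool]  # predicate over the received prefix
    action: str                   # "accept" or "reject"


def evaluate(chain: Optional[List[Rule]], prefix: str) -> Tuple[str, str]:
    """Return (action, reason) for one received or to-be-advertised prefix.

    Models the RouterOS v7 behaviour stated in the thread: a BGP connection
    with no filter attached accepts everything; an attached chain is walked
    top to bottom, the first matching rule decides, and the chain's implicit
    default action is reject.
    """
    if chain is None:
        return ("accept", "no-filter")
    net = ipaddress.ip_network(prefix, strict=False)
    for rule in chain:
        if rule.match(net):
            return (rule.action, rule.name)
    return ("reject", "chain-default")


# Predicate builders mirroring the expressions used in the thread:
# "dst in X/Y" (prefix covered by X/Y), "dst-len > N" and "dst == X/Y".
def dst_in(covering: str) -> Callable[[Net], bool]:
    cov = ipaddress.ip_network(covering)
    # version check first: subnet_of() raises on mixed address families
    return lambda net: net.version == cov.version and net.subnet_of(cov)


def dst_len_gt(n: int) -> Callable[[Net], bool]:
    return lambda net: net.prefixlen > n


def dst_eq(exact: str) -> Callable[[Net], bool]:
    ex = ipaddress.ip_network(exact)
    return lambda net: net == ex


# IPv4 bogons copied from the not_in_internet address-list posted above.
IPV4_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]
# IPv6 entries are an assumption, not from the thread: the ::/8 block
# (unspecified, loopback, IPv4-mapped), unique-local and link-local.
IPV6_BOGONS = ["::/8", "fc00::/7", "fe80::/10"]


def bgp_in_chain(bogons: List[str], max_len: int) -> List[Rule]:
    """Input chain: reject anything more specific than max_len, reject
    bogons, accept the rest. One chain per address family, because a length
    threshold that fits IPv6 (/48) would reject every IPv4 route."""
    chain = [Rule(f"too-specific(>{max_len})", dst_len_gt(max_len), "reject")]
    chain += [Rule(f"bogon({b})", dst_in(b), "reject") for b in bogons]
    chain.append(Rule("accept-rest", lambda net: True, "accept"))
    return chain


def bgp_out_chain(my_prefix: str) -> List[Rule]:
    """Output chain from the thread: accept exactly our aggregate; the
    implicit reject keeps the /48 and /64 pieces it was split into at home."""
    return [Rule("my-aggregate", dst_eq(my_prefix), "accept")]


def op_chain() -> List[Rule]:
    """The input rule the topic author reported, unchanged."""
    return [Rule("len>48", dst_len_gt(48), "accept")]


# /24 for IPv4 and /48 for IPv6 are the commonly used thresholds (assumption;
# the thread only mentions /48). 2001:db8::/40 is a placeholder for your own /40.
BGP_IN_V4 = bgp_in_chain(IPV4_BOGONS, 24)
BGP_IN_V6 = bgp_in_chain(IPV6_BOGONS, 48)
BGP_OUT_V6 = bgp_out_chain("2001:db8::/40")

if __name__ == "__main__":
    # Constructed sample of prefixes: default routes, bogons, too-specific
    # routes and pieces of the placeholder /40.
    samples = ["0.0.0.0/0", "10.0.0.0/8", "192.0.2.0/25", "::/0",
               "fd00::/8", "2001:db8:10::/48", "2001:db8:10:1::/64"]
    for label, chain in [("in-v4", BGP_IN_V4), ("in-v6", BGP_IN_V6),
                         ("out-v6", BGP_OUT_V6), ("op len>48", op_chain())]:
        for p in samples:
            print(f"{label:10} {p:22} -> {evaluate(chain, p)}")
```

The chains reproduce the two points made in the thread: with a filter attached the implicit default is reject, so `bgp_out_chain` drops the /48 and /64 pieces without any explicit reject rule, and the topic author's `dst-len > 48` accept rule, used as the only rule, rejects every IPv4 route including the default route, which is why separate per-family chains are needed.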
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 5:01 pm

Thanks for that. From a firewall perspective I am already pretty solid.
I just recently received my own ASN and try to figure out any best practice rules for peering with others via BGP.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BGP filtering

Mon Jan 30, 2023 5:05 pm

Best practice rule on an eBGP router: do not use a stateful firewall,
the firewall must be on another machine,
the eBGP router must be unreachable from everywhere (for management) except the internal network (and the access must be restricted only by certs and local port).
No other service at all must be active, except obviously BGP...
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 5:16 pm

Behind my Mikrotik I am running a dedicated firewall.
Access to Mikrotik is only granted from a specific IP range.

Why shouldn't there be any additional service running on the router?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: BGP filtering

Mon Jan 30, 2023 5:18 pm

Why shouldn't there be any additional service running on the router?
Really??? Is this a real or rhetorical question?
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 5:20 pm

I am just someone who is new to BGP and peering with others.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP filtering

Mon Jan 30, 2023 7:22 pm

You can definitely run BGP and other services on the same router, but you must understand the limitations when you are running a multihoming setup.
 
An5teifo
Frequent Visitor
Topic Author
Posts: 84
Joined: Mon Dec 13, 2021 10:51 am
Location: Austria

Re: BGP filtering

Mon Jan 30, 2023 7:26 pm

No, in general I only have one ISP, but it is only providing me an IPv4 address.
I am connected to several tunnel brokers, vIXPs etc. which all use different types of tunneling (GRE, EoIP, VXLAN, SIT).

So far I did not see any issues on that.
