Community discussions

MikroTik App
 
SapieH
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Wed May 13, 2009 9:44 pm

OSPF out route filter V7.XX

Thu Jul 18, 2024 6:21 pm

Good day All,
there are numerous posts for inbound route filters for OSPF. I am struggling to find examples of outbound route filters. I need to prevent certain connected IP ranges from being distributed by ospf.
 
User avatar
sirbryan
Member
Member
Posts: 372
Joined: Fri May 29, 2020 6:40 pm
Location: Utah
Contact:

Re: OSPF out route filter V7.XX

Fri Jul 19, 2024 5:59 pm

If you set up a filter for OSPF out, it will, by default, reject everything and only allow what you want to go out.

So, for example, if I want 10.0.0.0/24 to go out, my filter would be:
if (dst==10.0.0.0/24) { accept; }
In this case, I want to allow any subnets within the 10.0.0.0/8 range. Use "in" instead of "==" to allow for any subnets within the range to be announced.
if (dst in 10.0.0.0/8) { accept; }
If you want to be "lazy" and allow everything but a specific subnet, you'd have filters like the following.
if (dst==10.0.0.0/8) { reject; }
if (dst==192.168.0.0/16) { reject; }
accept;

Note that "==" explicitly matches on the subnet as written. If you want all smaller portions of a subnet to be filtered, you use "in" instead of "==":

if (dst in 10.0.0.0/8) { reject; }
if (dst in 192.168.0.0/16) { reject; }
accept;

It's usually smarter, though, to do what I did in the first example, which is allow the system to reject everything by default and specifically allow what you want.

From the CLI, these look like this:
# From a working example
/routing filter rule
# Allow CGNAT subnets to be advertised
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Allow management IP's to be advertised
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 16-32) { accept; }"
# By default anything else the router has is rejected
 
elbob2002
Member Candidate
Member Candidate
Posts: 267
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: OSPF out route filter V7.XX

Sat Jul 20, 2024 1:17 pm

That is such a great explanation. Wish the official docs were as good with practical examples!

Filtering has been wrecking my head since it first came out.

Who is online

Users browsing this forum: Maggiore81 and 5 guests