BGP on Mikrotik


Enable IPv6 on your router

The first thing we will do is enable IPv6 on our Mikrotik router.

system package enable ipv6
system reboot 
y

This will restart the device, and when it comes back, it will have a new menu named IPv6.

We will also set a longer ARP timeout to be a good citizen; 4 hours is usually a reasonable value and avoids sending updates every 5 minutes.

/ip settings set arp-timeout=04:00:00

Specify the IPv4 and IPv6 addresses for your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net), and your internal network.

Assumptions for the example:

  • ASN (Autonomous System Number) assigned by LACNIC to our organization: AS 123456.
  • The IPv4 block assigned by LACNIC is 100.100.100.0/22.
  • The IPv6 block assigned by LACNIC is 2803:cd10::/32.
  • The IPv4 address for the point-to-point connection to the IP transit provider is 198.51.100.2/30 (the IP transit provider's equipment, with which we will establish BGP, is 198.51.100.1).
  • The IPv6 address for the point-to-point connection to the IP transit provider is 2803:dd99:1111::2/126 (the IP transit provider's equipment, with which we will establish BGP, is 2803:dd99:1111::1).
  • IPv4 address assigned by Perú IX (PIT Peru sac) (pitperu.net): 45.183.47.254/24
  • IPv6 address assigned by Perú IX (PIT Peru sac) (pitperu.net): 2803:cd60:6411:5::ff/64

    Configure the IPv4 and IPv6 addresses provided by LACNIC on the loopback interface

    The first thing to do is to create a loopback interface and assign it the IPv4 and IPv6 addresses provided by LACNIC. Another option is to assign the IP to another interface or statically route it to another router.

    /interface bridge add name=loopback
    # change 100.100.100.1/22 to the first IPv4 of the range assigned by LACNIC #
    /ip address add address=100.100.100.1/22 interface=loopback 
    # change 2803:cd10::/32 to the first IPv6 of the range assigned by LACNIC #
    /ipv6 address add address=2803:cd10::/32 advertise=no interface=loopback  

    Next, we are going to define the IPv4 and IPv6 addresses of the IP transit provider, if they are not yet defined on the device.

    # change 198.51.100.2/30 to the IPv4 assigned by your IP transit provider #
    /ip address add address=198.51.100.2/30 interface=IP_TRANSIT
    # change 2803:dd99:1111::2/126 to the IPv6 assigned by your IP transit provider #
    /ipv6 address add address=2803:dd99:1111::2/126 advertise=no interface=IP_TRANSIT

    Finally, we are going to configure the IP addresses provided by Perú IX (PIT Peru sac).

    # change 45.183.47.254/24 to the IPv4 assigned by Perú IX (PIT Peru sac) #
    /ip address add address=45.183.47.254/24 interface=PIT_PERU_sac 
    # change 2803:cd60:6411:5::ff/64 to the IPv6 assigned by Perú IX (PIT Peru sac) #
    /ipv6 address add address=2803:cd60:6411:5::ff/64 advertise=no interface=PIT_PERU_sac

    Enter the ASN of your organization (ASN provided by LACNIC)

    In our example, let's assume that LACNIC has assigned us ASN 123456. We will use our first publicly available IPv4 address for the router-id.

    # change the name to one you prefer, the as to the ASN assigned by LACNIC, and for the router-id use the IP of the loopback or another one #
    /routing bgp instance add name=AS123456 as=123456 router-id=100.100.100.1

    Create routing filters for OUT and IN chains.

    Before starting BGP sessions, it is VERY IMPORTANT to create security filters for both input and output.

    Important: In filters, the order of the rules matters; within each chain the rules are processed in order, starting with the first one.

    Output Filters IPv4 (OUT)

     # replace 100.100.100.0/22 with your prefix assigned by LACNIC #
     
    /routing filter
    add action=accept chain=IP_TRANSIT_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22
    add action=discard chain=IP_TRANSIT_IPv4_OUT
     
     
    # replace 100.100.100.0/22 with your prefix assigned by LACNIC. Note that we are going to send more specific prefixes to the IX, in this case /24s #
     
    /routing filter
    add action=accept chain=PIT_PERU_sac_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22-24
    add action=discard chain=PIT_PERU_sac_IPv4_OUT

    Output filters IPv6 (OUT)

    # replace 2803:cd10::/32 with your IPv6 prefix assigned by LACNIC #
     
    /routing filter
    add action=accept chain=IP_TRANSIT_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32
    add action=discard chain=IP_TRANSIT_IPv6_OUT
     
     
    # replace 2803:cd10::/32 with your IPv6 prefix assigned by LACNIC. Note that we will send more specific prefixes to the IX, in this case /48s #
     
    /routing filter
    add action=accept chain=PIT_PERU_sac_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32-48
    add action=discard chain=PIT_PERU_sac_IPv6_OUT

    Why do we advertise the less specific /22 to the IP transit provider and the more specific /24s to Perú IX (PIT Peru sac)?

    This ensures that the path through Perú IX (PIT Peru sac) is preferred over the IP transit path, so that traffic that could be exchanged through Perú IX (PIT Peru sac) is not carried over IP transit instead.

    IPv4 Inbound (IN) Filters

    Here, we need to make a decision: whether to ask the IP transit provider to send us only the default route, or to request the DFZ (the full BGP table without the default route, also known as the Full Internet Routing Table or Full BGP).

    # the first line is used only if we are accepting the default route #
     
    /routing filter
    add action=accept chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
    # 192.0.2.0/24 is TEST-NET-1 (RFC 5737) #
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.0.2.0/24 prefix-length=24-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
    # 198.51.100.0/24 is TEST-NET-2 (RFC 5737) #
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.51.100.0/24 prefix-length=24-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
    add action=discard chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
    add action=accept chain=IP_TRANSIT_IPv4_IN
     
     
     
    # We also apply filters in the Perú IX (PIT Peru sac) chain; although the Route Servers apply filters of their own, it is important to always apply filters anyway #
     
    /routing filter
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
    # 192.0.2.0/24 is TEST-NET-1 (RFC 5737) #
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.0.2.0/24 prefix-length=24-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
    # 198.51.100.0/24 is TEST-NET-2 (RFC 5737) #
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.51.100.0/24 prefix-length=24-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
    add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
    add action=accept chain=PIT_PERU_sac_IPv4_IN
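
The first-match behaviour of these chains can be checked offline. The following Python model is an added example, not part of the original guide or of RouterOS: it assumes that a rule with `prefix` alone matches only that exact prefix, that `prefix` plus `prefix-length` matches any route inside the prefix whose length is in the range, and that a rule with no matcher matches everything. The received routes are constructed samples and the IN chain is abbreviated.

```python
import ipaddress as ipa

def rule(action, prefix=None, length=None):
    """One '/routing filter add' line; length is an inclusive (min, max) or None."""
    return action, ipa.ip_network(prefix) if prefix else None, length

def evaluate(chain, route):
    """Action of the first matching rule; None if the chain has no match."""
    net = ipa.ip_network(route)
    for action, prefix, length in chain:
        if prefix is None:                 # no matcher: catch-all rule
            return action
        if length is None:                 # prefix alone: exact match (assumed)
            if net == prefix:
                return action
        elif net.subnet_of(prefix) and length[0] <= net.prefixlen <= length[1]:
            return action
    return None

# OUT chains as configured on the page
TRANSIT_OUT = [rule("accept", "100.100.100.0/22", (22, 22)), rule("discard")]
IX_OUT = [rule("accept", "100.100.100.0/22", (22, 24)), rule("discard")]
# Abbreviated IP_TRANSIT_IPv4_IN: same order as the page, most bogon lines omitted
TRANSIT_IN = [
    rule("accept", "0.0.0.0/0"),
    rule("discard", "45.183.47.0/24", (24, 32)),
    rule("discard", "10.0.0.0/8", (8, 32)),
    rule("discard", "0.0.0.0/0", (25, 32)),
    rule("accept"),
]
# Networks from the '/routing bgp network add' lines on the page
NETWORKS = ["100.100.100.0/22"] + [f"100.100.{n}.0/24" for n in range(100, 104)]

def advertised(chain):
    """Networks that pass an OUT chain."""
    return [n for n in NETWORKS if evaluate(chain, n) == "accept"]

if __name__ == "__main__":
    print("to transit:", advertised(TRANSIT_OUT))
    print("to IX:     ", advertised(IX_OUT))
    # Constructed sample routes received from the transit peer
    for r in ["0.0.0.0/0", "10.1.0.0/16", "45.183.47.0/24",
              "190.10.0.0/16", "190.10.20.128/25"]:
        print(f"{r:18} -> {evaluate(TRANSIT_IN, r)}")
    # Order matters: a catch-all placed first hides every discard below it
    print(evaluate([rule("accept")] + TRANSIT_IN, "10.1.0.0/16"))
```

Running the same model over a chain before pasting it into the router is a quick way to catch a catch-all rule that was added above the discards.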

    IPv6 Inbound (IN) Filters

    Here, we should accept all prefixes sent to us by Perú IX (PIT Peru sac), except those recommended for filtering based on best practices.

    # the first line is used only if we are accepting the default route #
     
    /routing filter
    add action=accept chain=IP_TRANSIT_IPv6_IN prefix=::/0
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=100::/64 prefix-length=64-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2002::/16 prefix-length=16-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fc00::/7 prefix-length=7-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fe80::/10 prefix-length=10-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fec0::/10 prefix-length=10-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=ff00::/8 prefix-length=8-128
    add action=discard chain=IP_TRANSIT_IPv6_IN prefix=::/0 prefix-length=65-128
    add action=accept chain=IP_TRANSIT_IPv6_IN
     
    # We also apply filters in the Perú IX (PIT Peru sac) chain; although the Route Servers apply filters of their own, it is important to always apply filters anyway #
    /routing filter
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=100::/64 prefix-length=64-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2002::/16 prefix-length=16-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fc00::/7 prefix-length=7-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fe80::/10 prefix-length=10-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fec0::/10 prefix-length=10-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=ff00::/8 prefix-length=8-128
    add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0 prefix-length=65-128
    add action=accept chain=PIT_PERU_sac_IPv6_IN

    Create the BGP peer with your IP transit provider.

    # Change the instance to the one that applies in your case, and likewise the remote-address and remote-as #
    /routing bgp peer add name=IP_TRANSIT_IPv4 instance=AS123456 remote-address=198.51.100.1 remote-as=1200 in-filter=IP_TRANSIT_IPv4_IN out-filter=IP_TRANSIT_IPv4_OUT remove-private-as=yes
    # Change the instance to the one that applies in your case, and likewise the remote-address and remote-as #
    /routing bgp peer add name=IP_TRANSIT_IPv6 instance=AS123456 remote-address=2803:dd99:1111::1 remote-as=1200 in-filter=IP_TRANSIT_IPv6_IN out-filter=IP_TRANSIT_IPv6_OUT remove-private-as=yes address-families=ipv6

    Create the BGP peers with the Perú IX (PIT Peru sac) (pitperu.net) route servers.

    In this example, we are going to configure IPv4 and IPv6 sessions with both route servers at Perú IX (PIT Peru sac), namely RS1 and RS2. In our example, the BGP password «peeringinperu» has been assigned to us.

    /routing bgp peer add name=PIT_PERU_sac_RS1_IPv4 instance=AS123456 remote-address=45.183.47.1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
    /routing bgp peer add name=PIT_PERU_sac_RS2_IPv4 instance=AS123456 remote-address=45.183.47.2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
     
    /routing bgp peer add name=PIT_PERU_sac_RS1_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6
    /routing bgp peer add name=PIT_PERU_sac_RS2_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6

    Define the prefixes you are going to announce

    Here we need to replace the prefixes with the ones assigned by LACNIC; we will announce the block both as a /22 and as /24s. In IPv6 we will announce it only as a /32 for now.

    /routing bgp network add network=100.100.100.0/22 synchronize=no
    /routing bgp network add network=100.100.100.0/24 synchronize=no
    /routing bgp network add network=100.100.101.0/24 synchronize=no
    /routing bgp network add network=100.100.102.0/24 synchronize=no
    /routing bgp network add network=100.100.103.0/24 synchronize=no
     
    /routing bgp network add network=2803:cd10::/32 synchronize=no

    Verify the functionality.

    Check the status of BGP Peers. If they are operational, the status should indicate "Established." If it shows "Connect" or "Idle," it means there is a misconfiguration either on your side or on the provider's side.

       /routing bgp peer print

    We hope this guide makes it easy and safe for you to explore the wonderful world of BGP.

    BGP limitations in Mikrotik RouterOS

    Because of the large number of questions, I am sharing a list of the limitations that BGP has in RouterOS, at least in version 6.x.x.

  • Changes in BGP filters are not reflected in the routes received from or sent to a BGP peer. To resolve this issue, you can try disabling and re-enabling the filters in the corresponding chain. If that doesn't work, you may need to change the order of the filters. Also, keep in mind that you need to be patient with BGP in RouterOS, as it is a single-core process. This doesn't impact routing itself, but it's important to verify the changes after implementation to ensure they have taken effect.
  • The list of advertisements is not displayed in the Winbox graphical interface; this is another well-known limitation. To work around it, open the Terminal and enter the command «/routing bgp advertisements print».
  • Slow convergence time is observed because BGP in RouterOS 6.x is a single-core process and, as a result, cannot take advantage of multiple cores.
  • When receiving a full BGP table (DFZ) from a BGP peer, the display of all routes in the Winbox graphical interface is very slow. My advice is to use regular expressions and the "/ip route print..." command instead of viewing routes through the graphical interface.

    These aspects don't necessarily mean that BGP is flawed in RouterOS; you just have to learn to live with these limitations and keep them in mind.