3.235.147.50

BGP on Mikrotik

BGP on Mikrotik

Enable IPv6 on your router

The first thing we will do is enable IPv6 on our Mikrotik Router

system package enable ipv6
system reboot 
y

This will restart the computer, and when it comes back, it will have a new menu named IPv6

We will also set a longer arp-timeout to be a good citizen, 4 hours is usually a fairly prudent time that avoids sending updates every 5 minutes.

/ip settings set arp-timeout=04:00:00

Define the IPv4 and IPv6 addresses of your interfaces for IP transit, Perú IX (PIT Peru sac) (pitperu.net), and your internal network

Assumptions for the example:

·  The ASN granted by LACNIC to our organization is AS 123456

·  IPv4 block assigned by LACNIC is100.100.100.0/22

·  IPv6 block assigned by LACNIC is 2803:cd10::/32

·  IPv4 address for the point to point link of the IP transit provider198.51.100.2/30 (where the equipment on the side of the IP transit provider against which we will do the BGP is 198.51.100.1)

·  IPv6 address for the point-to-point link of the IP transit provider2803:dd99:1111::2/126(where the equipment on the side of the IP transit provider against which we will do the BGP is 2803:dd99:1111::1 )

·  IPv4 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is45.183.47.254/24

·  IPv6 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 2803:cd60:6411:5::ff/64

Configure the IPv4 and IPv6 addresses granted by LACNIC on a loopback interface

The first thing to do is to create a loopback interface and assign it to the IPv4 and IPv6 addresses granted by LACNIC. Another option is to assign an IP to another interface or a static route to another router.

/interface bridge add name=loopback
#change la 100.100.100.1/22 for the first IPv4 of the range assigned by LACNIC #
/ip address add address=100.100.100.1/22 interface=loopback 
#cambiar la 2803:cd10::/32 por la primera IPv6 del rango asignado por LACNIC#
/ipv6 address add address=2803:cd10::/32 advertise=no interface=loopback  

Then we are going to define the IPv4 and IPv6 addresses of the IP transit provider, in case they are not already defined on the device:

#cambiar la 198.51.100.2/30 por la IPv4 otorgada por tu Proveedor de IP transit#
/ip address add address=198.51.100.2/30 interface=IP_TRANSIT
#cambiar la 2803:dd99:1111::2/126 por la IPv6 otorgada por tu Proveedor de IP transit#
/ipv6 address add address=2803:dd99:1111::2/126 advertise=no interface=IP_TRANSIT

Finally, we are going to configure the IP addresses granted by Perú IX (PIT Peru sac)

#cambiar la 45.183.47.254/24 por la IPv4 asignada por Perú IX (PIT Peru sac)#
/ip address add address=45.183.47.254/24 interface=PIT_PERU_sac 
#cambiar la 2803:cd60:6411:5::ff/64 por la IPv6 asignada por Perú IX (PIT Peru sac)#
/ipv6 address add address=2803:cd60:6411:5::ff/64 advertise=no interface=PIT_PERU_sac

Enter the ASN of your organization (the ASN granted by LACNIC)

In our example, we are going to assume that LACNIC gave us ASN 123456, in router-id we are going to put our first public IPv4 address.

# change the name to the name you like, the ace to your ASN number granted by LACNIC and in route-id you can use the IP of the loopback or another #
/routing bgp instance add name=AS123456 as=123456 router-id=100.100.100.1

Create the Routing Filters for the OUT and IN chains

Before starting the BGP sessions, it is VERY IMPORTANT to create security filters for both input and output.

Important: in the filters the order of the factors does matter, the first index of each chain is always processed first.

IPv4 output filters (OUT)

 #change the 100.100.100.0/22 with your prefix assigned by LACNIC #
 
/routing filter
add action=accept chain=IP_TRANSIT_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22
add action=discard chain=IP_TRANSIT_IPv4_OUT
 
 
#change the 100.100.100.0/22 with your prefix assigned by LACNIC. It is important that we are going to send more specific prefixes to IX, in this case / 24s #
 
/routing filter
add action=accept chain=PIT_PERU_sac_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22-24
add action=discard chain=PIT_PERU_sac_IPv4_OUT

IPv6 output filters (OUT)

# change 2803: cd10 :: / 32 with your IPv6 prefix assigned by LACNIC #
 
/routing filter
add action=accept chain=IP_TRANSIT_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32
add action=discard chain=IP_TRANSIT_IPv6_OUT
 
 
#change 2803: cd10 :: / 32 with your IPv6 prefix assigned by LACNIC. It is important that we will send more specific prefixes to IX, in this case / 48s #
 
/routing filter
add action=accept chain=PIT_PERU_sac_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32-48
add action=discard chain=PIT_PERU_sac_IPv6_OUT

Why do we advertise to the IP transit provider / 22 (a less specific prefix) and to the Perú IX (PIT Peru sac) multiple / 24 (more specific)?

This is important to ensure that the path via the Perú IX (PIT Peru sac) is preferred over the IP transit, and thus avoid that traffic that could be served via Perú IX (PIT Peru sac) is instead served via IP transit

IPv4 input (IN) filters

Here we must make the decision if we ask the IP transit provider to send us the default route only or if we ask for the DFZ (full BGP table without a default route, also known as Full BGP)

# we will only use this first line if we are accepting default route #
 
/routing filter
add action=accept chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.0.8.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.51.0.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=IP_TRANSIT_IPv4_IN
 
 
 
In the filters of the Perú IX (PIT Peru sac) chain we will also apply filters, although the Route Servers apply filters it is important to always apply filters anyway #
 
/routing filter
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.0.8.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.51.0.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=PIT_PERU_sac_IPv4_IN

Ingress Filters (IN) IPv6

Here we must accept all the prefixes that the Perú IX (PIT Peru sac) sends us except those that are recommended in the filtering of good practices

# the first line will only be used if we accept the default path #
 
/routing filter
add action=accept chain=IP_TRANSIT_IPv6_IN prefix=::/0
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=100::/64 prefix-length=64-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2002::/16 prefix-length=16-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fc00::/7 prefix-length=7-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fe80::/10 prefix-length=10-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fec0::/10 prefix-length=10-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=ff00::/8 prefix-length=8-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=::/0 prefix-length=65-128
add action=accept chain=IP_TRANSIT_IPv6_IN
 
#In the filters of the Perú IX (PIT Peru sac) chain we will also apply filters, although the Route Servers apply filters it is important to always apply filters anyway #
/routing filter
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=100::/64 prefix-length=64-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2002::/16 prefix-length=16-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fc00::/7 prefix-length=7-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fe80::/10 prefix-length=10-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fec0::/10 prefix-length=10-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=ff00::/8 prefix-length=8-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0 prefix-length=65-128
add action=accept chain=PIT_PERU_sac_IPv6_IN

Create the BGP Peer with your IP transit Provider

In our example, our IP transit provider has the ASN 1200, who in our example will use the IP 198.51.100.1. The value 1200 should be replaced by the ASN of your IP transit provider and 198.51.100.1 by the IP for the BGP of the gateway that your IP transit provider gives you.

#Change the instance for the one that corresponds in your case, the same in the remote-address and remote-as #
/routing bgp peer add name=IP_TRANSIT_IPv4 instance=AS123456 remote-address=198.51.100.1 remote-as=1200 in-filter=IP_TRANSIT_IPv4_IN out-filter=IP_TRANSIT_IPv4_OUT remove-private-as=yes
#Change the instance for the one that corresponds in your case, the same in the remote-address and remote-as #
/routing bgp peer add name=IP_TRANSIT_IPv6 instance=AS123456 remote-address=2803:dd99:1111::1 remote-as=1200 in-filter=IP_TRANSIT_IPv6_IN out-filter=IP_TRANSIT_IPv6_OUT remove-private-as=yes address-families=ipv6

Create the BGP Peers with the Route Servers of the Perú IX (PIT Peru sac) (pitperu.net)

In this example we are going to configure both Route Server IPv4 and IPv6 of Perú IX (PIT Peru sac), that is, RS1 and RS2, in our example we were assigned the BGP password “peeringinperu”

/routing bgp peer add name=PIT_PERU_sac_RS1_IPv4 instance=AS123456 remote-address=45.183.47.1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
/routing bgp peer add name=PIT_PERU_sac_RS2_IPv4 instance=AS123456 remote-address=45.183.47.2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
 
/routing bgp peer add name=PIT_PERU_sac_RS1_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6
/routing bgp peer add name=PIT_PERU_sac_RS2_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6

Define the prefixes that you are going to announce

Here we will have to change the prefixes for those assigned by LACNIC and we will announce it as both / 22 and / 24s. In IPv6 we will announce it for now only as a / 32.

/routing bgp network add network=100.100.100.0/22 synchronize=no
/routing bgp network add network=100.100.100.0/24 synchronize=no
/routing bgp network add network=100.100.101.0/24 synchronize=no
/routing bgp network add network=100.100.102.0/24 synchronize=no
/routing bgp network add network=100.100.103.0/24 synchronize=no
 
/routing bgp network add network=2803:cd10::/32 synchronize=no

Check operation

Check the status of the BGP Peers, if they are operational they should say status Established, if it says Connect or Idle it means that something is not well configured on your side or that of the provider.

   /routing bgp peer print

I hope this guide helps you to enter the beautiful world of BGP in an easy and safe way.

Limitations of BGP in Mikrotik RouterOS

Due to a large number of questions, I share with you a list of the limitations that RouterOS has, at least in its version 6.x.x with BGP

·         Changes in BGP filters are not reflected in the routes received or sent to a BGP Peer. To solve this, you can turn off and on again the filters of the corresponding chain, if it does not work, you can change the order of the filters. And remember you have to be patient with BGP on RouterOS, as it is a single-core process only. It does not affect the routing itself, but it is important to check after making a change to make sure you have made it.

·         It does not show the Advertisements list in the Winbox GUI, and this is another well-known limitation, the way to solve it is to open the Terminal and type the command / routing bgp advertisements print

·         Slow convergence time, because BGP in RouterOS 6.x is a single-core process, and therefore cannot take advantage of the multiple CPU cores.

·         When getting the full BGP table (DFZ) from a BGP peer, it is very slow to display all routes in the Winbox GUI. My advice is to use regex and use the command / ip route print … instead of viewing the routes via the GUI.

·         These points do not mean that BGP is wrong in RouterOS at all, simply that you have to learn to live with these limitations and keep them in mind.