The first thing we will do is enable IPv6 on our MikroTik router:
/system package enable ipv6
/system reboot
y
This will restart the router, and when it comes back, it will have a new menu named IPv6.
We will also set a longer arp-timeout to be a good citizen; 4 hours is usually a fairly prudent time that avoids sending updates every 5 minutes.
/ip settings set arp-timeout=04:00:00
Assumptions for the example:
· The ASN granted by LACNIC to our organization is AS 123456
· The IPv4 block assigned by LACNIC is 100.100.100.0/22
· The IPv6 block assigned by LACNIC is 2803:cd10::/32
· The IPv4 address for the point-to-point link of the IP transit provider is 198.51.100.2/30 (where the equipment on the side of the IP transit provider against which we will do the BGP is 198.51.100.1)
· The IPv6 address for the point-to-point link of the IP transit provider is 2803:dd99:1111::2/126 (where the equipment on the side of the IP transit provider against which we will do the BGP is 2803:dd99:1111::1)
· The IPv4 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 45.183.47.254/24
· The IPv6 address assigned by Perú IX (PIT Peru sac) (pitperu.net) is 2803:cd60:6411:5::ff/64
The first thing to do is to create a loopback interface and assign it the IPv4 and IPv6 addresses granted by LACNIC. Another option is to assign an IP to another interface or a static route to another router.
/interface bridge add name=loopback
# change 100.100.100.1/22 to the first IPv4 address of the range assigned by LACNIC
/ip address add address=100.100.100.1/22 interface=loopback
# change 2803:cd10::/32 to the first IPv6 address of the range assigned by LACNIC
/ipv6 address add address=2803:cd10::/32 advertise=no interface=loopback
Then we are going to define the IPv4 and IPv6 addresses of the IP transit provider, in case they are not already defined on the device:
# change 198.51.100.2/30 to the IPv4 address given to you by your IP transit provider
/ip address add address=198.51.100.2/30 interface=IP_TRANSIT
# change 2803:dd99:1111::2/126 to the IPv6 address given to you by your IP transit provider
/ipv6 address add address=2803:dd99:1111::2/126 advertise=no interface=IP_TRANSIT
Finally, we are going to configure the IP addresses granted by Perú IX (PIT Peru sac):
# change 45.183.47.254/24 to the IPv4 address assigned by Perú IX (PIT Peru sac)
/ip address add address=45.183.47.254/24 interface=PIT_PERU_sac
# change 2803:cd60:6411:5::ff/64 to the IPv6 address assigned by Perú IX (PIT Peru sac)
/ipv6 address add address=2803:cd60:6411:5::ff/64 advertise=no interface=PIT_PERU_sac
In our example, we are going to assume that LACNIC gave us ASN 123456. In router-id we are going to put our first public IPv4 address.
# change the name to whatever you like and as to your ASN granted by LACNIC; in router-id you can use the IP of the loopback or another
/routing bgp instance add name=AS123456 as=123456 router-id=100.100.100.1
Before starting the BGP sessions, it is VERY IMPORTANT to create security filters for both input and output.
Important: in the filters, order matters. The rules of each chain are processed in index order, starting with the first index.
# change 100.100.100.0/22 to your prefix assigned by LACNIC
/routing filter
add action=accept chain=IP_TRANSIT_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22
add action=discard chain=IP_TRANSIT_IPv4_OUT
# change 100.100.100.0/22 to your prefix assigned by LACNIC. Note that we are going to send more specific prefixes to the IX, in this case /24s
/routing filter
add action=accept chain=PIT_PERU_sac_IPv4_OUT prefix=100.100.100.0/22 prefix-length=22-24
add action=discard chain=PIT_PERU_sac_IPv4_OUT
# change 2803:cd10::/32 to your IPv6 prefix assigned by LACNIC
/routing filter
add action=accept chain=IP_TRANSIT_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32
add action=discard chain=IP_TRANSIT_IPv6_OUT
# change 2803:cd10::/32 to your IPv6 prefix assigned by LACNIC. Note that we will send more specific prefixes to the IX, in this case /48s
/routing filter
add action=accept chain=PIT_PERU_sac_IPv6_OUT prefix=2803:cd10::/32 prefix-length=32-48
add action=discard chain=PIT_PERU_sac_IPv6_OUT
Sending the more specific prefixes to the IX is important to ensure that the path via Perú IX (PIT Peru sac) is preferred over the IP transit, so that traffic that could be served via Perú IX (PIT Peru sac) is not served via IP transit instead.
Here we must decide whether we ask the IP transit provider to send us only the default route or whether we ask for the DFZ (the full BGP table without a default route, also known as Full BGP).
# we will only use this first line if we are accepting the default route
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are the RFC 5737 documentation ranges
/routing filter
add action=accept chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.0.2.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=198.51.100.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=IP_TRANSIT_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=IP_TRANSIT_IPv4_IN
# In the Perú IX (PIT Peru sac) chain we will also apply filters. Although the Route Servers apply filters, it is important to always apply our own anyway
/routing filter
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=45.183.47.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=100.64.0.0/10 prefix-length=10-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.0.2.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=198.51.100.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=PIT_PERU_sac_IPv4_IN prefix=0.0.0.0/0 prefix-length=25-32
add action=accept chain=PIT_PERU_sac_IPv4_IN
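To see why rule order matters in these inbound chains, the following added example (Python written for this page, not RouterOS code and not from the original guide) evaluates a subset of the IP_TRANSIT_IPv4_IN rules against constructed sample routes with first-match-wins logic. It assumes that a rule with only prefix= matches that exact prefix and that a rule with prefix-length= matches any route inside the prefix whose length falls in the range; the function and variable names are hypothetical.

```python
import ipaddress

def rule(action, prefix=None, lengths=None):
    """Build one rule; lengths is an inclusive (min, max) pair or None."""
    return (action, ipaddress.ip_network(prefix) if prefix else None, lengths)

def matches(r, route):
    _, net, lengths = r
    if net is None:
        return True                      # no matcher: applies to every route
    if lengths is None:
        return route == net              # assumption: bare prefix = exact match
    return lengths[0] <= route.prefixlen <= lengths[1] and route.subnet_of(net)

def evaluate(chain, route_text):
    """Return (action, rule index) of the first matching rule."""
    route = ipaddress.ip_network(route_text)
    for index, r in enumerate(chain):
        if matches(r, route):
            return r[0], index
    return "no-match", None

# Subset of the page's IP_TRANSIT_IPv4_IN chain, in the page's order.
TRANSIT_IN = [
    rule("accept", "0.0.0.0/0"),
    rule("discard", "45.183.47.0/24", (24, 32)),
    rule("discard", "10.0.0.0/8", (8, 32)),
    rule("discard", "100.64.0.0/10", (10, 32)),
    rule("discard", "192.168.0.0/16", (16, 32)),
    rule("discard", "0.0.0.0/0", (25, 32)),
    rule("accept"),
]
# Same rules with the catch-all accept moved to index 0 (a misordering).
MISORDERED = [TRANSIT_IN[-1]] + TRANSIT_IN[:-1]
# Full-table variant: the first (default-route) rule left out.
NO_DEFAULT_RULE = TRANSIT_IN[1:]

# Constructed sample routes, not taken from a real BGP feed.
SAMPLES = ["0.0.0.0/0", "10.20.0.0/16", "45.183.47.0/24",
           "8.8.8.0/24", "8.8.8.128/25"]

if __name__ == "__main__":
    for name, chain in [("page order", TRANSIT_IN), ("misordered", MISORDERED),
                        ("no default rule", NO_DEFAULT_RULE)]:
        print(name)
        for s in SAMPLES:
            print("  %-16s -> %s (rule %s)" % ((s,) + evaluate(chain, s)))
```

Under this model, leaving out the first rule does not reject a default route: 0.0.0.0/0 falls through to the final accept, so a full-table setup that must refuse a default needs an explicit discard like the one that opens the Perú IX chain.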
Here we must accept all the prefixes that Perú IX (PIT Peru sac) sends us, except those that good filtering practice recommends rejecting.
# the first line will only be used if we accept the default route
/routing filter
add action=accept chain=IP_TRANSIT_IPv6_IN prefix=::/0
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=100::/64 prefix-length=64-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=2002::/16 prefix-length=16-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fc00::/7 prefix-length=7-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fe80::/10 prefix-length=10-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=fec0::/10 prefix-length=10-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=ff00::/8 prefix-length=8-128
add action=discard chain=IP_TRANSIT_IPv6_IN prefix=::/0 prefix-length=65-128
add action=accept chain=IP_TRANSIT_IPv6_IN
# In the Perú IX (PIT Peru sac) chain we will also apply filters. Although the Route Servers apply filters, it is important to always apply our own anyway
/routing filter
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=100::/64 prefix-length=64-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:2::/48 prefix-length=48-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:10::/28 prefix-length=28-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2001:db8::/32 prefix-length=32-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=2002::/16 prefix-length=16-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=3ffe::/16 prefix-length=16-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fc00::/7 prefix-length=7-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fe80::/10 prefix-length=10-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=fec0::/10 prefix-length=10-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=ff00::/8 prefix-length=8-128
add action=discard chain=PIT_PERU_sac_IPv6_IN prefix=::/0 prefix-length=65-128
add action=accept chain=PIT_PERU_sac_IPv6_IN
In our example, our IP transit provider has the ASN 1200 and uses the IP 198.51.100.1. The value 1200 should be replaced by the ASN of your IP transit provider and 198.51.100.1 by the IP for the BGP of the gateway that your IP transit provider gives you.
# change the instance to the one that corresponds in your case, and likewise remote-address and remote-as
/routing bgp peer add name=IP_TRANSIT_IPv4 instance=AS123456 remote-address=198.51.100.1 remote-as=1200 in-filter=IP_TRANSIT_IPv4_IN out-filter=IP_TRANSIT_IPv4_OUT remove-private-as=yes
# change the instance to the one that corresponds in your case, and likewise remote-address and remote-as
/routing bgp peer add name=IP_TRANSIT_IPv6 instance=AS123456 remote-address=2803:dd99:1111::1 remote-as=1200 in-filter=IP_TRANSIT_IPv6_IN out-filter=IP_TRANSIT_IPv6_OUT remove-private-as=yes address-families=ipv6
In this example we are going to configure both the IPv4 and IPv6 Route Servers of Perú IX (PIT Peru sac), that is, RS1 and RS2. In our example we were assigned the BGP password "peeringinperu".
/routing bgp peer add name=PIT_PERU_sac_RS1_IPv4 instance=AS123456 remote-address=45.183.47.1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
/routing bgp peer add name=PIT_PERU_sac_RS2_IPv4 instance=AS123456 remote-address=45.183.47.2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv4_IN out-filter=PIT_PERU_sac_IPv4_OUT remove-private-as=yes
/routing bgp peer add name=PIT_PERU_sac_RS1_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::1 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6
/routing bgp peer add name=PIT_PERU_sac_RS2_IPv6 instance=AS123456 remote-address=2803:cd60:6411:5::2 remote-as=64115 tcp-md5-key=peeringinperu max-prefix-limit=12000 max-prefix-restart-time=360 in-filter=PIT_PERU_sac_IPv6_IN out-filter=PIT_PERU_sac_IPv6_OUT remove-private-as=yes address-families=ipv6
Here we will have to change the prefixes to those assigned by LACNIC, and we will announce the block as both a /22 and /24s. In IPv6 we will announce it for now only as a /32.
/routing bgp network add network=100.100.100.0/22 synchronize=no
/routing bgp network add network=100.100.100.0/24 synchronize=no
/routing bgp network add network=100.100.101.0/24 synchronize=no
/routing bgp network add network=100.100.102.0/24 synchronize=no
/routing bgp network add network=100.100.103.0/24 synchronize=no
/routing bgp network add network=2803:cd10::/32 synchronize=no
Check the status of the BGP peers. If they are operational, they should show the status Established; if it says Connect or Idle, something is not well configured on your side or on the provider's side.
/routing bgp peer print
I hope this guide helps you to enter the beautiful world of BGP in an easy and safe way.
Due to a large number of questions, I share with you a list of the limitations that RouterOS has with BGP, at least in its version 6.x.x:
· Changes in BGP filters are not reflected in the routes received or sent to a BGP peer. To solve this, you can turn the filters of the corresponding chain off and on again; if that does not work, you can change the order of the filters. And remember you have to be patient with BGP on RouterOS, as it is a single-core process only. It does not affect the routing itself, but it is important to check after making a change to make sure you have made it.
· It does not show the Advertisements list in the Winbox GUI. This is another well-known limitation; the way to solve it is to open the Terminal and type the command /routing bgp advertisements print
· Slow convergence time, because BGP in RouterOS 6.x is a single-core process and therefore cannot take advantage of multiple CPU cores.
· When getting the full BGP table (DFZ) from a BGP peer, it is very slow to display all routes in the Winbox GUI. My advice is to use regex and use the command /ip route print … instead of viewing the routes via the GUI.
· These points do not mean that BGP is wrong in RouterOS at all, simply that you have to learn to live with these limitations and keep them in mind.