Categories
Mikrotik Networking

Basic Mikrotik BGP filter rules

Below are some basic filter rules for Mikrotik BGP filtering. They are not complex and can be implemented very easily on your BGP peers.

Before we get to the code there are a few assumptions:
1. Your own IP space in this example is 1.1.1.0/22.
2. These filters are not fancy and are geared toward upstream ISPs, not your own internal routers or clients.
3. If you copy and paste the code below, make sure there is one command per line. Some browsers will cut the line off and then it won’t paste right. If in doubt, paste it into Notepad, TextEdit, etc. and clean it up.

/routing filter
add action=discard chain=INET-IN comment="BEGIN INET-IN" prefix=127.0.0.0/8 protocol=bgp
add action=discard chain=INET-IN prefix=10.0.0.0/8 protocol=bgp
add action=discard chain=INET-IN prefix=169.254.0.0/16 protocol=bgp
add action=discard chain=INET-IN prefix=172.16.0.0/12 protocol=bgp
add action=discard chain=INET-IN prefix=192.168.0.0/16 protocol=bgp
add action=discard chain=INET-IN prefix=224.0.0.0/3 protocol=bgp
add action=discard chain=INET-IN prefix=1.1.1.0/22 protocol=bgp
add action=discard chain=INET-IN prefix-length=25-32 protocol=bgp
add action=discard chain=INET-IN protocol=bgp
add action=accept chain=INET-OUT comment="BEGIN INET OUT" prefix=1.1.1.0/22 protocol=bgp
add action=discard chain=INET-OUT protocol=bgp

So what does this do?
-The first 6 lines filter out non-routable IP space (loopback, private, link-local and multicast/reserved ranges). There should be no reason any of these are being advertised to you from the public internet.

-Next we say that if we see our own IP space being advertised to us (in this case 1.1.1.0/22), discard it. There should be no reason we see our own IP space on a public peer.

-The next line filters out prefixes that are a /25 or smaller. Just about every provider out there has a minimum size of a /24 that they will accept as an advertisement, so if you are getting anything smaller it is good practice to drop it. If there happen to be smaller prefixes, they can be reached through a default route to the provider. This helps trim your routing table, which makes lookups and convergence quicker.

Under the INET-OUT rules we advertise our own IP space to the upstream and discard everything else.

Pretty simple, eh? We could get complicated and add more chains and rules, but this is a start. We will do some more advanced rules in a later post.

Categories
Mikrotik Networking xISP

BGP lockdown hints

As I am preparing talks for the upcoming WISPAPALOOZA 2014 in Las Vegas, I am making some notes on advanced BGP. If you are running BGP and want to lock it down a little, here are some general hints. If you want more, attend my session in Vegas or look here afterwards for the full rundown.

General hints for BGP filters:

1. Filter all the bogon addresses unless you have a specific need. If you have to ask, you probably don’t have a need, so filter them. Bogons are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16

2. Don’t accept your own IP space from upstreams. There should be no reason anyone other than a downstream customer is advertising your own IP space back to you. By downstream I mean someone you have assigned your own IP space to.

3. Limit the maximum number of prefixes your router will accept.

4. Most ISPs don’t announce anything smaller than a /24. Configure your filters not to accept anything smaller than a /24 unless you have a specific need to do so.

5. Separate iBGP from eBGP.

6. Understand the defaults for the platform you are using.
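As an added example (not code from either post, and not RouterOS code), here is a small Python simulator of the first post's INET-IN chain, extended with a prefix count for hint 3 above. It assumes containment matching (the intent the posts describe) and treats the post's 1.1.1.0/22 as the 1.1.0.0/22 block; confirm your RouterOS version's prefix/prefix-length matching before relying on it.

```python
"""Simulate the post's INET-IN chain top to bottom, first match wins.
Added example; matching is by containment, not RouterOS semantics."""
from ipaddress import ip_network

# The post writes 1.1.1.0/22; strict=False normalises it to 1.1.0.0/22.
OWN_SPACE = ip_network("1.1.1.0/22", strict=False)
# Rules 1-6 of the post: non-routable / bogon space.
BOGONS = [ip_network(p) for p in (
    "127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
TOO_SPECIFIC = range(25, 33)  # rule 8: prefix-length=25-32

def inet_in(prefix, final_discard=True):
    """Return (action, reason) for one received prefix.
    final_discard=True reproduces the post's last INET-IN rule, an
    unconditional discard; False shows what the explicit rules pass."""
    net = ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if net.subnet_of(bogon):
            return "discard", f"bogon {bogon}"
    if net.subnet_of(OWN_SPACE):
        return "discard", f"own space {OWN_SPACE}"
    if net.prefixlen in TOO_SPECIFIC:
        return "discard", f"/{net.prefixlen} is more specific than /24"
    if final_discard:
        return "discard", "catch-all discard at end of chain"
    return "accept", "no rule matched"

def run(prefixes, max_prefixes=None, final_discard=True):
    """Apply the chain to a list; max_prefixes mimics hint 3 (counted here)."""
    accepted, decisions = 0, []
    for p in prefixes:
        action, reason = inet_in(p, final_discard)
        if action == "accept":
            if max_prefixes is not None and accepted >= max_prefixes:
                action, reason = "discard", "max-prefix limit reached"
            else:
                accepted += 1
        decisions.append((p, action, reason))
    return decisions

# Constructed sample announcements (not from the post).
SAMPLE = ["10.20.0.0/16", "192.168.1.0/24", "225.1.0.0/16", "1.1.2.0/24",
          "1.1.0.0/22", "203.0.113.128/25", "203.0.113.0/24",
          "198.51.100.0/22"]

if __name__ == "__main__":
    for p, action, reason in run(SAMPLE, final_discard=False):
        print(f"{p:>18}  {action:<7}  {reason}")
```

Running it with the default final_discard=True shows that the chain exactly as posted discards every announcement, which is worth checking before deploying it inbound.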