{"id":365,"date":"2015-10-29T20:05:06","date_gmt":"2015-10-29T20:05:06","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=365"},"modified":"2015-11-09T17:21:43","modified_gmt":"2015-11-09T17:21:43","slug":"basic-mikrotik-bgp-filter-rules","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/basic-mikrotik-bgp-filter-rules\/","title":{"rendered":"Basic Mikrotik BGP filter rules"},"content":{"rendered":"<p>Below are some basic filter rules for Mikrotik BGP filtering. \u00a0These are not complex and can be very easily implemented on your BGP peers.<\/p>\n<p>Before we get to the code there are a few assumptions:<br \/>\n1. Your own IP space in this example is 1.1.1.0\/22<br \/>\n2. These filters are not fancy and are geared toward upstream ISPs, not your own internal routers or clients.<br \/>\n3. If you copy and paste the code below, make sure there is one command per line. \u00a0Some browsers will cut the line off and then it won&#8217;t paste right. \u00a0If in doubt, paste it into notepad, textedit, etc. and clean it up.<\/p>\n<pre class=\"p1\">\/routing filter\r\nadd action=discard chain=INET-IN comment=\"BEGIN INET-IN\" prefix=127.0.0.0\/8 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=10.0.0.0\/8 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=169.254.0.0\/16 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=172.16.0.0\/12 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=192.168.0.0\/16 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=224.0.0.0\/3 protocol=bgp\r\nadd action=discard chain=INET-IN prefix=1.1.1.0\/22 protocol=bgp\r\nadd action=discard chain=INET-IN prefix-length=25-32 protocol=bgp\r\nadd action=discard chain=INET-IN protocol=bgp\r\nadd action=accept chain=INET-OUT comment=\"BEGIN INET OUT\" prefix=1.1.1.0\/22 protocol=bgp\r\nadd action=discard chain=INET-OUT protocol=bgp<\/pre>\n<p>So what does this do?<br \/>\n-The first 6 lines filter out non-routable IP space. 
\u00a0There should be no reason these are being advertised to you from the public internet.<\/p>\n<p>-Next we are saying if we see our own IP space being advertised to us (in this case 1.1.1.0\/22), discard that. \u00a0There should be no reason we see our own IP space on a public peer.<\/p>\n<p>-The next line filters out prefixes that are a \/25 and smaller. \u00a0Just about every provider out there has a minimum size of a \/24 they will accept as an advertisement. \u00a0If you are getting anything smaller, it&#8217;s good practice to drop that. \u00a0If there happen to be smaller prefixes, they can be sent to a default route to the provider. \u00a0This helps trim your routing table, which makes lookups and convergence time quicker.<\/p>\n<p>Under the INET-OUT rules we are advertising our IP space to our upstream.<\/p>\n<p>Pretty simple, eh? We could get complicated and add in chains and more rules, but this is a start. \u00a0We will do some more advanced rules in a later post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Below are some basic Filter Rules for Mikrotik BGP filtering. \u00a0These are not complex and can be very easily implemented on your BGP peers. 
Before we get to the code there are a few assumptions 1.Your own IP space in this example is 1.1.1.0\/22 2.These filters are not fancy and are geared toward upstream ISPs, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[24,17],"tags":[209,13,107,210,25],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-5T","jetpack-related-posts":[{"id":1309,"url":"http:\/\/www.mtin.net\/blog\/how-i-learned-to-love-bgp-communities-and-so-can-you\/","url_meta":{"origin":365,"position":0},"title":"How I learned to love BGP communities, and so can you","author":"j2sw","date":"July 6, 2016","format":false,"excerpt":"BGP communities can be a powerful, but almost mystical thing. \u00a0If you aren't familiar with communities start here at Wikipedia. \u00a0For the purpose of part one of this article we will talk about communities and how they can be utilized for traffic coming into your network.\u00a0Part two of this article\u2026","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":443,"url":"http:\/\/www.mtin.net\/blog\/how-does-bgp-select-which-route\/","url_meta":{"origin":365,"position":1},"title":"How does BGP select which route?","author":"j2sw","date":"November 26, 2015","format":false,"excerpt":"BGP can be a complex and almost mystical protocol. 
For those of you who are trying to determine how BGP selects which route here is your guide. Before we get into it a couple of things to keep in mind. First, BGP is not a multipath routing protocol. This is\u2026","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":284,"url":"http:\/\/www.mtin.net\/blog\/helpful-mikrotik-bgp-route-print\/","url_meta":{"origin":365,"position":2},"title":"Helpful Mikrotik BGP route print","author":"j2sw","date":"May 2, 2015","format":false,"excerpt":"\/ip route print where received-from=<PEERNAME> Replace <PEERNAME> with the name of one of your peers to show the routes received from that particular BGP peer.","rel":"","context":"In \"advertisments\"","block_context":{"text":"advertisments","link":"http:\/\/www.mtin.net\/blog\/tag\/advertisments\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":183,"url":"http:\/\/www.mtin.net\/blog\/bgp-lockdown-hints\/","url_meta":{"origin":365,"position":3},"title":"BGP lockdown hints","author":"j2sw","date":"September 29, 2014","format":false,"excerpt":"As I am preparing talks for the upcoming WISPAPALOOZA 2014 in Las Vegas I am making some notes on advanced BGP. \u00a0If you are running BGP, and want to lock it down a little here are some general hints. \u00a0If you want more attend my session in Vegas or look\u2026","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1178,"url":"http:\/\/www.mtin.net\/blog\/mikortik-user-meet-2016-presentation\/","url_meta":{"origin":365,"position":4},"title":"Mikortik User Meet 2016 Presentation","author":"j2sw","date":"May 8, 2016","format":false,"excerpt":"My powerpoint converted to PDF. 
Topics Include: Carrier Grade NAT Xbox & Nat BGP Tips mum-2016","rel":"","context":"In &quot;BGP&quot;","block_context":{"text":"BGP","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/bgp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2864,"url":"http:\/\/www.mtin.net\/blog\/mikrotik-mum-presentation-on-the-schedule\/","url_meta":{"origin":365,"position":5},"title":"Mikrotik MUM presentation on the schedule","author":"j2sw","date":"February 19, 2019","format":false,"excerpt":"It's official.\u00a0 Day 1, last presentation of the day.\u00a0https:\/\/mum.mikrotik.com\/2019\/US\/info\/EN","rel":"","context":"In &quot;Mikrotik&quot;","block_context":{"text":"Mikrotik","link":"http:\/\/www.mtin.net\/blog\/category\/mikrotik\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=350%2C200 1x, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-19-at-3.38.53-PM-3.png?resize=700%2C400 
2x"},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/365"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=365"}],"version-history":[{"count":4,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/365\/revisions"}],"predecessor-version":[{"id":409,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/365\/revisions\/409"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}