First of all, BGP on Mikrotik can be configured from the CLI or from Winbox/Webadmin. I recommend using the CLI for BGP, because this protocol carries a lot of routes and displaying them in Winbox is painful.
Let’s assume that our AS number is AS12345, our IP address is 192.168.255.25, and our public IP range, received from RIPE or another similar organization, is 109.205.240.0/21.
The AS number of our peering ISP1 is AS11111 and its peering IP is 192.168.255.29. We will not use an MD5 password between peers in this example. Check the picture below:
Configuration of global routing process BGP
/routing bgp instance set default as=12345 redistribute-static=no redistribute-connected=no
/routing bgp network add network=109.205.240.0/21 synchronize=no
Setting first BGP peer ISP1
/routing bgp peer add remote-address=192.168.255.29 remote-as=11111 instance=default out-filter=AS11111-bgp-out in-filter=AS11111-bgp-in
Filters BGP-out – we allow announcement of our networks only. If the Mikrotik BGP process tries to announce other routes, they will be blocked by the filter.
/routing filter add action=accept chain=AS11111-bgp-out prefix=109.205.240.0/21 set-bgp-prepend=3
/routing filter add action=discard chain=AS11111-bgp-out
In our example ISP1 is a backup link, so the BGP-out filter needs a special rule. The accept rule above uses the AS-PATH prepending feature of BGP (set-bgp-prepend=3): it makes the path to our AS longer, so other ISPs will not forward incoming traffic through ISP1. As a result, all incoming traffic will come through ISP2, and ISP1 is a backup in case ISP2 is not working.
Filters BGP-in – we don’t want to accept “bad” IP networks, such as private ranges and bogons, and we don’t want to receive our own network from the Internet.
/routing filter add action=discard chain=AS11111-bgp-in prefix=10.0.0.0/8
/routing filter add action=discard chain=AS11111-bgp-in prefix=169.254.0.0/16
/routing filter add action=discard chain=AS11111-bgp-in prefix=192.168.0.0/16
/routing filter add action=discard chain=AS11111-bgp-in prefix=172.16.0.0/12
/routing filter add action=discard chain=AS11111-bgp-in prefix=224.0.0.0/4
/routing filter add action=discard chain=AS11111-bgp-in prefix=240.0.0.0/4
/routing filter add action=discard chain=AS11111-bgp-in prefix=127.0.0.0/8
/routing filter add action=discard chain=AS11111-bgp-in prefix=109.205.240.0/21
/routing filter add action=accept chain=AS11111-bgp-in
Now our BGP peering with ISP1 should be up.
Configuration of BGP peering with ISP2
/routing bgp peer add remote-address=10.10.10.101 remote-as=22222 instance=default out-filter=AS22222-bgp-out in-filter=AS22222-bgp-in
Filter BGP-out – output filter, we allow announcement of our networks only. Notice that there is no AS-PATH prepending rule, because ISP2 is the main one in our setup.
/routing filter add action=accept chain=AS22222-bgp-out prefix=109.205.240.0/21
/routing filter add action=discard chain=AS22222-bgp-out
Filter BGP-in – it’s similar to BGP-in for ISP1. We don’t accept “wrong” IP networks, such as private ranges and bogons, and we don’t want to receive our own network from the Internet.
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=10.0.0.0/8
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=169.254.0.0/16
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=192.168.0.0/16
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=172.16.0.0/12
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=224.0.0.0/4
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=240.0.0.0/4
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=127.0.0.0/8
/routing filter add action=discard chain=AS22222-bgp-in comment="" disabled=no prefix=109.205.240.0/21
/routing filter add action=accept chain=AS22222-bgp-in comment="" disabled=no set-bgp-local-pref=200
The last statement differs from the BGP-in filter for ISP1. I set local preference to 200 (the default value is 100). All routes received from ISP2 get the local-preference attribute set to 200. It means that all outgoing traffic will be forwarded to ISP2.
CLI commands, similar to Cisco show commands:
ip route print count-only
– shows the number of routes
routing bgp advertisements print "peer_name"
ip route print detail where "ip_address" in dst-address and bgp
ip route print where received-from="peer_name"
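To check that the BGP-in filters for ISP1 and ISP2 are doing their job, the prefixes actually received from a peer can be audited offline against the same discard list. The script below is an added example, not part of the original post; the function names and the sample prefix list are constructed for illustration, and it goes slightly beyond the exact prefixes in the filters by also flagging more-specific routes that fall inside them.

```python
import ipaddress

# Ranges discarded by the BGP-in filters on this page (ISP1 and ISP2 chains).
BOGONS = ["10.0.0.0/8", "169.254.0.0/16", "192.168.0.0/16", "172.16.0.0/12",
          "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8"]
OWN_PREFIX = "109.205.240.0/21"   # our own range from the page

_BOGON_NETS = [ipaddress.ip_network(p) for p in BOGONS]
_OWN_NET = ipaddress.ip_network(OWN_PREFIX)


def classify(prefix):
    """Return 'invalid', 'bogon', 'own' or 'ok' for one received prefix."""
    try:
        net = ipaddress.ip_network(prefix.strip(), strict=True)
    except ValueError:
        return "invalid"          # not a prefix, or host bits set
    if net.version != 4:
        return "invalid"          # the page's filters are IPv4 only
    # Containment, not equality: 10.20.0.0/16 is as unwanted as 10.0.0.0/8.
    if any(net.subnet_of(b) for b in _BOGON_NETS):
        return "bogon"
    if net.subnet_of(_OWN_NET):
        return "own"              # our own space coming back from the Internet
    return "ok"


def audit(received):
    """Return {prefix: reason} for every received prefix that should not be there."""
    findings = {}
    for prefix in received:
        verdict = classify(prefix)
        if verdict != "ok":
            findings[prefix] = verdict
    return findings


# Constructed sample, standing in for prefixes copied from the router's route table.
SAMPLE = ["8.8.8.0/24", "10.20.0.0/16", "109.205.244.0/24", "192.168.0.0/16",
          "172.32.0.0/16", "109.205.248.0/21", "not-a-prefix"]

if __name__ == "__main__":
    for prefix, reason in audit(SAMPLE).items():
        print(f"{prefix:20} {reason}")
```

Any finding other than an empty result means a route the filter was meant to discard is present in the list and the matching rule in the in-filter chain should be reviewed.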