hjoelr
newbie
Topic Author
Posts: 35
Joined: Mon Apr 28, 2008 11:29 pm

v7 OSPF: Out filter being ignored?

Fri Oct 14, 2022 7:01 pm

I'm on RouterOS 7.5. I have a VPN tunnel between locations and running OSPF over that tunnel. Something like this:
[Image: OSPF-diagram.jpg]
The issue I ran into (even back on ROSv6) was that the 66.2.148.252/29 route from R1 would be sent to R2, designating 10.200.0.1 as the next hop for that route. The same would happen the other way also. Once these routes were distributed, the tunnel would drop because R1 and R2 were now sending tunnel management traffic not directly between 66.2.148.252 and 203.30.61.30, but instead between 10.200.0.1 and 10.200.0.2. This would cause the tunnel to be in a continuous cycle of going down and coming back up until OSPF redistributed the route. I solved this in ROSv6 by creating an OSPF out-filter on both routers that would not distribute the external IP's route to the other routers.

Now in ROSv7, I'm trying to do the same thing. However, I can't seem to get the out-filter to prevent the route from being distributed. Here's my config. I'll readily admit that I don't understand many of the options of OSPF in ROSv7, so there's a good chance I'm doing something else wrong.

R1
/ip address
add address=66.2.148.252/29 interface=ether1 network=66.2.148.248
add address=10.200.0.1/30 interface=wireguard-site2site network=10.200.0.0
---SNIP---
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"
/routing ospf instance
add disabled=no name=ospf-v2-instance out-filter-chain=ospf-out router-id=\
    OSPF_ID
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-v2-instance name=site-to-site
/routing ospf interface-template
add area=site-to-site disabled=no networks=10.200.0.0/30,0.0.0.0/0 type=ptp

R2
/ip address
add address=203.30.61.30/29 interface=ether1 network=203.30.61.24
add address=10.200.0.2/30 interface=wireguard-site2site network=10.200.0.0
---SNIP---
/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 203.30.61.30/29 ) { reject; }"
/routing ospf instance
add disabled=no name=ospf-v2-instance out-filter-chain=ospf-out router-id=\
    OSPF_ID
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-v2-instance name=site-to-site
/routing ospf interface-template
add area=site-to-site disabled=no networks=10.200.0.0/30,0.0.0.0/0 type=ptp

When OSPF connects up, it's as if my out rules don't exist and it happily distributes those routes. Could someone tell me what I'm doing wrong?
 
hjoelr
newbie
Topic Author
Posts: 35
Joined: Mon Apr 28, 2008 11:29 pm

Re: v7 OSPF: Out filter being ignored?  [SOLVED]

Sat Oct 15, 2022 12:17 am

I think I got it figured out. There were actually two things I needed to change.

1. I was using the /routing ospf interface-template add ...networks= attribute with the 0.0.0.0/0 network. Apparently MikroTik ignores the filter rules if the default network is being used. I switched to using the /routing ospf interface-template add ...interfaces= parameter.

2. My routes were not being shared when using the /routing ospf interface-template add ...interfaces= parameter and the following filter

/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"

Apparently filter rules default to reject unless there is an accept rule. I found that I needed to do one of two things. (1) Add an "else" path to the filter rule like this:

/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; } else { accept; }"

or (2) add a "catch all" rule to accept anything not rejected like this:

/routing filter rule
add chain=ospf-out disabled=no rule="if ( dst in 66.2.148.252/29 ) { reject; }"
add chain=ospf-out disabled=no rule="accept;"

The second option gives a little more flexibility if you want multiple "reject" rules and don't want to combine it all into one.
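
The fall-through behaviour described in the post above, as a small Python model (an added example, not RouterOS code and not the poster's). It assumes what the post reports: a chain is walked in order, the first rule that yields an action decides, and a route that no rule decides is rejected. The 192.168.10.0/24 LAN route and the normalisation of 66.2.148.252/29 to its network address are constructed assumptions of the model.

```python
import ipaddress

DEFAULT_ACTION = "reject"  # assumption taken from the post: no decision means reject


def dst_in(prefix):
    """Model of `dst in PREFIX`: true when the route lies inside PREFIX.

    strict=False normalises 66.2.148.252/29 to 66.2.148.248/29 (model assumption).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return lambda route: route.subnet_of(net)


def always(route):
    """Condition for an unconditional rule such as `accept;`."""
    return True


def evaluate(chain, dst):
    """Walk the chain in order; the first rule that yields an action decides."""
    route = ipaddress.ip_network(dst)
    for cond, on_match, on_else in chain:
        action = on_match if cond(route) else on_else
        if action is not None:
            return action
    return DEFAULT_ACTION  # nothing decided: fail closed


WAN = "66.2.148.252/29"
# The three ospf-out chains from the thread, as (condition, then, else) tuples.
REJECT_ONLY = [(dst_in(WAN), "reject", None)]
ELSE_ACCEPT = [(dst_in(WAN), "reject", "accept")]
CATCH_ALL = [(dst_in(WAN), "reject", None), (always, "accept", None)]

# Constructed sample routes: R1's WAN subnet and a hypothetical LAN behind R1.
ROUTES = ["66.2.148.248/29", "192.168.10.0/24"]


def results(chain):
    """Return the action each sample route receives from the given chain."""
    return {dst: evaluate(chain, dst) for dst in ROUTES}


if __name__ == "__main__":
    for name, chain in [("reject only", REJECT_ONLY),
                        ("else accept", ELSE_ACCEPT),
                        ("catch-all", CATCH_ALL)]:
        print(f"{name:12} {results(chain)}")
```

With the reject-only chain both sample routes are dropped, which matches the "routes were not being shared" symptom; the other two chains drop only the WAN subnet.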
