
Forwarding Protocols • BGP RTBH Blackhole Flag Not Removed When Community is Withdrawn

Hello everyone,

I am facing an issue with Remote Triggered Black Hole (RTBH) filtering in MikroTik RouterOS 7.
Setup:

My CE router advertises prefixes with the 65535:666 community to trigger blackholing on the PE router.
MikroTik recommends using the following BGP input filter on the PE to implement RTBH:
Code:
    if (bgp-communities includes 65535:666) {
        set blackhole yes;
        accept;
    }
This works as expected: when the CE sends a prefix with 65535:666, the PE correctly blackholes it.

Issue:

When the CE removes the 65535:666 community from a prefix, the PE does not remove the blackhole flag.
The prefix remains blackholed on the PE even though it no longer has the RTBH community.

Temporary Workaround:

To mitigate this, I added the following rule to explicitly unset the blackhole flag when 65535:666 is not present:
Code:
    else {
        set blackhole no;
        accept;
    }
However, I am concerned that using else may unintentionally match other prefixes that should not be modified.
Question:

Is there a better way to ensure that the blackhole flag is removed only when the prefix was previously blackholed but no longer carries 65535:666?

Any suggestions or best practices would be appreciated.

Thanks!

Statistics: Posted by irghost — Wed Jan 29, 2025 10:01 am
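
A small model of the behaviour described in the post, added here as an illustration and not code from the poster or from MikroTik: it replays a constructed update sequence through the `if` rule with and without the `else` branch, then audits the resulting table for routes that are still flagged blackhole without carrying 65535:666. The `Route` record, the function names, the extra community and the assumption that the flag persists until a rule sets it are all hypothetical.

```python
from dataclasses import dataclass

RTBH = "65535:666"  # blackhole community used in the post

@dataclass
class Route:
    prefix: str
    communities: frozenset
    blackhole: bool = False

def receive(rib, prefix, communities, with_else, else_hits):
    """Pass one update through a model of the post's input filter.

    Assumption: the flag stays on the stored route until a rule sets it,
    which is the behaviour the post reports, not documented RouterOS logic.
    """
    old = rib.get(prefix)
    flag = old.blackhole if old else False
    if RTBH in communities:          # if (bgp-communities includes 65535:666)
        flag = True                  # set blackhole yes
    elif with_else:                  # the workaround's else branch
        flag = False                 # set blackhole no
        else_hits.append(prefix)     # record every prefix this branch touched
    rib[prefix] = Route(prefix, frozenset(communities), flag)

def stale_blackholes(rib):
    """Audit: routes still flagged blackhole that no longer carry RTBH."""
    return sorted(r.prefix for r in rib.values()
                  if r.blackhole and RTBH not in r.communities)

# Constructed update sequence (documentation prefixes, made-up community).
UPDATES = [
    ("192.0.2.0/24", {"65000:100", RTBH}),   # CE triggers blackhole
    ("198.51.100.0/24", {"65000:100"}),      # ordinary prefix
    ("192.0.2.0/24", {"65000:100"}),         # CE removes the community
]

def run(with_else):
    """Replay UPDATES; return (stale blackholed prefixes, else-branch hits)."""
    rib, else_hits = {}, []
    for prefix, communities in UPDATES:
        receive(rib, prefix, communities, with_else, else_hits)
    return stale_blackholes(rib), else_hits

if __name__ == "__main__":
    print("if only :", run(False))
    print("if/else :", run(True))
```

In this model the `else` branch clears the stale flag, but it also runs for every prefix that lacks the community, which is the side effect the post is concerned about.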


