I have a Mikrotik router running BGP towards two different ISPs (ISP1 and ISP2). ISP1 is connected to sfp-sfpplus1 over a /30 link network and ISP2 is connected to ether1 over another /30 link network. We consider ISP1 to be our main provider, and ISP2 to be our backup provider.
We have default routes only to the ISPs (no full/partial BGP tables). Normally, all outbound traffic is routed via ISP1 (by setting a lower bgp-weight in the routing filter for ISP1 and a higher bgp-weight for ISP2).
In case of ISP1 having issues (BGP still up, but problems with the traffic further out in their network) we would need a way to connect to the router to temporarily disable BGP towards ISP1. In order for that to work we need traffic to the router's IPs (in the /30 link networks) to return using the same ISP. I've tried setting it up as follows.
1) Create separate routing tables for the two ISPs, each only containing the 0.0.0.0/0 default route for each ISP.
/routing/table/add name=ISP1_table fib
/routing/table/add name=ISP2_table fib
2) Enter the corresponding routing table on each BGP connection.
3) Mark inbound connections based on dst_address.
/ip/firewall/mangle/add chain=prerouting dst-address=IP1 action=mark-connection new-connection-mark=ISP1_conn
/ip/firewall/mangle/add chain=prerouting dst-address=IP2 action=mark-connection new-connection-mark=ISP2_conn
IP1/IP2 = The router's IP in each /30 link network.
4) Make traffic use the correct routing table
/ip/firewall/mangle/add chain=prerouting connection-mark=ISP1_conn action=mark-routing new-routing-mark=ISP1_table
/ip/firewall/mangle/add chain=prerouting connection-mark=ISP2_conn action=mark-routing new-routing-mark=ISP2_table
This configuration seems to create a loop somewhere. Traffic over BGP still works, but a ping from the outside towards IP1 or IP2 ends up with a Time to live exceeded.
Any ideas where I went wrong?
Statistics: Posted by themoose7 — Sat Mar 01, 2025 2:54 pm
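As an added illustration (not the poster's own config), here is the same two-ISP layout with the routing mark applied only to the router's own replies in the mangle output chain, so that packets addressed to IP1/IP2 are delivered locally through the main table instead of being looked up in an ISP table that holds nothing but a default route. IP1/IP2 keep the poster's placeholder meaning; the BGP connection names ISP1/ISP2 are assumed.

```routeros
# Added example, not the original post's configuration.
# Placeholders: IP1 = router address in the ISP1 /30 (sfp-sfpplus1),
#               IP2 = router address in the ISP2 /30 (ether1),
#               ISP1/ISP2 = assumed names of the existing BGP connections.

# 1) One FIB-backed routing table per ISP, each to hold only that ISP's default
/routing/table/add name=ISP1_table fib
/routing/table/add name=ISP2_table fib

# 2) Each BGP session installs its learned 0.0.0.0/0 into its own table
/routing/bgp/connection/set ISP1 routing-table=ISP1_table
/routing/bgp/connection/set ISP2 routing-table=ISP2_table

# 3) Mark new connections that arrive addressed to the router itself, per ISP.
#    Input chain: the packet has already been delivered locally via main.
/ip/firewall/mangle/add chain=input dst-address=IP1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
/ip/firewall/mangle/add chain=input dst-address=IP2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 4) Only the router's own replies get a routing mark (output chain), so the
#    reply leaves through the ISP the request came in on. No mark-routing in
#    prerouting for router-bound packets: a table that contains only a default
#    route would forward them back out to the ISP gateway instead of
#    delivering them locally, and the gateway returns them (TTL exceeded).
/ip/firewall/mangle/add chain=output connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=ISP1_table passthrough=no
/ip/firewall/mangle/add chain=output connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=ISP2_table passthrough=no

# Checks: each table should show exactly one route (its ISP's 0.0.0.0/0), and
# the output-chain counters should increase while IP1 is pinged from outside.
/ip/route/print where routing-table=ISP1_table
/ip/route/print where routing-table=ISP2_table
/ip/firewall/mangle/print stats

# Operational intent from the post: when ISP1 misbehaves, reach the router on
# IP2 (replies now return via ether1) and take the ISP1 session down.
/routing/bgp/connection/set ISP1 disabled=yes
```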