


os_v7_bgp

https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall

  • Step 1:
  • /ip/firewall/address-list/
  • add list=XXX-ISP address=x.x.x.0/24
  • add list=XXX-ISP address=x.x.x.0/24
  • Step 2:
  • /ip/route
  • add dst-address=x.x.x.0/24 blackhole
  • add dst-address=x.x.x.0/24 blackhole
  • Step 3:
  • /routing filter rule
  • add chain=IIG-IN disabled=no rule="if (dst ==0.0.0.0/0) { accept; }"
  • add chain=IIG-IN disabled=no rule="reject;"
  • add chain=IIG-OUT disabled=no rule="if (dst ==x.x.x.0/24) { accept; }"
  • add chain=IIG-OUT disabled=no rule="if (dst ==x.x.x.0/24) { accept; }"
  • add chain=IIG-OUT disabled=no rule="if (dst in x.x.x.0/23 && dst-len in 23-24) { set bgp-path-prepend 2; accept; }"
  • add chain=IIG-OUT disabled=no rule="if (dst-len in 0-32) { reject; }"
  • Step 3 V6:
  • /routing filter rule
  • add chain=IIG-IN-V6 disabled=no rule="if (dst == ::/0) { accept; }"
  • add chain=IIG-IN-V6 disabled=no rule="reject;"
  • add chain=IIG-Local-1-V6-OUT disabled=no rule="if (dst == xxx:xxx:xxx::/48) { accept; }"
  • add chain=IIG-Local-1-V6-OUT disabled=yes rule="if (dst == xxx:xxx:xxx::/48) { set bgp-path-prepend 2; accept; }"
  • add chain=IIG-Local-1-V6-OUT disabled=no rule="reject;"
  • Step 4:
  • /routing bgp connection
  • add as=XXX connect=yes disabled=no listen=yes local.role=ebgp name=XXX-IIG-PEER output.filter-chain=IIG-OUT .network=XXX-ISP .no-client-to-client-reflection=yes remote.address=10.56.79.249/32 .as=58717 router-id=10.56.79.250 routing-table=main templates=default
  • Step 5:
  • /routing/bgp/advertisements print
  • /routing/bgp/connection/print
  • /routing/bgp/session/print
  • /ip route print detail where 210.4.64.0/24 in dst-address
  • /routing/bgp/session/refresh address-family=ip numbers=CCL-BDIX-IPV4-1
  • /ip route print detail where 103.11.138.0 in dst-address received-from =CCl
  1. routing bgp advertisements print where nexthop=103.197.204.250 as-path ~ "150335$"
  2. routing bgp advertisements print where nexthop=103.197.204.250 dst=103.203.237.0/24
  3. 0 peer=CCL-BDIX-IPV4-1 dst=103.203.237.0/24 afi=ip nexthop=103.197.204.250 origin=0 as-path=sequence 58717 140632 atomic-aggregate=yes
  • [nazmul@TO-Core] > ipv6/firewall/address-list/export
  • /ipv6 firewall address-list
  • add address=2001:df2:66c0::/48 list=SCL-IPv6-OUT
  • [nazmul@TO-Core] > ipv6/route/export
  • /ipv6 route
  • add blackhole disabled=no dst-address=2001:df2:66c0::/48 gateway="" routing-table=main
  • add disabled=no dst-address=::/0 gateway=2405:1500:30:1::5 routing-table=main
  • [nazmul@TO-Core] > routing/bgp/connection/export
  • /routing bgp connection
  • address-families=ipv6 as=151318 disabled=no local.role=ebgp name=SCL-IIG-IPv6 output.filter-chain=SCL-IPv6-OUT .network=SCL-IPv6-OUT remote.address=\
  • 2405:1500:30:1::5/128 .as=58717 routing-table=main templates=Talora-AS
  • [nazmul@TO-Core] >
  • /routing filter rule
  • add chain=SCL-IPv6-OUT disabled=no rule="if (dst==2001:DF2:66C0::/48) {accept;}"
  • /routing filter community-list
  • add communities=58717:36759 disabled=no list=CCL
  • /routing filter rule
  • add chain=SCL-CCL-IN disabled=no rule="if (bgp-communities equal-list CCL) { set bgp-local-pref 80; accept; }"
  • add chain=SCL-CCL-IN disabled=no rule="if (dst in 0.0.0.0 && dst-len == 0) { reject; }"
  • add chain=SCL-CCL-IN disabled=no rule="if (dst in 192.168.0.0/16 && dst-len in 16-32) {reject;}"
  • add chain=SCL-CCL-IN disabled=no rule="if (dst in 0.0.0.0/0 && dst-len in 0-64) { reject; }"
  • Note: every IPv4 prefix length falls in 0-64, so the rule above rejects everything not already accepted by the CCL community match; in the order exported here the remaining SCL-CCL-IN rules below are never reached.
  • add chain=SCL-CCL-IN disabled=yes rule="if (dst-len>30 ) { reject;}"
  • add chain=SCL-CCL-IN disabled=no rule="if (dst in 116.193.216.176/28 && dst-len>28) { reject;}"
  • add chain=SCL-CCL-IN disabled=no rule="if ( not bgp-network) {reject; }"
  • add chain=SCL-CCL-IN disabled=no rule="if (dst == 103.138.144.0/24) { set bgp-communities 58717:36759; set bgp-local-pref 95; accept; }"
  • add chain=SCL-CCL-OUT disabled=no rule="accept;"
  • add chain=SCL-CCL-OUT disabled=no rule="if (dst-len in 30-32) { reject; }"
  • add chain=HM-COMM disabled=no rule="if (dst in 1.1.1.0/23 && dst-len in 23-24) { accept; }"
  • add chain=HM-COMM disabled=no rule="if (dst ==2.2.2.0/24) { accept; }"
  • add chain=HM-COMM disabled=no rule="if (dst-len in 0-32) { reject; }"
  • add chain=HM-COMM disabled=no rule="reject;"
  • # serial number = HE208J6CTY9
  • /routing bgp template
  • set default as=64512 disabled=no router-id=10.31.53.250 routing-table=main
  • /routing bgp connection
  • add address-families=ip as=64512/0 connect=yes disabled=no listen=yes local.role=ebgp name=BDIX nexthop-choice=default output.redistribute=bgp \
  • remote.address=10.31.53.249/32 .as=58717 router-id=10.31.53.250 routing-table=main templates=default
  • /ip route print detail where gateway=10.225.98.161
  • /ip route print detail where bgp-as-path ~ "137213$"
  • /ip route print detail where 59.152.101.254 in dst-address
  • /routing/bgp/network print
  • /routing/bgp/peer reset
  • /routing/bgp/advertisements print
  • /ip route/print where bgp
  • /ip route/print
  • /routing filter rule
  • add chain="IIG Blackhole" disabled=no rule="if (dst in 0.0.0.0/0 && dst-len == 32) { accept; }"
  • add chain="IIG Blackhole" disabled=no rule="reject;"
  • add chain=Summit-IIG-IN disabled=no rule="if (dst == 0.0.0.0/0) { accept; }"
  • add chain=Summit-IIG-IN disabled=no rule="reject;"
  • add chain=Summit-IIG-OUT disabled=no rule="if (dst == 103.138.144.0/23 && bgp-as-path-slow-legacy \"139008\") { set bgp-path-prepend 4; accept; }"
  • /routing filter rule
  • add chain=SComm-IIG-OUT disabled=no rule="if (dst == 103.138.144.0/24) { set bgp-path-prepend 2; accept; }"
  • add chain=SComm-IIG-OUT disabled=no rule="if (dst == 103.138.145.0/24) { set bgp-path-prepend 2; accept; }"
  • add chain=SComm-IIG-OUT disabled=no rule="reject;"
  • add chain=Summit-IIG-IN-V6 disabled=no rule="if (dst == ::/0) { accept; }"
  • add chain=Summit-IIG-IN-V6 disabled=no rule="reject;"
  • add chain=Summit-IIG-OUT-V6 disabled=no rule="reject;"
  • add chain=IIG-Local-1-V6-OUT disabled=yes rule="if (dst == 2406:2c0:1101::/48) { accept; }"
  • add chain=IIG-Local-1-V6-OUT disabled=no rule="if (dst == ::/0 && distance == 20) { accept; }"
  • add chain=IIG-Local-1-V6-OUT disabled=no rule="reject;"
  • add chain=NO-Route disabled=no rule="reject;"
  • add chain=Prefix_not_send disabled=no rule="if (dst == 10.10.10.0/24) { reject; }"
  • add chain=SCOMM-OUT disabled=no rule="if (dst == 103.138.144.0/23) { set bgp-path-prepend 4; accept; }"
  • add chain=SCOMM-OUT disabled=no rule="if (dst in 103.138.144.0/23 && dst-len in 23-24) { set bgp-path-prepend 3; accept; }"
  • [Neef@Core IIG] >
  • /routing filter community-list
  • add communities=15121:200 disabled=no list=Summit_GGC
  • add communities=15121:300 disabled=no list=Summit_FNA
  • add communities=15121:400 disabled=no list=Summit_BDIX
  • add communities=15121:100 disabled=no list=Summit_INT
  • add communities=15121:500 disabled=no list=Summit_CDN
  • /routing filter rule
  • add chain=Summit_INT disabled=no rule="if ( dst==0.0.0.0/0){set bgp-communities Summit_INT ;accept ;}"
  • add chain=Summit_OUT disabled=no rule="if ( dst==103.133.246.0/23) { set bgp-path-prepend 2; accept; }"
  • add chain=Summit_OUT disabled=no rule="if ( dst==103.133.246.0/24) { set bgp-path-prepend 2; accept; }"
  • add chain=Summit_OUT disabled=no rule="if ( dst==103.133.247.0/24) { set bgp-path-prepend 2; accept; }"
  • add chain=Summit_CDN_INT disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-local-pref 1000;set bgp-communities Summit_CDN ; accept;}"
  • Note: `dst-len >=0 || dst-len <=32` is true for every prefix (the `||` makes the condition unconditional), so this rule and the Summit_GGC, Summit_FNA, Summit_BDIX and FTP_BDIX rules written the same way tag and accept everything that reaches them.
  • add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.246.0/23) { accept; }"
  • add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.246.0/24) { accept; }"
  • add chain=Summit_CDN_OUT disabled=no rule="if ( dst==103.133.247.0/24) { accept; }"
  • add chain=Summit_GGC disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_GGC ;accept }"
  • add chain=Summit_FNA disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_FNA ;accept }"
  • add chain=Summit_BDIX disabled=no rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_BDIX;accept }"
  • add chain=DIS_GGC_OUT rule="if ( bgp-communities equal-list Summit_GGC ){accept ;}"
  • add chain=DIS_INT_OUT disabled=no rule="if ( bgp-communities equal-list Summit_INT ){accept ;}"
  • add chain=DIS_FNA_OUT rule="if ( bgp-communities equal-list Summit_FNA){accept ;}"
  • add chain=DIS_BDIX_OUT rule="if ( bgp-communities equal-list Summit_BDIX){accept ;}"
  • add chain=Client_INT_OUT disabled=no rule="if ( dst==0.0.0.0/0){accept ;}"
  • add chain=Client_CDN_OUT disabled=no rule="if ( bgp-communities equal-list Summit_CDN ){accept ;}"
  • add chain=FTP_BDIX disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_BDIX;accept }"
  • add chain=Summit_CDN_INT disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-local-pref 1000; accept;}"
  • add chain=Summit_CDN_INT disabled=yes rule="if ( dst-len >=0||dst-len <=32){set bgp-communities Summit_INT ;accept }"
  • add chain=Summit_BDIX disabled=yes rule="if ( dst in 0.0.0.0/0){reject ;}"
  • add chain=Summit_BDIX disabled=yes rule="if ( dst in 0.0.0.0/8 && dst-len in 8-32){reject ;}"