Exa-Networks / exabgp

The BGP swiss army knife of networking

Connecting exabgp to Mikrotik RouterOS v 7.15.2 (latest stable) #1229

Closed elico closed 1 month ago

elico commented 1 month ago

Request for help

I am trying to connect exabgp to Mikrotik RouterOS v7.15.2 devices and CHR but am unable to make the BGP session stick. I am able to establish a connection/session between two RouterOS devices. I still need to test how it is with VyOS and FRR in general.

I am using the following exabgp conf:

#!/usr/bin/env exabgp

process blocklist-192.168.74.1 {
    run ./api-blocklist.py;
    encoder text;
}

template {
    neighbor blocklist {
        local-as 65001;
        peer-as 65001;
        router-id 192.168.220.119;
        local-address 192.168.220.119;
        group-updates true;
        hold-time 60;
        capability {
            graceful-restart 1200;
            route-refresh enable;
            operational enable;
        }
        family {
            ipv4 unicast;
            ipv6 unicast;
        }
    }
}

neighbor 192.168.74.1 {
    inherit blocklist;
}

I am receiving the following output when running exabgp:

16:49:30 | 6309   | welcome       | Thank you for using ExaBGP
16:49:30 | 6309   | version       | 4.2.22  
16:49:30 | 6309   | interpreter   | 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0]
16:49:30 | 6309   | os            | Linux 610-NgTech-Ansible-1 6.1.0-23-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64
16:49:30 | 6309   | installation  | /usr/local
16:49:30 | 6309   | cli control   | named pipes for the cli are:
16:49:30 | 6309   | cli control   | to send commands  /usr/local/run/exabgp.in
16:49:30 | 6309   | cli control   | to read responses /usr/local/run/exabgp.out
16:49:30 | 6309   | configuration | performing reload of exabgp 4.2.22
16:49:30 | 6309   | configuration | > process          | 'blocklist-192.168.74.1'
16:49:30 | 6309   | configuration | . run              | './api-blocklist.py'
16:49:30 | 6309   | configuration | . encoder          | 'text'
16:49:30 | 6309   | configuration | < process          | 
16:49:30 | 6309   | configuration | > template         | 
16:49:30 | 6309   | configuration | > neighbor         | 'blocklist'
16:49:30 | 6309   | configuration | . local-as         | '65001'
16:49:30 | 6309   | configuration | . peer-as          | '65001'
16:49:30 | 6309   | configuration | . router-id        | '192.168.220.119'
16:49:30 | 6309   | configuration | . local-address    | '192.168.220.119'
16:49:30 | 6309   | configuration | . group-updates    | 'true'
16:49:30 | 6309   | configuration | . hold-time        | '60'
16:49:30 | 6309   | configuration | > capability       | 
16:49:30 | 6309   | configuration | . graceful-restart | '1200'
16:49:30 | 6309   | configuration | . route-refresh    | 'enable'
16:49:30 | 6309   | configuration | . operational      | 'enable'
16:49:30 | 6309   | configuration | < capability       | 
16:49:30 | 6309   | configuration | > family           | 
16:49:30 | 6309   | configuration | . ipv4             | 'unicast'
16:49:30 | 6309   | configuration | . ipv6             | 'unicast'
16:49:30 | 6309   | configuration | < family           | 
16:49:30 | 6309   | configuration | < neighbor         | 
16:49:30 | 6309   | configuration | < template         | 
16:49:30 | 6309   | configuration | > neighbor         | '192.168.74.1'
16:49:30 | 6309   | configuration | . inherit          | 'blocklist'
16:49:30 | 6309   | configuration | route-refresh requested, enabling adj-rib-out
16:49:30 | 6309   | configuration | < neighbor         | 
16:49:30 | 6309   | reactor       | new peer: neighbor 192.168.74.1 local-ip 192.168.220.119 local-as 65001 peer-as 65001 router-id 192.168.220.119 family-allowed in-open
16:49:30 | 6309   | reactor       | loaded new configuration successfully
16:49:30 | 6309   | process       | forked process blocklist-192.168.74.1
16:49:30 | 6309   | process       | forked process api-internal-cli-b911eafc
16:49:30 | 6309   | reactor       | initialising connection to peer-1
16:49:30 | 6309   | outgoing-1    | attempting connection to 192.168.74.1:179
16:49:30 | 6309   | outgoing-1    | sending TCP payload (  83) FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0053 0104 FDE9 003C C0A8 DC77 3602 0601 0400 0100 0102 0601 0400 0200 0102 0641 0400 00FD E902 0C40 0A84 B000 0101 8000 0201 8002 0202 0002 0246 0002 02B9 0002 0206 00
16:49:30 | 6309   | outgoing-1    | >> OPEN version=4 asn=65001 hold_time=60 router_id=192.168.220.119 capabilities=[Multiprotocol(ipv4 unicast,ipv6 unicast), Route Refresh, Extended Message(65535), Graceful Restart Flags 0x8 Time 1200 ipv4/unicast=0x80 ipv6/unicast=0x80, ASN4(65001), Enhanced Route Refresh, Operational]
16:49:30 | 6309   | ka-outgoing-1 | receive-timer 60 second(s) left
16:49:30 | 6309   | outgoing-1    | outgoing-1 192.168.220.119-192.168.74.1, closing connection
16:49:30 | 6309   | outgoing-1    | peer reset, message [closing connection] error[issue reading on the socket: [Errno ECONNRESET] [Errno 104] Connection reset by peer]
16:49:30 | 6309   | outgoing-1    | outgoing-1 192.168.220.119-192.168.74.1, closing connection
16:49:30 | 6309   | reactor       | initialising connection to peer-1
16:49:30 | 6309   | outgoing-2    | attempting connection to 192.168.74.1:179
16:49:30 | 6309   | outgoing-2    | sending TCP payload (  83) FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0053 0104 FDE9 003C C0A8 DC77 3602 0601 0400 0100 0102 0601 0400 0200 0102 0641 0400 00FD E902 0C40 0A84 B000 0101 8000 0201 8002 0202 0002 0246 0002 02B9 0002 0206 00
16:49:30 | 6309   | outgoing-2    | >> OPEN version=4 asn=65001 hold_time=60 router_id=192.168.220.119 capabilities=[Multiprotocol(ipv4 unicast,ipv6 unicast), Route Refresh, Extended Message(65535), Graceful Restart Flags 0x8 Time 1200 ipv4/unicast=0x80 ipv6/unicast=0x80, ASN4(65001), Enhanced Route Refresh, Operational]
16:49:30 | 6309   | ka-outgoing-2 | receive-timer 60 second(s) left
16:49:30 | 6309   | outgoing-2    | outgoing-2 192.168.220.119-192.168.74.1, closing connection
16:49:30 | 6309   | outgoing-2    | peer reset, message [closing connection] error[issue reading on the socket: [Errno ECONNRESET] [Errno 104] Connection reset by peer]
16:49:30 | 6309   | outgoing-2    | outgoing-2 192.168.220.119-192.168.74.1, closing connection
16:49:31 | 6309   | reactor       | initialising connection to peer-1
16:49:31 | 6309   | outgoing-3    | attempting connection to 192.168.74.1:179
16:49:31 | 6309   | outgoing-3    | sending TCP payload (  83) FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0053 0104 FDE9 003C C0A8 DC77 3602 0601 0400 0100 0102 0601 0400 0200 0102 0641 0400 00FD E902 0C40 0A84 B000 0101 8000 0201 8002 0202 0002 0246 0002 02B9 0002 0206 00
16:49:31 | 6309   | outgoing-3    | >> OPEN version=4 asn=65001 hold_time=60 router_id=192.168.220.119 capabilities=[Multiprotocol(ipv4 unicast,ipv6 unicast), Route Refresh, Extended Message(65535), Graceful Restart Flags 0x8 Time 1200 ipv4/unicast=0x80 ipv6/unicast=0x80, ASN4(65001), Enhanced Route Refresh, Operational]
16:49:31 | 6309   | ka-outgoing-3 | receive-timer 60 second(s) left
16:49:31 | 6309   | outgoing-3    | outgoing-3 192.168.220.119-192.168.74.1, closing connection
16:49:31 | 6309   | outgoing-3    | peer reset, message [closing connection] error[issue reading on the socket: [Errno ECONNRESET] [Errno 104] Connection reset by peer]
16:49:31 | 6309   | outgoing-3    | outgoing-3 192.168.220.119-192.168.74.1, closing connection
^C16:49:33 | 6309   | reactor       | ^C received
16:49:33 | 6309   | reactor       | performing shutdown
unexpected response shutdown 6309 1702 received.
unexpected response  received.
16:49:33 | 6309   | process       | terminating process blocklist-192.168.74.1
16:49:33 | 6309   | process       | terminating process api-internal-cli-b911eafc

I see that the blocklist app works fine and I stopped it since I do see a fundamental issue with the session establishment.

16:50:45 | 6325   | process       | responding to blocklist-192.168.74.1 : error
unexpected response error received.
16:50:45 | 6325   | api           | no neighbor matching the command : announce route 121.139.41.95/32 next-hop 192.0.2.1 community [ 65535:666 no-advertise ]
16:50:45 | 6325   | process       | responding to blocklist-192.168.74.1 : error
unexpected response error received.
....

To Reproduce

RouterOS configuration (might be the issue..)

/routing bgp template
add as=65001 disabled=no hold-time=1m keepalive-time=1s name=exabgp router-id=\
    192.168.74.1 routing-table=main
/routing bgp connection
add address-families=ip,ipv6 as=65001 disabled=no keepalive-time=1s listen=yes \
    local.address=192.168.74.1 .role=ibgp multihop=yes name=to-exabgp \
    remote.address=192.168.220.119/32 .as=65001 router-id=192.168.74.1 \
    routing-table=main templates=exabgp

Expected behavior

A BGP session to be established so I can try to filter the input from the blocklists.

Environment (please complete the following information):

Additional context

I have a lab and I am able to test every detail regarding RouterOS, VyOS, basic FRR and a couple of other devices like the EdgeRouter Lite. I hope it will help me and others to work with exabgp and RouterOS.
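The "sending TCP payload ( 83)" lines above are the raw BGP OPEN that ExaBGP offers the RouterOS peer before the peer resets the TCP connection, and the ">> OPEN ..." line is ExaBGP's own summary of it. The decoder below is an added example for this thread (not ExaBGP's code) that parses that hex dump into the OPEN fields and capability TLVs (RFC 4271 section 4.2, capabilities per RFC 5492), so you can confirm what the peer is being asked to accept; the only input it assumes is the hex dump copied from the log.

```python
"""Decode the BGP OPEN message ExaBGP logs as "sending TCP payload".

Added example for this issue, not ExaBGP's own code. Standard library only.
"""
import struct
from ipaddress import IPv4Address

# Hex dump copied verbatim from the "sending TCP payload (  83)" log line.
OPEN_HEX = (
    "FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0053 0104 FDE9 003C C0A8 DC77 "
    "3602 0601 0400 0100 0102 0601 0400 0200 0102 0641 0400 00FD E902 0C40 "
    "0A84 B000 0101 8000 0201 8002 0202 0002 0246 0002 02B9 0002 0206 00"
)

BGP_OPEN = 1
CAP_MULTIPROTOCOL = 1
CAP_ROUTE_REFRESH = 2
CAP_EXTENDED_MESSAGE = 6
CAP_GRACEFUL_RESTART = 64
CAP_AS4 = 65
CAP_ENHANCED_ROUTE_REFRESH = 70
CAP_OPERATIONAL = 185          # ExaBGP's experimental "operational" capability

AFI_NAMES = {1: "ipv4", 2: "ipv6"}
SAFI_NAMES = {1: "unicast", 2: "multicast", 4: "nlri-mpls", 128: "mpls-vpn"}


def _family(afi, safi):
    return f"{AFI_NAMES.get(afi, afi)} {SAFI_NAMES.get(safi, safi)}"


def decode_capability(code, value):
    """Turn one capability TLV into a (name, details) pair."""
    if code == CAP_MULTIPROTOCOL:
        afi, _reserved, safi = struct.unpack("!HBB", value)
        return "multiprotocol", _family(afi, safi)
    if code == CAP_AS4:
        return "asn4", struct.unpack("!I", value)[0]
    if code == CAP_GRACEFUL_RESTART:
        # 4 bits of flags, 12 bits of restart time, then one entry per family.
        flags_time = struct.unpack("!H", value[:2])[0]
        families = {}
        for off in range(2, len(value), 4):
            afi, safi, flags = struct.unpack("!HBB", value[off:off + 4])
            families[_family(afi, safi)] = flags
        return "graceful-restart", {
            "flags": flags_time >> 12,
            "time": flags_time & 0x0FFF,
            "families": families,
        }
    names = {
        CAP_ROUTE_REFRESH: "route-refresh",
        CAP_EXTENDED_MESSAGE: "extended-message",
        CAP_ENHANCED_ROUTE_REFRESH: "enhanced-route-refresh",
        CAP_OPERATIONAL: "operational",
    }
    return names.get(code, f"unknown-{code}"), value.hex()


def parse_open(payload):
    """Parse a raw BGP OPEN message into its fields and capabilities."""
    if len(payload) < 19 or payload[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, msg_type = struct.unpack("!HB", payload[16:19])
    if length != len(payload) or msg_type != BGP_OPEN:
        raise ValueError(f"not a complete OPEN: length={length} type={msg_type}")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", payload[19:29])
    opts = payload[29:29 + opt_len]
    if len(opts) != opt_len:
        raise ValueError("optional parameters truncated")
    caps = []
    pos = 0
    while pos < len(opts):
        ptype, plen = opts[pos], opts[pos + 1]
        pval = opts[pos + 2:pos + 2 + plen]
        pos += 2 + plen
        if ptype != 2:          # only the capability parameter (type 2) is defined
            continue
        cpos = 0
        while cpos < len(pval):
            code, clen = pval[cpos], pval[cpos + 1]
            caps.append(decode_capability(code, pval[cpos + 2:cpos + 2 + clen]))
            cpos += 2 + clen
    return {
        "version": version,
        "asn": my_as,
        "hold_time": hold_time,
        "router_id": str(IPv4Address(bgp_id)),
        "capabilities": caps,
    }


def parse_open_hex(hexdump):
    """Convenience wrapper for the space-separated hex ExaBGP prints."""
    return parse_open(bytes.fromhex(hexdump.replace(" ", "")))


if __name__ == "__main__":
    for key, val in parse_open_hex(OPEN_HEX).items():
        print(f"{key}: {val}")
```

Run against the dump from the log it reports asn 65001, hold time 60, router-id 192.168.220.119 and the eight capabilities ExaBGP listed, which tells you the OPEN itself is well formed: a reset that arrives this early, before any NOTIFICATION, points at the peer's TCP/BGP listener or a filter in between rather than at the OPEN contents.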

thomas-mangin commented 1 month ago

It looks like your CHR is not accepting incoming BGP connections, or something is blocking the outgoing connections.

thomas-mangin commented 1 month ago

It may also be that the source IP address is not configured on the host

elico commented 1 month ago

@thomas-mangin Thanks. The issue was that the RouterOS firmware is probably corrupted in some way. The BGP daemon is not working properly on this device. On other devices I have here it works fine, both in a virtual environment and also on physical devices. I will try to factory reset (netinstall) the RouterOS device to see if it resolves that issue and will update.

Now the issue is only to find the right way to configure the service with RouterOS devices so the blacklisted routes will be routed to a blackhole somehow.

Thanks.

elico commented 1 month ago

OK, I managed to make it work eventually with the following RouterOS BGP config:

/ip route
add blackhole disabled=no distance=1 dst-address=192.0.2.1/32 gateway="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

/routing bgp template
add address-families=ip as=65001 disabled=no hold-time=30s multihop=yes name=as1 router-id=192.168.111.96 routing-table=\
    main
/routing bgp connection
add address-families=ip as=65001 disabled=no hold-time=30s input.filter=get_active listen=yes local.address=\
    192.168.111.96 .role=ibgp multihop=yes name=as1-to-as3 output.filter-chain=get_active .filter-select=my_select_chain \
    remote.address=192.168.220.159/32 .as=65001 router-id=192.168.111.96 routing-table=main templates=as1
/routing filter rule
add chain=get_active disabled=no rule="if (dst in 0.0.0.0/0) {set distance 1;accept}"
/routing filter select-rule
add chain=my_select_chain disabled=no do-where=get_active

with the following exabgp file:

#!/usr/bin/env exabgp

process blocklist-192.168.111.96 {
    run ./api-blocklist.run;
    encoder text;
}

template {
    neighbor blocklist {
        local-as 65001;
        peer-as 65001;
        router-id 192.168.220.159;
        local-address 192.168.220.159;
        group-updates true;
        hold-time 30;
        capability {
            graceful-restart 1200;
            route-refresh enable;
            operational enable;
        }
        family {
            ipv4 unicast;
        }
    }
}

neighbor 192.168.111.96 {
    inherit blocklist;
    api {
        processes [ blocklist-192.168.111.96 ];
    }
}

Thanks! I hope it will help others (I kind of cherry-picked from https://help.mikrotik.com/docs/display/ROS/Route+Selection+and+Filters ).
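Two things in the working setup are worth spelling out. The first configuration in this thread declared the process but never attached it to the neighbor, and ExaBGP answered every command with "no neighbor matching the command"; the final configuration adds `api { processes [ ... ]; }` under the neighbor, which is what routes the process's commands to that session. Second, the announced next-hop 192.0.2.1 is only a blackhole because RouterOS has a static blackhole route for it. The script below is an added example of an API process for this setup (it is not the poster's api-blocklist.py or api-blocklist.run). It assumes a blocklist file at BLOCKLIST_PATH with one IPv4 prefix per line and emits the same text-encoder commands the issue log shows, `announce route <prefix> next-hop 192.0.2.1 community [ 65535:666 no-advertise ]`, plus withdraws for entries that drop out of the list. Because feed lines end up inside ExaBGP commands, every line is validated with `ipaddress` before use, and prefixes broader than /24 are refused so a bad feed cannot blackhole a large range.

```python
#!/usr/bin/env python3
"""ExaBGP API process: announce a blocklist as blackhole routes.

Added example for this issue, not the poster's script. Assumed: a blocklist
file (BLOCKLIST_PATH, one IPv4 prefix per line, '#' comments allowed) and the
blackhole next-hop 192.0.2.1 configured on RouterOS as in the thread.
"""
import ipaddress
import os
import select
import sys
import time

BLOCKLIST_PATH = "blocklist.txt"             # assumed location of the feed
BLACKHOLE_NEXT_HOP = "192.0.2.1"              # matches the RouterOS /ip route blackhole
COMMUNITIES = "[ 65535:666 no-advertise ]"    # 65535:666 is BLACKHOLE (RFC 7999)
MIN_PREFIX_LEN = 24                           # never blackhole anything broader than /24
REFRESH_SECONDS = 60


def parse_blocklist(lines):
    """Validate feed lines into a set of canonical IPv4 prefixes.

    Anything that is not one well-formed IPv4 prefix is dropped: a line such
    as "10.0.0.0/8" or "1.2.3.4 withdraw route 0.0.0.0/0" must never be
    interpolated into a command sent to the peer.
    """
    prefixes = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version != 4 or net.prefixlen < MIN_PREFIX_LEN:
            continue
        prefixes.add(str(net))
    return prefixes


def diff_commands(current, wanted):
    """Return the ExaBGP text-API commands that move `current` to `wanted`."""
    cmds = []
    for prefix in sorted(wanted - current):
        cmds.append(
            f"announce route {prefix} next-hop {BLACKHOLE_NEXT_HOP} community {COMMUNITIES}"
        )
    for prefix in sorted(current - wanted):
        cmds.append(f"withdraw route {prefix} next-hop {BLACKHOLE_NEXT_HOP}")
    return cmds


def load_blocklist(path):
    """Read the feed; a missing or unreadable file means 'announce nothing'."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_blocklist(fh)
    except OSError:
        return set()


def drain_acks(expected, timeout=1.0):
    """Read up to `expected` ack lines ("done"/"error") ExaBGP writes on our stdin.

    Reads the raw fd with select so the loop neither hangs when acks are
    disabled nor leaves the pipe to fill up. Returns the number of "error" acks.
    """
    fd = sys.stdin.fileno()
    buf = b""
    lines = []
    while len(lines) < expected:
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:
            break
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        buf += chunk
        *complete, buf = buf.split(b"\n")
        lines.extend(complete)
    return sum(1 for line in lines if line.strip() == b"error")


def main():
    announced = set()
    while True:
        wanted = load_blocklist(BLOCKLIST_PATH)
        cmds = diff_commands(announced, wanted)
        for cmd in cmds:
            sys.stdout.write(cmd + "\n")
        sys.stdout.flush()                    # ExaBGP reads one command per line
        if drain_acks(len(cmds)):
            sys.stderr.write("some commands were rejected by exabgp\n")
        announced = wanted
        time.sleep(REFRESH_SECONDS)


if __name__ == "__main__":
    main()
```

Point `run` in the `process` block at this file and keep the `api { processes [...] }` binding on the neighbor; the "responding to ... : error" lines in the log are the acks ExaBGP writes back to the process, which is why the script reads them instead of ignoring stdin.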