Re: [Mikrotik] OSPF over PPtP link
I have tried all of them: 32, 24-32, 24. I have a class C I would block.

Sent from my iPhone

On Feb 14, 2011, at 5:42 PM, Scott Reed <sr...@nwwnet.net> wrote:

> I don't know if it is the problem, but you do not have the prefix-length clause.
>
> On 2/14/2011 5:05 PM, John Babineaux wrote:
>> If I wanted to block just the network on the pptp connection, what would I put? I tried everything I can think of... best guess is
>>
>>     /routing filter add action=discard chain=ospf-in disabled=no \
>>         prefix=172.16.0.2/32
>>
>> I'm just not grabbing how it works correctly.

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
Re: [Mikrotik] OSPF over PPtP link
On 02/15/2011 07:02 AM, John wrote:
> I have tried all of them: 32, 24-32, 24. I have a class C I would block.

Suppose you have a network as the following ASCII diagram poorly represents:

    10.10.0.0/16 with multiple subnets of the /16 that you want reachable via the tunnel only
            |
    Tunnel endpoint 10.0.0.1/32
            |
    Public IP 12.1.1.1/24
            |
            |
        Internet
            |
            |
    Public IP 12.2.2.2/24
            |
    Tunnel endpoint 10.0.0.2/32
            |
    10.11.0.0/16 with multiple subnets

With this scenario, you'd want to prevent OSPF from sharing the 12.1.1.0/24 subnet to the neighbor at 10.0.0.2 (tunnel endpoint). On the 10.0.0.2 router, you'd do something like:

    /routing filter
    add action=accept chain=ospf-in disabled=no prefix=10.0.0.0/8 prefix-length=0-32
    add action=discard chain=ospf-in disabled=no

This would allow OSPF routes that are part of the 10.0.0.0/8 network with ANY prefix-length (0-32) to be inserted into the routing table. An alternate method would be:

    /routing filter
    add action=discard chain=ospf-in disabled=no prefix=12.1.1.0/24 prefix-length=24

This would accept any routes from OSPF EXCEPT a route to 12.1.1.0/24. Keep in mind that the default behavior in the filter is to accept.

This works in a way that is very similar to the firewall filters. In other words, the first match from top to bottom is the one that is applied. The filters are not hard to understand once you grasp the concept. It is difficult to explain how it works, though. Think of it like this:

Suppose you have a sorting machine. This machine has 3 holes on the top level. One is square, one is round and one is triangular. This level of the filter represents the prefix. Any route being shared by OSPF will fit into only ONE of these holes in the top layer. Below this top layer of your machine is another mechanism that has a few more holes that further filters whatever you are sorting. This level represents the prefix-length parameter. The only concern at this level is what the actual length of the mask is (hence the name prefix-length). At this level, you will ONLY see the possible range of subnets already filtered by the top layer (prefix parameter). Some of the holes at this second layer will lead to accept and some will lead to discard or other actions. Some of them will lead to still more filter layers.

This is quite difficult to explain (especially by email), but I hope this helps.

--
* Butch Evans                 * Professional Network Consultation *
* http://www.butchevans.com/  * Network Engineering               *
* http://store.wispgear.net/  * Wired or Wireless Networks        *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!   *
* NOTE THE NEW PHONE NUMBER: 702-537-0979                         *
Re: [Mikrotik] OSPF over PPtP link
If I wanted to block just the network on the pptp connection, what would I put? I tried everything I can think of... best guess is

    /routing filter add action=discard chain=ospf-in disabled=no \
        prefix=172.16.0.2/32

I'm just not grabbing how it works correctly.

From: Butch Evans <but...@butchevans.com>
Sent: Wednesday, November 24, 2010 2:57 PM
To: Mikrotik discussions <mikrotik@mail.butchevans.com>
Subject: Re: [Mikrotik] OSPF over PPtP link

> On Wed, 2010-11-24 at 09:23 -0600, John Babineaux wrote:
>> I know there is a way to propagate OSPF over the link or at least not shut off that side of the network.
>
> John, I was supposed to send this to you directly, but here is even better. Here are the steps.
>
> First, assume the following network (forgive the poor ASCII artwork):
>
>     pvt 10.0.0.0/16 (RTR1)12.12.12.12--13.13.13.13(RTR2) pvt 10.1.0.0/16
>
> I am assuming that both RTR1 and RTR2 are sharing OSPF with the rest of their private LAN segments and have redistribute-default turned on (which is the source of your problem).
>
> We will first build a tunnel between RTR1 and RTR2 and assign IP space as follows: RTR1 is the server and has the user secret for RTR2 set with local-address as 172.16.0.1 and remote-address as 172.16.0.2, which means that if you look at RTR1 ip addresses (when the tunnel is connected), you will see:
>
>     IP: 172.16.0.1  BROADCAST: 172.16.0.2
>
> On RTR2, you will see:
>
>     IP: 172.16.0.2  BROADCAST: 172.16.0.1
>
> On RTR1, you need to add the broadcast address as a network in OSPF like this:
>
>     /routing ospf network add network=172.16.0.2 area=backbone
>
> RTR2 would have:
>
>     /routing ospf network add network=172.16.0.1 area=backbone
>
> The problem is that these 2 routers would share routes that you do NOT want to see. SO, you can just filter the routes you will insert from OSPF on these 2 routers like this:
>
>     /routing filter
>     add action=accept chain=ospf-in comment="Allow 10.x" disabled=no \
>         prefix=10.0.0.0/8 prefix-length=8-32
>     add action=discard chain=ospf-in disabled=no invert-match=no
>
> These rules would cause OSPF to ONLY accept routes in the 10.x.x.x range from ANY router in the OSPF network. You would, of course, add the specific network ranges that you want to accept from either side. Your filter may (or may not) be different on the two routers.
>
> While this is not a 100% tutorial, hopefully, it will be enough to get you going.
Re: [Mikrotik] OSPF over PPtP link
I don't know if it is the problem, but you do not have the prefix-length clause.

On 2/14/2011 5:05 PM, John Babineaux wrote:
> If I wanted to block just the network on the pptp connection, what would I put? I tried everything I can think of... best guess is
>
>     /routing filter add action=discard chain=ospf-in disabled=no \
>         prefix=172.16.0.2/32
>
> I'm just not grabbing how it works correctly.

--
Scott Reed
Owner
NewWays Networking, LLC
Wireless Networking
Network Design, Installation and Administration
Mikrotik Advanced Certified
www.nwwnet.net
(765) 855-1060
Re: [Mikrotik] OSPF over PPtP link
Are you experiencing a problem like this?
http://forum.mikrotik.com/viewtopic.php?t=31819f=2

--
Blake Covarrubias

On Nov 24, 2010, at 8:23, John Babineaux <j...@rcsaccess.net> wrote:

> I know there is a way to propagate OSPF over the link or at least not shut off that side of the network.
>
> John Babineaux
> Radio Communications Service
Re: [Mikrotik] OSPF over PPtP link
If you have a static route, and you have OSPF set to redistribute static, then your tunnel will flap as OSPF learns/unlearns the static route over your physical/tunnel interface.

I've solved this a couple of ways. I think the easiest way is to exclude the route in your ospf-in filter. Something like...

    /routing filter add chain=ospf-in protocol=static prefix=a.b.c.d/nn action=discard

...where a.b.c.d/nn is the static route.

You can also put the static route in a different routing table, and then mark your PPTP packets with routing-mark=tunnel in the mangle output chain. OSPF won't learn the route from the other routing table, so it has the same effect.

This is all off the top of my head. Let me know if you need more clarification.

Regards,
-Kristian

On Wed, 2010-11-24 at 09:23 -0600, John Babineaux wrote:
> I know there is a way to propagate OSPF over the link or at least not shut off that side of the network.
>
> John Babineaux
> Radio Communications Service
Re: [Mikrotik] OSPF over PPtP link
On Wed, 2010-11-24 at 09:23 -0600, John Babineaux wrote:
> I know there is a way to propagate OSPF over the link or at least not shut off that side of the network.

Composing a reply now. Will take a bit.

--
* Butch Evans                 * Professional Network Consultation *
* http://www.butchevans.com/  * Network Engineering               *
* http://store.wispgear.net/  * Wired or Wireless Networks        *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!   *
Re: [Mikrotik] OSPF over PPtP link
On Wed, 2010-11-24 at 09:23 -0600, John Babineaux wrote:
> I know there is a way to propagate OSPF over the link or at least not shut off that side of the network.

John, I was supposed to send this to you directly, but here is even better. Here are the steps.

First, assume the following network (forgive the poor ASCII artwork):

    pvt 10.0.0.0/16 (RTR1)12.12.12.12--13.13.13.13(RTR2) pvt 10.1.0.0/16

I am assuming that both RTR1 and RTR2 are sharing OSPF with the rest of their private LAN segments and have redistribute-default turned on (which is the source of your problem).

We will first build a tunnel between RTR1 and RTR2 and assign IP space as follows: RTR1 is the server and has the user secret for RTR2 set with local-address as 172.16.0.1 and remote-address as 172.16.0.2, which means that if you look at RTR1 ip addresses (when the tunnel is connected), you will see:

    IP: 172.16.0.1  BROADCAST: 172.16.0.2

On RTR2, you will see:

    IP: 172.16.0.2  BROADCAST: 172.16.0.1

On RTR1, you need to add the broadcast address as a network in OSPF like this:

    /routing ospf network add network=172.16.0.2 area=backbone

RTR2 would have:

    /routing ospf network add network=172.16.0.1 area=backbone

The problem is that these 2 routers would share routes that you do NOT want to see. SO, you can just filter the routes you will insert from OSPF on these 2 routers like this:

    /routing filter
    add action=accept chain=ospf-in comment="Allow 10.x" disabled=no \
        prefix=10.0.0.0/8 prefix-length=8-32
    add action=discard chain=ospf-in disabled=no invert-match=no

These rules would cause OSPF to ONLY accept routes in the 10.x.x.x range from ANY router in the OSPF network. You would, of course, add the specific network ranges that you want to accept from either side. Your filter may (or may not) be different on the two routers.

While this is not a 100% tutorial, hopefully, it will be enough to get you going.

--
* Butch Evans                 * Professional Network Consultation *
* http://www.butchevans.com/  * Network Engineering               *
* http://store.wispgear.net/  * Wired or Wireless Networks        *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!   *
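Added illustration, not code from the thread, from MikroTik, or from any of the posters: a small Python model of how an ospf-in routing filter chain of the kind shown in Butch's tutorial above and in his "sorting machine" explanation (and the protocol=static rule Kristian suggests) decides each route. It encodes the behaviour the thread describes, first match from the top wins, "prefix" means the route lies inside that block, "prefix-length" is an inclusive range on the route's mask length, and a route that matches nothing is accepted. Those matching semantics are my reading of the thread and of the RouterOS manual and are an assumption; the rule and route objects, the sample routes and the choice of 13.13.13.13/32 as a static route are constructed for the example. It is written in Python because the RouterOS CLI itself cannot be run offline.

```python
"""Model of a RouterOS-style `/routing filter` chain (added example; the
semantics below are an assumption drawn from the thread, not RouterOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    dst: str        # destination prefix, e.g. "10.1.0.0/16"
    protocol: str   # where the route came from: "ospf", "static", ...


@dataclass
class Rule:
    action: str                                        # "accept" or "discard"
    prefix: Optional[str] = None                       # route must lie inside this block
    prefix_length: Optional[Tuple[int, int]] = None    # inclusive mask-length range
    protocol: Optional[str] = None                     # source protocol to match
    invert_match: bool = False                         # flip the match result
    comment: str = ""


def rule_matches(rule: Rule, route: Route) -> bool:
    """Top layer: is the route inside `prefix`?  Second layer: is its mask
    length within `prefix_length`?  Both must hold (plus protocol, if set)."""
    net = ipaddress.ip_network(route.dst, strict=False)
    ok = True
    if rule.prefix is not None:
        ok = ok and net.subnet_of(ipaddress.ip_network(rule.prefix, strict=False))
    if rule.prefix_length is not None:
        lo, hi = rule.prefix_length
        ok = ok and lo <= net.prefixlen <= hi
    if rule.protocol is not None:
        ok = ok and route.protocol == rule.protocol
    return (not ok) if rule.invert_match else ok


def run_chain(chain: List[Rule], route: Route) -> str:
    """First matching rule decides; the chain's default is accept."""
    for rule in chain:
        if rule_matches(rule, route):
            return rule.action
    return "accept"


def evaluate(chain: List[Rule], routes: List[Route]) -> Dict[Tuple[str, str], str]:
    return {(r.dst, r.protocol): run_chain(chain, r) for r in routes}


# Butch's tutorial filter: accept anything inside 10/8, discard everything else.
BUTCH_CHAIN = [
    Rule("accept", prefix="10.0.0.0/8", prefix_length=(8, 32), comment="Allow 10.x"),
    Rule("discard"),
]
# Butch's alternate: drop only the neighbour's public /24, accept the rest.
BUTCH_ALT_CHAIN = [Rule("discard", prefix="12.1.1.0/24", prefix_length=(24, 24))]
# John's attempt: a /32 prefix with no prefix-length covers only that one host route.
JOHN_ATTEMPT = [Rule("discard", prefix="172.16.0.2/32")]
# Kristian's rule: keep the static route to the tunnel peer out of OSPF
# (a.b.c.d/nn in his message; 13.13.13.13/32 is assumed here).
KRISTIAN_CHAIN = [Rule("discard", protocol="static", prefix="13.13.13.13/32")]

# Constructed sample of what the tunnel neighbour might advertise.
SAMPLE_ROUTES = [
    Route("10.1.0.0/16", "ospf"),
    Route("10.1.5.0/24", "ospf"),
    Route("0.0.0.0/0", "ospf"),         # leaked by redistribute-default
    Route("12.1.1.0/24", "ospf"),       # neighbour's public /24
    Route("172.16.0.0/24", "ospf"),     # a class C that should be blocked (constructed)
    Route("172.16.0.2/32", "ospf"),     # the tunnel peer address itself
    Route("13.13.13.13/32", "static"),  # static route to the tunnel peer
    Route("13.13.13.13/32", "ospf"),    # same destination learned via OSPF
]

if __name__ == "__main__":
    for name, chain in [("butch", BUTCH_CHAIN), ("butch-alt", BUTCH_ALT_CHAIN),
                        ("john", JOHN_ATTEMPT), ("kristian", KRISTIAN_CHAIN)]:
        print(f"--- chain: {name}")
        for (dst, proto), verdict in evaluate(chain, SAMPLE_ROUTES).items():
            print(f"{dst:>18} ({proto:6}) -> {verdict}")
```

Running it shows the point Scott raises: with Butch's chain the default route and the public /24 are discarded while the 10.x routes pass, whereas John's single rule only ever matches 172.16.0.2/32 and lets a 172.16.0.0/24 route straight through, because the /24 does not fit inside the /32 "hole" in the top layer.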