Dual ISP bgp on Mikrotik with load-balancing and automatic failover.

January 3, 2018August 24, 2018 Timigate 2 Comments BGP, Mikrotik

The border gateway protocol is the routing protocol of the internet. It allows organizations with blocks of public IPs, known as prefixes, to advertise these addresses to other bgp-speaking routers on the internet. In this post, we will look at how to set up dual ISP bgp on MIkrotik.

The simple reason for the use of bgp is to “tell” other router on the internet how best to get to your network. BGP makes use of autonomous systems to advertise public prefixes so that other routers are informed on how to get to your autonomous system (AS).

One of the most common implementation of bgp is on a dual-ISP setup. So, in this demonstration, I will be showing us how to implement ebgp to load-balancing across two ISP links while making sure that all in-coming traffics fail over to the active ISP when the gateway of the other goes down.

dual isp bgp on Mikrotik — Image showing dual bgp peering

I have two unequal connections to the internet with a prefix of 192.168.40.0/24 that I need to advertise to the internet via the two ISPs. Why would I want to do this? To make sure that my prefix is reachable via the two ISPs and that my network stays up as long as one of the ISPs is active.

Objective:

>>>Implement bgp on the HQ router to successfully peer with the two ISP routers.

>>>For security purpose, make sure only the public prefix is being advertised to the ISPs.

>>>Using a bgp attribute, implement policies on the HQ router to ensure that higher number of in-coming packets are routed through ISP1 while the remaining goes through ISP2 but, all packets should pass through the active ISP in the event that anyone goes down.

HQ-ROUTER:

Ether4=4.4.4.1/30: connects to ISP1

Ether5=5.5.5.1/30:vconnects to ISP2

Ether3=192.168.40.0/24: (our public IP block. Yes, I know it is not on the public range. It’s just for this demo)

AS number=400

ISP1-ROUTER:

Ether4=4.4.4.2/30

Bridge1=10.0.0.1/24

AS number =200

ISP2-ROUTER:

Ether5=5.5.5.2/30

Bridge1=20.0.0.1/24

AS number =300

Configuration

HQ-ROUTER:

Interface configuration.

[[email protected]]> ip add add address=192.168.40.1/24 interface=ether3 comment=LAN

[[email protected]] > ip add add address=4.4.4.1/30 interface=ether4 comment=ISP1-connection

[[email protected]] > ip add add address=5.5.5.1/30 interface=ether5 comment=ISP2-connection

BGP setup

Frist of all, we need to create a filter rule that will be used to prepend the AS-Path of the prefix advertised to ISP2. This will ensure that ISP1 becomes the most preferred link to get to our network.

[[email protected]] > routing filter add chain=ABC-OUT prefix=192.168.40.0/24 set-bgp-prepend path=400,400

Next, we enable bgp on the HQ router and assign AS number 400 to it

[[email protected]] > routing bgp instance add as=400 name=default client-to-client -reflection=yes

( Note that a router cannot be a member of more than one AS)

Weadvertise to ISP1 without the filter rule created above, making sure that when HQ router advertises to ISP1, the AS-path is not increased. The shorter the AS-Path, the more preferred the link is.

[[email protected]] > routing bgp peer add name=peer1 instance=default remote-addre ss=4.4.4.2 remote-as=200 update-source=ether4(this establishes the neighbor relationshipwith ISP1).

Now, advertise to ISP2 with AS-path prepend.

[[email protected]] > routing bgp peer add name=peer2 instance=default remote-addre ss=5.5.5.2 remote-as=300 update-source=ether5 set out-filter=ABC-OUT

Note that the ebgp multip-hop feature was not used because the peering was done on a physical interface on all the peering ISP routers. Assuming it done using a loopback interface on the ISP routers, then the ebgp multi-hop feature would have been used.

On ISP1 router:

Assign an IP to the interface connecting HQ

[[email protected]] > ip address add address=4.4.4.2/30 interface=ether4

Create a bridge

[[email protected]] > interface bridge add name=bridge1

Assign an IP to the bridge.

[[email protected]] > ip address add address=10.0.0.1/24 interface=bridge1 ( you can use anyinterface as your LAN instead of the bridge.)

Enable BGP and assign AS number to 200 to the router.

[[email protected]] > routing bgp instance add as=200 name=default client-to-client

Peer with HQ router

[[email protected]] > routing bgp peer add name=peer1 instance=default remote-address=4.4.4.1 remote-as=400 update-source=ether4( as an ISP, you can also implement a filterrule to allow only the public prefix of a client into the routing table of ISP1 router. We will do that on ISP2)

On ISP2:

Assign an IP to the interface connecting HQ

[[email protected]] > ip address add address=5.5.5.2/30 interface=ether5

Create a bridge

[[email protected]]> interface bridge add name=bridge1

Assign an IP to the bridge.

[[email protected]] > ip address add address=20.0.0.1/24 interface=bridge1 ( you can use any interface as your LAN instead of the bridge.)

Create a filter rule to accept only the prefix on HQ router. This will make sure that ISP2 does not receive the prefixes from any other router. This feature is used to save the router from having the entire routing table of the internet dumped on it.

[[email protected]] > routing filter add chain=ABC-IN prefix=192.168.40.0/24 invert-match=yes action=discard

Enable BGP and assign AS number to 300 to the router.

[[email protected]] > routing bgp instance add as=300 name=default client-to-client

Peer with HQ router while making sure that only the prefix of HQ is allowed in.

[[email protected]] > routing bgp peer add name=peer1 instance=default remote-addre ss=5.5.5.1 remote-as=400 update-source=ether5 set in-filter=ABC-IN

To see if the bgp peering was successful, use the routing bgp peer print command to see an output similar to the one below. What to look out for is the “E” which means established

[[email protected]]> routing bgp peer print

Flags: X
– disabled, E – established

#
INSTANCE REMOTE-ADDRESS REMOTE-AS

0 E default 4.4.4.2 200

1 E default 5.5.5.2 300

[[email protected]]>

Now, we need to see how the HQ prefix is being advertised to both ISPs. First, let’s check on ISP1.

How HQ is seen from ISP1

ISP1 routing table has entries for HQ’s prefix and the prefix of ISP2. Now, let’s see how many AS it will take to get to HQ from ISP1. To see that double-click on the HQ entry in the routing table and click on attributes.

From the image above, it takes one AS to get to HQ prefix from ISP1. Now, let’s look at ISP2.

You may also like: Basic ebgp setup on Cisco router

Because of the filter rule, ISP2 has no entry for the prefix attached to ISP1(10.0.0.0/24). This is a good way of not only making sure that clients do not goof up your routing table but also saving your router’s processor. Now let’ts see how many AS it takes to get to HQ from ISP2. Remember we used AS-PATH-PREPEND for that peering with ISP2. Let’s see if it worked.

Beautiful! you can see from the image above that the 192.168.40.0/24 prefix has three AS- the original one plus the two we added. Take this like hop counts in RIP, one is better than three. When both ISPs advertise to upper providers, most of them will prefer the link from ISP1 because it has a shorter AS path to HQ.

Please, follow me on twitter, like on Facebook and subscribe to my channel on YouTube for more on Mikrotik, Cisco, and other tech-related knowledge. Thanks for reading and try to stay safe this new year and beyond.

Click here to see my Youtube video on this topic.

Spread the love

2 thoughts on “Dual ISP bgp on Mikrotik with load-balancing and automatic failover.”

BestHelaine
April 30, 2018 at 8:39 am

I see you don’t monetize your site, don’t waste your traffic, you
can earn extra cash every month because you’ve got high quality content.
If you want to know how to make extra $$$, search for: Ercannou’s essential adsense alternative
- TimigatePost author
  April 30, 2018 at 11:24 am
  
  Thanks for the advice. I will look into it.