Dual ISP bgp on Mikrotik with load-balancing and automatic failover.

The border gateway protocol is the routing protocol of the internet. It allows organizations with blocks of public IPs, known as prefixes, to advertise these addresses to other bgp-speaking routers on the internet. In this post, we will look at how to set up dual ISP bgp on Mikrotik.
The simple reason for using bgp is to “tell” other routers on the internet how best to get to your network. BGP makes use of autonomous systems to advertise public prefixes so that other routers are informed on how to get to your autonomous system (AS).
One of the most common implementations of bgp is a dual-ISP setup. So, in this demonstration, I will show how to implement ebgp to load-balance across two ISP links while making sure that all incoming traffic fails over to the active ISP when the gateway of the other goes down.
[Image showing dual bgp peering]

I have two unequal connections to the internet with a prefix of 192.168.40.0/24 that I need to advertise to the internet via the two ISPs. Why would I want to do this? To make sure that my prefix is reachable via the two ISPs and that my network stays up as long as one of the ISPs is active.

Objective:

 

>>>Implement bgp on the HQ router to successfully peer with the two ISP routers.
>>>For security purposes, make sure only the public prefix is advertised to the ISPs.
>>>Using a bgp attribute, implement policies on the HQ router to ensure that a higher number of incoming packets is routed through ISP1 while the rest go through ISP2, but all packets should pass through the active ISP in the event that either one goes down.

HQ-ROUTER:

Ether4=4.4.4.1/30: connects to ISP1
Ether5=5.5.5.1/30: connects to ISP2
Ether3=192.168.40.0/24: (our public IP block. Yes, I know it is not on the public range. It’s just for this demo)
AS number=400

ISP1-ROUTER:

Ether4=4.4.4.2/30
Bridge1=10.0.0.1/24
AS number =200

ISP2-ROUTER:

Ether5=5.5.5.2/30
Bridge1=20.0.0.1/24
AS number =300

Configuration

HQ-ROUTER:
Interface configuration.
[admin@HQ-ROUTER]> ip add add address=192.168.40.1/24 interface=ether3 comment=LAN
[admin@HQ-ROUTER] > ip add add address=4.4.4.1/30 interface=ether4 comment=ISP1-connection
[admin@HQ-ROUTER] > ip add add address=5.5.5.1/30 interface=ether5 comment=ISP2-connection

BGP setup

First of all, we need to create a filter rule that will be used to prepend the AS-Path of the prefix advertised to ISP2. This will ensure that ISP1 becomes the most preferred link to get to our network.

[admin@HQ-ROUTER] > routing filter add chain=ABC-OUT prefix=192.168.40.0/24 set-bgp-prepend-path=400,400

 

Next, we enable bgp on the HQ router and assign AS number 400 to it.

[admin@HQ-ROUTER] > routing bgp instance add as=400 name=default client-to-client-reflection=yes

(Note that a router cannot be a member of more than one AS.)

We advertise to ISP1 without the filter rule created above, making sure that when HQ router advertises to ISP1, the AS-path is not increased. The shorter the AS-Path, the more preferred the link is.

[admin@HQ-ROUTER] > routing bgp peer add name=peer1 instance=default remote-address=4.4.4.2 remote-as=200 update-source=ether4
(This establishes the neighbor relationship with ISP1.)

Now, advertise to ISP2 with AS-path prepend.

[admin@HQ-ROUTER] > routing bgp peer add name=peer2 instance=default remote-address=5.5.5.2 remote-as=300 update-source=ether5 out-filter=ABC-OUT

Note that the ebgp multi-hop feature was not used because the peering was done on a physical interface on all the peering ISP routers. Had it been done using a loopback interface on the ISP routers, the ebgp multi-hop feature would have been used.

On ISP1 router:

Assign an IP to the interface connecting HQ

[admin@ISP1] > ip address add address=4.4.4.2/30 interface=ether4

Create a bridge

[admin@ISP1] > interface bridge add name=bridge1

Assign an IP to the bridge.

[admin@ISP1] > ip address add address=10.0.0.1/24 interface=bridge1
(You can use any interface as your LAN instead of the bridge.)

Enable BGP and assign AS number 200 to the router.

[admin@ISP1] > routing bgp instance add as=200 name=default client-to-client-reflection=yes

Peer with HQ router

[admin@ISP1] > routing bgp peer add name=peer1 instance=default remote-address=4.4.4.1 remote-as=400 update-source=ether4
(As an ISP, you can also implement a filter rule to allow only the public prefix of a client into the routing table of ISP1 router. We will do that on ISP2.)

 

On ISP2:

Assign an IP to the interface connecting HQ

[admin@ISP2] > ip address add address=5.5.5.2/30 interface=ether5

Create a bridge

[admin@ISP2]> interface bridge add name=bridge1

Assign an IP to the bridge.

[admin@ISP2] > ip address add address=20.0.0.1/24 interface=bridge1
(You can use any interface as your LAN instead of the bridge.)

Create a filter rule to accept only the prefix on HQ router. This will make sure that ISP2 does not receive the prefixes from any other router. This feature is used to save the router from having the entire routing table of the internet dumped on it.

[admin@ISP2] > routing filter add chain=ABC-IN prefix=192.168.40.0/24 invert-match=yes action=discard

Enable BGP and assign AS number 300 to the router.

[admin@ISP2] > routing bgp instance add as=300 name=default client-to-client-reflection=yes

Peer with HQ router while making sure that only the prefix of HQ is allowed in.

[admin@ISP2] > routing bgp peer add name=peer1 instance=default remote-address=5.5.5.1 remote-as=400 update-source=ether5 in-filter=ABC-IN

To see if the bgp peering was successful, use the routing bgp peer print command to see an output similar to the one below. What to look out for is the “E”, which means established.
[admin@HQ-ROUTER]> routing bgp peer print
Flags: X – disabled, E – established
 #   INSTANCE   REMOTE-ADDRESS   REMOTE-AS
 0 E default    4.4.4.2          200
 1 E default    5.5.5.2          300
[admin@HQ-ROUTER]>
Now, we need to see how the HQ prefix is being advertised to both ISPs. First, let’s check on ISP1.
How HQ is seen from ISP1
[Image showing bgp route entries]

ISP1 routing table has entries for HQ’s prefix and the prefix of ISP2. Now, let’s see how many AS it will take to get to HQ from ISP1. To see that, double-click on the HQ entry in the routing table and click on attributes.

[Image: bgp routing table showing attributes]
From the image above, it takes one AS to get to HQ prefix from ISP1. Now, let’s look at ISP2.
[Image: Mikrotik bgp routing table]


 

Because of the filter rule, ISP2 has no entry for the prefix attached to ISP1 (10.0.0.0/24). This is a good way of not only making sure that clients do not goof up your routing table but also saving your router’s processor. Now let’s see how many AS it takes to get to HQ from ISP2. Remember we used AS-PATH-PREPEND for that peering with ISP2. Let’s see if it worked.

[Image: bgp routing table showing AS-Path]
Beautiful! You can see from the image above that the 192.168.40.0/24 prefix has three AS: the original one plus the two we added. Think of this like hop counts in RIP: one is better than three. When both ISPs advertise to upper providers, most of them will prefer the link from ISP1 because it has a shorter AS path to HQ.
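The filter and AS-path behaviour walked through above can be checked with a small model. This is an added Python example, not the author's configuration or MikroTik code: the function names are hypothetical, exact-prefix matching is assumed for both filter chains, and the ISP LAN prefixes are assumed to be advertised as the route tables described above suggest. It also shows that, with no out-filter on peer1 and no discard rule in ABC-OUT, HQ passes ISP2's prefix on to ISP1, which is why ISP1 lists it.

```python
from ipaddress import ip_network

HQ_AS, ISP1_AS, ISP2_AS = 400, 200, 300
HQ_PREFIX = ip_network("192.168.40.0/24")
ISP1_LAN = ip_network("10.0.0.0/24")
ISP2_LAN = ip_network("20.0.0.0/24")

def abc_out(prefix, as_path):
    """HQ chain ABC-OUT: prepend 400,400 to the matching prefix.
    The chain has no discard rule, so other prefixes pass unchanged."""
    return [400, 400] + as_path if prefix == HQ_PREFIX else as_path

def abc_in(prefix):
    """ISP2 chain ABC-IN: invert-match=yes action=discard keeps only
    HQ_PREFIX (assumption: exact match, since no prefix-length is set)."""
    return prefix == HQ_PREFIX

def received_from_hq(routes, out_filter=None, in_filter=None):
    """Routes an ISP installs from HQ, as {prefix: AS path seen by the ISP}.
    `routes` is what HQ holds: {prefix: AS path before HQ's own AS}."""
    table = {}
    for prefix, path in routes.items():
        path = [HQ_AS] + path              # eBGP: HQ adds its own AS
        if out_filter:
            path = out_filter(prefix, path)
        if in_filter is None or in_filter(prefix):
            table[prefix] = path
    return table

def upstream_best(isp1_up=True, isp2_up=True):
    """ISP an upstream router prefers for HQ_PREFIX (shortest AS path),
    or None when neither link is up."""
    hq = {HQ_PREFIX: []}
    offers = {}
    if isp1_up:                            # peer1: no filters on either side
        offers["ISP1"] = [ISP1_AS] + received_from_hq(hq)[HQ_PREFIX]
    if isp2_up:                            # peer2: ABC-OUT on HQ, ABC-IN on ISP2
        via_isp2 = received_from_hq(hq, abc_out, abc_in)[HQ_PREFIX]
        offers["ISP2"] = [ISP2_AS] + via_isp2
    return min(offers, key=lambda isp: len(offers[isp])) if offers else None

if __name__ == "__main__":
    print(received_from_hq({HQ_PREFIX: [], ISP2_LAN: [ISP2_AS]}))  # ISP1's view
    print(received_from_hq({HQ_PREFIX: [], ISP1_LAN: [ISP1_AS]}, abc_out, abc_in))
    print(upstream_best(), upstream_best(isp1_up=False))
```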
Please, follow me on twitter, like on Facebook and subscribe to my channel on YouTube for more on Mikrotik, Cisco, and other tech-related knowledge. Thanks for reading and try to stay safe this new year and beyond.