OpenBGP block an AS from ISP2
-
I have 2 BGP uplinks, everything worked well for quite a few months.
Recently, incoming traffic from China Unicom (AS 4837) keeps coming in via the Hurricane Electric route no matter how many times I prepend-self. It needs to go via HKBNv4.
I am able to force the outgoing traffic to 4837 with localpref.
Is there a way for me to block a list of AS completely on HEv4?

```
# This file was manually created with the help from Reiner030; use no umlauts/special chars!
AS 132597
fib-update yes
network 103.16.26.0/23
network 2001:df0:465::/48

# uplink 1: HKBN (IPv4)
neighbor 59.148.193.226 {
	descr "HKBNv4"
	announce all
	remote-as 10103
	local-address 59.148.193.227
}

# AS lists used by the filters below
AS_HKBN = "{ 4635, 7473, 9066, 20940, 31377 }"
AS_CN = "{ 4134, 4538, 4789, 4808, 4809, 4812, 4813, 4815, 4835, 4837, 4839, 4840, 4843, 4847, 4859, 7497, 7576, 7638, 7640, 7641, 9298, 9306, 9308, 9389, 9391, 9394, 9401, 9406, 9535, 9800, 9801, 9802, 9803, 9805, 9807, 9808, 9809, 9810, 9811, 9812, 9814, 9929, 9939, 10212, 17428, 17429, 17430, 17431, 17442, 17457, 17490, 17621, 17622, 17623, 17633, 17638, 17672, 17739, 17772, 17773, 17775, 17780, 17781, 17785, 17816, 17883, 17896, 17897, 17923, 17962, 17964, 17966, 17968, 17969, 18011, 18022, 18118, 18239, 18240, 18241, 18242, 18243, 18245, 18344, 23650, 23724, 23771, 23839, 23840, 23841, 23842, 23844, 23848, 23849, 23851, 23853, 23910, 23911, 23912, 24059, 24134, 24136, 24137, 24138, 24139, 24141, 24143, 24147, 24149, 24151, 24311, 24348, 24349, 24350, 24352, 24357, 24364, 24367, 24376, 24400, 24403, 24406, 24407, 24409, 24413, 24416, 24420, 24422, 24424, 24425, 24426, 24427, 24430, 24444, 24445, 24489, 24490, 24495, 24547, 24575, 37937, 37941, 37942, 37943, 37944, 37957, 37958, 37963, 37965, 37970, 37981, 38019, 38027, 38057, 38208, 38283, 38341, 38342, 38345, 38356, 38358, 38361, 38363, 38364, 38365, 38367, 38370, 38372, 38375, 38378, 38379, 38380, 38381, 38564, 38585, 38587, 38834, 45057, 45061, 45062, 45069, 45071, 45075, 45076, 45077, 45079, 45080, 45081, 45082, 45083, 45084, 45086, 45087, 45090, 45091, 45095, 45096, 45100, 45101, 45102, 45110, 45113, 45275, 45576, 45587, 45866, 45888, 55439, 55466, 55468, 55515, 55721, 55743, 55786, 55956, 55958, 55960, 55963, 55966, 55967, 55971, 55973, 55982, 55987, 55998, 56000, 56002, 56003, 56005, 56006, 56008, 56012, 56013, 56015, 56040, 56041, 56042, 56046, 56047, 56048, 56292, 58448, 58461, 58518, 58519, 58536, 58811, 58856, 58865, 58908, 58962, 61223, 131300, 131307, 132203, 132366, 132437, 132510 }"
AS_HE = "{ 6939, 174, 209, 701, 1239, 1299, 2828, 2914, 3257, 3356, 4323, 4436, 6453, 6461, 7018, 11855, 13789, 19151, 32475, 36351 }"

# policy on the HKBN session: prefer HKBN for HKBN and Chinese ASes, depref HE-ish ASes
match from 59.148.193.226 { AS $AS_HKBN, AS $AS_CN } set { localpref 220, med 0, prepend-neighbor 0, prepend-self 0 }
match to 59.148.193.226 { AS $AS_HKBN, AS $AS_CN } set { localpref 220, med 0, prepend-neighbor 0, prepend-self 0 }
match from 59.148.193.226 { AS $AS_HE } set { localpref 0, med 200, prepend-neighbor 7, prepend-self 5 }
match to 59.148.193.226 { AS $AS_HE } set { localpref 0, med 200, prepend-neighbor 7, prepend-self 5 }

# uplink 2: Hurricane Electric (IPv4)
neighbor 27.50.33.25 {
	descr "HEv4"
	announce all
	remote-as 6939
	local-address 27.50.33.26
	set prepend-neighbor 7
	set prepend-self 1
}

# policy on the HE session: the mirror image of the HKBN policy
match from 27.50.33.25 { AS $AS_HE } set { localpref 210, med 0, prepend-neighbor 1, prepend-self 1 }
match to 27.50.33.25 { AS $AS_HE } set { localpref 210, med 0, prepend-neighbor 0, prepend-self 0 }
match from 27.50.33.25 { AS $AS_HKBN, AS $AS_CN } set { localpref 0, med 200, prepend-neighbor 7, prepend-self 7 }
match to 27.50.33.25 { AS $AS_HKBN, AS $AS_CN } set { localpref 0, med 200, prepend-neighbor 7, prepend-self 7 }

# Hurricane Electric (IPv6)
neighbor 2001:470:1:215::1 {
	descr "HEv6"
	announce all
	remote-as 6939
	local-address 2001:470:1:215::2
}

# allow/deny rules: evaluated in order, the last matching rule decides
deny from any
deny to any
allow from 59.148.193.226
allow to 59.148.193.226
allow from 27.50.33.25
allow to 27.50.33.25
allow from 2001:470:1:215::1
allow to 2001:470:1:215::1
# dont forget one empty line after last command to let it work
```

I tried the following but no luck.

```
deny from 27.50.33.25 { AS $AS_CN }
deny to 27.50.33.25 { AS $AS_CN }
```
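As an added example (not the poster's config and not from any reply), a small Python model of how OpenBGPD walks its filter rules: rules are checked in order, the last matching rule decides, and `AS n` matches when n appears anywhere in the AS_PATH. It models only `from <neighbor>` and `AS` constraints with a constructed AS_PATH, and shows that a deny placed before the later blanket `allow from 27.50.33.25` is overridden, while the same deny placed after it takes effect.

```python
# Added example, not the poster's config.  Assumptions: import rules only
# ("from"), with an optional neighbour and an optional AS constraint; "AS n"
# matches anywhere in the AS_PATH; rules are walked in order and the last
# matching rule decides (the semantics documented in bgpd.conf(5)).
from dataclasses import dataclass
from typing import Optional

HEV4 = "27.50.33.25"       # HE neighbour from the poster's config
HKBNV4 = "59.148.193.226"  # HKBN neighbour from the poster's config
AS_CN = frozenset({4134, 4808, 4837})  # constructed subset of AS_CN


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    neighbor: Optional[str] = None       # None means "from any"
    as_set: Optional[frozenset] = None   # None means no AS constraint

    def matches(self, neighbor: str, as_path: list) -> bool:
        if self.neighbor is not None and self.neighbor != neighbor:
            return False
        if self.as_set is not None and not self.as_set.intersection(as_path):
            return False
        return True


def evaluate(rules, neighbor, as_path):
    """Action of the last matching rule; 'deny' when nothing matches."""
    decision = "deny"
    for rule in rules:
        if rule.matches(neighbor, as_path):
            decision = rule.action
    return decision


# Deny placed BEFORE the neighbour's blanket allow: the allow matches last.
DENY_FIRST = [
    Rule("deny"),
    Rule("deny", neighbor=HEV4, as_set=AS_CN),
    Rule("allow", neighbor=HKBNV4),
    Rule("allow", neighbor=HEV4),
]
# Deny placed AFTER the blanket allow: it is now the last match.
DENY_LAST = [
    Rule("deny"),
    Rule("allow", neighbor=HKBNV4),
    Rule("allow", neighbor=HEV4),
    Rule("deny", neighbor=HEV4, as_set=AS_CN),
]

PATH_HE_TO_CN = [6939, 4837]        # constructed AS_PATH learned from HE
PATH_HE_OTHER = [6939, 3356, 7018]  # constructed AS_PATH with no AS_CN member
```

Either way, an import filter on the HE session only changes which routes this router accepts from HE, that is, where its own outbound traffic goes; the path AS 4837 uses to reach 103.16.26.0/23 is chosen on their side from what they hear, so only what is announced toward each uplink can influence it.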
-
Hi,
have you checked out what bgpd reads in?

```
/usr/pbi/openbgpd-amd64/sbin/bgpd -nv -f /var/etc/openbgpd/bgpd.conf
```

Sometimes OpenBGPd makes crazy reconfigurations…
Also helpful - check out your actual settings: could be a combination of bgpctl like
- overview over a route:

```
bgpctl show rib 1.2.3.4
bgpctl show rib 1.2.3.4 details
```

- show announced route from neighbour: with AS… with Source AS:

```
bgpctl show rib nei <neighbor> as <as-number>
# bgpctl show rib nei <neighbor> source-as <as-number>
```

Overview over all parameters, which I haven't tested out all yet ;)
=> http://www.openbsd.org/cgi-bin/man.cgi?query=bgpctl