
Mikrotik and OSPF. What we had to face and how we overcame it

Good day. Today I would like to talk about something that made our lives miserable and kept our brains exploding for a long time: Mikrotik and OSPF.
Mikrotik is a good piece of hardware in itself, low in cost and with a lot of capability, but unfortunately not without flaws.
Our network diagram is as follows:


ROU1 - Cisco c3845
ROU2 - Cisco c3845
MT1 - Mikrotik 1100Ahx2
MT2 - Mikrotik 1100Ahx2
c3550 - Cisco c3550
GW68 - MikroTik RB751U-2HnD
GW69 - MikroTik RB751U-2HnD

ROU1 and ROU2 have tunnels to MT1 and MT2 respectively (IPsec is omitted here) and run the OSPF process for the backbone. The backbone subnet is 10.0.0.0/19:

ROU1 and ROU2 configuration
# ROU1
interface Tunnel100641
description # XXX_IRK64_YYY #
ip address 172.20.64.1 255.255.255.252
ip access-group DMZ_IN in
ip access-group DMZ_OUT out
ip mtu 1450
ip ospf network point-to-point
ip ospf cost 10
ip ospf mtu-ignore
ip ospf 1 area 0.0.0.0
tunnel source 194.xxx
tunnel mode ipip
tunnel destination 195.xxx
router ospf 1
router-id 255.255.255.255
redistribute ospf 100 metric-type 1 subnets route-map OSPF_100_to_BB
network 172.20.64.0 0.0.0.3 area 0.0.0.0

# ROU2
interface Tunnel100642
description # XXX_IRK64_YYY #
ip address 172.20.64.5 255.255.255.252
ip access-group DMZ_IN in
ip access-group DMZ_OUT out
ip mtu 1450
ip ospf network point-to-point
ip ospf cost 40
ip ospf mtu-ignore
ip ospf 1 area 0.0.0.0
tunnel source 109.xxx
tunnel mode ipip
tunnel destination 85.xxx

router ospf 1
router-id 255.255.255.254
redistribute ospf 100 metric-type 1 subnets route-map OSPF_100_to_BB
network 172.20.64.4 0.0.0.3 area 0.0.0.0

On MT1 and MT2 the tunnel addresses are 172.20.64.2 and 172.20.64.6 respectively. The backbone area already exists by default.

MT1 and MT2 configuration
# MT1

# Create the tunnel
/interface ipip add comment=YYY_VL03_ROU1 disabled=no local-address=195.xxx mtu=1450 name=ipip_yyy_vl03_rou1 remote-address=194.xxx

# Assign an address to it
/ip address add address=172.20.64.2/30 comment=YYY_VL03_XXX interface=ipip_yyy_vl03_rou1

# Adjust the default instance: add filters and a router-id
/routing ospf instance set [find default=yes] in-filter=ospf-default-in out-filter=ospf-default-out redistribute-other-ospf=as-type-1 router-id=30.0.64.1

# Add the subnet to area backbone
/routing ospf network add area=backbone comment="Backbone Network VL" network=172.20.64.0/30

# Create the filters
/routing filter add action=accept chain=ospf-default-out prefix=10.0.64.0/19
/routing filter add action=accept chain=ospf-default-out prefix=172.20.64.0/19
/routing filter add action=discard chain=ospf-default-out
/routing filter add action=accept chain=ospf-default-in prefix=10.0.0.0/19
/routing filter add action=accept chain=ospf-default-in prefix=172.20.0.0/19
/routing filter add action=discard chain=ospf-default-in

# Create the OSPF interface
/routing ospf interface add authentication-key=0 interface=ipip_yyy_vl03_rou1 network-type=point-to-point priority=255

# MT2

# Create the tunnel
/interface ipip add comment=YYY_VL03_ROU2 disabled=no local-address=85.xxx mtu=1450 name=ipip_yyy_vl03_rou2 remote-address=109.xxx

# Assign an address to it
/ip address add address=172.20.64.6/30 comment=YYY_VL03_ROU2 interface=ipip_yyy_vl03_rou2

# Adjust the default instance: add filters and a router-id
/routing ospf instance set [find default=yes] in-filter=ospf-default-in out-filter=ospf-default-out redistribute-other-ospf=as-type-1 router-id=30.0.64.2

# Add the subnet to area backbone
/routing ospf network add area=backbone comment="Backbone Network VL" network=172.20.64.4/30

# Create the filters
/routing filter add action=accept chain=ospf-default-out prefix=10.0.64.0/19
/routing filter add action=accept chain=ospf-default-out prefix=172.20.64.0/19
/routing filter add action=discard chain=ospf-default-out
/routing filter add action=accept chain=ospf-default-in prefix=10.0.0.0/19
/routing filter add action=accept chain=ospf-default-in prefix=172.20.0.0/19
/routing filter add action=discard chain=ospf-default-in

# Create the OSPF interface
/routing ospf interface add authentication-key=0 cost=40 interface=ipip_yyy_vl03_rou2 network-type=point-to-point priority=200

But we also need a direct connection between MT1 and MT2.
For this we use a new area, IRK. The Cisco c3550 is not just a switch, it is our root device: all the VLANs are terminated on it, the providers come in through it, VRFs are created on it, and so on (if there is interest, I will describe the whole network layout).
We create area IRK on the c3550 and two VLANs to connect to MT1 and MT2. Area IRK is the main area of the RU, the regional node, in which all routers attached to this node operate.
C3550 configuration
interface Vlan66
description # MGM 1 VLAN #
ip address 172.20.64.98 255.255.255.252
ip policy route-map test
ip ospf cost 10
ip ospf hello-interval 5
ip ospf dead-interval 10
ip ospf priority 100
!
interface Vlan67
description # MGM 2 VLAN #
ip address 172.20.64.102 255.255.255.252
ip ospf cost 10
ip ospf hello-interval 5
ip ospf dead-interval 10
ip ospf priority 50

router ospf 100
router-id 10.0.64.0
log-adjacency-changes
redistribute connected metric-type 1 subnets
redistribute static metric-type 1 subnets
network 172.20.64.96 0.0.0.3 area 10.0.64.0
network 172.20.64.100 0.0.0.3 area 10.0.64.0

# Two null routes (aggregate prefixes with distance 250, picked up by redistribute static)

ip route 10.0.64.0 255.255.224.0 Null0 250
ip route 172.20.64.0 255.255.224.0 Null0 250

Now let's bring these VLANs up on MT1 and MT2, create a new OSPF instance and area, add the link between MT1 and MT2 and assign addresses.
MT1 and MT2 configuration
# MT1
# Create the VLAN
/interface vlan add interface=ether1 l2mtu=1594 name=vlan_66_mgm vlan-id=66

# Create the area
/routing ospf area add area-id=10.0.64.0 instance=IRK name=IRK

# Create the instance
/routing ospf instance add distribute-default=if-installed-as-type-1 name=IRK redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 router-id=10.0.64.1

# Assign IP addresses
/ip address add address=172.20.64.97/30 comment=MGM_Interface interface=vlan_66_mgm
/ip address add address=172.20.64.105/30 comment=MT-MT_Interface interface=ether2

# Add the subnets to area IRK
/routing ospf network add area=IRK network=172.20.64.96/30
/routing ospf network add area=IRK network=172.20.64.104/30

# Create the OSPF interface
/routing ospf interface add dead-interval=10s hello-interval=5s interface=vlan_66_mgm network-type=broadcast priority=255

# MT2
# Create the VLAN
/interface vlan add interface=ether1 l2mtu=1594 name=vlan_67_mgm vlan-id=67

# Create the area
/routing ospf area add area-id=10.0.64.0 instance=IRK name=IRK

# Create the instance
/routing ospf instance add distribute-default=if-installed-as-type-1 name=IRK redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 router-id=10.0.64.2

# Assign IP addresses
/ip address add address=172.20.64.101/30 comment=MGM_Interface interface=vlan_67_mgm
/ip address add address=172.20.64.106/30 comment=MT-MT_Interface interface=ether2

# Add the subnets to area IRK
/routing ospf network add area=IRK network=172.20.64.100/30
/routing ospf network add area=IRK network=172.20.64.104/30

# Create the OSPF interface
/routing ospf interface add dead-interval=10s hello-interval=5s interface=vlan_67_mgm network-type=broadcast priority=200

Let me check that I have not forgotten anything. What we have:

1. Two tunnels to the central routers, one from each Mikrotik.
2. Costs 10 and 40 respectively. That is, while the primary provider on MT1 is alive, the route to backbone 10.0.0.0/19 goes through the tunnel to ROU1; when it is dead, through the tunnel to ROU2.
3. A direct link between MT1 and MT2, so as not to always push traffic through the c3550.

Configured. Everything works:

# MT1
ADo dst-address=10.0.0.0/19 gateway=172.20.64.1 gateway-status=172.20.64.1 reachable via ipip_yyy_vl03_rou1 distance=110 scope=20 target-scope=10 ospf-metric=40 ospf-type=external-type-1

# MT2
ADo dst-address=10.0.0.0/19 gateway=172.20.64.105 gateway-status=172.20.64.105 reachable via ether2 distance=110 scope=20 target-scope=10 ospf-metric=50 ospf-type=external-type-1

On MT2 the route to the 10.x network goes via ether2 (through MT1, metric 40 + 10 = 50 instead of 70 via its own tunnel), as it should in principle.

Problem 1:

One day the provider on MT1 dies. Subnet 10.0.0.0/19 becomes reachable through the tunnel to ROU2, and everything is as it should be:

# MT2
ADo dst-address=10.0.0.0/19 gateway=172.20.64.5 gateway-status=172.20.64.5 reachable via ipip_yyy_vl03_rou2 distance=110 scope=20 target-scope=10 ospf-metric=70 ospf-type=external-type-1

BUT! As soon as the provider on MT1 comes back to life, we see the following:

# MT1
ADo dst-address=10.0.0.0/19 gateway=172.20.64.1 gateway-status=172.20.64.1 reachable via ipip_yyy_vl03_rou1 distance=110 scope=20 target-scope=10 ospf-metric=40 ospf-type=external-type-1

# MT2
ADo dst-address=10.0.0.0/19 gateway=172.20.64.5 gateway-status=172.20.64.5 reachable via ipip_yyy_vl03_rou2 distance=110 scope=20 target-scope=10 ospf-metric=70 ospf-type=external-type-1

Each router is looking into its own tunnel, even though MT2 has a cheaper path (metric 50) through MT1. That does not suit us at all. Reboot MT2 and it starts receiving the route via ether2 from MT1 again. A mess.

As a temporary solution we moved all the regional nodes onto ROU1 and ROU2. Everything worked very nicely until one day our Cisco said: too many routing processes.

And so we were back to the backbone problem. Long battles with support led nowhere, but at one fine moment we got the answer that when Mikrotik redistributes routes between areas (in this case the route from the backbone is redistributed via IRK) it starts installing routes incorrectly, and we get the picture where every router looks into its own tunnel.
Then the solution suggests itself: we put an additional IP on ether2 and bring a new subnet into the backbone.

# MT1
/ip address add address=172.20.64.121/30 comment="MT-MT BB" interface=ether2
/routing ospf network add area=backbone network=172.20.64.120/30

# Do not accept the route learned via IRK (the chain name must match the in-filter of the instance it is meant for)
/routing filter add action=discard chain=ospf-in prefix=10.0.0.0/19

# MT2
/ip address add address=172.20.64.122/30 comment="MT-MT BB" interface=ether2
/routing ospf network add area=backbone network=172.20.64.120/30

# Do not accept the route learned via IRK (the chain name must match the in-filter of the instance it is meant for)
/routing filter add action=discard chain=ospf-in prefix=10.0.0.0/19

And so the 10.0.0.0/19 route is no longer re-imported through a foreign area: MT2 now learns it within the backbone itself, over the MT1-MT2 link that has been added to area 0, while the copy coming from the other instance is dropped by the filter. Phew, one problem beaten.
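A check for this state, as an added example and not something from the post: the script below runs a small SPF over the topology and costs described above (ROU1-MT1 cost 10, ROU2-MT2 cost 40, MT1-MT2 cost 10, both Ciscos redistributing 10.0.0.0/19 as external type 1) and compares the result with the route each Mikrotik actually has installed, as printed by /ip route print detail. The external seed metric of 30 is an assumption inferred from the metrics shown above (40 = 10 + 30, 70 = 40 + 30); the sample route lines are constructed copies of the post's output, and the MT1-MT2 next-hop addresses are those of the IRK link (172.20.64.105/106) from before the fix, so NEXT_HOP has to be adjusted for the new 172.20.64.120/30 link.

```python
"""Compare each MikroTik's installed route for 10.0.0.0/19 with what OSPF should
pick given the link costs from the post, to catch the stuck state in which both
MT1 and MT2 point into their own tunnels while MT1's tunnel is up."""
import heapq
import re

# Link costs as configured in the post (treated as symmetric here).
LINKS = {
    frozenset({"ROU1", "MT1"}): 10,   # ipip tunnel, cost 10 on both ends
    frozenset({"ROU2", "MT2"}): 40,   # ipip tunnel, cost 40 on both ends
    frozenset({"MT1", "MT2"}): 10,    # ether2 link between the MikroTiks
}
# Both Ciscos redistribute 10.0.0.0/19 as external type 1. The seed metric 30 is
# an assumption inferred from the post's metrics (40 = 10 + 30, 70 = 40 + 30).
EXT_METRIC = 30
ASBRS = ("ROU1", "ROU2")
PREFIX = "10.0.0.0/19"
# Next-hop address each MikroTik uses towards a neighbour (post's addressing, pre-fix).
NEXT_HOP = {
    ("MT1", "ROU1"): "172.20.64.1",
    ("MT2", "ROU2"): "172.20.64.5",
    ("MT2", "MT1"): "172.20.64.105",
    ("MT1", "MT2"): "172.20.64.106",
}


def spf(source, down=()):
    """Dijkstra from `source` to the pseudo-node EXT (the redistributed prefix).
    Returns (type-1 metric, first-hop router) or (None, None) if unreachable."""
    dead = {frozenset(link) for link in down}
    graph = {}
    for link, cost in LINKS.items():
        if link in dead:
            continue
        a, b = tuple(link)
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    for asbr in ASBRS:                      # type-1 external: path cost + seed metric
        graph.setdefault(asbr, []).append(("EXT", EXT_METRIC))
    dist, first, heap = {source: 0}, {source: None}, [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        if node == "EXT":
            return d, first[node]
        for nbr, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first[nbr] = nbr if node == source else first[node]
                heapq.heappush(heap, (nd, nbr))
    return None, None


KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_route(line):
    """Parse one line of `/ip route print detail` into its flags and key=value fields."""
    flags, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["flags"] = flags
    return fields


def audit(router, route_line, down=()):
    """Compare the installed route with what SPF says it should be."""
    obs = parse_route(route_line)
    metric, hop = spf(router, down)
    expected = (NEXT_HOP.get((router, hop)), metric)
    observed = (obs.get("gateway"), int(obs.get("ospf-metric", -1)))
    ok = (obs.get("dst-address") == PREFIX and "A" in obs["flags"]   # A = active route
          and observed == expected)
    return {"router": router, "ok": ok, "expected": expected, "observed": observed}


# Constructed sample: the stuck state from the post, in native RouterOS print format.
STUCK = {
    "MT1": "ADo dst-address=10.0.0.0/19 gateway=172.20.64.1 gateway-status=172.20.64.1 reachable via ipip_yyy_vl03_rou1 distance=110 scope=20 target-scope=10 ospf-metric=40 ospf-type=external-type-1",
    "MT2": "ADo dst-address=10.0.0.0/19 gateway=172.20.64.5 gateway-status=172.20.64.5 reachable via ipip_yyy_vl03_rou2 distance=110 scope=20 target-scope=10 ospf-metric=70 ospf-type=external-type-1",
}

if __name__ == "__main__":
    for router, line in STUCK.items():
        print(audit(router, line))                           # MT2 is flagged
        print(audit(router, line, down=[("ROU1", "MT1")]))   # MT2 is fine once MT1's tunnel is really down
```

Feed it both routers' output after every failover and recovery: an entry with ok False while the ROU1-MT1 tunnel is up is exactly the state described above, and it is cheaper to alert on it than to find it in the traffic bill.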

Now, to look at the second problem, here is the GW config. I will omit the config on MT1 and MT2; there is nothing complicated there.

In the figure we have GW68 and GW69; I will give the settings for only one of them, abbreviated:

On the Mikrotik 751:
ether2 - backup provider
ether3 - primary provider
ether5 - LAN
The question arises: why is ether2 not the primary provider? At first we made ether1 the primary provider, but it turned out to be some kind of semi-software port and IPsec performance on it was non-existent, so we simply moved it to ether3 so as not to edit the config too much.

GW68 configuration
# Create the tunnels
/interface ipip add comment=X_GW64_X disabled=no local-address=195.xxx mtu=1440 name=ipip_x_gw64_x remote-address=195.xxx
/interface ipip add comment=Y_GW64_Y disabled=no local-address=87.xxx mtu=1440 name=ipip_y_gw64_y remote-address=85.xxx

# Create a bridge combining the wifi AP and ether5
/interface bridge add l2mtu=1594 name=bridge_private
/interface bridge port add bridge=bridge_private interface=ether5
/interface bridge port add bridge=bridge_private interface=wlan_private

# Create DHCP
/ip pool add name=10.0.68.0 ranges=10.0.68.64-10.0.68.160
/ip dhcp-server add address-pool=10.0.68.0 disabled=no interface=bridge_private name=10.0.68.0
/ip dhcp-server network add address=10.0.68.0/24 dns-server=10.0.64.14,10.0.3.6 domain=partner.ru gateway=10.0.68.1

# Assign IP addresses
/ip address add address=10.0.68.1/24 comment=LAN interface=bridge_private
/ip address add address=172.20.68.2/30 comment=X_GW64_X interface=ipip_x_gw64_x
/ip address add address=172.20.68.6/30 comment=Y_GW64_Y interface=ipip_y_gw64_y
/ip address add address=195.xxx/30 comment=X interface=ether3
/ip address add address=87.xxx/30 comment=Y interface=ether2

# Add routes to the MT1 and MT2 addresses via the provider gateways
/ip route add check-gateway=ping comment=Route_over_Y_to_Y distance=1 dst-address=85.xxx/32 gateway=1.1.1.1
/ip route add check-gateway=ping comment=Route_over_X_to_X distance=1 dst-address=195.xxx/32 gateway=2.2.2.2

# Add the area and instance, the networks and the OSPF interfaces
/routing ospf instance set [find default=yes] disabled=yes
/routing ospf instance add name=IRK router-id=10.0.68.1
/routing ospf area add area-id=10.0.64.0 instance=IRK name=IRK
/routing ospf network add area=IRK network=172.20.68.0/30
/routing ospf network add area=IRK network=172.20.68.4/30
/routing ospf network add area=IRK network=10.0.68.0/24
/routing ospf interface add authentication=md5 authentication-key=0 interface=ipip_x_gw64_x network-type=point-to-point priority=0
/routing ospf interface add authentication=md5 authentication-key=0 cost=40 interface=ipip_y_gw64_y network-type=point-to-point priority=0
/routing ospf interface add authentication=md5 authentication-key=0 interface=bridge_private network-type=broadcast passive=yes

How it all works:

GW68 establishes two tunnels, to MT1 and to MT2, each through its own provider. There is no default route on the Mikrotik; the addresses of MT1 and MT2 are reached via the static routes above.
The tunnel to MT1 has cost 10, the tunnel to MT2 cost 40. As soon as the tunnels come up, we receive the default and all other routes from MT1 via OSPF, and all traffic goes to MT1. When the primary provider drops, the routes through the tunnel to MT2 become active once the OSPF dead timer expires.

Problem 2:

With the primary channel alive, we see in the GW68 log:

20:12:26 route,packet,ospf,info database, packet has different master status flag
20:12:26 route,ospf,info new master flag=false

At this moment our traffic, all by itself, starts going through the tunnel to MT2. The tunnel to MT1 is alive, yet the traffic runs through the tunnel to MT2. And since the stores usually have only a few megabytes of reserve on that channel,
we end up burning money for no reason.
To get everything back onto the tunnel to MT1 we had to disable and re-enable the tunnel to GW68 on MT1. Moreover, this problem occurred only in some cities, not on all routers.
On the Mikrotik forum and in tech support nobody helped us. One day a colleague of mine, trying to bring up a tunnel between MT1 and a Juniper SRX-650, armed with a bunch of alcohol, a sniffer and a debugger :)
was debugging IPsec and came across OSPF authentication errors on the Mikrotik. We disabled authentication on the OSPF interfaces and voila, the problem disappeared by itself.
How the authentication goes there and where it fails, neither he nor I remember now. But the issue is resolved. Why it worked fine with authentication in some places, I cannot say.
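The "different master status flag" line above comes from the database-description exchange, and what the sniffer turned up was OSPF authentication failing on the Mikrotik. Before switching authentication off it helps to know exactly what a receiver checks, because each check is a separate way for two boxes to disagree: the key ID carried in the packet header (for example RouterOS's authentication-key-id against the key number in Cisco's ip ospf message-digest-key), the 16-byte MD5 digest over the packet plus the zero-padded key, and the cryptographic sequence number that must not go backwards (RFC 2328 Appendix D.4.3). The following Python script is an added example and not code from the post; it builds an OSPFv2 Hello for the GW68 tunnel to MT1 with an MD5 trailer and verifies it the way a peer would, exercising the three failure modes separately. The key, key ID and sequence numbers are illustrative. Two caveats: if the 0 in the config above is the real key and not a redaction, it gives no practical protection, and once authentication is removed entirely the IPsec wrapping the tunnels (omitted in the post) is all that is left protecting the adjacency.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.4.3.

Builds a Hello with an MD5 trailer and verifies it as a receiving router does:
key-ID lookup, digest check, cryptographic sequence number check. Router and
area IDs mirror the post's GW68 config; key, key ID and sequence are illustrative.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_CRYPTO = 2
DIGEST_LEN = 16
HDR_FMT = "!BBH4s4sHH"   # version, type, length, router id, area id, checksum, autype
AUTH_FMT = "!HBBI"       # reserved, key id, auth data length, cryptographic sequence number


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def pad_key(key):
    """RFC 2328 D.3: keys are at most 16 octets and are zero-padded to 16."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPFv2 MD5 key longer than 16 octets")
    return key.ljust(DIGEST_LEN, b"\x00")


def hello_body(netmask, hello_interval, dead_interval, priority, neighbors=()):
    """Hello body: mask, hello interval, options (E bit), priority, dead interval, DR, BDR, neighbours."""
    body = struct.pack("!4sHBBI4s4s", ip4(netmask), hello_interval, 0x02, priority,
                       dead_interval, ip4("0.0.0.0"), ip4("0.0.0.0"))
    return body + b"".join(ip4(n) for n in neighbors)


def sign_packet(ptype, router_id, area_id, body, key_id, seq, key):
    """Header + body with autype 2 and checksum 0, then MD5(packet || padded key) appended.
    The digest is not counted in the OSPF length field."""
    length = struct.calcsize(HDR_FMT) + struct.calcsize(AUTH_FMT) + len(body)
    header = struct.pack(HDR_FMT, OSPF_VERSION, ptype, length, ip4(router_id), ip4(area_id), 0, AUTH_CRYPTO)
    header += struct.pack(AUTH_FMT, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(wire, keys, last_seq=None):
    """Receiver side. keys maps key id -> key bytes; last_seq is the last sequence
    accepted from this neighbour. Returns (ok, reason, seq)."""
    if len(wire) < 24:
        return False, "truncated header", None
    version, _ptype, length, _rid, _aid, _csum, autype = struct.unpack(HDR_FMT, wire[:16])
    if version != OSPF_VERSION:
        return False, "not OSPFv2", None
    if autype != AUTH_CRYPTO:
        return False, "auth type %d, expected cryptographic" % autype, None
    _res, key_id, auth_len, seq = struct.unpack(AUTH_FMT, wire[16:24])
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(wire):
        return False, "bad auth data length", seq
    key = keys.get(key_id)
    if key is None:                       # peers configured with different key IDs land here
        return False, "unknown key id %d" % key_id, seq
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch", seq   # different key, or packet modified in flight
    if last_seq is not None and seq < last_seq:
        return False, "sequence %d below last accepted %d" % (seq, last_seq), seq
    return True, "ok", seq


if __name__ == "__main__":
    # Point-to-point Hello carries mask 0.0.0.0 (RFC 2328 section 9.5).
    body = hello_body("0.0.0.0", 10, 40, 0)
    pkt = sign_packet(OSPF_HELLO, "10.0.68.1", "10.0.64.0", body, key_id=1, seq=100, key=b"0")
    print(verify_packet(pkt, {1: b"0"}))                  # accepted
    print(verify_packet(pkt, {1: b"secret"}))             # digest mismatch
    print(verify_packet(pkt, {2: b"0"}))                  # unknown key id
    print(verify_packet(pkt, {1: b"0"}, last_seq=101))    # replayed or stale sequence
```

A capture taken on the tunnel can be fed through verify_packet with the configured key table to tell the three cases apart: an unknown key id points at a key-number mismatch, a digest mismatch at a key or padding difference, and a sequence rejection at a peer whose clock or sequence counter went backwards.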

With Mikrotik you can only read the coffee grounds, since each answer from support raises a new question, and each new firmware brings a new problem :)

Source: https://habr.com/ru/post/201042/

