Thursday, March 21, 2019

BGP filtering on Watchguard, using prefix-list

Hello guys.

So today I ran into an issue. I am creating a tunnel to Azure using a Watchguard firewall, and BGP is required.

The issue is with the BGP configuration on the Watchguard.

! Local AS and the two prefixes advertised to Azure
router bgp 64528
network 192.168.136.0/23
network 10.61.57.16/28
! Inbound filter: what is accepted from the Azure peer
ip prefix-list AZURE_IN permit 172.16.224.0/20
! Outbound filter: what is advertised to the Azure peer
ip prefix-list AZURE_OUT permit 192.168.136.0/23
ip prefix-list AZURE_OUT permit 10.61.57.16/28
! Azure peer, with the filters applied per direction
neighbor 172.16.227.254 remote-as 64525
neighbor 172.16.227.254 activate
neighbor 172.16.227.254 prefix-list AZURE_IN in
neighbor 172.16.227.254 prefix-list AZURE_OUT out

172.16.227.254 is the Azure peer. The adjacency is established without issues.

However, this is actually filtering everything from the Azure side. The moment I filter the Azure peer "in", I don't get any routes at all, and neither does Azure.

If I leave only the "out" statement, Azure receives my routes, but I receive everything from them, and that is not intended.

I have tried a million ways. A prefix-list denying specific networks didn't work either; I tried with a route-map; pretty much anything I specify "in", I get no routes afterwards.

This adjacency needs to be filtered for several reasons. To list a couple: I don't want some random Chinese app devs even receiving routes for systems that I use, and I don't like the possibility of asymmetric routing.

Thoughts?
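One thing worth checking on any Quagga-style prefix-list like the one above (added note and example, not part of the original post and not Watchguard or Quagga code): an entry with neither `ge` nor `le` matches only that exact prefix length, and every prefix-list ends in an implicit deny. So `permit 172.16.224.0/20` accepts exactly one route, 172.16.224.0/20; if the peer advertises more specific prefixes inside that /20, all of them are silently dropped. The post does not show what Azure actually sends, so whether this is the cause here is an assumption. The Python below parses `ip prefix-list` lines from the post's config and evaluates constructed candidate routes against the original AZURE_IN and against a widened variant (`le 32` plus an explicit trailing deny); the widened lengths and the candidate prefixes are assumptions for the demonstration. Needs Python 3.7+ for `subnet_of`.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class PrefixRule(NamedTuple):
    seq: int
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int]              # minimum prefix length, if given
    le: Optional[int]              # maximum prefix length, if given


# ip prefix-list NAME [seq N] permit|deny A.B.C.D/M [ge N] [le N]
_RULE_RE = re.compile(
    r"^ip prefix-list (\S+)(?: seq (\d+))? (permit|deny) (\S+)"
    r"(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixRule]]:
    """Collect 'ip prefix-list' lines from a config blob; every other line
    (router bgp, network, neighbor ...) is ignored.  Rules without an
    explicit seq get 5, 10, 15, ... the way Quagga assigns them."""
    lists: Dict[str, List[PrefixRule]] = {}
    for raw in config.splitlines():
        m = _RULE_RE.match(raw.strip())
        if not m:
            continue
        name, seq, action, prefix, ge, le = m.groups()
        rules = lists.setdefault(name, [])
        seq_no = int(seq) if seq else (rules[-1].seq + 5 if rules else 5)
        rules.append(PrefixRule(
            seq_no, action, ipaddress.ip_network(prefix, strict=False),
            int(ge) if ge else None, int(le) if le else None))
        rules.sort(key=lambda r: r.seq)
    return lists


def rule_matches(rule: PrefixRule, route: ipaddress.IPv4Network) -> bool:
    """A rule matches when the route lies inside the rule's prefix AND the
    route's length falls in the ge/le window.  With neither ge nor le the
    window is exactly the rule's own length: 'permit 172.16.224.0/20'
    matches 172.16.224.0/20 and nothing more specific."""
    if not route.subnet_of(rule.prefix):
        return False
    lo = rule.ge if rule.ge is not None else rule.prefix.prefixlen
    if rule.le is not None:
        hi = rule.le
    elif rule.ge is not None:
        hi = 32                      # 'ge N' alone means N..32
    else:
        hi = rule.prefix.prefixlen   # exact length only
    return lo <= route.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; no match means the implicit 'deny any'
    at the end of every prefix-list (returned with seq None)."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in rules:
        if rule_matches(rule, net):
            return rule.action, rule.seq
    return "deny", None


# The configuration lines exactly as they appear in the post.
POST_CONFIG = """
router bgp 64528
network 192.168.136.0/23
network 10.61.57.16/28
ip prefix-list AZURE_IN permit 172.16.224.0/20
ip prefix-list AZURE_OUT permit 192.168.136.0/23
ip prefix-list AZURE_OUT permit 10.61.57.16/28
neighbor 172.16.227.254 remote-as 64525
"""

# Assumed variant: also accept more specific prefixes inside the /20 and
# end with an explicit deny so the intent is visible in the config.
WIDENED_CONFIG = """
ip prefix-list AZURE_IN seq 5 permit 172.16.224.0/20 le 32
ip prefix-list AZURE_IN seq 100 deny 0.0.0.0/0 le 32
"""

# Constructed candidate advertisements, not taken from the post.
CANDIDATES = ["172.16.224.0/20", "172.16.224.0/24", "172.16.227.0/24", "10.0.0.0/8"]


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision of the post's AZURE_IN versus the widened one per candidate."""
    original = parse_prefix_lists(POST_CONFIG)["AZURE_IN"]
    widened = parse_prefix_lists(WIDENED_CONFIG)["AZURE_IN"]
    return {r: (evaluate(original, r)[0], evaluate(widened, r)[0]) for r in CANDIDATES}


if __name__ == "__main__":
    for route, (orig, wide) in compare().items():
        print(f"{route:18} original={orig:6} widened={wide}")
```

To compare this against reality rather than constructed candidates, Quagga-based routers show what the peer sent before the inbound filter with `show ip bgp neighbors 172.16.227.254 received-routes`, which only works once `neighbor 172.16.227.254 soft-reconfiguration inbound` is configured; `show ip prefix-list AZURE_IN` shows the list as the router parsed it, including the sequence numbers it assigned.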
