How to Configure BGP on MikroTik Router (Step-by-Step Guide)

BGP (Border Gateway Protocol) is the standard protocol for inter-autonomous system routing on the Internet. If you run an ISP, multi-homed network, or plan to peer with upstream providers or Internet Exchanges (IXPs), configuring BGP on a MikroTik router is essential. This article provides a clear, step-by-step guide with practical commands, explanations, filters, firewall rules, and troubleshooting tips, written so that both beginners and network engineers can follow.



What you will learn

  • Core BGP concepts and when to use BGP
  • Required information and prerequisites
  • Step-by-step MikroTik BGP configuration (RouterOS v6 & v7 examples)
  • How to advertise prefixes and receive routes
  • Route filtering, import/export policies, and safety
  • Firewall, monitoring and troubleshooting tips

Table of Contents

  1. Introduction to BGP
  2. Prerequisites & Planning
  3. Basic Topology Example
  4. Step 1: Create BGP Instance
  5. Step 2: Add BGP Peer
  6. Step 3: Advertise Your Prefixes
  7. Step 4: Monitor BGP Sessions & Routes
  8. Best Practices & Security
  9. Troubleshooting
  10. FAQ
  11. Conclusion

Introduction to BGP

Border Gateway Protocol (BGP) is used to exchange routing information between Autonomous Systems (AS). An Autonomous System is a network or group of networks under a single administrative domain identified by an ASN (Autonomous System Number). BGP is policy-driven — you control which prefixes you advertise, which you accept, and how traffic flows using attributes (AS path, local-pref, communities, etc.).

For MikroTik users, BGP lets you peer with upstream ISPs, multi-home for redundancy, and participate in IXPs. This guide includes both RouterOS v6 and v7 command examples where appropriate. Both versions keep BGP under the /routing bgp menu, but v6 configures it with instance and peer entries while v7 uses template and connection entries; I’ll note the differences as we proceed.


Prerequisites & Planning

Before configuring BGP, gather the following from your upstream provider or peering partner:

  • Your own ASN (public or private for testing)
  • Your advertised prefix(es) (e.g. 103.151.213.240/28)
  • Peer IP addresses (your side & their side)
  • Remote ASN (peer's ASN)
  • Any required auth method (often MD5 password) or routing policy
  • Decide Router ID (best to use a stable loopback IP)

Plan your addressing: create a loopback (stable IP) to use as BGP router-id and ensure your WAN interfaces are reachable between you and the peer. Use a small diagram on paper or whiteboard to visualize ASNs, peers, and the prefixes you will advertise.


Basic Topology Example

A simple peering topology looks like this:

Upstream ISP (ASN 38493) 172.31.15.177
                 |
            (peer IP)
                 |
        Your MikroTik (ASN 64564) — Loopback 103.151.213.20 (Router ID)
                 |
         — internal network / clients —

We will configure a BGP instance on the MikroTik, add the peer, advertise an example prefix, allow BGP TCP/179 through the firewall, and add basic route filters to avoid accidental leaks.


Step 1: Create a BGP Instance (RouterOS v7 & v6)

The BGP instance identifies your ASN and router-id. The router-id should be a stable IP (commonly a loopback). If you already have an instance, verify the ASN and router-id. Below are CLI examples for both RouterOS v7 and v6. Use the one that matches your RouterOS version.

RouterOS v7 (recommended syntax)

/routing/bgp/template
add as=64564 disabled=no name=Private-AS router-id=103.151.213.20 routing-table=main

RouterOS v6 (older syntax)

/routing bgp instance
add as=64564 name=Private-AS router-id=103.151.213.20 disabled=no

After adding the instance or template, verify it with /routing bgp instance print (v6) or /routing bgp template print (v7). The instance must show the correct ASN and router-id before you add peers.



Step 2: Add a BGP Peer (Create Peering or Connection)

The point-to-point links for External BGP in this setup are already in place, with IP addresses assigned on multiple VLANs. For that part, see the Full ISP Setup on MikroTik Router (Complete Step-by-Step Guide for Beginners). Below, we show how to configure BGP peering and connections.
In BGP peering, there are several important points to keep in mind. The method used for BGP peering in MikroTik RouterOS v6 cannot be applied the same way in RouterOS v7. This topic is somewhat sensitive, so please take your time and try to understand it patiently.

We will first cover BGP peering in OS v6, and then proceed to the method used in OS v7. Detailed scripts and explanations are provided separately below.

BGP With OS v6 & v7

Before creating BGP peering in RouterOS Version 6, you must first configure the BGP Instance. If your organization has its own AS number, you should use that. If not, you may use a private AS number. In many cases, if you plan to use a private AS, your upstream provider may also specify which AS you should use. Below is the script for configuring the AS and creating BGP peering in RouterOS v6.

Script For v6
# Instance
/routing bgp instance
add as=64564 name=Private-AS router-id=10.110.110.10

# Filter
/routing filter
add action=accept chain=OUT prefix=103.151.213.240/28
add action=discard chain=OUT prefix=0.0.0.0/0 prefix-length=0-32

# Peering
/routing bgp peer
add name=IIG-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.177 remote-as=38493 disabled=no
add name=GGC-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.181 remote-as=38493 disabled=no
add name=FNA-PEER instance=Private-AS out-filter=OUT remote-address=172.31.15.185 remote-as=38493 disabled=no
add name=IX-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.193 remote-as=38493 disabled=no
add name=CDN-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.189 remote-as=38493 disabled=no

Script For v7
# Template
/routing bgp template
add as=64564 disabled=no name=Private-AS output.network=RGL-NETWORK router-id=103.151.213.20 routing-table=main

# Connection
/routing bgp connection
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-IIG-PRI output.network=RGL-NETWORK remote.address=172.31.15.177/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-GGC-PRI output.network=RGL-NETWORK remote.address=172.31.15.181/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-FNA-PRI output.network=RGL-NETWORK remote.address=172.31.15.185/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-CDN-PRI output.network=RGL-NETWORK remote.address=172.31.15.189/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-IX-PRI output.network=RGL-NETWORK remote.address=172.31.15.193/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS


Step 3: Advertise Your Prefixes (Announce Networks)

In this step, we will learn the proper method of Public IP advertisement. We will cover two different approaches, one for OS Version 6 and the other for OS Version 7, as each version handles the advertisement process differently. We will begin by demonstrating how to advertise Public IP prefixes in OS Version 6, and then proceed to the method used in OS Version 7.

IP Advertising in OS v6

/routing bgp network
add network=103.151.213.240/28 synchronize=no disabled=no

By completing these steps, your router will successfully advertise the Public IP prefix to your upstream router. Please note that this method applies only to MikroTik RouterOS Version 6.

IP Advertising in OS v7

In this step, we will learn how to advertise Public IPs on MikroTik RouterOS Version 7.

Although advertising Public or Real IPs in Version 7 is a bit more complex than in Version 6, don’t worry: we will explain it in a simple way so that everyone can understand. Below is the advertisement script for Version 7. You just need to replace the example addresses with your own Public IP addresses.

# 1. Address list with the prefixes to announce (the name must match output.network=RGL-NETWORK from Step 2)
/ip/firewall/address-list
add address=103.151.213.240/28 list=RGL-NETWORK

# 2. A matching route must exist in the routing table: use a blackhole route
/ip/route
add dst-address=103.151.213.240/28 blackhole disabled=no

or

/interface/bridge
add name=LoopBack disabled=no
/ip address
add address=103.151.213.240/28 interface=LoopBack disabled=no

Step 4: Monitoring BGP Sessions & Route Table

Once sessions are up, monitor them regularly. MikroTik provides commands and GUI views to check peer state, prefix counts, and advertised/received routes.

# Check BGP connections and state (v7)
/routing/bgp/connection print
/routing/bgp/session print
/ip route print

# Check BGP peers and state (v6)
/routing bgp peer print
/routing bgp network print
/ip route print

Look for state established, prefix counts increasing, and stable session uptime. If routes are missing, check logs, firewall, and filters.


Best Practices & Security

  • Use loopback + update-source: Peering via loopbacks improves stability. Use static routes or IGP to reach peer loopback.
  • Implement max-prefix: Protect against accidental large advertisements. Example (RouterOS v6): /routing bgp peer set upstream-peer max-prefix-limit=1000
  • Use RPKI/IRR filters: Validate that prefixes are legitimate.
  • Limit inbound BGP to known IPs: firewall rules must only accept TCP/179 from peers.
  • Monitor & Alert: SNMP, Netflow, and syslog help detect session flaps or route leaks quickly.
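
The TCP/179 restriction, the max-prefix limit and an inbound route filter from the list above, written out as an added example (not part of the original article). It assumes the peer addresses, prefix and instance name from the Step 2 script; the list name BGP-PEERS and the chain name IN are assumed names. The /ip firewall part is the same on v6 and v7, while the /routing part uses RouterOS v6 syntax.

```routeros
# Added example, not from the original article. BGP-PEERS and IN are assumed names.

# --- Control plane: only configured peers may reach TCP/179 (v6 and v7) ---
/ip firewall address-list
add list=BGP-PEERS address=172.31.15.177 comment="IIG"
add list=BGP-PEERS address=172.31.15.181 comment="GGC"
add list=BGP-PEERS address=172.31.15.185 comment="FNA"
add list=BGP-PEERS address=172.31.15.189 comment="CDN"
add list=BGP-PEERS address=172.31.15.193 comment="IX"

/ip firewall filter
# "add" appends to the end of the chain: move these three rules above any
# general drop rule in chain=input, and keep them in this order.
add chain=input protocol=tcp dst-port=179 src-address-list=BGP-PEERS action=accept comment="BGP: sessions opened by peers"
add chain=input protocol=tcp src-port=179 src-address-list=BGP-PEERS action=accept comment="BGP: replies on sessions we opened"
add chain=input protocol=tcp dst-port=179 action=drop log=yes log-prefix="bgp-drop" comment="BGP: everyone else"

# --- Inbound route policy (RouterOS v6 syntax) ---
/routing filter
add chain=IN prefix=103.151.213.240/28 prefix-length=28-32 action=discard comment="our own prefix must never come back"
add chain=IN prefix=10.0.0.0/8 prefix-length=8-32 action=discard comment="RFC 1918"
add chain=IN prefix=172.16.0.0/12 prefix-length=12-32 action=discard comment="RFC 1918"
add chain=IN prefix=192.168.0.0/16 prefix-length=16-32 action=discard comment="RFC 1918"
add chain=IN prefix-length=25-32 action=discard comment="longer than /24"
add chain=IN action=accept

# Attach the inbound chain and a prefix ceiling to every peer of the instance.
# 1000 is the value used in this guide; size it to what each peer should send.
/routing bgp peer
set [find instance=Private-AS] in-filter=IN max-prefix-limit=1000
```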

Troubleshooting Tips

If your BGP session is not establishing:

  • Check basic IP connectivity: ping between your router and peer IP.
  • Verify AS numbers: ensure local AS and remote AS are correct.
  • If using loopback peering, verify static routes and multihop settings.
  • Inspect logs: /log print where message~"bgp".
  • Confirm that you are advertising networks (network statements) or that origin routes exist.

# Useful commands (RouterOS v6)
/routing bgp peer print
/routing bgp advertisements print
/ip route print where bgp
/log print where message~"bgp"

FAQ

Q: Which RouterOS version should I use — v6 or v7?

A: RouterOS v7 is the modern version with enhanced routing features and is recommended for new deployments. However, many production networks still run v6. This guide gives examples for both; on v7, use the /routing bgp template and connection menus of the newer CLI.

Q: Can I peer with multiple upstreams?

A: Yes — multi-homing is one of BGP's strengths. Peer with multiple providers (each with its ASN and peer IP) and use local-pref / AS-path prepending to control inbound/outbound preferences.

Q: Do I need a public ASN?

A: For production peering on the global Internet you typically need a public ASN and PI (provider independent) IP space. For testing or small private setups you can use private ASNs, but public peering requires public ASNs.


Conclusion

Configuring BGP on MikroTik is straightforward when you follow a plan: set up a BGP instance with correct ASN and router-id, add peers with correct remote-AS and remote-address, advertise only authorized prefixes, protect the control plane with firewall rules, and implement route filters to prevent leaks. Monitor sessions and use best practices (MD5, max-prefix, RPKI/IRR) to keep your routing resilient and secure.


