Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Yurisk
Valued Contributor

BGP does not install route in RIB if the next hop is a blackhole, RTBH configuration

Good day everyone,

I am trying to understand why: is it a bug, normal behavior, or my misunderstanding? Your help is much appreciated.

Problem: the FGVM learns some route via BGP, then, using a route-map, sets its next hop to the dummy address 192.0.2.1, which in turn exists as a static route of type blackhole on the very same FG. But the FG refuses to actually install this learned route in the RIB.

The idea is to implement Remotely Triggered Black Hole Routing (RTBH). 

The route in question is 192.168.15.15/32.

Present in routing DB, but missing in RIB:

NYC-brdr # get router info routing all

S       192.0.2.1/32 [10/0] is a summary, Null
B       192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 217.132.10.15), 05:35:14

NYC-brdr # get router info routing-table database
S    *> 192.0.2.1/32 [10/0] is a summary, Null
B *> 192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 217.132.10.15), 05:18:09
B > 192.168.15.15/32 [200/0] via 192.0.2.1, Null0 (recursive is a summary, Null, 00:00:39

NYC-brdr # get router info bgp network  192.168.15.15

BGP routing table entry for 192.168.15.15/32
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
    192.0.2.1 from 10.10.10.16 (10.10.10.14)
      Origin incomplete metric 0, localpref 110, valid, internal, best
      Community: no-export
      Originator: 10.10.10.14, Cluster list: 10.10.10.16
      Last update: Thu Aug  6 10:28:49 2020

Static:

config router static
    edit 1
        set dst 192.0.2.1 255.255.255.255
        set blackhole enable
    next
end


Route-map that sets the next hop (just in case; I don't think it is related). The route arrives at this FG with the community "blackhole-777" already set:

config router route-map
    edit "core-in"
        config rule
            edit 1
                set match-community "blackhole-777"
                set set-community "no-export"
                set set-ip-nexthop 192.0.2.1
            next
        end
    next
end


If I change the static route from blackhole to a regular one, say pointing to a loopback, the FG does install the learned route 192.168.15.15 in the RIB:

config router static
    edit 1
        set status disable
        set dst 192.0.2.1 255.255.255.255
        set blackhole enable
    next
    edit 2
        set dst 192.0.2.1 255.255.255.255
        set device "Loop1"
    next
end

# get router info routing all

S 192.0.2.1/32 [10/0] is directly connected, Loop1
B 192.168.15.0/24 [200/0] via 10.10.10.15 (recursive via 217.132.10.15), 03:23:19
B 192.168.15.15/32 [200/0] via 192.0.2.1 (recursive is directly connected, Loop1), 00:02:49


Thanks in advance.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.
All opinions are mine only.

subramanis
Staff

Hello Yurisk,

The FortiOS kernel does not support routes whose next hops resolve to a black hole route, the same as the Linux kernel.

The solution is to create a loopback interface and add a static route for the next-hop IP 192.0.2.1 pointing to the loopback interface.


Thanks

Sasikumar.S

OldFortiUser
New Contributor

Hi, I have found another solution for "Black Hole" routes not installing, linked to distance.

By default blackhole is set to 255.
Setting it to 250 forces the route to be taken into account and be advertised accordingly.

It might be a lot simpler than adding a loopback, and easier to sum up some routes.
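For reference, here is the full RTBH configuration along the lines of the staff reply (dummy next hop resolved through a loopback rather than a blackhole static route), written out as an added example; it is not config taken from the original post or from Fortinet. The next-hop address 192.0.2.1, the community-list name "blackhole-777", the route-map name "core-in" and the peer 10.10.10.16 come from the thread; the loopback name "Loop1" and its address 192.0.2.254/32, the local AS 65000 and the community value 65000:777 are assumptions. Lines beginning with "#" are annotations, not CLI input.

```fortios
# Added example, not from the original post. Assumed values: loopback "Loop1"
# with 192.0.2.254/32, local AS 65000, RTBH trigger community 65000:777.

# 1. Loopback that absorbs (drops) the blackholed traffic.
config system interface
    edit "Loop1"
        set vdom "root"
        set type loopback
        set ip 192.0.2.254 255.255.255.255
    next
end

# 2. Static route for the dummy next hop via the loopback. This replaces
#    "set blackhole enable", which the kernel cannot resolve a next hop through.
config router static
    edit 1
        set dst 192.0.2.1 255.255.255.255
        set device "Loop1"
    next
end

# 3. Community list matching the RTBH trigger community.
config router community-list
    edit "blackhole-777"
        set type standard
        config rule
            edit 1
                set action permit
                set match "65000:777"
            next
        end
    next
end

# 4. Inbound route-map: rewrite the next hop to the dummy address and tag the
#    route no-export so it is not re-advertised to eBGP peers.
config router route-map
    edit "core-in"
        config rule
            edit 1
                set match-community "blackhole-777"
                set set-community "no-export"
                set set-ip-nexthop 192.0.2.1
            next
        end
    next
end

# 5. Apply the route-map inbound on the iBGP session carrying the trigger routes.
config router bgp
    set as 65000
    config neighbor
        edit "10.10.10.16"
            set remote-as 65000
            set route-map-in "core-in"
        next
    end
end
```

To check the result, run `get router info routing-table database` after the trigger route arrives: the /32 should now appear as `B *>` (the `*` marking a route pushed to the FIB), not just `B >` as in the original output, and `get router info routing all` should list it with "(recursive is directly connected, Loop1)". If you prefer the variant OldFortiUser reports, keep `set blackhole enable` on static route 1 and add `set distance 250` there instead of pointing it at "Loop1"; either way, traffic for the triggered prefix is resolved onto a local sink and dropped.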