Drop packets for an IP on a specific ISP/eth

Hello,
I don't know if my title is clear about what I want to do, so:

I have 2 ISPs with BGP… all works fine… etc.
ISP 1: eth0
ISP 2: eth1

On eth3 I have my IP gateways 89.xx.xx.1/24 81.xx.xx.1/24

Is there a way to kill an IP on a specific ISP/eth if I want, for an IP 89.xx.xx.20?

Example: I want all the incoming/outgoing traffic to IP 89.xx.xx.20 to go through eth0 and not eth1.
Or to kill it.

I don't know how to explain it right, or with next-hop 0.0.0.0 for the incoming traffic from a specific eth.
Sometimes we get a flood incoming to IP 89.xx.xx.20 through ISP 1/eth0 and I want to kill it, but only on that specific ISP, because from the other ISP we get packet filtering from them and it is all OK.

Something like set ethernet eth0 ip 89.xx.xx.0 blackhole or next-hop 0.0.0.0 :))

Thank you :slight_smile:

The simplest way is to have a specific firewall instance set as IN on the eth0 interface to drop packets where the destination address is your specific IP.

Your upstream may also offer a blackholing service, i.e. “Remote Triggered Black Hole Filtering” (RTBHF), but you will have to check with them.

When you announce a prefix in BGP to two different ISPs you cannot have control over anything smaller than a /24 (well, some ISPs do accept longer prefixes, but this is frowned upon), and you have no control over via which ISP the traffic will reach you.
So apart from not announcing to ISP1 the /24 network your IP belongs to, your only option is to drop the unwanted traffic on your own router.
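The interface-bound firewall ruleset described in the answer above, as an added example that is not from the original thread. It uses the VyOS 1.1 to 1.3 `set` syntax typed in configure mode; the ruleset name ISP1-IN is an assumption, and 203.0.113.20 (an RFC 5737 documentation address) stands in for the thread's 89.xx.xx.20.

```vyos
# Added example (not from the thread). VyOS 1.1-1.3 configure-mode syntax.
# ISP1-IN is an assumed ruleset name; 203.0.113.20 is a placeholder for the
# real server address that is being flooded through ISP 1.
set firewall name ISP1-IN default-action 'accept'
set firewall name ISP1-IN description 'Per-ISP drops for traffic entering from ISP 1'
set firewall name ISP1-IN rule 10 action 'drop'
set firewall name ISP1-IN rule 10 description 'Blackhole 203.0.113.20 on the ISP 1 side only'
set firewall name ISP1-IN rule 10 destination address '203.0.113.20'

# Bind the ruleset to the ISP 1 interface only. eth1 (ISP 2) has no such
# rule, so the same address keeps receiving traffic through ISP 2.
set interfaces ethernet eth0 firewall in name 'ISP1-IN'
commit
save

# Lifting the drop later is a single delete (then commit, save):
# delete firewall name ISP1-IN rule 10
```

The `in` hook applies to packets that enter eth0 and are forwarded onward (here towards the server on eth3), which is the right place for a flooded server address; traffic addressed to the router itself goes through the `local` hook instead. To confirm the rule is matching, check the per-rule counters in operational mode with `show firewall name ISP1-IN statistics`. On VyOS 1.4 and later the firewall tree was restructured (`set firewall ipv4 forward filter rule 10 inbound-interface name eth0` and so on), so the lines above need translating on those releases.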

Hello,
Thank you.

In our office at the moment we have a PowerEdge R320 (VyOS on it), and from the VyOS a cable to a Cisco 4948 that we use as a switch to connect the servers. I have another PowerEdge R320 with VyOS on it, kept as a backup in case the online one breaks, to switch over to manually.

How about if I use both of them? ISP 1 on one server/router and ISP 2 on the other server? I was thinking to use it like this, but I think it will conflict with the traffic, because on the routers I have the gateways on eth3; if I plug both in, the traffic will not know which provider to go to for the shortest and best one depending on the routes. Or should I set the gateways on the Cisco 4948? It is a layer 3 switch.

This is what I'm looking for: 2 routers, 1 switch, each ISP on a separate router as redundancy, and in case I want to blackhole an IP, which I now do with: set protocols static route xx.xx.xx.xx/32 blackhole, but it kills it on both ISPs.

Thank you

Indeed, if you put a blackhole route then it will apply to all traffic, no matter which ISP it comes from. This is why a firewall rule is more specific, since you can apply it on the interface that connects to the “bad” ISP.

This being said, you should reconsider your whole setup; if you have 2 VyOS routers available and two ISPs, it is much better to have both VyOS online and configured for automatic failover.

Ideally you would set up on both VyOS a BGP session with both ISPs (that means 4 BGP sessions). You need to check with each ISP whether you can establish a second session to their router.

On the server-facing interfaces you then use VRRP to provide redundancy.

What is the length of the prefix(es) you announce to your ISPs? Is it a /24 or something else?
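A skeleton of the two-router design suggested above, as an added example that is not part of the thread: one of the two VyOS routers with an eBGP session to each ISP and VRRP on the server-facing interface. It uses VyOS 1.2/1.3 syntax; every AS number, link address, peer address and group name is a hypothetical placeholder (RFC 5737 documentation space and private ASNs), and the second router gets the same configuration with its own link addresses and a lower VRRP priority.

```vyos
# Added example (not from the thread): router A of the pair.
# eth0 = ISP 1, eth1 = ISP 2, eth3 = servers. All addresses and ASNs are
# placeholders; 203.0.113.0/24 stands for the customer /24 from the thread.
set interfaces ethernet eth0 address '192.0.2.2/30'
set interfaces ethernet eth1 address '198.51.100.2/30'
set interfaces ethernet eth3 address '203.0.113.2/24'

# Pull-up route so the aggregate exists in the RIB and gets announced;
# the per-host drops are still done in the interface firewall, not here.
set protocols static route 203.0.113.0/24 blackhole

# One eBGP session to each ISP from this router (router B repeats this,
# giving the 4 sessions mentioned in the reply).
set protocols bgp 64500 parameters router-id '203.0.113.2'
set protocols bgp 64500 network '203.0.113.0/24'
set protocols bgp 64500 neighbor 192.0.2.1 remote-as '64501'
set protocols bgp 64500 neighbor 192.0.2.1 description 'ISP 1 (assumed peer address)'
set protocols bgp 64500 neighbor 198.51.100.1 remote-as '64502'
set protocols bgp 64500 neighbor 198.51.100.1 description 'ISP 2 (assumed peer address)'

# VRRP on the server side: the servers keep 203.0.113.1 as their gateway
# whichever router is alive. Router B uses priority 100 for the same group.
set high-availability vrrp group SERVERS-GW vid '10'
set high-availability vrrp group SERVERS-GW interface 'eth3'
set high-availability vrrp group SERVERS-GW virtual-address '203.0.113.1/24'
set high-availability vrrp group SERVERS-GW priority '200'
commit
save
```

The thread's second prefix (the /23) is handled the same way with its own `network` statement, pull-up route and VRRP virtual address. The per-ISP drop ruleset from the earlier reply then goes on eth0 of both routers, so a flooded address is blocked on the ISP 1 side while ISP 2 keeps delivering to it. Two details the thread does not cover but a practitioner would want to check: whether an iBGP session between the two routers is needed so each knows the other's ISP paths, and that the firewall `in` rules are present on both routers before VRRP is allowed to fail over.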

Our ISPs let us make connections on both routers; they don't mind if we want to set it up as redundancy.

We have a /24 and a /23.

It is a bit strange regarding one of our ISPs and what we want to do :slight_smile: only if I draw it for you on “paper” I think you will understand, because one of the ISPs has 2 trunks (VLANs), one for metropolitan connections (BGP routers) and the other one for external connections (BGP routes), and the other ISP just does the auto-null on their side, because they make no difference regarding metro or external traffic. But if we can separate the connections with 2 routers, and one IP gets flooded on the external connection and we blackhole the IP on the external connection, there are no more problems with the flood, and on the metro it works. It is a bit strange, and it is something very useful, because we are using FastNetMon, which does the automation of when to blackhole the IP in case it has a massive flood, but it does it on the router where both providers are now; if we separate them it will be more OK :slight_smile: it will just blackhole the external connection and the metro works.

Maybe it is something I don't know how to explain, but I know this is possible to do, because all companies have this: 1 ISP for metro/national BGP route connections and another one for external, like (Liberty Global), and if you close the connection/blackhole an IP on the external one it is just not able to route, so it drops the packets.

Or they do it like you mentioned, through a firewall on a specific eth. I think I will test this :slight_smile: thank you