A Beginner’s Guide to MikroTik BGP Configuration in RouterOS v7
Border Gateway Protocol (BGP) is the routing protocol that connects separate networks on the Internet and lets them exchange routes in a controlled way. This guide walks through BGP configuration on a MikroTik VPS.
You will configure basic BGP peering on a MikroTik VPS, CHR, or any RouterOS v7 on a VPS, and add simple, safe route filters for beginners. The setup has one eBGP peer (your upstream or IXP), advertises only your own prefix, and filters what you accept.
Prerequisites for BGP Configuration on MikroTik VPS
Before starting BGP configuration on MikroTik VPS, ensure you have the following:
- A MikroTik CHR or RouterOS v7 VM on a VPS.
- One public IPv4 on the VPS WAN interface.
- Your own ASN, for example, AS65010.
- Your provider’s ASN and BGP endpoint IP.
You can deploy this setup on any VPS provider that supports MikroTik CHR, such as PerLod Hosting.
Here are the example values that were used in this tutorial; you must replace them with your real data:
- Router (local):
  - WAN IP on ether1: 203.0.113.10/30
  - Local AS: 65010
  - Router ID: 203.0.113.10
- Upstream or peer:
  - Peer IP: 203.0.113.9
  - Remote AS: 65001
- Prefix to announce: 198.51.100.0/24
Once you are done with the prerequisites, proceed to the following steps to start BGP configuration on MikroTik VPS.
Base Networking Setup for BGP
First, you need a working IP setup on your MikroTik VPS so it can reach the upstream router. You must set the router identity, assign the public IP address to the WAN interface, and make sure you have basic IP connectivity to your BGP peer.
To configure identity and IP address on the VPS, you can run:
/system identity set name="MikroTik-VPS-BGP"
/ip address
add address=203.0.113.10/30 interface=ether1 network=203.0.113.8
Add a default route to reach the peer if needed for initial connectivity:
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9
Verify the IP connectivity to your peer with the command below:
/ping 203.0.113.9
Note: If ping does not work, check and fix your IP settings, routes, or firewall first. BGP will not establish until basic IP connectivity is working.
Define BGP AS and Router ID
Before you add any BGP peers, you must set the main BGP instance with your AS number and router ID.
On RouterOS v7, BGP is under /routing bgp. To set the AS number and router ID, you can run the command below:
/routing bgp instance
set default as=65010 router-id=203.0.113.10
To verify it, you can print the instance:
/routing bgp instance print
Create a basic BGP template in RouterOS v7
To make BGP configuration cleaner and easier to manage, RouterOS v7 uses templates that you can apply to multiple peers. You can create a basic BGP template that defines your main settings and address family for IPv4.
To create a simple IPv4 template, you can run:
/routing bgp template
add name=ebgp-upstreams as=65010 router-id=203.0.113.10 address-families=ip \
routing-table=main
- address-families=ip: Enable IPv4 BGP for this template.
- routing-table=main: Receive and install routes in the main table.
To verify it, you can print the template:
/routing bgp template print
BGP Peer Setup with Upstream
At this point, you can create the actual BGP peer toward your upstream. You must define the remote IP and AS so your MikroTik VPS can establish an eBGP session with the provider.
Add the eBGP peer using that template with the command below:
/routing bgp connection
add name=upstream1 remote.address=203.0.113.9 remote.as=65001 \
local.address=203.0.113.10 template=ebgp-upstreams \
connect=yes listen=no
To check the BGP connection, you can run the command below:
/routing bgp connection print
Once established, you should see established=yes or similar flags.
Announce VPS Network with BGP
After the BGP session is up, you need to tell the router which prefixes it should advertise to the upstream. You can configure simple filters so only your own prefix is announced, and nothing else is sent by mistake.
You can create an address list for your prefix, which makes it easier to reuse your prefixes if you extend the setup later:
/ip firewall address-list
add list=my-bgp-prefixes address=198.51.100.0/24
Then, create an outbound filter chain. We want to create a chain called bgp-out-upstream1 that:
- Accepts only your prefix 198.51.100.0/24.
- Rejects everything else by default.
/routing filter rule
add chain=bgp-out-upstream1 rule="if (dst in my-bgp-prefixes) { accept; }"
add chain=bgp-out-upstream1 rule="reject"
Also, you can match by prefix directly without an address list:
/routing filter rule
add chain=bgp-out-upstream1 rule="if (dst in 198.51.100.0/24) { accept; }"
add chain=bgp-out-upstream1 rule="reject"
This ensures you never accidentally advertise routes you learned from someone else, or internal or private networks.
Finally, attach the outbound filter to the BGP connection so it applies to routes you send:
/routing bgp connection
set [find name="upstream1"] output.filter-chain=bgp-out-upstream1
Verify it with the command below:
/routing bgp connection print detail where name="upstream1"
You must look for output.filter-chain=bgp-out-upstream1 in the output.
Basic Inbound Route Filters on MikroTik VPS
BGP peers can send many routes to your router, and you should not accept everything by default. In this step, you can create simple inbound filters that block private or unwanted prefixes and only keep the routes you actually need on your MikroTik VPS.
A simple and safe way is:
- Accept only prefixes up to /24.
- Drop private ranges.
- Optionally limit the total number of routes.
For example, create a chain named bgp-in-upstream1:
/routing filter rule
add chain=bgp-in-upstream1 rule="if (dst in 10.0.0.0/8) { reject; }"
add chain=bgp-in-upstream1 rule="if (dst in 172.16.0.0/12) { reject; }"
add chain=bgp-in-upstream1 rule="if (dst in 192.168.0.0/16) { reject; }"
add chain=bgp-in-upstream1 rule="if (dst in 0.0.0.0/0 && dst-len in 0-24) { accept; }"
add chain=bgp-in-upstream1 rule="reject"
The rule with dst-len in 0-24 accepts any route whose prefix length is between /0 and /24. The final reject drops anything that didn’t match earlier rules.
Then, attach the inbound filter to the peer with the command below:
/routing bgp connection
set [find name="upstream1"] input.filter-chain=bgp-in-upstream1
Check the configuration with the following command:
/routing bgp connection print detail where name="upstream1"
You should see both input.filter-chain and output.filter-chain set.
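To see which routes the two chains above let through before you rely on them, the following Python model evaluates bgp-in-upstream1 and bgp-out-upstream1 against sample prefixes. It is an added example, not part of the original guide or of RouterOS. It assumes first-match evaluation and that "dst in" matches a network and its more-specifics; the sample routes and the ALSO_UNWANTED list are constructed for illustration.

```python
import ipaddress

# Each rule: (network, min_len, max_len, action), checked in order, first match wins.
# BGP_IN models the guide's bgp-in-upstream1 chain; BGP_OUT models bgp-out-upstream1.
BGP_IN = [
    ("10.0.0.0/8", 8, 32, "reject"),
    ("172.16.0.0/12", 12, 32, "reject"),
    ("192.168.0.0/16", 16, 32, "reject"),
    ("0.0.0.0/0", 0, 24, "accept"),  # any prefix length from /0 to /24
]
BGP_OUT = [("198.51.100.0/24", 24, 32, "accept")]

# Constructed sample of prefixes an upstream could send (not captured data).
SAMPLE_RECEIVED = [
    "0.0.0.0/0", "192.0.2.0/24", "10.20.0.0/16", "172.20.5.0/24",
    "192.168.1.0/24", "203.0.113.128/25", "100.64.0.0/10", "198.51.100.0/24",
]

# Assumption of this example: further ranges you may not want to learn from a peer
# (shared address space, and your own announced prefix coming back to you).
ALSO_UNWANTED = ["100.64.0.0/10", "198.51.100.0/24"]


def evaluate(chain, prefix):
    """Return 'accept' or 'reject' for one prefix, as the modelled chain would."""
    route = ipaddress.ip_network(prefix)
    for network, min_len, max_len, action in chain:
        inside = route.subnet_of(ipaddress.ip_network(network))
        if inside and min_len <= route.prefixlen <= max_len:
            return action
    return "reject"  # the final catch-all reject rule


def accepted(chain, prefixes):
    """Prefixes from the list that the modelled chain accepts, in input order."""
    return [p for p in prefixes if evaluate(chain, p) == "accept"]


def gaps(chain, prefixes, unwanted):
    """Accepted prefixes that still fall inside a range listed as unwanted."""
    nets = [ipaddress.ip_network(u) for u in unwanted]
    return [p for p in accepted(chain, prefixes)
            if any(ipaddress.ip_network(p).subnet_of(n) for n in nets)]


if __name__ == "__main__":
    print("accepted inbound:", accepted(BGP_IN, SAMPLE_RECEIVED))
    print("still worth filtering:", gaps(BGP_IN, SAMPLE_RECEIVED, ALSO_UNWANTED))
    print("outbound 192.0.2.0/24:", evaluate(BGP_OUT, "192.0.2.0/24"))
```

In this model the default route, 100.64.0.0/10 and your own 198.51.100.0/24 all pass the inbound chain as written, which shows which extra reject rules are worth considering.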
Use Route Filters to Advertise Your Prefix
RouterOS v7 gives you fine control over which routes are advertised by using BGP filters. You can explicitly mark and export your own prefix through filter rules so you know exactly what your MikroTik VPS is sending to the upstream.
If your provider routes this whole prefix to your VPS, you must add a blackhole route so the prefix appears in the routing table:
/ip route
add dst-address=198.51.100.0/24 type=blackhole
This just ensures the router owns the prefix in its table, so BGP can advertise it.
A more detailed RouterOS v7 method is to tag routes with set-bgp-* or match them directly. For a simple setup, the previous outbound chain is enough, but here is a clearer alternative example:
/routing filter rule
set [find chain=bgp-out-upstream1] rule="if (dst in 198.51.100.0/24) { accept; }"
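As long as the route for 198.51.100.0/24 exists in the routing table and matches the filter, it will be advertised. Note that [find chain=bgp-out-upstream1] matches every rule in the chain, so this set command also rewrites the final reject rule; check the chain with /routing filter rule print afterwards and restore the reject rule if it was overwritten.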
Verify BGP Status and Routes
After you finish the BGP configuration on MikroTik VPS, you should verify that the session is up and that the router is sending and receiving the correct routes.
Check BGP sessions with the command below:
/routing bgp connection print
You must look for established=yes and check uptime and received prefixes.
Check BGP routes with the following command:
/routing route print where protocol=bgp
You should see:
- Incoming routes from upstream that passed your bgp-in-upstream1 filters.
- Your own prefix that you are sending to the peer. You usually confirm this with your upstream, for example, by asking their NOC or checking their side of the BGP session.
Allow BGP Through the Firewall
Even with correct BGP settings, the session will not establish if the firewall blocks TCP port 179 between your VPS and the upstream. You must add a simple allow rule so BGP traffic can pass while keeping your other firewall rules in place.
To do this, you can run the command below:
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=179 src-address=203.0.113.9 \
in-interface=ether1 comment="Allow BGP from upstream1"
That’s it, you are done with BGP configuration on MikroTik VPS.
FAQs
Why is my BGP session stuck in the Connect or Active state?
This usually means a basic network or firewall issue. Make sure you can ping the peer, check the AS numbers, and allow TCP port 179 in your firewall.
How can I verify what routes I am advertising to my upstream?
You can check locally using the command /routing/route print where protocol=bgp. However, the best way is always to check your upstream provider’s looking glass or routing table.
Do I need a blackhole route for my prefix?
Yes. BGP only advertises prefixes that are active in your routing table. A blackhole route ensures your whole /24 prefix stays active and ready to be exported at all times.
Conclusion
In this guide, you learned how to build a clean BGP configuration on MikroTik VPS by preparing the VPS network, creating a basic BGP session, and applying simple inbound and outbound filters. RouterOS v7 uses templates and filters to safely manage your routes. By advertising only your own prefix, your MikroTik VPS is now ready for basic BGP peering and future growth.