mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-27 11:23:37 +01:00
wiki/howto/mikrotik.md
2016-08-28 12:51:21 +00:00

How to connect to dn42 using Mikrotik RouterOS

Legend

  • 1.1.1.1 - peer external IP
  • 2.2.2.2 - your external IP
  • 172.20.1.116 - remote GRE IPv4 address
  • 172.20.1.117 - local GRE IPv4 address
  • fd42:c644:5222:3222::40 - remote GRE IPv6 address
  • fd42:c644:5222:3222::41 - local GRE IPv6 address
  • YOUR_AS - your AS number (numbers only)
  • PEER_AS - peer AS number (numbers only)

RouterOS limitations

  • IPSec only supports IKEv1
  • OpenVPN only works in tcp mode
  • OpenVPN does not support LZO compression
  • You can't use /31 subnet for PtP links

Tunnel

IPSec

First, let's add the IPSec peer and the encryption policy.
Your peer has most likely provided you with the encryption details; if not, ask them. Here we're gonna use aes256-sha256-modp1536.
The policy below references a proposal named dn42, which the text did not define, so it is added here to match those algorithms.

/ip ipsec proposal
add name=dn42 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp1536

/ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD

/ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32

GRE

Pretty straightforward here:

/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1

IPs and routes

Your peer most likely provided you with IP addresses for the GRE tunnel.
As I said before, you can't use /31 for PtP links, so we will be using two /32 addresses with a route between them.
Add the IP your peer provided you:

IPv4

/ip address
add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117

Add route to your peer /32:

/ip route
add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer

IPv6

Here we can use /127, so it's simple:

/ipv6 address
add address=fd42:c644:5222:3222::41/127 advertise=no interface=gre-dn42-peer

If you configured everything correctly, you should be able to ping the peer's tunnel addresses (172.20.1.116 and fd42:c644:5222:3222::40) through the GRE interface.

BGP

Filters

It's a good idea to set up filters for the BGP instance, both IN (accepted advertisements) and OUT (sent advertisements).
In this example we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16, and OUT: 192.168.0.0/16 and 169.254.0.0/16; you really don't want to advertise these networks.
Because of the prefix-length range, each rule catches not only the /8 or /16 itself but every smaller network inside it as well.

/routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp

Now, if you only want dn42 connectivity, you can also filter IN 10.0.0.0/8 (the ChaosVPN / Freifunk networks):

/routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
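To check what these chains will actually do before loading them on a router, here is an added example (not from the wiki) that models the RouterOS matchers used on this page, address-family, prefix and prefix-length, and evaluates a prefix against a chain. The rule lines are the page's own, with the optional 10.0.0.0/8 rule included; first-match-decides and accept-when-nothing-matches are assumed to mirror RouterOS behaviour.

```python
import ipaddress
import shlex

# Constructed sample: the page's /routing filter rules exactly as typed on the
# RouterOS CLI, with the optional 10.0.0.0/8 rule added to the dn42-in chain.
FILTER_SCRIPT = """
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
"""

def parse_rules(script):
    """Turn each 'add key=value ...' line into a dict of its key/value pairs."""
    rules = []
    for line in script.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def rule_matches(rule, route):
    """Model the matchers used on this page: address-family, prefix, prefix-length."""
    family = rule.get("address-family")
    if family and (family == "ip") != (route.version == 4):
        return False
    if "prefix" in rule:
        block = ipaddress.ip_network(rule["prefix"], strict=False)
        # prefix= matches the block itself and anything inside it
        if route.version != block.version or not route.subnet_of(block):
            return False
    if "prefix-length" in rule:
        lo, _, hi = rule["prefix-length"].partition("-")
        if not int(lo) <= route.prefixlen <= int(hi or lo):
            return False
    return True

def evaluate(rules, chain, prefix):
    """First matching rule in the chain decides; no match means accept (assumed)."""
    route = ipaddress.ip_network(prefix, strict=False)
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, route):
            return rule.get("action", "accept")
    return "accept"

if __name__ == "__main__":
    for chain, p in [("dn42-in", "192.168.10.0/24"), ("dn42-in", "172.22.0.0/16")]:
        print(chain, p, evaluate(parse_rules(FILTER_SCRIPT), chain, p))
```

Feeding it your own planned prefixes shows that a /24 carved out of 192.168.0.0/16 is discarded while a dn42 /16 such as 172.22.0.0/16 passes, and that the 10.0.0.0/8 rule only affects the IN chain.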

BGP

Now, for the actual BGP configuration. The instance's out-filter is the dn42-out chain defined above, and router-id must be an address of your own (2.2.2.2 from the legend), not the peer's.

/routing bgp instance
set default disabled=yes
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-out \
router-id=2.2.2.2

Let's add some peers. Right now we have just one peer, but we still need two BGP sessions, one for IPv4 and one for IPv6.

IPv4:

/routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \
route-reflect=yes ttl=default

IPv6 (if needed):

/routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default

BGP Advertisements

Most likely you want to advertise your allocated network; it's very simple:

/routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=no

Repeat that for as many IPv4 and IPv6 networks as you own.