mirror of https://git.dn42.dev/wiki/wiki.git synced 2025-02-24 18:35:54 +01:00
wiki/howto/mikrotik.md
2016-08-28 12:51:21 +00:00

# How to connect to dn42 using Mikrotik RouterOS
## Legend
* 1.1.1.1 - peer external IP
* 2.2.2.2 - your external IP
* 172.20.1.116 - remote GRE IPv4 address
* 172.20.1.117 - local GRE IPv4 address
* fd42:c644:5222:3222::40 - remote GRE IPv6 address
* fd42:c644:5222:3222::41 - local GRE IPv6 address
* YOUR_AS - your AS number (numbers only)
* PEER_AS - peer AS number (numbers only)
## RouterOS limitations
* IPSec only supports IKEv1
* OpenVPN only works in tcp mode
* OpenVPN does not support LZO compression
* You can't use /31 subnet for PtP links
## Tunnel
### IPSec
First, let's add the IPSec peer and encryption policy.
Your peer most likely provided you with the encryption details.
If not, ask them about it.
Here we're going to use aes256-sha256-modp1536.
```
/ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
```
```
/ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
```
### GRE
Pretty straightforward here.
```
/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1
```
### IPs and routes
Your peer most likely provided you with IP addresses for the GRE tunnel.
As I said before, you can't use /31 for PtP links, so we will be using two /32 addresses with a route.
Add the IP your peer provided you:
#### IPv4
```
/ip address
add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117
```
Add a route to your peer's /32:
```
/ip route
add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer
```
#### IPv6
Here we can use /127, so it's simple:
```
/ipv6 address
add address=fd42:c644:5222:3222::41/127 advertise=no interface=gre-dn42-peer
```
If you configured everything correctly, you should be able to ping your peer's GRE addresses.
## BGP
### Filters
It's a good idea to set up filters for BGP instances, both IN (accepting advertisements) and OUT (sending advertisements).
In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16,
OUT: 192.168.0.0/16 and 169.254.0.0/16; you really don't want to advertise these networks.
This filter will not only catch the /8 or /16 networks themselves, but smaller networks inside these subnets as well.
```
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
```
Now, if you only want DN42 connectivity, you can also filter IN 10.0.0.0/8 (ChaosVPN / Freifunk networks):
```
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
```
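To see exactly which routes the `prefix` + `prefix-length` rules above catch (and which they miss), here is a small added simulator of the `dn42-in` chain; it is example code written for this page, not part of the wiki or RouterOS. The chain and the sample routes are constructed inline; it follows RouterOS matching semantics (route must lie inside `prefix` and its own mask length must fall within `prefix-length`, first match wins, unmatched routes pass through) and shows that a /15 aggregate covering 192.168.0.0/16 is not caught because it is shorter than the 16-32 range.

```python
import ipaddress

# The page's dn42-in chain, including the optional 10.0.0.0/8 rule
# (constructed here from the RouterOS lines above; address-family=ip).
DN42_IN = [
    {"prefix": "192.168.0.0/16", "prefix_length": (16, 32), "action": "discard"},
    {"prefix": "169.254.0.0/16", "prefix_length": (16, 32), "action": "discard"},
    {"prefix": "10.0.0.0/8", "prefix_length": (8, 32), "action": "discard"},
]


def rule_matches(rule, net):
    """RouterOS semantics: the route must be inside `prefix`, and the route's
    own mask length must fall within the prefix-length range."""
    base = ipaddress.ip_network(rule["prefix"])
    if base.version != net.version:      # address-family=ip: IPv4 rules only
        return False
    lo, hi = rule["prefix_length"]
    return net.subnet_of(base) and lo <= net.prefixlen <= hi


def run_chain(chain, route):
    """Walk the chain in order; the first matching rule decides.
    A route no rule matches falls through and is accepted."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in chain:
        if rule_matches(rule, net):
            return rule["action"]
    return "accept"


def filter_routes(chain, routes):
    """Return only the routes the chain lets through, in original order."""
    return [r for r in routes if run_chain(chain, r) == "accept"]


if __name__ == "__main__":
    # Constructed sample of what a peer might announce.
    sample = ["172.22.0.0/24", "192.168.10.0/24", "169.254.0.0/16",
              "10.4.0.0/16", "192.168.0.0/15", "fd42:c644:5222::/48"]
    for r in sample:
        print(f"{r:24} -> {run_chain(DN42_IN, r)}")
```

Note the `192.168.0.0/15` case: if you want to stop covering aggregates as well, the `prefix-length` range has to start below the prefix's own length.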
### BGP
Now, for actual BGP configuration.
```
/routing bgp instance
set default disabled=yes
# router-id is your own address (2.2.2.2 in the legend), not the peer's;
# the instance-wide output filter is the dn42-out chain defined above
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-out \
router-id=2.2.2.2
```
Let's add some peers. Right now we have just one, but we still need two sessions - one for IPv4 and one for IPv6.
IPv4:
```
/routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \
route-reflect=yes ttl=default
```
IPv6 (if needed):
```
/routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
```
### BGP Advertisements
Most likely you want to advertise your allocated network; it's very simple:
```
/routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=no
```
You can repeat that for as many IPv4 and IPv6 networks as you own.