howto/mikrotik.md
... ...
@@ -16,7 +16,7 @@
16 16
## RouterOS limitations
17 17
18 18
* IPSec only supports IKEv1
19
- * OpenVPN only works in tcp mode in RoS v6.x, RoS v 7.x do support it.
19
+ * OpenVPN only works in tcp mode
20 20
* OpenVPN does not support LZO compression
21 21
* You can't use /31 subnet for Point-to-Point (PtP) links
22 22
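Review bot: the replacement line `+ * OpenVPN only works in tcp mode` drops the version qualification that the removed line carried ("in RoS v6.x, RoS v 7.x do support it"), while the rest of this same commit splits the filter section into RoS 6.x and RoS 7.x subsections. If UDP transport is available on 7.x, keep the limitation scoped, e.g. `* OpenVPN only works in tcp mode on RoS 6.x`; if the intent is that the limitation applies to both major versions, say so explicitly rather than silently removing the caveat, since readers on 7.x will otherwise plan their VPN transport around a constraint that may not apply to them.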
... ...
@@ -80,11 +80,15 @@ If you configured everything correctly, you should be able to ping
80 80
## BGP
81 81
82 82
### Filters
83
+Both BGP and routing filters were redone from the ground up on RoS 7.x
84
+The official migration guide can be found [here](https://help.mikrotik.com/docs/display/ROS/Routing)
85
+
83 86
It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
84 87
In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
85 88
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
86 89
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
87 90
91
+#### RoS 6.x
88 92
```
89 93
/routing filter
90 94
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
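Review bot: the two added sentences under `### Filters` lack terminal punctuation and the link text is the bare word `here`; prefer a descriptive anchor, e.g. `See the official [RoS 7 routing documentation](https://help.mikrotik.com/docs/display/ROS/Routing) for migration notes.` The URL points at the top-level Routing page, so confirm it is the intended migration guide and not just the section index. Also, the new `#### RoS 6.x` heading is placed after the explanatory sentences ("In this example, we will be filtering IN ..."), so those sentences now introduce both the 6.x and 7.x blocks; that is fine, but while the lines are being touched the pre-existing "this networks" / "this subnets" should read "these networks" / "these subnets".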
... ...
@@ -93,17 +97,33 @@ add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix
93 97
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
94 98
```
95 99
96
-Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
100
+If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
97 101
98 102
```
99 103
/routing filter
100 104
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
101 105
```
102 106
107
+#### RoS 7.x
108
+```
109
+/routing filter rule
110
+add chain=dn42-in rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
111
+add chain=dn42-in rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
112
+add chain=dn42-out rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
113
+add chain=dn42-out rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
114
+```
115
+
116
+If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
117
+
118
+```
119
+/routing filter
120
+add chain=dn42-in rule="if (dst in 10.0.0.0 && dst-len > 8) { reject }"
121
+
122
+```
123
+
103 124
### BGP
104 125
Now, for actual BGP configuration.
105 126
106
-```
107 127
/routing bgp instance
108 128
set default disabled=yes
109 129
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
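Review bot: the RoS 7.x rules contain a mask typo and a length comparison that together make the new filters behave differently from the 6.x ones they are meant to mirror. `dst in 169.254.0.0/1` (both the dn42-in and dn42-out lines) should be `169.254.0.0/16`; as written, /1 covers 128.0.0.0 through 255.255.255.255, so every prefix longer than /16 in that half of the address space would be rejected. Likewise `dst in 10.0.0.0 && dst-len > 8` is missing the `/8`. The comparisons also diverge from the 6.x `prefix-length=16-32` / `8-32`, which include the exact /16 and /8: `dst-len > 16` lets a bare 192.168.0.0/16 or 169.254.0.0/16 through, and `dst-len > 8` lets 10.0.0.0/8 through, contradicting the prose above that says the filter catches the /8 or /16 networks themselves. Use `>=` in the comparison, or drop the length condition if `dst in <prefix>` already matches the exact prefix. Two smaller points: the second 7.x block opens with `/routing filter` where the first uses `/routing filter rule`, and has a stray blank line before its closing fence; and the hunk removes the opening ``` before `/routing bgp instance` without a visible replacement, so the BGP configuration is no longer fenced as far as the diff shows. Finally, the context line `out-filter=dn42-in` on the BGP instance is pre-existing but should be `out-filter=dn42-out` to match the chains defined above, and since the added note says BGP was redone in 7.x, the `### BGP` section still shows only the 6.x `/routing bgp instance` syntax.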