4efda1cb31678e872c49c46a659b29b8670888d9
howto/mikrotik.md
| ... | ... | @@ -5,8 +5,9 @@ |
| 5 | 5 | |
| 6 | 6 | * 1.1.1.1 - peer external IP |
| 7 | 7 | * 2.2.2.2 - your external IP |
| 8 | - * 172.20.1.116 - remote GRE IPv4 address |
|
| 9 | - * 172.20.1.117 - local GRE IPv4 address |
|
| 8 | + * A private /30 range for the GRE endpoints: 192.168.200.128/30 |
|
| 9 | + * 192.168.200.129 - remote GRE IPv4 address |
|
| 10 | + * 192.168.200.130 - local GRE IPv4 address |
|
| 10 | 11 | * fd42:c644:5222:3222::40 - remote GRE IPv6 address |
| 11 | 12 | * fd42:c644:5222:3222::41 - local GRE IPv6 address |
| 12 | 13 | * YOUR_AS - your AS number (numbers only) |
| ... | ... | @@ -17,7 +18,9 @@ |
| 17 | 18 | * IPSec only supports IKEv1 |
| 18 | 19 | * OpenVPN only works in tcp mode |
| 19 | 20 | * OpenVPN does not support LZO compression |
| 20 | - * You can't use /31 subnet for PtP links |
|
| 21 | + * You can't use /31 subnet for Point-to-Point (PtP) links |
|
| 22 | + |
|
| 23 | +Also, you can't use a /32 on the GRE/PtP links. Even if you add a local route to your peer, BGP can't resolve the installed routes using "a nexthop interface". Please use any /30 on the GRE link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN. |
|
| 21 | 24 | |
| 22 | 25 | ## Tunnel |
| 23 | 26 | |
| ... | ... | @@ -48,22 +51,18 @@ add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn |
| 48 | 51 | remote-address=1.1.1.1 |
| 49 | 52 | ``` |
| 50 | 53 | |
| 51 | -### IPs and routes |
|
| 54 | +### IPs inside the GRE tunnel |
|
| 52 | 55 | Your peer most likely provided you with IP adresses for GRE tunnel. |
| 53 | -As i said before, you can't use /31 for PtP links, so we will be using two /32 with route. |
|
| 54 | -Add ip your peer provided you: |
|
| 56 | +As I said before, you can't use /31 for PtP links, so we will be using /30. |
|
| 57 | +BGP can't resolve routes if you use a /32 in the GRE link. |
|
| 58 | + |
|
| 59 | +Add the IP your peer provided you: |
|
| 55 | 60 | |
| 56 | 61 | #### IPv4 |
| 57 | 62 | |
| 58 | 63 | ``` |
| 59 | 64 | /ip address |
| 60 | -add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117 |
|
| 61 | -``` |
|
| 62 | -Add route to your peer /32: |
|
| 63 | - |
|
| 64 | -``` |
|
| 65 | -/ip route |
|
| 66 | -add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer |
|
| 65 | +add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128 |
|
| 67 | 66 | ``` |
| 68 | 67 | |
| 69 | 68 | #### IPv6 |
| ... | ... | @@ -115,7 +114,7 @@ IPv4: |
| 115 | 114 | ``` |
| 116 | 115 | /routing bgp peer |
| 117 | 116 | add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \ |
| 118 | -name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \ |
|
| 117 | +name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \ |
|
| 119 | 118 | route-reflect=yes ttl=default |
| 120 | 119 | ``` |
| 121 | 120 | IPv6 (if needed): |
| ... | ... | @@ -126,6 +125,9 @@ add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ |
| 126 | 125 | instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ |
| 127 | 126 | remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default |
| 128 | 127 | ``` |
| 128 | + |
|
| 129 | +Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route. |
|
| 130 | + |
|
| 129 | 131 | ### BGP Advertisements |
| 130 | 132 | You want to advertise your allocated network (most likely), it's very simple: |
| 131 | 133 |