d76b346cda73dfe8d3492ff16ada582b32407055
howto/mikrotik.md
... | ... | @@ -0,0 +1,136 @@ |
1 | +# How to connect to dn42 using Mikrotik RouterOS |
|
2 | + |
|
3 | + |
|
4 | +## Legend |
|
5 | + |
|
6 | + * 1.1.1.1 - peer external IP |
|
7 | + * 2.2.2.2 - your external IP |
|
8 | + * 172.20.1.116 - remote GRE IPv4 address |
|
9 | + * 172.20.1.117 - local GRE IPv4 address |
|
10 | + * fd42:c644:5222:3222::40 - remote GRE IPv6 address |
|
11 | + * fd42:c644:5222:3222::41 - local GRE IPv6 address |
|
12 | + * YOUR_AS - your AS number (numbers only) |
|
13 | + * PEER_AS - peer AS number (numbers only) |
|
14 | + |
|
15 | +## RouterOS limitations |
|
16 | + |
|
17 | + * IPSec only supports IKEv1 |
|
18 | + * OpenVPN only works in tcp mode |
|
19 | + * OpenVPN does not support LZO compression |
|
20 | + * You can't use /31 subnet for PtP links |
|
21 | + |
|
22 | +## Tunnel |
|
23 | + |
|
24 | +### IPSec |
|
25 | +First, let's add IPSec peer and encryption policy. |
|
26 | +Peer most likely provided you with encryption details. |
|
27 | +If not, ask him about it. |
|
28 | +Here we're gonna use aes256-sha256-modp1536 |
|
29 | + |
|
30 | +``` |
|
31 | +/ip ipsec peer |
|
32 | +add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \ |
|
33 | +enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD |
|
34 | + |
|
35 | +``` |
|
36 | +``` |
|
37 | +/ip ipsec policy |
|
38 | +add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \ |
|
39 | +sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32 |
|
40 | +``` |
|
41 | + |
|
42 | +### GRE |
|
43 | +Pretty straightforward here |
|
44 | + |
|
45 | +``` |
|
46 | +/interface gre |
|
47 | +add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \ |
|
48 | +remote-address=1.1.1.1 |
|
49 | +``` |
|
50 | + |
|
51 | +### IPs and routes |
|
52 | +Your peer most likely provided you with IP adresses for GRE tunnel. |
|
53 | +As i said before, you can't use /31 for PtP links, so we will be using two /32 with route. |
|
54 | +Add ip your peer provided you: |
|
55 | + |
|
56 | +#### IPv4 |
|
57 | + |
|
58 | +``` |
|
59 | +/ip address |
|
60 | +add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117 |
|
61 | +``` |
|
62 | +Add route to your peer /32: |
|
63 | + |
|
64 | +``` |
|
65 | +/ip route |
|
66 | +add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer |
|
67 | +``` |
|
68 | + |
|
69 | +#### IPv6 |
|
70 | +Here we can use /127, so it's simple: |
|
71 | + |
|
72 | +``` |
|
73 | +/ipv6 address |
|
74 | +add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-moos |
|
75 | +``` |
|
76 | + |
|
77 | +If you configured everything correctly, you should be able to ping |
|
78 | + |
|
79 | +## BGP |
|
80 | + |
|
81 | +### Filters |
|
82 | +It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises) |
|
83 | +In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16 |
|
84 | +OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks. |
|
85 | +This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well. |
|
86 | + |
|
87 | +``` |
|
88 | +/routing filter |
|
89 | +add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp |
|
90 | +add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp |
|
91 | +add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp |
|
92 | +add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp |
|
93 | +``` |
|
94 | + |
|
95 | +Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks): |
|
96 | + |
|
97 | +``` |
|
98 | +/routing filter |
|
99 | +add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp |
|
100 | +``` |
|
101 | + |
|
102 | +### BGP |
|
103 | +Now, for actual BGP configuration. |
|
104 | + |
|
105 | +``` |
|
106 | +/routing bgp instance |
|
107 | +set default disabled=yes |
|
108 | +add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \ |
|
109 | +router-id=1.1.1.1 |
|
110 | +``` |
|
111 | +Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6 |
|
112 | + |
|
113 | +IPv4: |
|
114 | + |
|
115 | +``` |
|
116 | +/routing bgp peer |
|
117 | +add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \ |
|
118 | +name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \ |
|
119 | +route-reflect=yes ttl=default |
|
120 | +``` |
|
121 | +IPv6 (if needed): |
|
122 | + |
|
123 | +``` |
|
124 | +/routing bgp peer |
|
125 | +add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ |
|
126 | +instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ |
|
127 | +remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default |
|
128 | +``` |
|
129 | +### BGP Advertisements |
|
130 | +You want to advertise your allocated network (most likely), it's very simple: |
|
131 | + |
|
132 | +``` |
|
133 | +/routing bgp network |
|
134 | +add network=YOUR_ALLOCATED_SUBNET synchronize=no |
|
135 | +``` |
|
136 | +You can repeat that with as much IPv4 and IPv6 networks which you own. |
|
... | ... | \ No newline at end of file |