howto/mikrotik.md
@@ -0,0 +1,136 @@
+# How to connect to dn42 using Mikrotik RouterOS
+
+
+## Legend
+
+ * 1.1.1.1 - peer external IP
+ * 2.2.2.2 - your external IP
+ * 172.20.1.116 - remote GRE IPv4 address
+ * 172.20.1.117 - local GRE IPv4 address
+ * fd42:c644:5222:3222::40 - remote GRE IPv6 address
+ * fd42:c644:5222:3222::41 - local GRE IPv6 address
+ * YOUR_AS - your AS number (numbers only)
+ * PEER_AS - peer AS number (numbers only)
+
+## RouterOS limitations
+
+ * IPSec only supports IKEv1
+ * OpenVPN only works in tcp mode
+ * OpenVPN does not support LZO compression
+ * You can't use /31 subnet for PtP links
+
+## Tunnel
+
+### IPSec
+First, let's add IPSec peer and encryption policy.
+Peer most likely provided you with encryption details.
+If not, ask him about it.
+Here we're gonna use aes256-sha256-modp1536
+
+```
+/ip ipsec peer
+add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
+enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
+
+```
+```
+/ip ipsec policy
+add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
+sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
+```
+
+### GRE
+Pretty straightforward here
+
+```
+/interface gre
+add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
+remote-address=1.1.1.1
+```
+
+### IPs and routes
+Your peer most likely provided you with IP adresses for GRE tunnel.
+As i said before, you can't use /31 for PtP links, so we will be using two /32 with route.
+Add ip your peer provided you:
+
+#### IPv4
+
+```
+/ip address
+add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117
+```
+Add route to your peer /32:
+
+```
+/ip route
+add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer
+```
+
+#### IPv6
+Here we can use /127, so it's simple:
+
+```
+/ipv6 address
+add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-moos
+```
+
+If you configured everything correctly, you should be able to ping
+
+## BGP
+
+### Filters
+It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
+In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
+OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
+This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
+
+```
+/routing filter
+add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
+add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
+add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
+add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
+```
+
+Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
+
+```
+/routing filter
+add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
+```
+
+### BGP
+Now, for actual BGP configuration.
+
+```
+/routing bgp instance
+set default disabled=yes
+add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \
+router-id=1.1.1.1
+```
+Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
+
+IPv4:
+
+```
+/routing bgp peer
+add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
+name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \
+route-reflect=yes ttl=default
+```
+IPv6 (if needed):
+
+```
+/routing bgp peer
+add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
+instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
+remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
+```
+### BGP Advertisements
+You want to advertise your allocated network (most likely), it's very simple:
+
+```
+/routing bgp network
+add network=YOUR_ALLOCATED_SUBNET synchronize=no
+```
+You can repeat that with as much IPv4 and IPv6 networks which you own.
\ No newline at end of file
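Review bot: The `/routing bgp instance add` line under `### BGP` attaches the inbound chain as the instance's outbound filter (`out-filter=dn42-in`); the chain the page defines for advertisements is `dn42-out`, so this should be `out-filter=dn42-out` (or dropped, since both peer entries already set `out-filter=dn42-out`), otherwise the advertisement filter is not the one the Filters section describes. On the same line, `router-id=1.1.1.1` is the peer's external IP according to the Legend; the router ID should be one of your own addresses (`2.2.2.2` in this legend). The `#### IPv6` block is inconsistent with the rest of the page: `add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-moos` uses a prefix and an interface name that appear nowhere else, and the command fails because no interface `gre-dn42-moos` is created; per the Legend and the GRE section it should be `fd42:c644:5222:3222::41/127` on `gre-dn42-peer`. Under `### IPSec`, the policy line references `proposal=dn42` but no `/ip ipsec proposal` entry is added, so the phase-2 parameters (the aes256-sha256 settings the text mentions) are missing from the how-to and the policy add is rejected on a router without a proposal of that name. In `### Filters`, every rule is `address-family=ip`, yet the IPv6 peer is bound to the same `in-filter=dn42-in` / `out-filter=dn42-out` chains, so the IPv6 session is effectively unfiltered in both directions; either say so or add matching `address-family=ipv6` discards. Minor: the first IPSec fence has a stray blank line before its closing backticks, `YOUR_ALLOCATED_SUBNET` is not in the Legend, and the prose has a few typos (`adresses`, `As i said`, `this networks`, `setup filters` should be `set up filters`, `as much ... networks` should be `as many ... networks`).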