How to connect to dn42 using Mikrotik RouterOS
Legend
- 1.1.1.1 - peer external IP
- 2.2.2.2 - your external IP
- A private /30 range for the GRE endpoints: 192.168.200.128/30
- 192.168.200.129 - remote GRE IPv4 address
- 192.168.200.130 - local GRE IPv4 address
- fd42:c644:5222:3222::40 - remote GRE IPv6 address
- fd42:c644:5222:3222::41 - local GRE IPv6 address
- YOUR_AS - your AS number (numbers only)
- PEER_AS - peer AS number (numbers only)
RouterOS limitations
- IPSec only supports IKEv1
- OpenVPN only works in tcp mode
- OpenVPN does not support LZO compression
- You can't use /31 subnet for Point-to-Point (PtP) links
Mikrotik/RouterOS can't handle very well /32 on Point-to-Point links (like GRE). There is a separate howto to explain how to setup /32 between in a GRE link (or even a OpenVPN). What is the easy way? Just use any /30 on the GRE Link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN.
RouterOS v7.2 has some nasty bugs when using PTP configuration or IPv6 link local addresses as NEXTHOP. It won't work (confirmed for v7.2 by their support staff).
Tunnel
IPSec
First, let's add IPSec peer and encryption policy.
Peer most likely provided you with encryption details.
If not, ask them about it.
Here we're gonna use aes256-sha256-modp1536
/ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \ 
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
/ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \ 
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32GRE
Pretty straightforward here
/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1IPs inside the GRE tunnel
Your peer most likely provided you with IP adresses for GRE tunnel.
As I said before, you can't use /31 for PtP links, so, in the "easy way" we will be using /30.
If you want to avoid wasting a whole /30 for your peering, please check the point-to-point configuration for RouterOS
Add the IP your peer provided you:
IPv4
/ip address
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128IPv6
Here we can use /127, so it's simple:
/ipv6 address
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peerIf you configured everything correctly, you should be able to ping
BGP
Filters
Both BGP and routing filters were redone from the ground up on RoS 7.x The official migration guide can be found here
It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
RoS 6.x
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgpIf you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgpRoS 7.x
/routing filter rule
add chain=dn42-in rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
add chain=dn42-in rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
add chain=dn42-out rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
add chain=dn42-out rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
/routing filter
add chain=dn42-in rule="if (dst in 10.0.0.0 && dst-len > 8) { reject }"
BGP
Now, for actual BGP configuration.
RoS v6
/routing bgp instance
set default disabled=yes
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in router-id=1.1.1.1IPv4:
/routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
route-reflect=yes ttl=default/routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ 
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ 
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=defaultAlso, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
BGP Advertisements
You want to advertise your allocated network (most likely), it's very simple:
/routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=noRoS 7.x
First difference from v 6.x: There is no "network" menu. We advertise our networks now by adding them to the firewall address-list and referencing in the BGP configuration.
Adding a network list:
IPv4
/ip firewall address-list
add address=YOUR_ALLOCATED_SUBNET list=DN42_allocated_v4
IPv6
/ipv6 firewall address-list
add address=YOUR_ALLOCATED_SUBNET list=DN42_allocated_v6Let's create a template for DN42. It isn't strictly necessary, but makes our life easier.
/routing bgp template
add address=ipv4 as=YOUR_AS_NUMBER name=DN42_template_v4 router-id=1.1.1.1
add address=ipv6 as=YOUR_AS_NUMBER name=DN42_template_v6 router-id=1.1.1.1Now is time to add one peer:
Another difference from RoS v6.x is that v7.x can use link-local adresses (validated with RoS 7.14.3). The trick is to add "%INTERFACE" after the address, where "INTERFACE" is the name of the interface the link-local is allocated to - or the interface used to get to that remote link-local. So, if You want to listen on fe::1 on the "myPeer" interface, the address would be "fe::1%myPeer". You still can't set your link-local: the system will create one, based on the interface MAC address.
IPv4 peer
add address-families=ipv4 disabled=no input.filter=dn42-in \
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
.network=DN42_allocated_v4 remote.address=YOUR_PEER_REMOTE_ADDRESS \
.as=PEER_AS_NUMBER routing-table=main templates=DN42_template_v4
IPv6 peer
add address-families=ipv6 disabled=no input.filter=dn42-in \
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
.network=DN42_allocated_v6 remote.address=YOUR_PEER_REMOTE_ADDRESS \
.as=PEER_AS_NUMBER routing-table=main templates=DN42_template_v6Split DNS
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik. Change network and LAN GW to mach your network configuration.
/ip firewall layer7-protocol
add name=DN42-DNS regexp="\\x04dn42.\\x01"
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
/ip dns static
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD