First, let's add IPSec peer and encryption policy.
Peer most likely provided you with encryption details.
If not, ask him about it. Here we're gonna use aes256-sha256-modp1536
/ip ipsec peer add address=126.96.36.199 comment=gre-dn42-peer dh-group=modp1536 \ enc-algorithm=aes-256 hash-algorithm=sha256 local-address=188.8.131.52 secret=PASSWORD
/ip ipsec policy add comment=gre-dn42-peer dst-address=184.108.40.206/32 proposal=dn42 protocol=gre \ sa-dst-address=220.127.116.11 sa-src-address=18.104.22.168 src-address=22.214.171.124/32
Pretty straightforward here
/interface gre add allow-fast-path=no comment="DN42 somepeer" local-address=126.96.36.199 name=gre-dn42-peer \ remote-address=188.8.131.52
Your peer most likely provided you with IP adresses for GRE tunnel.
As i said before, you can't use /31 for PtP links, so we will be using two /32 with route.
Add ip your peer provided you:
Add route to your peer /32:
/ip address add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117
/ip route add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer
Here we can use /127, so it's simple:
/ipv6 address add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-moos
If you configured everything correctly, you should be able to ping
It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
/routing filter add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
Now, if you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
/routing filter add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
Now, for actual BGP configuration.
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
/routing bgp instance set default disabled=yes add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in \ router-id=184.108.40.206
IPv6 (if needed):
/routing bgp peer add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \ name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \ route-reflect=yes ttl=default
/routing bgp peer add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
You want to advertise your allocated network (most likely), it's very simple:
You can repeat that with as much IPv4 and IPv6 networks which you own.
/routing bgp network add network=YOUR_ALLOCATED_SUBNET synchronize=no
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik. Change network and LAN GW to mach your network configuration.
/ip firewall layer7-protocol add name=DN42-DNS regexp="\\x04dn42.\\x01" /ip firewall nat add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1 add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
Last edited by Mic92, 2017-06-10 06:36:25