How-To
Services
Internal
Historical
External Tools
Mikrotik/RouterOS can't handle very well /32 on Point-to-Point links (like GRE). There is a separate howto to explain how to setup /32 between in a GRE link (or even a OpenVPN). What is the easy way? Just use any /30 on the GRE Link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN.
RouterOS v7.2 has some nasty bugs when using PTP configuration or IPv6 link local addresses as NEXTHOP. It won't work (confirmed for v7.2 by their support staff).
First, let's add IPSec peer and encryption policy.
Peer most likely provided you with encryption details.
If not, ask them about it.
Here we're gonna use aes256-sha256-modp1536
/ip ipsec peer
add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
/ip ipsec policy
add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
Pretty straightforward here
/interface gre
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
remote-address=1.1.1.1
Your peer most likely provided you with IP adresses for GRE tunnel.
As I said before, you can't use /31 for PtP links, so, in the "easy way" we will be using /30.
If you want to avoid wasting a whole /30 for your peering, please check the point-to-point configuration for RouterOS
Add the IP your peer provided you:
/ip address
add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
Here we can use /127, so it's simple:
/ipv6 address
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
If you configured everything correctly, you should be able to ping
Both BGP and routing filters were redone from the ground up on RoS 7.x The official migration guide can be found here
It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-in prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
/routing filter
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
/routing filter rule
add chain=dn42-in rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
add chain=dn42-in rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
add chain=dn42-out rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
add chain=dn42-out rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
/routing filter
add chain=dn42-in rule="if (dst in 10.0.0.0 && dst-len > 8) { reject }"
Now, for actual BGP configuration.
/routing bgp instance
set default disabled=yes
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in router-id=1.1.1.1
Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
IPv4:
/routing bgp peer
add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
route-reflect=yes ttl=default
IPv6 (if needed):
/routing bgp peer
add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
You want to advertise your allocated network (most likely), it's very simple:
/routing bgp network
add network=YOUR_ALLOCATED_SUBNET synchronize=no
You can repeat that with as much IPv4 and IPv6 networks which you own.
First difference from v 6.x: There is no "network" menu. We advertise our networks now by adding them to the firewall address-list and referencing in the BGP configuration.
Adding a network list:
IPv4
/ip firewall address-list
add address=YOUR_ALLOCATED_SUBNET list=DN42_allocated_v4
IPv6
/ipv6 firewall address-list
add address=YOUR_ALLOCATED_SUBNET list=DN42_allocated_v6
Let's create a template for DN42. It isn't strictly necessary, but makes our life easier.
/routing bgp template
add address=ipv4 as=YOUR_AS_NUMBER name=DN42_template_v4 router-id=1.1.1.1
add address=ipv6 as=YOUR_AS_NUMBER name=DN42_template_v6 router-id=1.1.1.1
Now is time to add one peer:
Another difference from RoS v6.x is that v7.x can use link-local adresses (validated with RoS 7.14.3). The trick is to add "%INTERFACE" after the address, where "INTERFACE" is the name of the interface the link-local is allocated to - or the interface used to get to that remote link-local. So, if You want to listen on fe::1 on the "myPeer" interface, the address would be "fe::1%myPeer". You still can't set your link-local: the system will create one, based on the interface MAC address.
IPv4 peer
add address-families=ipv4 disabled=no input.filter=dn42-in \
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
.network=DN42_allocated_v4 remote.address=YOUR_PEER_REMOTE_ADDRESS \
.as=PEER_AS_NUMBER routing-table=main templates=DN42_template_v4
IPv6 peer
add address-families=ipv6 disabled=no input.filter=dn42-in \
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
.network=DN42_allocated_v6 remote.address=YOUR_PEER_REMOTE_ADDRESS \
.as=PEER_AS_NUMBER routing-table=main templates=DN42_template_v6
Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik. Change network and LAN GW to mach your network configuration.
/ip firewall layer7-protocol
add name=DN42-DNS regexp="\\x04dn42.\\x01"
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
/ip dns static
add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
Hosted by: BURBLE-MNT, GRMML-MNT, XUU-MNT, JAN-MNT, LARE-MNT, SARU-MNT, ANDROW-MNT, MARK22K-MNT | Accessible via: dn42, dn42.dev, dn42.eu, wiki.dn42.us, dn42.de (IPv6-only), dn42.cc (wiki-ng), dn42.wiki, dn42.pp.ua, dn42.obl.ong
Last edited by burble.dn42 wiki mirror (us-lax1), 2024-05-04 21:08:15