4efda1cb31678e872c49c46a659b29b8670888d9
howto/mikrotik.md
... | ... | @@ -5,8 +5,9 @@ |
5 | 5 | |
6 | 6 | * 1.1.1.1 - peer external IP |
7 | 7 | * 2.2.2.2 - your external IP |
8 | - * 172.20.1.116 - remote GRE IPv4 address |
|
9 | - * 172.20.1.117 - local GRE IPv4 address |
|
8 | + * A private /30 range for the GRE endpoints: 192.168.200.128/30 |
|
9 | + * 192.168.200.129 - remote GRE IPv4 address |
|
10 | + * 192.168.200.130 - local GRE IPv4 address |
|
10 | 11 | * fd42:c644:5222:3222::40 - remote GRE IPv6 address |
11 | 12 | * fd42:c644:5222:3222::41 - local GRE IPv6 address |
12 | 13 | * YOUR_AS - your AS number (numbers only) |
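Review bot: the new bullet at line 8 calls this "A private /30 range", but the limitations paragraph added further down allows the /30 to come either from the assigned DN42 pool or from private space, so the variable list and the explanation disagree. Suggest wording it as "A /30 for the GRE endpoints (example: 192.168.200.128/30)" and indenting the two endpoint bullets under it, so it is clear that .129 and .130 are the two hosts of that range. It would also help to state that both peers have to agree on the range and that it must not collide with a LAN already in use on either router.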
... | ... | @@ -17,7 +18,9 @@ |
17 | 18 | * IPSec only supports IKEv1 |
18 | 19 | * OpenVPN only works in tcp mode |
19 | 20 | * OpenVPN does not support LZO compression |
20 | - * You can't use /31 subnet for PtP links |
|
21 | + * You can't use /31 subnet for Point-to-Point (PtP) links |
|
22 | + |
|
23 | +Also, you can't use a /32 on the GRE/PtP links. Even if you add a local route to your peer, BGP can't resolve the installed routes using "a nexthop interface". Please use any /30 on the GRE link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN. |
|
21 | 24 | |
22 | 25 | ## Tunnel |
23 | 26 | |
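Review bot: "a private address like 192.168." on line 23 is a truncated prefix, while the ranges to avoid are given in CIDR form; write 192.168.0.0/16 so all three ranges read the same way. The paragraph is one more limitation, so it fits better as a bullet in the list above than as free text after a blank line. Since a 192.168.0.0/16 link network is not DN42 address space, consider adding one sentence that the /30 is for the tunnel only and should not be announced to the peer.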
... | ... | @@ -48,22 +51,18 @@ add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn |
48 | 51 | remote-address=1.1.1.1 |
49 | 52 | ``` |
50 | 53 | |
51 | -### IPs and routes |
|
54 | +### IPs inside the GRE tunnel |
|
52 | 55 | Your peer most likely provided you with IP adresses for GRE tunnel. |
53 | -As i said before, you can't use /31 for PtP links, so we will be using two /32 with route. |
|
54 | -Add ip your peer provided you: |
|
56 | +As I said before, you can't use /31 for PtP links, so we will be using /30. |
|
57 | +BGP can't resolve routes if you use a /32 in the GRE link. |
|
58 | + |
|
59 | +Add the IP your peer provided you: |
|
55 | 60 | |
56 | 61 | #### IPv4 |
57 | 62 | |
58 | 63 | ``` |
59 | 64 | /ip address |
60 | -add address=172.20.1.117 interface=gre-dn42-peer network=172.20.1.117 |
|
61 | -``` |
|
62 | -Add route to your peer /32: |
|
63 | - |
|
64 | -``` |
|
65 | -/ip route |
|
66 | -add distance=1 dst-address=172.20.1.116/32 gateway=gre-dn42-peer |
|
65 | +add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128 |
|
67 | 66 | ``` |
68 | 67 | |
69 | 68 | #### IPv6 |
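Review bot: line 59 still says "Add the IP your peer provided you", although the example now configures 192.168.200.130/30 from a range that, per the new limitations paragraph, you may pick yourself; say which side chooses the /30 and that the peer takes .129. Lines 56 and 57 repeat the /31 and /32 restrictions right after the limitations section, so a single sentence pointing back to it would be enough. Context line 55 keeps the typo "adresses", and readers who followed the previous revision need a hint to remove the old /32 address and the static /ip route entry that this hunk drops.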
... | ... | @@ -115,7 +114,7 @@ IPv4: |
115 | 114 | ``` |
116 | 115 | /routing bgp peer |
117 | 116 | add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename multihop=yes \ |
118 | -name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=172.20.1.116 remote-as=PEER_AS \ |
|
117 | +name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \ |
|
119 | 118 | route-reflect=yes ttl=default |
120 | 119 | ``` |
121 | 120 | IPv6 (if needed): |
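Review bot: with remote-address=192.168.200.129 on line 117 the peer now sits on the connected /30, yet line 116 keeps multihop=yes from the old /32-plus-static-route setup. Please confirm whether multihop is still required here; if the session comes up without it, drop the option so the example expects a directly connected neighbour and matches the new addressing. The IPv6 peer block that follows deserves the same check.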
... | ... | @@ -126,6 +125,9 @@ add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \ |
126 | 125 | instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \ |
127 | 126 | remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default |
128 | 127 | ``` |
128 | + |
|
129 | +Also, as a note, Mikrotik doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route. |
|
130 | + |
|
129 | 131 | ### BGP Advertisements |
130 | 132 | You want to advertise your allocated network (most likely), it's very simple: |
131 | 133 |
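Review bot: on line 129, "a fd42:: address" reads like a literal address and "the address starting with fe80" is loose; suggest "link-local addresses (fe80::/10)" and "an address from your DN42 IPv6 allocation, such as the fd42:c644:5222:3222::40 / ::41 pair listed at the top". This is a platform restriction like the ones in the limitations list, so it should be added there as a bullet, with at most a short reminder kept here. Stating the RouterOS version on which received routes were not installed would tell readers whether the note applies to them.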