layout: page
title: Ins dn42 mit MikroTik's RouterOS
permalink: /blog/mikrotik-dn42/
lang: en
feed: false
sitemap: false
# 2024-07-23 01:06:21 by RouterOS 7.16beta4
# software id = L5YP-CBVR
#
# model = RB750Gr3
# serial number = HG409QBT01B
# First export attempt. It was cut short by the "/ppp/profile" timeout reported
# right after it, and its sections are repeated at the start of the complete
# export that follows.
/interface bridge
add name=dn42 protocol-mode=none
/interface wireguard
add listen-port=52923 mtu=1420 name=bandura_laplace
/interface list
add name=mgmt
add name=wan
add name=dn42peer
add name=neighbor_discovery
#error exporting "/ppp/profile" (timeout)
#interrupted
[admin@lab] > /export
# 2024-07-23 01:06:26 by RouterOS 7.16beta4
# software id = L5YP-CBVR
#
# model = RB750Gr3
# serial number = HG409QBT01B
# Port-less bridge used as a loopback-style interface: it carries the router's own
# dn42 addresses (see /ipv6 address) and is a member of the dn42peer list.
/interface bridge
add name=dn42 protocol-mode=none
# WireGuard tunnel towards the "laplace" peer. Note the local listen port, 52923:
# the WAN firewall rules further down open UDP 52924, which is the peer's
# endpoint-port, not this one.
/interface wireguard
add listen-port=52923 mtu=1420 name=bandura_laplace
# Interface lists referenced by the firewall rules and the LLDP settings;
# membership is assigned under /interface list member.
/interface list
add name=mgmt
add name=wan
add name=dn42peer
add name=neighbor_discovery
# BGP templates used by the sessions under /routing bgp connection.
# dnroutecollector: export-only towards the route collector (input filter
# reject-all, multihop). dnpeer: directly connected eBGP peers; inbound routes go
# through the dn42-in filter chain with a 1000-route IPv6 processing limit.
/routing bgp template
add address-families=ipv6 as=4242422924 input.filter=reject-all multihop=yes name=dnroutecollector output.filter-chain=dn42-out \
router-id=172.22.242.2
add address-families=ipv6 as=4242422924 disabled=no input.filter=dn42-in .limit-process-routes-ipv6=1000 multihop=no name=dnpeer \
output.filter-chain=dn42-out router-id=172.22.242.2
/disk settings
set auto-media-interface=*7
# SMB file sharing is switched off.
/ip smb
set enabled=no
# NOTE(review): LLDP is sent on the neighbor_discovery list, whose only member is
# ether1, i.e. the WAN port (see /interface list member). MAC/PHY, frame-size and
# VLAN details are therefore advertised towards the upstream; moving discovery to
# the mgmt list would keep that information inside.
/ip neighbor discovery-settings
set discover-interface-list=neighbor_discovery lldp-mac-phy-config=yes lldp-max-frame-size=yes lldp-med-net-policy-vlan=1 \
lldp-vlan-info=yes protocol=lldp
# List membership. Only ether1 (wan), ether2 (mgmt), the WireGuard tunnel and the
# dn42 bridge (dn42peer) belong to a list; any other port matches none of the
# interface-list firewall rules below.
/interface list member
add interface=ether2 list=mgmt
add interface=ether1 list=wan
add interface=bandura_laplace list=dn42peer
add interface=dn42 list=dn42peer
add interface=ether1 list=neighbor_discovery
# WireGuard peer "laplace": the whole dn42 ULA range plus link-local is accepted
# from the tunnel, a pre-shared key is configured in addition to the public key,
# and the 20 s keepalive makes this side send first. Key material is redacted in
# this export.
/interface wireguard peers
add allowed-address=fd00::/8,fe80::/10 endpoint-address=dd5f:28a6:6bea:4242:921b:eff:fe4b:f9d8 endpoint-port=52924 interface=\
bandura_laplace name=peer2 persistent-keepalive=20s preshared-key="XXXXXXXX" public-key=\
"XXXXXXXXXXXXXXXXX"
# IPv4: management address on ether2, uplink address via DHCP on ether1.
/ip address
add address=192.168.1.1/24 comment=mgmt interface=ether2 network=192.168.1.0
/ip dhcp-client
add interface=ether1
# Static AAAA records for the name "dn42" (presumably the dn42 resolver
# addresses; verify against the dn42 documentation).
/ip dns static
add address=fd04:234e:fc31::5353 name=dn42 type=AAAA
add address=fd10:127:fc31::5353 name=dn42 type=AAAA
add address=fd92:58b6:2b2::5353 name=dn42 type=AAAA
# IPv4 input filtering. Rules are evaluated top-down and RouterOS accepts a packet
# that matches no rule, so only interfaces that are members of mgmt, wan or
# dn42peer are closed off by the per-list "everything else" rules; there is no
# final catch-all drop for the remaining ports.
/ip firewall filter
add action=accept chain=input comment=lo in-interface=lo
add action=accept chain=output comment="allow output"
# NOTE(review): SSH is accepted without an interface restriction, and this rule
# precedes the per-list rules, so port 22 is reachable from wan and from the dn42
# peers as well as from mgmt. Adding in-interface-list=mgmt would scope it.
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=accept chain=input comment="mgmt: conntrack" connection-state=established,related in-interface-list=mgmt
add action=accept chain=input comment="mgmt: allow icmp" in-interface-list=mgmt protocol=icmp
add action=reject chain=input comment="mgmt: reject everything else" in-interface-list=mgmt reject-with=icmp-admin-prohibited
add action=accept chain=input comment="wan: conntrack" connection-state=established,related in-interface-list=wan
add action=accept chain=input comment="wan: allow icmp" in-interface-list=wan protocol=icmp
add action=accept chain=input comment="wan: allow dhcp" dst-port=68 in-interface-list=wan protocol=udp
# NOTE(review): UDP 52924 is the peer's endpoint-port; the local WireGuard listen
# port is 52923 (see /interface wireguard). Inbound handshakes to 52923 appear to
# pass only through the established/related rule after this side has sent first.
# One of the two port numbers is likely meant to match the other.
add action=accept chain=input comment="wan: allow wireguard laplace" dst-port=52924 in-interface-list=wan protocol=udp
# The comments of the next two rules are swapped relative to their actions
# (the wan rule rejects, the dn42peer rule drops).
add action=reject chain=input comment="wan: drop everything else" in-interface-list=wan reject-with=icmp-admin-prohibited
add action=drop chain=input comment="dn42peer: reject everything" in-interface-list=dn42peer
# Blackhole routes for the peering /64, the own /48 allocation and the whole dn42
# ULA range, so that traffic for unused space inside them is discarded locally.
# The /48 blackhole is also the static route that dn42-out announces.
/ipv6 route
add blackhole dst-address=fd00:8e13:ce5e:b9af::/64
add blackhole dst-address=fd00:8e13:ce5e::/48
add blackhole dst-address=fd00::/8
# Management services. A plain /export omits default values, so www and ssh,
# which are not listed, stay at their defaults; www-ssl is switched on here.
# NOTE(review): none of the services carries an address= restriction; limiting
# them to the mgmt subnet would add a second layer underneath the firewall rules.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# SSH hardening: ed25519 host key, strong crypto only, only local forwarding.
/ip ssh
set forwarding-enabled=local host-key-type=ed25519 strong-crypto=yes
# Own dn42 addresses: ::1 and ::123 on the dn42 bridge, and this side (…:a1bd:1)
# of the /127 point-to-point link on the tunnel; the peer is …:a1bd:0 (see the
# bandura_laplace connection). advertise=no keeps them out of router
# advertisements, no-dad skips duplicate address detection.
/ipv6 address
add address=fd00:8e13:ce5e::1/128 advertise=no interface=dn42 no-dad=yes
add address=fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:1/127 advertise=no interface=bandura_laplace no-dad=yes
add address=fd00:8e13:ce5e::123 advertise=no interface=dn42 no-dad=yes
# DHCPv6 on the uplink: requests an address and installs the default route.
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 request=address
# Address lists used by the IPv6 firewall: dn42_allocated is the own /48,
# dn42 the whole ULA range.
/ipv6 firewall address-list
add address=fd00:8e13:ce5e::/48 list=dn42_allocated
add address=fd00::/8 list=dn42
# IPv6 filtering. As with IPv4, a packet that matches no rule is accepted, so only
# traffic that reaches one of the per-list terminating rules is actually stopped.
/ipv6 firewall filter
add action=accept chain=input comment=lo in-interface=lo
add action=accept chain=output comment="allow output"
# NOTE(review): like its IPv4 twin, this SSH rule has no interface restriction and
# sits before the per-list rules, so port 22 is reachable from wan and from the
# dn42 peers; in-interface-list=mgmt would scope it.
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=accept chain=input comment="mgmt: conntrack" connection-state=established,related in-interface-list=mgmt
add action=accept chain=input comment="mgmt: allow icmp" in-interface-list=mgmt protocol=icmpv6
add action=reject chain=input comment="mgmt: reject everything else" in-interface-list=mgmt reject-with=icmp-admin-prohibited
add action=accept chain=input comment="wan: conntrack" connection-state=established,related in-interface-list=wan
add action=accept chain=input comment="wan: allow icmp" in-interface-list=wan protocol=icmpv6
add action=accept chain=input comment="wan: allow dhcpv6" dst-port=546 in-interface-list=wan protocol=udp
# NOTE(review): 52924 is the peer's endpoint-port; the local WireGuard listen port
# is 52923 (see /interface wireguard) — same mismatch as in the IPv4 rules.
add action=accept chain=input comment="wan: allow wireguard laplace" dst-port=52924 in-interface-list=wan protocol=udp
add action=drop chain=input comment="wan: drop everything else" in-interface-list=wan
# This rule has no interface restriction. mgmt and wan traffic is already
# terminated above, so it effectively applies to dn42peer and to any interface in
# no list; it also drops link-local (fe80::) sources there, although the WireGuard
# peer's allowed-address includes fe80::/10 — presumably intended, confirm.
add action=drop chain=input comment="dn42peer: reject non-dn42" src-address=!fd00::/8
# Anti-spoofing towards the router: sources from the own /48 are dropped on peer
# interfaces, except the peering /64 on the tunnel (the peer's link address is there).
add action=drop chain=input comment="dn42peer: reject own network" in-interface=!dn42 in-interface-list=dn42peer src-address=\
!fd00:8e13:ce5e:b9af::/64 src-address-list=dn42_allocated
# Anti-spoofing for transit. Unlike the input rule there is no /64 exemption, so
# packets the peer sources from …:a1bd:0 are not forwarded either.
add action=drop chain=forward comment="dn42peer: reject own network" in-interface-list=dn42peer src-address-list=dn42_allocated
# dn42-to-dn42 transit between peer interfaces. No forward rule follows, so any
# other forwarded traffic falls through to the default accept.
add action=accept chain=forward comment="dn42peer: allow forwarding" dst-address=fd00::/8 dst-address-list=dn42 in-interface-list=\
dn42peer out-interface-list=dn42peer src-address=fd00::/8 src-address-list=dn42
add action=accept chain=input comment="dn42peer: allow icmp" in-interface-list=dn42peer protocol=icmpv6
add action=accept chain=input comment="dn42peer: conntrack" connection-state=established,related in-interface-list=dn42peer
# BGP only from the tunnel peer's /128 (the remote.address of the bandura_laplace
# connection), BFD only within the /127 link.
add action=accept chain=input comment="bandura_laplace: allow bgp" dst-port=179 in-interface=bandura_laplace protocol=tcp \
src-address=fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:0/128
add action=accept chain=input comment="bandura_laplace: allow bfd" dst-address=fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:0/127 dst-port=3784 \
in-interface=bandura_laplace protocol=udp src-address=fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:0/127
# BFD allowed on the tunnel; the bandura_laplace session uses it (use-bfd=yes).
/routing bfd configuration
add forbid-bfd=no interfaces=bandura_laplace
# eBGP with the tunnel peer (AS4242422923 at …:a1bd:0): both connect and listen,
# TTL 255 on both sides, static and BGP routes exported through dn42-out, based on
# the dnpeer template.
# Route collector: outbound-only (listen=no) session using the dnroutecollector
# template, whose input filter rejects everything the collector might send.
/routing bgp connection
add address-families=ipv6 as=4242422924 connect=yes disabled=no listen=yes local.role=ebgp .ttl=255 multihop=no name=bandura_laplace \
output.filter-chain=dn42-out .redistribute=static,bgp remote.address=fd00:8e13:ce5e:b9af:3e5b:98f:a1bd:0 .as=4242422923 .ttl=255 \
router-id=172.22.242.2 templates=dnpeer use-bfd=yes
add comment="Global Route Collector (GRC)" connect=yes listen=no local.role=ebgp name=grc remote.address=fd42:4242:2601:ac12::1 .as=\
4242422602 templates=dnroutecollector
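# Community list that the dn42-in chain strips from incoming routes (see
# /routing filter rule). The entries are regular expressions. The original
# patterns did not cover the ranges their comments describe: "8-9[0-9]" is a
# literal "8-9" followed by a digit, not a range, "7[01]" matched only 70 and 71,
# and "[1-6][0-4][0-9][0-9][0-9]" skipped e.g. 15000..19999 and 25000..29999.
# The ranges below are spelled out digit by digit.
# NOTE(review): whether RouterOS anchors these expressions is not visible here;
# if matching is unanchored, "[1-9][0-9][0-9]" also matches the leading digits of
# 1000..1999, the band this list deliberately leaves out — confirm.
/routing filter community-list
add communities=64511:0 list=dn42-invalid-communities
add comment="communities 64511:71..999" disabled=no list=dn42-invalid-communities regexp="64511:(7[1-9]|[89][0-9]|[1-9][0-9][0-9])"
add comment="communities 64511:2000..65535" disabled=no list=dn42-invalid-communities regexp=\
"64511:([2-9][0-9][0-9][0-9]|[1-5][0-9][0-9][0-9][0-9]|6[0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])"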
# AS number ranges accepted in AS paths by the reject-dn42-bogus-as chain:
# the two legacy dn42 blocks, the NeoNetwork block and the current dn42 block.
/routing filter num-list
add comment="legacy dn42 ASN space" list=dn42-as range=64600-64999
add comment="legacy dn42 ASN space" list=dn42-as range=76200-131071
add comment="NeoNetwork ASN space" list=dn42-as range=4201270000-4201279999
add comment="dn42 ASN space" list=dn42-as range=4242420000-4242429999
# Routing filter chains. dn42-in is the input filter of the dnpeer template,
# dn42-out the output filter of both templates and of the bandura_laplace
# connection, reject-all the input filter of the route collector template.
/routing filter rule
# Prefix sanity: only fd00::/8 with a length between /44 and /64.
add chain=reject-invalid-dn42-network comment="reject: not in dn42 space" rule="if (not dst in fd00::/8) { reject; }"
add chain=reject-invalid-dn42-network comment="reject: out of bounds networks" rule="if (dst-len > 64 || dst-len < 44) { reject; } "
add chain=reject-invalid-dn42-network rule="return;"
# Communities in the dn42-invalid-communities list are stripped, the route is kept.
add chain=reject-invalid-dn42-communities rule="delete bgp-communities dn42-invalid-communities;"
add chain=reject-invalid-dn42-communities rule="return;"
# Any AS outside the dn42-as number list anywhere in the path rejects the route.
add chain=reject-dn42-bogus-as rule="if (not bgp-as-path [[:dn42-as:]]) { reject; }"
add chain=reject-dn42-bogus-as rule="return;"
# Paths longer than 10 ASes are rejected.
add chain=reject-long-as-paths rule="if (bgp-path-len > 10) { reject; }"
add chain=reject-long-as-paths rule="return;"
# Routes tagged GRACEFUL_SHUTDOWN (RFC 8326) get local-pref 0.
add chain=honor-graceful-shutdown rule="if (bgp-communities includes graceful-shutdown) { set bgp-local-pref 0; }"
add chain=honor-graceful-shutdown rule="return;"
add chain=reject-all rule="reject;"
# Inbound policy for dn42 peers, evaluated in this order: address family, the
# sanity chains, reset local-pref to 100, graceful shutdown, own /48, preference
# for directly connected routes, preferred source address.
add chain=dn42-in comment="reject non-ipv6" disabled=no rule="if (not afi ipv6) { reject; }"
add chain=dn42-in rule="jump reject-invalid-dn42-network;"
add chain=dn42-in rule="jump reject-invalid-dn42-communities;"
add chain=dn42-in rule="jump reject-dn42-bogus-as;"
add chain=dn42-in rule="jump reject-long-as-paths;"
add chain=dn42-in comment="clear bgp local pref" disabled=no rule="set bgp-local-pref 100;"
add chain=dn42-in rule="jump honor-graceful-shutdown;"
add chain=dn42-in comment="reject own network" disabled=no rule="if (dst in fd00:8e13:ce5e::/48) { reject; }"
# NOTE(review): if "+500" is a relative increment, it is applied after the
# honor-graceful-shutdown jump, so a directly connected route that carries
# graceful-shutdown ends up at 500 and still beats a healthy route learned over a
# longer path (100). Moving the honor-graceful-shutdown jump below this rule
# would keep shutdown routes least preferred. ("conntected" is a typo in the
# comment attribute.)
add chain=dn42-in comment="prefer local conntected routes" disabled=no rule="if (bgp-path-len == 1) { set bgp-local-pref +500; }"
add chain=dn42-in comment="set preferred source address" disabled=no rule="set pref-src fd00:8e13:ce5e::1;"
add chain=dn42-in rule="accept;"
# Outbound policy: the own /48 is announced only from its static (blackhole)
# route; BGP-learned routes are re-exported unless they are exactly the own /48.
add chain=dn42-out comment="accept own prefix" disabled=no rule="if (protocol static && dst == fd00:8e13:ce5e::/48) { accept; }"
add chain=dn42-out comment="redistribute other bgp networks" disabled=no rule=\
"if (protocol bgp && dst != fd00:8e13:ce5e::/48) { accept; }"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=lab
/system note
set show-at-login=no
# NTP: client against public servers plus one dn42-internal server; the NTP
# server is enabled and serves the router's own clock. UDP 123 is not opened by
# any of the input rules above, so the server appears reachable only from
# interfaces that are in no list — confirm whether that is intended.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
add address=ptbtime3.ptb.de
add address=ptbtime4.ptb.de
add address=time.cloudflare.com
add address=ntp1.lab.bandura.dn42
# Updates follow the testing channel; the export header shows a beta build
# (7.16beta4) on this WAN-facing router.
/system package update
set channel=testing
/tool graphing interface
add store-on-disk=no
/tool graphing queue