Lynwood,
The philosophy about that script is quite simple:
First, there is an isolated interface (usually called ucsd-gw; the isolated virtual space is called a VRF in Mikrotik language) which has the gateway IP with netmask /8 (very important), which will receive RIP and is the base IPIP tunnel to 169.228.34.84. This VRF has a route tag, I use 44rip for it, and will place all received RIP routes in the 44rip routing table (this has no effect on the actual routing).
The script parses these dynamic RIP routes and does 4 things:
- creates an IPIP interface for each gateway, one endpoint being the local IP, the other being public gateway address of the mesh tunnel. Interfaces are called ampr-<gateway_ip> (except for 44.0.0.1 which gets dropped by a RIP filter - we already have that tunnel from the beginning).
- creates a static route via the system's default gateway if the endpoint is in the 44net space, thus serves a BGP routed subnet.
- creates a static route in the main routing table for the serviced subnet via the proper IPIP tunnel
- adds the interface to an interface list so that it can be used for firewalling purposes (not very important, but useful)
Of course, it checks if gateways and subnets get added or get deleted, and adds/removes the appropriate entries for them.
Additional to this, the user has to ensure the following:
- provide a 88.0.0.0/8 route for 44net addresses which do not fit any tunnel (BGP announced without tunnel interfacing). This could be either via the ucsd-gw tunnel, or via the default ISP gateway with NAT.
- If one needs access from the internet, incoming connections via ucsd-gw need to get a connection mark and the replies a routing mark, so they can be routed back to the ucsd-gw tunnel. For this routing mark, a default route has to be set up via 169.228.34.84.
I hope this helps to understand the inner working of the Tick script.
Marius, YO2LOJ
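For readers who want to see the four steps above spelled out in RouterOS scripting, here is an added example (not Marius' script, not part of the original thread) that makes one pass over the dynamic routes in the 44rip table and creates or removes the per-gateway IPIP tunnel, the helper route and the static route. The local public address, ISP gateway, interface list name and comment tag are assumed values; the 44.0.0.1 case is handled by skipping the UCSD endpoint instead of a RIP filter.

```routeros
# Assumed local values (constructed for this example; adjust to the router)
:local localIp 194.50.91.2
:local ispGw 194.50.91.30
:local ucsdGw 169.228.34.84
:local ifList "ampr"
:local tag "44rip-auto"
# Names of tunnels that should exist after this run
:local wanted [:toarray ""]
# Step 1-3: walk the RIP-learned routes placed in the 44rip table
:foreach r in=[/ip route find routing-mark=44rip dynamic=yes active=yes] do={
  :local dst [/ip route get $r dst-address]
  :local gw [:tostr [/ip route get $r gateway]]
  # strip a possible "%interface" suffix from the gateway field
  :local p [:find $gw "%"]
  :if ([:typeof $p] != "nil") do={ :set gw [:pick $gw 0 $p] }
  # the UCSD gateway tunnel (ucsd-gw) already exists, so skip it here
  :if ([:toip $gw] != $ucsdGw) do={
    :local ifname ("ampr-" . $gw)
    :set ($wanted->$ifname) 1
    # one IPIP tunnel per gateway, local end = our public IP
    :if ([:len [/interface ipip find name=$ifname]] = 0) do={
      /interface ipip add name=$ifname local-address=$localIp remote-address=$gw comment=$tag
      /interface list member add list=$ifList interface=$ifname
    }
    # gateway inside 44/8 (BGP routed): reach it via the ISP default gateway
    :if (([:toip $gw] in 44.0.0.0/8) && ([:len [/ip route find dst-address=($gw . "/32") gateway=$ispGw]] = 0)) do={
      /ip route add dst-address=($gw . "/32") gateway=$ispGw comment=$tag
    }
    # serviced subnet goes into the main table via the tunnel, distance 50
    :if ([:len [/ip route find dst-address=$dst gateway=$ifname]] = 0) do={
      /ip route add dst-address=$dst gateway=$ifname distance=50 comment=$tag
    }
  }
}
# Cleanup: tunnels this script created whose gateway is no longer in RIP
:foreach t in=[/interface ipip find comment=$tag] do={
  :local n [/interface ipip get $t name]
  :if ([:typeof ($wanted->$n)] = "nil") do={
    /ip route remove [find gateway=$n comment=$tag]
    /interface list member remove [find list=$ifList interface=$n]
    /interface ipip remove $t
  }
}
```

Run it from the scheduler so added and withdrawn RIP routes are picked up; the /32 helper routes for withdrawn 44net gateways are left in place here and would need the same tag-based cleanup.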
On 07.06.2017 18:17, Ruben ON3RVH wrote:
Very good policy Lynwood!
Part of my config:
/ip route
add distance=1 dst-address=44.0.0.0/8 gateway=ucsd-gw pref-src=44.144.48.1 routing-mark=44rip
add distance=2 gateway=194.50.91.30 pref-src=194.50.91.2
add comment="Added on 2017/06/06 17:30:14" distance=50 dst-address=44.2.2.0/24 gateway=ampr-216.218.207.198 pref-src=44.144.48.1
add comment="Added on 2017/06/06 17:30:14" distance=50 dst-address=44.2.7.0/30 gateway=ampr-73.185.12.233 pref-src=44.144.48.1
....

/interface ipip
add allow-fast-path=no disabled=yes !keepalive local-address=194.50.91.2 name=OLD_UCS_GW remote-address=169.228.66.251
add comment="Added on 2017/06/06 17:30:14" !keepalive local-address=194.50.91.2 name=ampr-216.218.207.198 remote-address=216.218.207.198
add comment="Added on 2017/06/06 17:30:14" !keepalive local-address=194.50.91.2 name=ampr-73.185.12.233 remote-address=73.185.12.233
--
That's about it for the IPIP tunnel and route towards it. There is also a dynamic route for those subnets, but those get advertised by RIP as you well know. But I omitted that part of the config as the script will go through all RIP routes and create a tunnel for each RIP route and a static route towards that IPIP tunnel.
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net [mailto:44net-bounces+on3rvh=on3rvh.be@hamradio.ucsd.edu] On Behalf Of lleachii--- via 44Net
Sent: woensdag 7 juni 2017 16:06
To: 44net@hamradio.ucsd.edu
Cc: lleachii@aol.com
Subject: Re: [44net] Mikrotik
Leon,
Thanks, I am trying to borrow a Mikrotik from a friend to understand the subnet-linked-to-tunnel thing more clearly.
I do indeed want to review Marius' scripts; but I wanted to do some research myself - prior.
Just as our good friend suggested, I don't want to run a script I don't yet understand.
73,
- Lynwood
KB3VWG
Lynwood, if you are using a Mikrotik device, then the solution is to use Marius' solution of scripts that work 100%.
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net