44Net Wiki - User contributions [en]

Ampr-map

2025-09-06T21:08:25Z

Yo2loj:

== Viewing the map ==

We have a visual map of the AMPR network available, on which users can choose to voluntarily publish their callsign/locator, which is then shown on a vector map of the world.
Generally, the positions will time out after 1 hour.

On click on the dots on the map, additional information will be shown: type, IP, locator and seconds since the last information received.

No information are permanently stored on the server side.

To opt out, just stop sending position reports...

Some technical info:
<blockquote>
The server uses the following incoming ports: 
  - ampr-ripd uses UDP/59001, 
  - amprd uses UDP/59002, 
  - all other http requests use TCP/59001 
Map events sent to your browser are in json format and use websockets or event-stream as a fallback.
</blockquote>

The map can be reached via these URLs:

http://www.yo2loj.ro/ampr-map/
http://yo2loj.ampr.org/ampr-map/

== Sending the location to the map ==

Depending on your system setup and node type, there are 5 methods to get your positions on the map.

Please replace the callsign and position with your own in the given examples.

Position reports are case insensitive and will all be converted to upper case.

;; 1. ampr-ripd:

Add the parameter '-L <callsign@<locator>' to the ampr-ripd command line.

ampr-ripd [...other parameters...] -L N0CALL-T@kn01aa

Positions will be shown as green dots.

;; 2. amprd:

Add your locator in the configuration file, under your interface section:

call_home = N0CALL-T@KN05or

Positions will be shown as blue dots.

;; 3. Mikrotik routers

Set up a cyclic job to run a script in which you request a specific URL, using the command, e.g. every 5 minutes:

/tool fetch mode=http url="<nowiki>http://44.182.21.1:59001/mikrotik?id=N0CALL-T@kn01aa</nowiki>" keep-result=no

Positions will be shown as pink dots.

;; 4. 'Radio' positions

These positions are dedicated to stations not directly reachable via 44net, and are sent out by other systems in their name.

To do this, do a periodic fetch on the following URL:

<nowiki>http://44.182.21.1:59001/radio_gateway?id=n0call-t@kn01aa</nowiki>

For radio stations, the position time-out is 3 hours.

Positions will be shown as yellow antenna symbols.

;; 5. Generic position reports

For other (generic) systems, do a periodic fetch on the following URL:

<nowiki>http://44.182.21.1:59001/generic?id=n0call-t@kn01aa</nowiki>

Positions will be shown as grey dots.

== Map Server Source Code ==

The map server's source code can be found in the AMPR GIT repository:

<nowiki>https://git.ampr.org/yo2loj/ampr-map-server</nowiki>

[[Category:Reference]]

Services

2024-08-28T21:34:06Z

Yo2loj: Link update

{| class="wikitable sortable"
|-
! Maintainer !! Service Name!! URL/IP !! Service Type !! Description !! Other Information
|-
| AMPR ||[[Portal]] || https://portal.ampr.org || HTTPS || Used to request allocations, manage user profile information, [[Gateway]] entries, [[Encap.txt]] preferences and ampr.org DNS entries|| NONE
|-
| AMPR ||Website || https://www.ampr.org || HTTPS || AMPRNet Main Page|| NONE
|-
| AMPR ||Wiki || https://wiki.ampr.org || HTTPS || This Wiki|| NONE
|-
| AMPR ||44Net discussion group || https://ardc.groups.io/g/44net || HTTPS || AMPR discussion group|| NONE
|-
| AMPR ||ARDC announcements || https://ardc.groups.io/g/main || HTTPS || ARDC announcements|| NONE
|-
| AMPR ||AMPRNet Gateway [[Amprgw|(AMPRGW)]] || amprgw.ucsd.edu/169.228.34.84 || IP and IPENCAP [[Tunnel]]|| Routes traffic between the public internet and AMPRNet hosts connected via the IPIP mesh and originates [[RIP]] packets || Gateways use IP Protocol 4 (IPENCAP) to receive traffic via AMPRGW. Allocation must be registered in the [[Portal]] with a ampr.org DNS entry, and gateways must run an AMPRNet routing protocol (i.e. [[RIP]]44 or [[munge script]])
|-
| AMPR ||[[RIP]]44 || provided via [https://en.wikipedia.org/wiki/Broadcasting_%28networking%29 broadcast] from 44.0.0.1 to all [[gateway]]s registered in the [[portal]] || Routing Information (modified RIPv2 protocol) || distributed by main AMPRNet Router to multicast address 224.0.0.9|| 1.) an enabled IPENCAP tunnel, and 2.) [[ampr-ripd]] or [[rip44d]] must be running and properly configured on your registered gateway
|-
| AMPR ||[[Encap.txt]] || N/A || Routing Information (EMAIL/FTP/HTTP)|| routing information for download|| file must be must be parsed by a self-developed [[munge script]]
|-
| Various Operators||[[Ampr.org]] DNS and Reverse DNS (44.in-addr.arpa) ||
ns.ardc.net 
a.gw4.uk 
ns2.us.ardc.net 
ns1.de.ardc.net 
(These hosts are authoritative for AMPR.ORG and most of the '[0-191].44.in-addr.arpa' reverse zones. 
 
44.0.0.0/9 thru 44.128.0.0/10 hosts may use dns-mdc.ampr.org (44.60.44.3) as a recursive DNS server. It also has a copy of HAMWAN.ORG 
srv.kz2x.ampr.org (44.44.48.29) is a recursive resolver available to 44.0.0.0/9 and 44.128.0.0/10 
|| DNS || name resolution services||
|-
| Various Operators||Network Tools||
http://whatismyip.ampr.org 
http://yo2loj.ampr.org/nettools.php 
http://kb3vwg-010.ampr.org/tools 
http://speedtest.ampr.org 
|| HTTP|| source IP checker, speed test, Ping, Traceroute, etc.|| '''kb3vwg-010.ampr.org''' only available from hosts with an AMPRNet IP address
|-
| Various Operators ||Network Time Protocol || ntp.vk2hff.ampr.org (Stratum 1, AU) time.kz2x.ampr.org (Stratum 1, US) kb3vwg-001.ampr.org (Stratum 2, US) gw-44-137.pi9noz.ampr.org (Stratum 2)|| NTP|| Stratum 2 Network Time Server - References US, Canadian and Mexican|| '''kb3vwg-001.ampr.org''' only available from hosts with an AMPRNet IP address '''time.kz2x.ampr.org''' only available from hosts with an AMPRNet IP address
|-
| N1URO ||AMPRNet/RF faxing || http://wiki.ampr.org/wiki/axMail-FAX || Facsimile || Online IP based Facsimile service. You have the ability to send emergency communications from packet via Fax. || [http://axmail.sourceforge.net axMail-FAX] Sofware is here.
|-
| [http://allstarlink.org AllStar Link] || AllStar || http://allstarlink.org || Linking of repeaters || AllStar Link core network services are provided via redundant datacenters using 44net IP space. || [https://wiki.allstarlink.org/wiki/Main_Page ASL wiki]
|-
| N2NOV and G1FEF || Hub_NA and Hub_EU for WWconvers Chat System || 44.68.41.2:3600 convers.g1fef.co.uk:3600 || Telnet || Only connections from other 44Net addresses allowed using port 3600. Stations like JNOS with a built-in local chat server can link to it. Individuals without a local chat portal can use an IRC client to a public IP address that must be arranged with the owner. || None
|-
| N2NOV || AMPRNet NE US Regional Portal || http://n2nov.ampr.org/hamgate.html || HTTP || AMPRNet NE US Regional Portal || None
|-
| [https://flscg.org/ FSG]|| HamWAN Remote || https://flscg.org/2022/04/hamwan-remote/ || VPN/BGP || We provide a VPN based remote site connection to [https://flscg.org/hamwan/ HamWAN Tampa] and can announce your IP space. Performance of over 1gbit/s is possible and we provide an local connection point for amateurs in the South Eastern United States. || https://wiki.w9cr.net/index.php/HamWAN_Remote_Site
|-
| [https://hamwan.org HamWAN]||HamWAN Open Peering||https://hamwan.org/Labs/Open%20Peering%20Policy.html||BGP/IPSec(AH)||We provide IPsec VPN w/ BGP peering + Internet announcing.||
|-}

Services previously available on AMPRNet but no longer actively supported can be viewed on the [[Services/Historic|Historic Services]] page.

Ampr-map

2024-08-28T21:31:17Z

Yo2loj:

Archive/Main Page

2024-08-13T13:14:31Z

Yo2loj: /* How to connect to the 44Net */

Welcome to the AMPRNet Wiki.

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

To request an assignment of IPv4 addresses see below.

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the 44Net
* Basic information about 44Net and the [[ampr.org]] domain
* [[Services]] available on 44Net
* If you are looking to get an IP assignment from ARDC please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]
* [[Getting started with Linux and packet radio]]
* [[Networks that use 44Net]]

== How to connect to the 44Net ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers running ROS6]].
* Instructions for [[Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64|setting up a gateway on MikroTik Routers running ROS7 using a container on arm32, arm64 and x86-64]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X|Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X]].
* Instructions for [[Announcing_your_allocation_directly|directly announcing your assignment via your Internet Service Provider (ISP)]].
* Instructions for [[OH7LZB_VPN|Accessing 44Net via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Groups.io ==
We are now on Groups.io Please consider joining https://ardc.groups.io/g/44net

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name and your amateur radio callsign. A login will then be created for you.

== Terms of Service ==
Use of AMPRNet address space is governed by these [https://www.ampr.org/terms-of-service/ Terms of Service]

== Other useful features ==
* Instruction on using the [[ampr-map]] position reporting

== All Pages ==
[https://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the 44Net Wiki]

Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64

2024-08-13T13:13:49Z

Yo2loj: Yo2loj moved page Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64 to Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64: Comma in the URL breaks some clients

#REDIRECT [[Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64]]

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-13T13:13:49Z

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

Source code is available in git.ampr.org: https://git.ampr.org/yo2loj/ampr-ros7-container/-/tree/main

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).
The address shall be set on an interface OUTSIDE OF THE VRF.

For a single address:
/ip address add address=44.128.0.1 interface=bridge
or even on the loopback interface:
For a single address:
/ip address add address=44.128.0.1 interface=lo

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rules:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1
/ip firewall nat add action=src-nat chain=srcnat out-interface=vrf-ampr to-addresses=44.128.0.1

Of course you need to set up additional firewall rules & stuff, but if you do not enable internet forwarding, you should be pretty safe being exposed only to AMPR partners.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw" for forwarded and "vrf-ampr" for local outgoing data.

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=44.128.0.1

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-13T06:17:29Z

Yo2loj: /* Container configuration parameters */

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-12T12:27:02Z

Yo2loj: /* Container configuration parameters */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

Source code is available in git.ampr.org: https://git.ampr.org/yo2loj/ampr-ros7-container/-/tree/main

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).
The address shall be set on an interface OUTSIDE OF THE VRF.

For a single address:
/ip address add address=44.128.0.1 interface=bridge
or even on the loopback interface:
For a single address:
/ip address add address=44.128.0.1 interface=lo

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rules:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1
/ip firewall nat add action=src-nat chain=srcnat out-interface=vrf-ampr to-addresses=44.128.0.1

Of course you need to set up additional firewall rules & stuff, but if you do not enable internet forwarding, you should be pretty safe being exposed only to AMPR partners.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=44.128.0.1

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-12T11:55:48Z

Yo2loj: /* Container configuration parameters */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

Source code is available in git.ampr.org: https://git.ampr.org/yo2loj/ampr-ros7-container/-/tree/main

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).
The address shall be set on an interface OUTSIDE OF THE VRF.

For a single address:
/ip address add address=44.128.0.1 interface=bridge
or even on the loopback interface:
For a single address:
/ip address add address=44.128.0.1 interface=lo

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=44.128.0.1

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-09T21:05:34Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

Source code is available in git.ampr.org: https://git.ampr.org/yo2loj/ampr-ros7-container/-/tree/main

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=44.128.0.1

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-09T08:44:02Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=44.128.0.1

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T23:51:48Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T22:22:49Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router 5 minutes set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T22:21:47Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

First, create a simple accept routing filter to be used by RIP:
/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"
Next, create a RIP instance for your VRF using the above filter and the defined VRF:
/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr
And now add a passive (receive only) interface to our instance:
/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

== Step 3: Firewall rules, Filter, NAT and Mangle ==

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF.
For our convenience we will set up an address list to handle AMPR space as one entity
(if you already have such a list on the router, you can use it)
/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr
Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config).
If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router.
Accept RIP from the VRF:
/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp
Accept input from the AMPR address space to the router (important for ping and traceroute):
/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
src-address-list=ampr_addr
And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:
/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):
/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
new-routing-mark=vrf-ampr passthrough=no protocol=ipencap
Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
new-routing-mark=main passthrough=no protocol=ipencap
Traffic to our local router IPs will be directed via our bridge
/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
passthrough=no route-dst=172.17.0.1
And finally, the incoming AMPR traffic will go to the main routing table
/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

== Step 4 - Container environment setup ==
This step prepares the environment variables for the container.

/container envs
add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

== Step 5 - Container installation ==
Now you need to download the container which fits your architecture.
The following rsc files will install a script which, when run will import and install the container.
The same scripts will update and replace the container if run again.

ARM32 - http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 - http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:
ARM32 - http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 - http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar
and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:
http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

== Step 6 - Container configuration and final touches ==

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table
(Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system.
Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:
/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr
If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table.
This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr
and
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

== Additional Info ==
All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T21:08:45Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

== Installation script ==
Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T21:05:47Z

Yo2loj: /* Info */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

<h1>Info</h1>

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T21:05:00Z

Yo2loj: /* New router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

<h1>New router set up</h1>

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T21:04:17Z

Yo2loj: /* Configuration on an existing working router */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

<h1>Configuration on an existing working router - 6 steps</h1>

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration

== Preliminary: prepare the router to accept containers ==
First, you need to install container support on your router.
In a console issue:
/system/device-mode/update container=yes
The system will want you to do a hard reset at this point to confirm the request.
This means you need physical access to the device.

Next, you need to install the container package for your firmware version.
Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file.
Upload it to your router and restart. This will install the package onto the router.
After restart, you will have a new option available: /containers

== Step 1: Bridge, VETH, VRF and interface setup ==

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':
/interface bridge add comment="AMPR container" name=bridge-ampr-gw
Assign a network to it. The typical docker IP will be ok:
/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw
Create a virtual ethernet interface for the container itself (call it veth-ampr):
/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
gateway=172.17.0.1
Add the VETH port to the bridge we created above:
/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr
Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:
/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
mac-protocol=ip src-address=172.17.0.2/32
Now we create a vrf called "vrf-ampr" and add the bridge to it:
/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

== Step 2: RIP setup ==

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-08T12:43:53Z

Yo2loj: /* New router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the default firewall rule as they are.
Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T15:00:09Z

Yo2loj: /* Info */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:55:37Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router
Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:
Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:
Routers: L009, RB3011, RB4011, RB1100AHx4,
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:
Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiB
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:28:22Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:27:07Z

Yo2loj: /* Additional optional configuration */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1.
To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from
accept;

to set your router's local AMPR IP as its preferred source
set pref-src 44.128.0.1;
accept;

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:21:46Z

Yo2loj: /* Container configuration parameters */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1).

For a single address:
/ip address add address=44.128.0.1 interface=bridge

For a subnet:
/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rule:
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:14:17Z

Yo2loj: /* New router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1):
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T14:08:26Z

Yo2loj: /* Container configuration parameters */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1):
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw".

== Additional optional configuration ==

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T13:58:29Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Limitations ==

The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask
Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1):
/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Additional optional configuration ==

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T13:47:55Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T13:44:25Z

Yo2loj: /* New router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful

Your container is now installed.
You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T13:42:10Z

Yo2loj: /* New router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

As a prerequisite, get your internet connection working based on the default mikrotik configuration.
Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection.
Leave the firewall rule as they are.

First you need to enable container support according to the info provided by Mikrotik.
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).

Next we need to install the container according to your hardware.
Please chose the correct setup script variant:

ARM32 - ampr_arm32.rsc
ARM64 - ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:
[admin@MikroTik] > ping yo2loj.ro
SEQ HOST SIZE TTL TIME STATUS
0 89.33.44.100 56 58 10ms574us
1 89.33.44.100 56 58 9ms141us
2 89.33.44.100 56 58 9ms5us
sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script
[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
status: finished
downloaded: 5KiBC-z pause]
total: 5KiB
duration: 1s

3. Run the configuration script
[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
status: finished
downloaded: 366KiB
total: 366KiB
duration: 1s
AMPR: Script finished successful

Your container is now installed.
You need to configure its environment variables according to the description give.

After configuration is complete, go to "containers" and star it up.
It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T10:59:15Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

'''Please hold your horses - changing the script for default config'''

On a brand new router, clear its configuration completely...

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T10:57:54Z

Yo2loj: /* Brand new router set up */

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

On a brand new router, clear its configuration completely...

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Archive/Main Page

2024-08-07T10:45:46Z

Yo2loj: /* How to connect to the 44Net */

Welcome to the AMPRNet Wiki.

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

To request an assignment of IPv4 addresses see below.

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the 44Net
* Basic information about 44Net and the [[ampr.org]] domain
* [[Services]] available on 44Net
* If you are looking to get an IP assignment from ARDC please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]
* [[Getting started with Linux and packet radio]]
* [[Networks that use 44Net]]

== How to connect to the 44Net ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers running ROS6]].
* Instructions for [[Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64|setting up a gateway on MikroTik Routers running ROS7 using a container on arm32, arm64 and x86-64]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X|Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X]].
* Instructions for [[Announcing_your_allocation_directly|directly announcing your assignment via your Internet Service Provider (ISP)]].
* Instructions for [[OH7LZB_VPN|Accessing 44Net via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Groups.io ==
We are now on Groups.io Please consider joining https://ardc.groups.io/g/44net

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name and your amateur radio callsign. A login will then be created for you.

== Terms of Service ==
Use of AMPRNet address space is governed by these [https://www.ampr.org/terms-of-service/ Terms of Service]

== Other useful features ==
* Instruction on using the [[ampr-map]] position reporting

== All Pages ==
[https://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the 44Net Wiki]

Archive/Main Page

2024-08-07T10:45:13Z

Yo2loj:

Welcome to the AMPRNet Wiki.

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

To request an assignment of IPv4 addresses see below.

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the 44Net
* Basic information about 44Net and the [[ampr.org]] domain
* [[Services]] available on 44Net
* If you are looking to get an IP assignment from ARDC please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]
* [[Getting started with Linux and packet radio]]
* [[Networks that use 44Net]]

== How to connect to the 44Net ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers running ROS6]].
* Instructions for [[Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64|setting up a gateway on a MikroTik routers running ROS7 using a container on arm32, arm64 and x86-64]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X|Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X]].
* Instructions for [[Announcing_your_allocation_directly|directly announcing your assignment via your Internet Service Provider (ISP)]].
* Instructions for [[OH7LZB_VPN|Accessing 44Net via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Groups.io ==
We are now on Groups.io Please consider joining https://ardc.groups.io/g/44net

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name and your amateur radio callsign. A login will then be created for you.

== Terms of Service ==
Use of AMPRNet address space is governed by these [https://www.ampr.org/terms-of-service/ Terms of Service]

== Other useful features ==
* Instruction on using the [[ampr-map]] position reporting

== All Pages ==
[https://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the 44Net Wiki]

Archive/Main Page

2024-08-07T10:41:24Z

Yo2loj: /* How to connect to the 44Net */

Welcome to the AMPRNet Wiki.

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

To request an assignment of IPv4 addresses see below.

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the 44Net
* Basic information about 44Net and the [[ampr.org]] domain
* [[Services]] available on 44Net
* If you are looking to get an IP assignment from ARDC please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]
* [[Getting started with Linux and packet radio]]
* [[Networks that use 44Net]]

== How to connect to the 44Net ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers running ROS6]].
* Instructions for [[Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64|Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64]]
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X|Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X]].
* Instructions for [[Announcing_your_allocation_directly|directly announcing your assignment via your Internet Service Provider (ISP)]].
* Instructions for [[OH7LZB_VPN|Accessing 44Net via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Groups.io ==
We are now on Groups.io Please consider joining https://ardc.groups.io/g/44net

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name and your amateur radio callsign. A login will then be created for you.

== Terms of Service ==
Use of AMPRNet address space is governed by these [https://www.ampr.org/terms-of-service/ Terms of Service]

== Other useful features ==
* Instruction on using the [[ampr-map]] position reporting

== All Pages ==
[https://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the 44Net Wiki]

Archive/Main Page

2024-08-07T10:40:25Z

Yo2loj: changing link title to avoid confusion

Welcome to the AMPRNet Wiki.

44Net is shorthand for Internet network 44 (44.0.0.0/9 & 44.128.0.0/10), also known as AMPRNet. Since its allocation to amateur radio in the mid-1980s, the network has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio. The goals are to of advance the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques.

To request an assignment of IPv4 addresses see below.

__NOTOC__
== Starting points ==
* [[Quickstart]] guide for getting onto the 44Net
* Basic information about 44Net and the [[ampr.org]] domain
* [[Services]] available on 44Net
* If you are looking to get an IP assignment from ARDC please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]
* [[Getting started with Linux and packet radio]]
* [[Networks that use 44Net]]

== How to connect to the 44Net ==

* Instructions for [[Setting up a gateway on Linux|setting up a Linux gateway]]
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers running ROS6]].
* Instructions for [[Setting up a gateway on OpenBSD|setting up an OpenBSD gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[setting up a gateway on a VyOS instance|setting up a gateway on a VyOS instance]].
* Instructions for [[Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X|Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X]].
* Instructions for [[Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64|Setting up a gateway in a ROS7 Mikrotik router container on arm32, arm64 and x86-64]]
* Instructions for [[Announcing_your_allocation_directly|directly announcing your assignment via your Internet Service Provider (ISP)]].
* Instructions for [[OH7LZB_VPN|Accessing 44Net via VPN]] (experimental).
* [[Why can't I just route my AMPRNet allocation directly myself ?]]
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].
* After your gateway is operational, consider '''[[Firewalls]]''' and other best practices

== Groups.io ==
We are now on Groups.io Please consider joining https://ardc.groups.io/g/44net

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name and your amateur radio callsign. A login will then be created for you.

== Terms of Service ==
Use of AMPRNet address space is governed by these [https://www.ampr.org/terms-of-service/ Terms of Service]

== Other useful features ==
* Instruction on using the [[ampr-map]] position reporting

== All Pages ==
[https://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the 44Net Wiki]

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T09:39:12Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-07T09:36:45Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it...
Start the container, sit back and wait 5 minutes for the routes to show up in your vrf.

Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T15:14:04Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet

Now edit the Route->filter rip-ampr-in to point to your preferred source address (your router's AMPR IP address:

(Winbox is your friend)

...and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:40:41Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

All available files are here: http://yo2loj.ro/containers/

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:38:53Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:38:31Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:37:08Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:35:48Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (this is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:35:01Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (this is fixed in newer releases). Bridge filtering is used to mask those messages.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:27:19Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture.

First you need to enable container support according to the info provided by Mikrotik:

Enable container mode
In a console type in:
/system/device-mode/update container=yes
The device will ask you to reset it by hand (you can not do this remotely).
Next step is to install the container package for your firmware verion by downloading the complete package from Mikrotik, unpack it and upload the package called gontainer and reboot the router.

Next, get the appropiate install script for your architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:22:13Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== Limitations ==
The router does not forward multicast frames at all, nor does it send out broadcasts.
Incoming broadcasts are accepted and forwarded to the local VRF.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:08:09Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T14:00:01Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
ARM32: http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64: http://yo2loj.ro/containers/5_container_arm64.rsc
x86_64: http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ

Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

2024-08-06T13:59:15Z

Yo2loj:

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

'''This is an experimental software build for the 'enthusiasts' out there.'''

== Info ==

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 Mikrotik router
Tested and found working on CRS2116 and RB3011 for now.

'''NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.'''

== General concept ==
Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker).
This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them.
The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts).
It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

== Initial steps ==

The steps to be taken depend on the fact if you set up a new router or want to add the container to an existing running one.

== New router set up ==

For a new router setup, please download the automatic setup script depending go your router architecture:

ARM32 - http://yo2loj.ro/containers/ampr_arm32.rsc
ARM64 - http://yo2loj.ro/containers/ampr_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

After clearing your router config (no default configuration), drag and drop the file to your file window.
Open a console and execute the command, using the proper file name downloaded above:
[admin@MikroTik] > import file-name=ampr_arm32.rsc
The system should state that the script was successfully executed.
Now set up an internet connection (the router being blank, like e.g. add a dhcp client to eth1, and wait for it to get an IP address.
With your internet connection working, navigate to /system scripts and execute the script 'install_ampr_container':
[admin@MikroTik] /system/script> run install_ampr_container
This step will download the binary container to your local storage (you need some 1-2 MB of free space on the device) depending on your system architecture and set it up.
If the script fails for some reason, please just run it again.

After the container is created, open your log and then start your container by selecting it and pressing the 'Start' button in your Winbox.
It should switch from "stopped" to "running" and stay running.
Now you have the container installed, stop it for now, and it is time to configure it.

== Container configuration parameters ==
You need to adapt the pre-existing container environment variables to your particular gateway before starting it again.
The following ENV parameters are preset in Container-> Envs:
AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

After finishing the configuration, add your internet interface to the interface list called "Internet":
/interface list member add interface=ether1 list=Internet
and enable the 2 disabled routing rules under Routing->Rule:
[admin@MikroTik] /routing/rule> set 0 disabled=no
[admin@MikroTik] /routing/rule> set 1 disabled=no

This should do it... Of course you need to set up firewall rules & stuff, but if you do not enable internet forward, you should be pretty safe.

== Configuration on an existing working router ==

Basically you need to do 6 steps by snooping around in the provided rsc files:
1 - Bridge, VETH and VRF setup: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc
2 - RIP setup: http://yo2loj.ro/containers/2_rip.rsc
3 - Firewall rules, Filter, NAT and Mangle: http://yo2loj.ro/containers/3_firewall.rsc
4 - Container environment setup: http://yo2loj.ro/containers/4_container_env.rsc
5 - Container installation, architecture dependent. Files hold the download and update script:
http://yo2loj.ro/containers/5_container_arm32.rsc
http://yo2loj.ro/containers/5_container_arm64.rsc
http://yo2loj.ro/containers/5_container_x86_64.rsc
6 - final routing rules: http://yo2loj.ro/containers/6_rules.rsc

(Details are coming...)

Rip Rip Hurray! de YO2LOJ