Setting up a gateway in a ROS7 Mikrotik router container on arm32 arm64 and x86-64

From 44Net Wiki
Jump to navigation Jump to search

Setting up a gateway in a ROS7 Mikrotik router running in a container on arm and arm64 models and x86-64 CHR

This is an experimental software build for the 'enthusiasts' out there.

Source code is available in git.ampr.org: https://git.ampr.org/yo2loj/ampr-ros7-container/-/tree/main


Info

These are the steps for setting up a fully functional AMPR gateway on an arm/arm64 MikroTik router Tested and found working on CRS2116 and RB3011 for now.

MikroTik ARM64 devices:

Routers: CCR2004, CCR2116, CCR2216, RB5009
Switches: CRS520
Wireless & 5G: Netmetal ax, LHG-LTE6, ATL-LTE18
SOHO: hAP-ax2, cAP-ax, hAP-ax3, Chateau-ax
Others: AMPERE

MikroTik ARM32 devices:

Routers: L009, RB3011, RB4011, RB1100AHx4, 
Switches: CRS305, CRS309, CRS310, CRS317, CRS320, CRS326, CRS328
Wireless & 5G: SXTsq-5ac, NetBox-5ax, LHGXL-5ac
SOHO: hAP-ax lite, hap-ac2, cAP-ac, wAP-ac, cAPXL-ac, hAP-ac3, Chateau
Routerboard: L11UG, L23UGSR, RB450Gx4

MikroTik x86-64 devices:

Others: Cloud Hosted Router

Containers are not available on MIPSBE, MMIPS, SMIPS, TILE or PPC architectures.

General concept

Mikrotik routers running ROS 7 (7.15.3 being current at the time of writing) based on arm and arm64 processor, as well as CHR setups are able to run software containers (similar to docker). This opens the possibility to host a virtualized gateway in such a container, allowing a simple and efficient setup on modern systems.

The gateway will be hosted in a VRF on the router, providing gateway services using policy routing.

As a concept, the container has a single VETH interface which will decapsulate all incoming IPIP traffic from the tunnels, and encapsulate all outgoing traffic towards them. The container itself is isolated behind a bridge and offers some basic filtering function (e.g. restrict access from internet hosts). It will receive the RIPv2 broadcasts from the AMPR gateway and provide the obtained routes as RIP broadcasts to the router itself inside the mentioned VRF.

The container does not save anything to disk (which would be a bad idea on the router's flash memory), so the AMPR routes are lost on container or router restart, and you need to wait the now classical 5 minutes. But this should be no problem on a 24/7 on router.

Limitations

The router does not forward multicast frames at all, nor does it send out broadcasts. Incoming broadcasts are accepted and forwarded to the local VRF.

The container itself needs to sit behind a bridge due to a kernel bug in the version used by Mikrotik which sends out "Port unreachable" ICMP messages on incoming IPIP traffic if it is handled in user space (The same thing causing the need of a kernel filter in amprd. This is fixed in newer kernel releases but it will take a while for it to make its way into ROS). Bridge filtering is used to mask those messages.

New router 5 minutes set up

As a prerequisite, get your internet connection working based on the default mikrotik configuration. Basically set up your ISP uplink either via DHCP or by setting up a PPPoE or similar connection. Leave the default firewall rule as they are. Alternatively, you can start with a completely empty router, with only a active internet connection.

First you need to enable container support according to the info provided by Mikrotik. In a console type in:

/system/device-mode/update container=yes

The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

Installation script

Next we need to install the container according to your hardware. Please chose the correct setup script variant:

ARM32 -  ampr_arm32.rsc
ARM64 -  ampr_arm64.rsc
CHRx86 - ampr_x86_64.rsc

Unfortunately, containers are not available on Mips, Tile or PowerPC devices.

The example assumes you use an arm32 device. Please use the proper one...

Open a route console window.

1. Check is the remote server is available:

[admin@MikroTik] > ping yo2loj.ro
 SEQ HOST                                     SIZE TTL TIME       STATUS                    
   0 89.33.44.100                               56  58 10ms574us 
   1 89.33.44.100                               56  58 9ms141us  
   2 89.33.44.100                               56  58 9ms5us    
   sent=3 received=3 packet-loss=0% min-rtt=9ms5us avg-rtt=9ms573us max-rtt=10ms574us

2. Download the configuration script

[admin@MikroTik] > /tool fetch url="http://yo2loj.ro/containers/ampr_arm32.rsc"
     status: finished
 downloaded: 5KiB
      total: 5KiB
   duration: 1s

3. Run the configuration script

[admin@MikroTik] > import ampr_arm32.rsc
AMPR: Creating bridge and VRF
AMPR: Setting up RIP
AMPR: Creating container envs
AMPR: Setting up firewall rules
AMPR: Creating container update script
AMPR: Creating routing rules
AMPR: Installing container
No container is installed
     status: finished
 downloaded: 366KiB
      total: 366KiB
   duration: 1s
AMPR: Script finished successful
AMPR: Now update your container envs and start the container

Your container is now installed. You need to configure its environment variables according to the description given below.

After configuration is complete, go to "containers" and star it up. It should show "running" and you should see it's messages in the log window.

After at most 5 minutes, you should get the tunnel routes in your vrf, and your gateway should be fully up and running.

If logging/debugging is not needed anymore, please disable it by clicking on the container and unchecking te logging box.

Container configuration parameters

You need to adapt the pre-existing container environment variables to your particular gateway before starting it again. The following ENV parameters are preset in Container-> Envs:

AMPR_SUBNETS - holds your local subnets as defined in the portal, as comma separated list of <SUBNET>/<MASK> tupples, e.g. "44.128.0.0/24,44.128.1.0/24"
ALL_VIA_AMPRGW - enables forwarding of all AMPR destinations via AMPRGW, values are "0" or "1"
FORWARD_INTERNET - enables forward of traffic from/to internet hosts, values are "0" or "1"
IGNORED_SUBNETS - allows you to ignore specific subnets provided by RIP, by <SUBNET>/<MASK> or gateway address e.g. "44.128.0.0/16"
CALL_HOME - the classic string, <CALLSIGN>@<LOCATOR> to show up on the map. You will get a yellow dot. e.g. "YO2LOJ@KN05OR". Leaving the field empty disables call home.

Please note that the provided default will allow you to play around, but will not provide a working set up.

Next, you need to set up a local AMPR LAN on your router router, or, if you have only a single IP address assigned, add it to one of your router's interfaces with a /32 netmask Anyway, you need to add a src-nat rule to the router's IP address to get your traffic flowing (let's assume its 44.128.0.1). The address shall be set on an interface OUTSIDE OF THE VRF.

For a single address:

/ip address add address=44.128.0.1 interface=bridge

or even on the loopback interface: For a single address:

/ip address add address=44.128.0.1 interface=lo

For a subnet:

/ip address add address=44.128.0.1/24 interface=<interface name>

And your src-nat NAT rules:

/ip firewall nat add action=src-nat chain=srcnat out-interface=bridge-ampr-gw to-addresses=44.128.0.1
/ip firewall nat add action=src-nat chain=srcnat out-interface=vrf-ampr to-addresses=44.128.0.1

Of course you need to set up additional firewall rules & stuff, but if you do not enable internet forwarding, you should be pretty safe being exposed only to AMPR partners.

Please note that for your firewall rules the incoming interface from the tunnels is "vrf_ampr" and the outgoing interface is "bridge-ampr-gw" for forwarded and "vrf-ampr" for local outgoing data.

Additional optional configuration

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1. To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from

accept;

to set your router's local AMPR IP as its preferred source

set pref-src 44.128.0.1;
accept;

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=<YourLANInterface> dst-address-list=ampr_addr

and

/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
   src-address-list=!ampr_addr to-addresses=44.128.0.1

Configuration on an existing working router - 6 steps

1 - Bridge, VETH, VRF and interface setup
2 - RIP setup
3 - Firewall rules, Filter, NAT and Mangle
4 - Container environment setup
5 - Container installation (architecture dependent)
6 - Container configuration and final touches

Preliminary: prepare the router to accept containers

First, you need to install container support on your router. In a console issue:

/system/device-mode/update container=yes

The system will want you to do a hard reset at this point to confirm the request. This means you need physical access to the device.

Next, you need to install the container package for your firmware version. Download the "extra" firmware package from MikroTik for your FW version and extract the "container-7.x.y-<arch>.npk" file. Upload it to your router and restart. This will install the package onto the router. After restart, you will have a new option available: /containers

Step 1: Bridge, VETH, VRF and interface setup

First create a bridge which will be used for your containr. Let's call it 'bridge-ampr-gw':

/interface bridge add comment="AMPR container" name=bridge-ampr-gw

Assign a network to it. The typical docker IP will be ok:

/ip address add address=172.17.0.1/24 interface=bridge-ampr-gw

Create a virtual ethernet interface for the container itself (call it veth-ampr):

/interface veth add name=veth-ampr address=172.17.0.2/24 comment="AMPR container interface" \
   gateway=172.17.0.1

Add the VETH port to the bridge we created above:

/interface bridge port add bridge=bridge-ampr-gw interface=veth-ampr

Because of a kernel anomaly preventing proper userspace IPIP handling, we need to filter icmp messages on the bridge from the container itself:

/interface bridge filter add action=drop chain=input in-interface=veth-ampr ip-protocol=icmp \
   mac-protocol=ip src-address=172.17.0.2/32

Now we create a vrf called "vrf-ampr" and add the bridge to it:

/ip vrf add interfaces=bridge-ampr-gw name=vrf-ampr

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/1_ampr_bridge_vrf.rsc

Step 2: RIP setup

First, create a simple accept routing filter to be used by RIP:

/routing filter rule add chain=rip-ampr-in disabled=no rule="accept;"

Next, create a RIP instance for your VRF using the above filter and the defined VRF:

/routing rip instance add afi=ipv4 in-filter-chain=rip-ampr-in name=rip-ampr vrf=vrf-ampr

And now add a passive (receive only) interface to our instance:

/routing rip interface-template add instance=rip-ampr interfaces=bridge-ampr-gw mode=passive

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/2_rip.rsc

Step 3: Firewall rules, Filter, NAT and Mangle

Now we need to forward out IPIP tunnels to the container, and extract our data from the VRF. For our convenience we will set up an address list to handle AMPR space as one entity (if you already have such a list on the router, you can use it)

/ip firewall address-list
add address=44.0.0.0/9 list=ampr_addr
add address=44.128.0.0/10 list=ampr_addr

Also, we can use an interface list called WAN for the internet access interfaces (like the one in the default config). If you prefer individual interfaces, you can of course use them in your rules.

Filters are needed to allow data input and forward to/from the router. Accept RIP from the VRF:

/ip firewall filter
add action=accept chain=input comment="RIP via VRF" dst-port=520 in-interface=vrf-ampr protocol=udp

Accept input from the AMPR address space to the router (important for ping and traceroute):

/ip firewall filter
add action=accept chain=input comment="AMPR via Tunnels" dst-address-list=ampr_addr in-interface=vrf-ampr \
   src-address-list=ampr_addr

And we need to accept some forwarding for the IPIP tunnels, from VRF to our AMPR space and between AMPR hosts:

/ip firewall filter
add action=accept chain=forward comment="IPIP Tunnels from ISP" in-interface-list=Internet protocol=ipencap
add action=accept chain=forward comment="IPIP Tunnels from VRF" in-interface=vrf-ampr protocol=ipencap
add action=accept chain=forward comment="VRF to AMPR" dst-address-list=ampr_addr in-interface=vrf-ampr
add action=accept chain=forward comment="AMPR to AMPR" dst-address-list=ampr_addr src-address-list=ampr_addr

Next, we need to forward incoming IPIP traffic to our container (note that WAN interface list, use your interface if you like):

/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT ENCAP" in-interface-list=WAN protocol=ipencap \
   to-addresses=172.17.0.2

Now to be able to traverse int and from the VRF, we need some mangle rules.

Incoming IPIP traffic will be marked with the vrf routing mark:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP incoming to VRF" in-interface-list=Internet \
   new-routing-mark=vrf-ampr passthrough=no protocol=ipencap

Outgoing IPIP traffic will be marked for the main routing table (or the one you need to reach your ISP)

/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR IPIP outgoing via ISP" in-interface=vrf-ampr \
   new-routing-mark=main passthrough=no protocol=ipencap

Traffic to our local router IPs will be directed via our bridge

/ip firewall mangle
add action=route chain=prerouting comment="AMPR VRF route local" dst-address-type=local in-interface=vrf-ampr \
   passthrough=no route-dst=172.17.0.1

And finally, the incoming AMPR traffic will go to the main routing table

/ip firewall mangle
add action=mark-routing chain=prerouting comment="AMPR VRF forward" in-interface=vrf-ampr new-routing-mark=main\
   passthrough=no

All the above steps are available here as a rsc file: http://yo2loj.ro/containers/3_firewall.rsc

Step 4 - Container environment setup

This step prepares the environment variables for the container.

/container envs

add comment="My subnets, as defined in the portal" key=AMPR_SUBNETS name=ampr-cfg value=\
   44.128.0.0/24,44.128.1.0/24
add comment="Default gateway is AMPRGW instead of Internet" key=ALL_VIA_AMPRGW name=ampr-cfg value=0
add comment="Forward internet traffic" key=FORWARD_INTERNET name=ampr-cfg value=0
add comment="Call home callsign and locator" key=CALL_HOME name=ampr-cfg value=test@AA00aa
add comment="Ignored subnets in RIP" key=IGNORED_SUBNETS name=ampr-cfg value=44.128.0.0/16

Just paste them into the console or import the rsc script as it is. You will edit those later.

The rsc file is here: http://yo2loj.ro/containers/4_container_env.rsc

Step 5 - Container installation

Now you need to download the container which fits your architecture. The following rsc files will install a script which, when run will import and install the container. The same scripts will update and replace the container if run again.

ARM32 -  http://yo2loj.ro/containers/5_container_arm32.rsc
ARM64 -  http://yo2loj.ro/containers/5_container_arm64.rsc
CHRx86 - http://yo2loj.ro/containers/5_container_x86_64.rsc

Of course, instead of the script, you can download the appropriate tar container files yourself:

ARM32 -  http://yo2loj.ro/containers/ampr-arm32.tar
ARM64 -  http://yo2loj.ro/containers/ampr-arm64.tar
CHRx86 - http://yo2loj.ro/containers/ampr-x86-64.tar

and install them manually. Please set them to use the env variables "ampr-cfg".

Or, you can compile and pack the container yourself from source. At the time of writing, the current version is 1.2.0:

http://yo2loj.ro/containers/ampr-container-1.2.0-release.tgz

Step 6 - Container configuration and final touches

You need to edit your env variables according to the description given in the new router setup.

Start your container and wait 5 min. You should see AMPR routes showing up in the VRF's routing table (Some 840 of them if ALL_VIA_AMPRGW is not enabled, otherwise you will get only 2 routes, 44.0.0.0/9 and 44.128.0.0/10).

You may notice that on an external traceroute your router's IP address will show up as 172.17.0.1. To fix this small glitch, you need to modify your existing "rip-ampr-in" RIP input filter rule to provide the correct preferred source address.

Modify the existing rule from

accept;

to set your router's local AMPR IP as its preferred source

set pref-src 44.128.0.1;
accept;

Now, activate the use of the whole system. Set up a routing rule set to force all outgoing AMPR traffic to do a lookup in the VRF routing table:

/routing rule
add action=lookup disabled=yes dst-address=44.0.0.0/9 table=vrf-ampr
add action=lookup disabled=yes dst-address=44.128.0.0/10 table=vrf-ampr

If no route is found in that table, the lookup will continue via the main table towards your default route.

Your local AMPR network and additional routing will go into the main table and the lookup will be done AFTER passing through the VRF's routing table. This means that a matching route in the VRF, including a default 0.0.0.0/0 will take precedence over any route defined in the main table.

Also, if you want to access the AMPR network from a LAN not using AMPR addresses, you need to set up a forwarding rule and a SRC-NAT one:

/ip firewall filter
add action=accept chain=forward comment="from LAN" in-interface=LAN dst-address-list=ampr_addr

and

/ip firewall nat
add action=src-nat chain=srcnat comment="NAT to AMPR" dst-address-list=Ampr out-interface=bridge-ampr-gw \
   src-address-list=!ampr_addr to-addresses=<your router's AMPR ip>

Additional Info

All available files are here: http://yo2loj.ro/containers/

Rip Rip Hurray! de YO2LOJ