ikiris
just joined
Topic Author
Posts: 2
Joined: Sat Jan 20, 2024 3:19 am

wireguard /31 with edgerouter ospf failing to establish peer

Sat Jan 20, 2024 6:03 pm

Greetings,
I'm trying to slowly migrate away from an existing edgerouter setup to a mikrotik one, and have point-to-point 0/0, ::0/0 /31 tunnels established just fine between the existing network running ospf for link state, with bgp connecting loopbacks.

When I added the mikrotik in, the peers try to establish but never complete, and I'm trying to figure out which side has the ospf bug here (leaning towards mikrotik here since I've made this work with other devices as well, like ciscos / opnsense). I'd look at the packet exchange, but trying to get a clean packet dump from an encrypted tunnel on the wan side isn't exactly easy.

From what I see, the nodes see each other's hellos, and begin exchange, but the mikrotik side never sees the DD reply from the far side so it just continually fails to establish and times out.

What am I missing here, or did I find a bug in how mikrotik (or the edgerouters) are adhering to the OSPF RFCs?

Relevant log bits from ospf debug mikrotik side:
09:47:17 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:17 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } send hello
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
09:47:25 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } hello
09:47:27 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:27 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
09:47:32 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } send hello
09:47:32 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:32 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202

fw1csc2 mikrotik side below

# model = RB5009UG+S+
# serial number = [snip]
/interface bridge
add admin-mac=[snip] auto-mac=no comment=defconf name=bridge
add name=lo1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add comment=fw1csc1 listen-port=51821 mtu=1420 name=wg1
/interface vlan
add interface=bridge name=vlan2 vlan-id=2
/interface ethernet switch port
set 7 mirror-egress=yes mirror-ingress=yes mirror-ingress-target=ether3
/interface ethernet switch
set 0 mirror-egress-target=ether3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WG_tun
add include=LAN,WG_tun name=NoBlock
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.50-192.168.10.254
add name=dhcp_prod ranges=192.168.11.50-192.168.11.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=dhcp_prod interface=vlan2 lease-time=23h59m59s name=dhcp_prod
/queue type
add kind=fq-codel name=FQ_Codel
/queue interface
set ether1 queue=FQ_Codel
/routing ospf instance
add disabled=no name=ospf_v2
add disabled=yes name=ospf_v3 version=3
/routing ospf area
add disabled=no instance=ospf_v2 name=backbone_v4
add disabled=no instance=ospf_v3 name=backbone_v6
/routing bgp template
set default as=65510 disabled=no output.no-client-to-client-reflection=yes routing-table=main
add as=65010 disabled=no multihop=yes name=peer nexthop-choice=propagate output.keep-sent-attributes=yes .no-client-to-client-reflection=yes routing-table=main templates=\
    default
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 trusted=yes
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge tagged=ether4,ether7 untagged=vlan2 vlan-ids=2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=lo1 list=LAN
add interface=vlan2 list=LAN
add interface=wg1 list=WG_tun
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=fw1csc1 endpoint-address=fw1csc.[snip] endpoint-port=51820 interface=wg1 persistent-keepalive=25s public-key=\
    "[snip]"
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
add address=192.168.50.1 interface=lo1 network=192.168.50.1
add address=192.168.11.1/24 comment=prod interface=vlan2 network=192.168.11.0
add address=192.168.17.2/31 comment=fw1csc1 interface=wg1 network=192.168.17.2
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 domain=[snip] gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=prod dns-server=192.168.11.1 domain=[snip] gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=vpn_local_in in-interface-list=WG_tun
add action=accept chain=input comment="wireguard 1" dst-port=51821 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!NoBlock
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=dns dst-port=53 in-interface-list=WAN protocol=udp to-addresses=192.168.10.15 to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 address
add address=::7a9a:18ff:feab:79ae eui-64=yes from-pool=global interface=bridge
add eui-64=yes from-pool=global interface=*E
add address=::874:bff:fed3:e88d eui-64=yes from-pool=global interface=lo1
/ipv6 dhcp-client
add interface=ether1 pool-name=global prefix-hint=::/48 request=address,prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
add advertise-dns=no hop-limit=64 interface=ether1 ra-preference=low reachable-time=5m
/routing bfd configuration
add disabled=yes interfaces=WG_tun
/routing bgp connection
add as=65010 connect=yes disabled=no listen=yes local.address=192.168.50.1 .role=ebgp-peer multihop=yes name=fw1csc1 nexthop-choice=propagate output.keep-sent-attributes=yes \
    .no-client-to-client-reflection=yes remote.address=192.168.50.3 .as=65030 routing-table=main templates=peer
/routing ospf interface-template
add area=backbone_v4 cost=10 disabled=no interfaces=lo1 passive
add area=backbone_v6 cost=10 disabled=no interfaces=lo1 passive
add area=backbone_v4 cost=50 disabled=no interfaces=WG_tun priority=1 type=ptp use-bfd=no
add area=backbone_v6 cost=50 disabled=no interfaces=WG_tun type=ptp use-bfd=no
/system clock
set time-zone-name=America/Chicago
/system identity
set name=fw1.[snip]
/system logging
add disabled=yes topics=ospf
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool romon port
add cost=200 disabled=no forbid=yes interface=ether1


fw1csc1 - er-x side - tried to get the relevant pieces, let me know if I missed something.
firewall {
    broadcast-ping disable
    group {
        port-group Wireguard {
            description ""
            port 51820-51822
        }
    }
    name VPN_IN {
        default-action accept
        rule 10 {
            action accept
            description Estab
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description invalid
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 30 {
            action accept
            description http(s)
            destination {
                port 80,443
            }
            log disable
            protocol tcp_udp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 40 {
            action accept
            description icmp
            log disable
            protocol icmp
        }
        rule 50 {
            action accept
            description bgp
            destination {
                address 192.168.50.0/24
                port bgp
            }
            log disable
            protocol tcp
            source {
                address 192.168.50.0/24
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 60 {
            action accept
            description ssh
            destination {
                port 22
            }
            log disable
            protocol tcp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 61 {
            action accept
            description proxmox
            destination {
                port 8006
            }
            log enable
            protocol tcp_udp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    name VPN_LOCAL {
        default-action accept
        rule 10 {
            action accept
            description Estab
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description invalid
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 30 {
            action accept
            description ospf
            log disable
            protocol ospf
        }
        rule 40 {
            action accept
            description dns
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description bgp
            destination {
                address 192.168.50.1
                port bgp
            }
            log disable
            protocol tcp
            source {
                address 192.168.50.0/24
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description WireGuard
            destination {
                group {
                    port-group Wireguard
                }
            }
            log disable
            protocol udp
        }
        rule 21 {
            action accept
            description "backup https"
            destination {
                port 8443
            }
            log enable
            protocol tcp_udp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        dhcpv6-pd {
            no-dns
            pd 0 {
                interface switch0 {
                    host-address ::1
                    prefix-id :0
                    service slaac
                }
                interface switch0.2 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                prefix-length /60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
    interface wireguard wg0 {
        address 192.168.17.3/31
        address fe80::250:55ff:fec0/64
        description fw1csc2
        firewall {
            in {
                ipv6-name VPNv6_IN
                name VPN_IN
            }
            local {
                ipv6-name VPNv6_IN
                name VPN_LOCAL
            }
        }
        ip {
            ospf {
                cost 50
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        listen-port 51820
        mtu 1420
        peer [snip] {
            allowed-ips 0.0.0.0/0
            allowed-ips ::0/0
            endpoint [snip].sn.mynetname.net:51821
            persistent-keepalive 25
        }
        private-key /config/auth/wg.key
        route-allowed-ips false
    }
    loopback lo {
        address 192.168.50.1/32
    }

}
protocols {
    ospf {
        area 0.0.0.0 {
            area-type {
                normal
            }
            network 192.168.17.0/24
            network 192.168.50.0/24
            network 192.168.10.0/24
        }
        log-adjacency-changes {
        }
        parameters {
            abr-type cisco
            router-id 192.168.50.1
        }
        passive-interface default
        passive-interface-exclude wg0
    }
}

Basic diagram: [image]
 
nellicus
just joined
Posts: 4
Joined: Sat Nov 18, 2023 1:03 pm

Re: wireguard /31 with edgerouter ospf failing to establish peer

Sun Jan 21, 2024 4:00 am

I ran into this myself between RouterOS and VyOS. At this time MikroTik RouterOS 7 does not officially support /31 prefixes (source). Though, there are a few hacks to make it work (older post with details).

In short, you set the IP address on your interface as a /32 and the network as the remote IP. You can use the /31 on the remote side if supported. This along with PtP in the OSPF config should form your adjacency. I have this running on a few of the links in my infrastructure, but have moved to /30s where interoperability is needed. Hoping we get /31 support in the future.
/ip/address/add interface=te-1-0-1 address=10.10.10.1/32 network=10.10.10.2
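Pulling the two posts together, an added example that is not code from either poster: a small Python triage script that parses RouterOS route,ospf,packet debug lines like the ones quoted in the first post and flags a neighbor whose Exchange never progresses, then renders the /32-with-remote-network address form from the reply above for a given /31. The sample log is a copy of the lines quoted earlier; the function names find_stuck_exchange, p2p_peer and routeros_p31_workaround are chosen here, and the stuck-exchange rule is a heuristic, not a RouterOS check.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a copy of the RouterOS debug lines quoted in the first post.
SAMPLE_LOG = """\
09:47:17 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:17 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } send hello
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:22 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
09:47:25 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } hello
09:47:27 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } receive DD from 192.168.17.3 Init Master More sequence 3202
09:47:27 route,ospf,packet ospf_v2 { version: 2 router-id: 192.168.50.1 } backbone_v4 { 0.0.0.0 } interface { p2p 192.168.17.2%wg1 } neighbor { router-id: 192.168.50.2 state: Exchange } send DD to 192.168.17.3 sequence 3202
"""

# One debug line; neighbor, direction, peer, flags and sequence are optional
# because hello lines carry only some of them.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) route,ospf,packet .*?"
    r"interface \{ (?P<iftype>\S+) (?P<ifaddr>\S+) \}"
    r"(?: neighbor \{ router-id: (?P<nbr>\S+) state: (?P<state>\S+) \})?"
    r"(?: (?P<dir>receive|send))? (?P<kind>DD|hello)"
    r"(?: (?:from|to) (?P<peer>\S+))?"
    r"(?P<flags>(?: (?:Init|Master|More))*)"
    r"(?: sequence (?P<seq>\d+))?$"
)

def find_stuck_exchange(log_text, min_repeats=3):
    """Return {(neighbor router-id, peer ip): seq} for adjacencies that never
    leave Exchange. Heuristic: the Init bit marks the first DD of a negotiation
    (RFC 2328), so the far side resending an Init DD with an unchanged sequence
    while we sit in Exchange and answer each one means our replies never land."""
    init_dd = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "DD" or m["dir"] != "receive":
            continue
        if m["state"] == "Exchange" and "Init" in m["flags"]:
            init_dd[(m["nbr"], m["peer"])].append(int(m["seq"]))
    return {key: seqs[0] for key, seqs in init_dd.items()
            if len(seqs) >= min_repeats and len(set(seqs)) == 1}

def p2p_peer(local_with_prefix):
    """Other end of a /31 link (RFC 3021): flip the lowest address bit."""
    local = ipaddress.ip_interface(local_with_prefix)
    if local.network.prefixlen != 31:
        raise ValueError("only a /31 has a single well-defined peer")
    return str(ipaddress.ip_address(int(local.ip) ^ 1))

def routeros_p31_workaround(local_with_prefix, interface):
    """The RouterOS form from the reply above: /32 address, network = remote end."""
    local_ip = ipaddress.ip_interface(local_with_prefix).ip
    return (f"/ip/address/add interface={interface} "
            f"address={local_ip}/32 network={p2p_peer(local_with_prefix)}")

if __name__ == "__main__":
    for (nbr, peer), seq in find_stuck_exchange(SAMPLE_LOG).items():
        print(f"neighbor {nbr} via {peer}: Exchange stalled, Init DD seq {seq} keeps repeating")
        print("  /31 workaround:", routeros_p31_workaround("192.168.17.2/31", "wg1"))
```

Run against the posted log it reports the single neighbor 192.168.50.2 stalled on sequence 3202 and prints the address line for wg1 with 192.168.17.3 as the network.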
 
ikiris
just joined
Topic Author
Posts: 2
Joined: Sat Jan 20, 2024 3:19 am

Re: wireguard /31 with edgerouter ospf failing to establish peer

Sun Jan 21, 2024 3:33 pm

Oh perfect, thank you. I’ll just renumber the tunnels into 30s.
