We have devices that we do not trust with direct access from the internet. These include PDUs, antiquated server hardware, and separate admin interfaces on network devices, to name a few. One can implement expensive firewall rules, but the best industry practice is to simply take them off the public Internet and put them on isolated management networks. We have taken this proven approach and implemented it in various portions of the PSDR HamWAN implementation. We will document the key components here. As with most implementations, we have chosen to use non-routable RFC1918 addresses for our management network.
We have chosen to use 10.44.0.0/16 as our management network address space.
As with our public IP space, we have set up allocation areas for various functions:
| Function | Address space allocation | Comment |
|---|---|---|
| Site subnets | 10.44.0.0/19 | /24s or smaller |
| Mgmt Point-to-Point Links | 10.44.32.0/22 | /30s or /29s |
| Mgmt Wireguard Server Pools | 10.44.40.0/22 | normally /27s |
| Mgmt Loopbacks | 10.44.48.0/24 | |
| Mgmt Anycast | 10.44.200.0/23 | redundant servers split between .200 and .201 |
Management networks are ideally run in a separate VRF on each router, with the management interfaces part of that VRF. Management interfaces are normally either dedicated ports or VLANs riding over a non-management interface. The routers run separate OSPF instances for routing mgmt traffic. Ideally each router running mgmt OSPF should have a loopback mgmt interface (an empty bridge) with an address from the management loopback range.
The management network does not currently span the entirety of PSDR HamWAN, but is used in a number of critical sites including Westin, Ziply, FMT, SnoDEM, Haystack and Everett. The list is growing. The best reference is to peruse the DNS Portal.
To access devices or interfaces on the management network, the most straightforward approach is to use Wireguard to log into a device on the management network and bring the management network to your hopefully secure device.
Create and address a loopback interface.
```
/interface bridge add name=loopback.mgmt
/ip address add address=10.44.48.7/32 interface=loopback.mgmt
```
Get mgmt interfaces instantiated.
```
/interface vlan add interface=LAN name=LAN.mgmt vlan-id=1044
# likewise for other interfaces that you want to layer the mgmt network over
```
Create a management VRF (virtual router) and place all the management interfaces in it.
```
/ip vrf add interfaces=LAN.mgmt,loopback.mgmt,interface2.mgmt,interface3.mgmt name=mgmt
```
Set up OSPF on a router with multiple mgmt links. Start by setting up the filter rules needed later.
```
/routing filter rule
add chain=mgmt rule="if (dst in 10.44.0.0/16 && dst-len >= 16) { accept }"
add chain=mgmt rule="if (dst == 0.0.0.0/0) { accept }"
```
Set up the OSPF instance and interface templates.
```
/routing ospf instance add disabled=no in-filter-chain=mgmt name=mgmt originate-default=if-installed out-filter-chain=mgmt redistribute=connected,ospf router-id=10.44.48.7 vrf=mgmt
/routing ospf area add disabled=no instance=mgmt name=mgmt
/routing ospf interface-template
add area=mgmt disabled=no interfaces=LAN.mgmt
add area=mgmt disabled=no interfaces=loopback.mgmt passive
add area=mgmt disabled=no interfaces=interface2.mgmt type=ptp
add area=mgmt disabled=no interfaces=interface3.mgmt type=ptp
```
The management network is routed over parts of HamWAN, so it is not necessary that every site have a Wireguard server, but if you need to set one up because the existing ones don't have the connectivity you need, here are the steps.
Allocate a pool of addresses for the Wireguard server, for example 10.44.40.32/27, using the DNS Portal.
Create a wireguard server on the primary router of the site. You will need to choose a port that does not conflict with any other port usage on the router. The wireguard default is 51820. 50001 is also a good number.
```
/interface wireguard add listen-port=50001 mtu=1420 name=mgmt-wg
```
Add the new interface to the list of interfaces in the mgmt VRF, for example with `/ip vrf edit [ find name=mgmt ] interfaces`. This places the Wireguard server on the management network, and hence its clients as well.
Assign an address to the interface at the bottom of the range.
```
/ip address add address=10.44.40.33/27 comment="Incoming wireguard connections for mgmt router" interface=mgmt-wg
```
You are now ready for clients.
To add a wireguard client you will need to exchange public keys in both directions. Start on the client since the server’s public key is already known (/interface wireguard print).
Look at the existing peers allocated on this server and choose the next free IP address in the range. For the example network above, this would be an address in 10.44.40.32/27. The server is .33. Clients start at .34 and work up. Let's say it is 10.44.40.35.
On your device, create a wireguard client. You will need the server's public key string. The client will normally ask for a QR code or config file, but there will be an option to create an empty client or do it manually. It should create a private key (don't share it) and show you the public key. Your config file will want to look like this.
```
[Interface]
PrivateKey = [REDACTED]
Address = 10.44.40.35/27
MTU = 1420

[Peer]
PublicKey = 4bGxj2HtUUAncDUWB8Usst33GQbQpIcUv437G+sjC3c=
AllowedIPs = 10.44.0.0/16
Endpoint = 50.54.243.191:50001
```
Address is the address you chose in step 1. PublicKey is the server's public key. Endpoint is the address:port of the server (ER1.Ziply in this example); it could be a 44net address as well.
On the server, create a Wireguard peer entry. allowed-address is the set of destination addresses that may be sent to this client, so it is the client's single management address as a /32.
```
/interface wireguard peers add interface=mgmt-wg allowed-address=10.44.40.35/32 name=KD7DK-PC public-key="zxaiwvONtqk/EDFdnnqFIn3ZyjW2k3xWLElq7/MAf0U="
```
Test your connection. You should be functioning.
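As an added example (not from the PSDR HamWAN page, the DNS Portal or any RouterOS tool), this Python script encodes the address plan from the table above and checks a proposed Wireguard client allocation against it: that the pool is carved from the Wireguard server pool range, that the client address is a free host in the pool other than the server's first address, and that AllowedIPs stays inside the management /16. The `MGMT_PLAN` dictionary and the helper function names are this example's own.

```python
"""Check a mgmt Wireguard client allocation against the 10.44.0.0/16 plan (added example)."""
import ipaddress
from typing import List, Optional

# Address plan from the page's table: function -> management range.
MGMT_PLAN = {
    "Site subnets": "10.44.0.0/19",
    "Mgmt Point-to-Point Links": "10.44.32.0/22",
    "Mgmt Wireguard Server Pools": "10.44.40.0/22",
    "Mgmt Loopbacks": "10.44.48.0/24",
    "Mgmt Anycast": "10.44.200.0/23",
}
MGMT_SUPERNET = ipaddress.ip_network("10.44.0.0/16")


def plan_function(prefix: str) -> Optional[str]:
    """Return the plan range a prefix falls inside, or None if it is outside the plan."""
    net = ipaddress.ip_network(prefix, strict=False)
    for function, block in MGMT_PLAN.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return function
    return None


def next_client_ip(pool: str, used: List[str]) -> str:
    """Pick the next free client address; the first host (.33 for a /27) is the server."""
    hosts = list(ipaddress.ip_network(pool).hosts())
    taken = {ipaddress.ip_address(u.split("/")[0]) for u in used} | {hosts[0]}
    for host in hosts[1:]:
        if host not in taken:
            return str(host)
    raise ValueError(f"pool {pool} exhausted")


def check_peer(pool: str, client_addr: str, allowed_ips: str) -> List[str]:
    """Return the problems found with a client config; an empty list means it is consistent."""
    problems = []
    net = ipaddress.ip_network(pool)
    iface = ipaddress.ip_interface(client_addr)
    if iface.ip not in net or iface.ip == list(net.hosts())[0]:
        problems.append(f"{client_addr} is not a free client address in {pool}")
    if iface.network.prefixlen != net.prefixlen:
        problems.append(f"Address mask should be /{net.prefixlen} to match the pool")
    if plan_function(pool) != "Mgmt Wireguard Server Pools":
        problems.append(f"{pool} is not carved from the Wireguard server pool range")
    if not ipaddress.ip_network(allowed_ips).subnet_of(MGMT_SUPERNET):
        problems.append("AllowedIPs must stay inside the management /16")
    return problems
```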