Uplink Node Configuration

  1. Setup a Client Node
  2. Ask on the mailing list(s) if you can be an Uplink Node. There are resource, technical competency, and security requirements that need to be met.
  3. If approved, you'll be assigned a PtP IP pair and an OSPF password.
  4. Remove default gateways

    /ip dhcp-client
    set [find] add-default-route=no
  5. Remove LAN DHCP client

    /ip dhcp-client
    remove <ITEM # OF ether1 CLIENT>
  6. Remove NAT rules

    /ip firewall nat
    remove [find]
  7. Configure static IP for the modem on your LAN

    /ip address
    add address=<MODEM LAN ADDRESS>/<LAN MASK> interface=ether1
  8. Generate a private key and a Certificate Signing Request (CSR)

    # Be sure to protect the private key with a password when prompted to do so!
    openssl genrsa -des3 -out <CALLSIGN>-key.pem 4096
    # Be sure to use CN=<CALLSIGN> in your CSR
    openssl req -new -key <CALLSIGN>-key.pem -out <CALLSIGN>.csr
  9. Contact the HamWAN Certificate Authority (CA) to have your CSR signed (netops@hamwan.org)
  10. This is how the Certificate Authority operator will sign your request and generate your certificate

    openssl x509 -req -days 365 -in <CALLSIGN>.csr -CA cacert.pem -CAkey private/cakey.pem -out <CALLSIGN>-cert.pem -CAserial serial
  11. Copy the -cert.pem you got from the CA to your modem
  12. Copy the -key.pem to your modem. Be sure to leave it encrypted.
  13. Copy the K7WAN-cert.pem to your modem. This file is attached to this page. Will make this a better process later.
  14. Import the certificates and your private key IN THIS ORDER

    import file-name=K7WAN-cert.pem
    # Just hit enter when prompted for password.
    set 0 name=HamWAN
    import file-name=<CALLSIGN>-cert.pem
    # Just hit enter when prompted for password.
    set 1 name=<CALLSIGN>
    import file-name=<CALLSIGN>-key.pem
    # Provide your private key encryption password here for the modem to decrypt it.
  15. Verify that you have one certificate named "K7WAN" and one certificate named that has the K and T flags set in front of it.
  16. Configure a static route for the IPIP tunnel

    /ip route
    add comment=Corvallis-ER1 distance=1 dst-address= gateway=<LAN DEFAULT GATEWAY>
  17. Create an IPIP interface for the tunnel

    /interface ipip
    add comment="<CALLSIGN> - Corvallis.  MTU set for ESP+NAT-T." local-address=<MODEM LAN ADDRESS> mtu=1418 name=ipip1 remote-address=
  18. Define the ESP-only IPsec proposal

    /ip ipsec proposal
    add auth-algorithms=null enc-algorithms=aes-128 name=vpn-esp
  19. Define the Corvallis-ER1 IPsec peer

    /ip ipsec peer
    add address= auth-method=rsa-signature certificate=<CALLSIGN> enc-algorithm=aes-128 nat-traversal=yes remote-certificate=K7WAN
  20. Define the Corvallis-ER1 IPsec policy

    /ip ipsec policy
    add dst-address= proposal=vpn-esp protocol=ip-encap \
      sa-dst-address= sa-src-address=<MODEM LAN ADDRESS> src-address=<MODEM LAN ADDRESS>/32 tunnel=yes
  21. Configure the addresses on your IPIP tunnel

    /ip address
    add address=<HIGHER IP FROM PTP PAIR>/32 network=<LOWER IP FROM PTP PAIR> interface=ipip1
  22. Notify a HamWAN network operator to let them know IPsec is ready on your end.
  23. Once Corvallis-ER1 has been configured to accept your tunnel
    1. Initiate the IPsec association

      /ping <LOWER IP FROM PTP PAIR>
      # Initial ping may timeout, but subsequent pings should work
    2. Verify the tunnel is being used

      /tool traceroute <LOWER IP FROM PTP PAIR>
      # Should display only one hop
    3. Check for mature security associations

      /ip ipsec installed-sa print
      # Should display state=mature
    4. Verify MTUs are working OK

      /ping <LOWER IP FROM PTP PAIR> size=1418 do-not-fragment
      # Should result in clean pings with no error messages
  24. Define HamWAN routing filters

    /routing filter
    add action=accept chain=HamWAN-default prefix= prefix-length=20-32
    add action=accept chain=HamWAN-default prefix=
    add action=reject chain=HamWAN-default
    add action=accept chain=Ham-default prefix= prefix-length=8-32
    add action=accept chain=Ham-default prefix=
    add action=reject chain=Ham-default
  25. Configure OSPF instance

    /routing ospf instance
    set [ find default=yes ] distribute-default=if-installed-as-type-1 in-filter=Ham-default out-filter=Ham-default redistribute-bgp=as-type-1 \
        redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 router-id=<HIGHER IP FROM PTP PAIR>
  26. Configure OSPF interface

    /routing ospf interface
    add authentication=md5 authentication-key=<OSPF PASSWORD> interface=ipip1 network-type=point-to-point
  27. Configure OSPF network

    /routing ospf network
    add area=backbone network=<LOWER IP FROM PTP PAIR>/32
  28. Verify you are receiving routes from Corvallis-ER1

    /ip route print interval=1
    # You should see hundreds of new routes in your routing table
  29. Advertise your uplink gateway to the microwave network

    /routing ospf interface
    add authentication=md5 authentication-key=<OSPF PASSWORD> interface=wlan1 network-type=broadcast
    /routing ospf network
    # For example, wlan1 IP means a network address
    1. In the case of PtP links, you'd use network-type=point-to-point and define network= as the remote IP/32.
  30. Verify two OSPF neighbors are active

    /routing ospf neighbor print
    # Make sure state="Full" on both neighbor lines
  31. Integrate your home network (assumed on RFC1918 space) into HamWAN routing

    1. Define an RFC1918 address list

      /ip firewall address-list
      add address= list=RFC1918
      add address= list=RFC1918
      add address= list=RFC1918
    2. Perform NAT on traffic coming into HamWAN from RFC1918 space

      /ip firewall nat
      add action=masquerade chain=srcnat src-address-list=RFC1918
    3. On your main LAN router, add HamWAN + AMPR routes

      /ip route
      add comment="HamWAN + AMPR" disabled=no distance=1 dst-address= gateway=<MODEM IP ADDRESS> scope=30 target-scope=10


Filename Size Modified
K7WAN.pem 3.8KiB 2016-08-06 14:46:40