add MikroTik aggregation routers

includes/routeros-v7-aggregation-router/dns.j2

@@ -0,0 +1,2 @@
+/ip dns
+set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,8.8.8.8

includes/routeros-v7-aggregation-router/firewall.j2

@@ -0,0 +1,92 @@
+/ip firewall address-list
+add address=172.22.0.0/16 comment="Voneus VPN" list=allow-management
+add address=185.134.196.128/28 comment=FAELIX list=allow-management
+add address=46.227.200.128/28 comment=FAELIX list=allow-management
+add address=100.64.0.0/10 comment=RFC6598 list=customer-private
+add address=46.227.207.251 comment=core.librenms.lon.faelix.twh.voneus.net list=allow-snmp
+add address=46.227.207.250 comment=fttp.librenms.lon.faelix.twh.voneus.net list=allow-snmp
+add address=46.227.203.248 comment=fwa.librenms.lon.faelix.twh.voneus.net list=allow-snmp
+add address=46.227.203.91 comment=librenms01.man.faelix.man.voneus.net list=allow-snmp
+add address=185.134.197.214 comment=oob.librenms.gen.faelix.che.voneus.net list=allow-snmp
+add address=185.134.197.197 comment=overlord.librenms.gen.faelix.che.voneus.net list=allow-snmp
+add address=46.227.203.249 comment=systems.librenms.lon.faelix.twh.voneus.net list=allow-snmp
+add address=46.227.202.238 comment=vnms.librenms.man.faelix.man.voneus.net list=allow-snmp
+add address=192.0.2.1 comment=placeholder disabled=yes list=no-cgnat-to
+add address=192.0.2.2 comment=example disabled=yes list=provisioning
+
+/ipv6 firewall address-list
+add address=2001:db9::/32 comment="Voneus VPN" disabled=yes list=allow-management
+add address=2a01:9e00:a217:fa00::/56 comment=FAELIX list=allow-management
+add address=2a01:9e01:a217:fa00::/56 comment=FAELIX list=allow-management
+add address=2001:db9::/32 comment="Voneus VPN" disabled=yes list=allow-management
+{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %}
+add address={{ prefix.prefix }} comment="{{ prefix.description }}" list=customer-public
+{% endif %}{% endfor %}
+{% for prefix in 'accept-ipv6-40-48-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %}
+add address={{ prefix.prefix }} comment="{{ prefix.description }}" list=customer-public
+{% endif %}{% endfor %}
+{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_prefixes %}{% if prefix.prefix|ipv6 %}
+add address={{ prefix.prefix }} comment="{{ prefix.description }}" list=customer-public
+{% endif %}{% endfor %}
+{% for prefix in 'accept-ipv6-48-52-from-aggregation'|get_netbox_tagged_aggregates %}{% if prefix.prefix|ipv6 %}
+add address={{ prefix.prefix }} comment="{{ prefix.description }}" list=customer-public
+{% endif %}{% endfor %}
+add address=2001:db9::/32 comment=example disabled=yes list=provisioning
+
+/ip firewall filter
+add action=fasttrack-connection chain=forward comment="forward existing connections" connection-state=established,related hw-offload=yes
+add action=accept chain=forward comment="forward existing connections" connection-state=established,related
+add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
+add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
+add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
+add action=accept chain=forward comment="forward DNAT traffic" connection-nat-state=dstnat disabled=yes in-interface-list=uplink-and-linknet
+add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
+add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
+add chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
+add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
+add action=fasttrack-connection chain=input comment="allow established connections to router's control plane" connection-state=established,related hw-offload=yes
+add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
+add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=tcp
+add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
+add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
+add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
+add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
+add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
+add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
+add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
+add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
+add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
+add action=accept chain=input comment="allow ICMP" protocol=icmp
+add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
+add action=drop chain=input comment="protect router's control plane"
+/ip firewall nat
+add action=return chain=srcnat src-address-list=public-addresses
+add action=return chain=srcnat dst-address-list=no-cgnat-to
+add action=same chain=srcnat out-interface-list=uplink same-not-by-dst=yes src-address-list=customer-private to-addresses=185.66.206.1-185.66.206.3
+add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private
+add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1
+
+/ipv6 firewall filter
+add action=accept chain=forward comment="forward existing connections" connection-state=established,related
+add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
+add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
+add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
+add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
+add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
+add chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
+add action=accept chain=forward comment="forward ICMPv6" protocol=icmp
+add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
+add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
+add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=tcp
+add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=udp
+add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
+add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet protocol=udp
+add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
+add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
+add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
+add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
+add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
+add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
+add action=accept chain=input comment="allow ICMP" protocol=icmpv6
+add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
+add action=drop chain=input comment="protect router's control plane"

includes/routeros-v7-aggregation-router/interfaces.j2

@@ -0,0 +1,11 @@
+/ip address
+add address=172.22.1.204/24 interface=ether1 network=172.22.1.0
+add address=169.254.0.2/30 interface=vlan0666 network=169.254.0.0
+add address=185.66.206.1 interface=loopback network=185.66.206.1
+add address=169.254.0.2 interface=vlan0666 network=193.162.44.17
+add address=185.66.206.2 interface=loopback network=185.66.206.2
+add address=185.66.206.3 interface=loopback network=185.66.206.3
+
+/ipv6 address
+add address=2a04:1840:1466::/48 advertise=no interface=loopback
+add address=2a10:f0c0:1::4:666:2004/112 advertise=no interface=vlan0666

includes/routeros-v7-aggregation-router/ppp.j2

@@ -0,0 +1,4 @@
+/ppp profile
+set *0 interface-list=customer local-address=100.64.0.0 use-compression=no use-encryption=no use-mpls=no use-upnp=no
+add address-list=provisioning interface-list=provisioning-cpe local-address=100.64.0.1 name=provisioning use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no
+set *FFFFFFFE local-address=100.64.0.0 use-compression=yes use-mpls=no use-upnp=no

includes/routeros-v7-aggregation-router/routing.j2

@@ -0,0 +1,34 @@
+/routing bgp connection
+add address-families=ipv6 as=65000 connect=yes disabled=no hold-time=31s input.filter=core-in keepalive-time=10s listen=no local.address=2a10:f0c0:1::4:666:2004 .role=ebgp name=\
+   cr1.tn2.v6 output.filter-chain=core-out .redistribute=connected,static remote.address=2a10:f0c0:1::4:666:1 .as=59811 .ttl=255
+add address-families=ip as=65000 connect=yes disabled=no hold-time=31s input.filter=core-in keepalive-time=10s listen=no local.address=169.254.0.2 .role=ebgp name=cr1.tn2.ipv4 \
+   output.filter-chain=core-out .redistribute=connected,static remote.address=169.254.0.1 .as=59811 .ttl=255 routing-table=main
+
+/routing filter rule
+add chain=core-out disabled=no rule="if (afi ipv6) {\
+   \n  if (dst in 2a10:f0c0::/29) {reject}\
+   \n  if (dst-len <= 52) {accept}\
+   \n  reject\
+   \n}"
+add chain=core-out disabled=no rule="if (afi ipv4) {\
+   \n  if (dst in 10.0.0.0/8) {reject}\
+   \n  if (dst in 100.64.0.0/10) {reject}\
+   \n  if (dst in 172.16.0.0/12) {reject}\
+   \n  if (dst in 169.254.0.0/16) {reject}\
+   \n  if (dst in 192.168.0.0/16) {reject}\
+   \n  if (dst in 193.162.44.0/24) {reject}\
+   \n  if (dst-len == 32) {accept}\
+   \n  reject\
+   \n}"
+add chain=core-out disabled=no rule="reject;"
+add chain=core-in disabled=no rule="if (afi ipv6) {\
+   \n  if (dst == ::/0) {accept}\
+   \n  if (bgp-communities includes 59811:2) {accept}\
+   \n  reject\
+   \n}"
+add chain=core-in disabled=no rule="if (afi ipv4) {\
+   \n  if (dst == 0.0.0.0/0) {accept}\
+   \n  if (bgp-communities includes 59811:2) {accept}\
+   \n  reject\
+   \n}"
+add chain=core-in disabled=no rule="reject;"

includes/routeros-v7-aggregation-router/snmp.j2

@@ -0,0 +1,5 @@
+/snmp community
+add addresses=172.22.0.0/16,46.227.207.250/32,46.227.203.248/32 name=VoneusAggCCR
+
+/snmp
+set contact="Voneus NOC" enabled=yes src-address=185.66.206.1 trap-community=VoneusAggCCR trap-generators=interfaces,start-trap,temp-exception trap-interfaces=all trap-target=46.227.207.250

includes/routeros-v7-aggregation-router/static.j2

@@ -0,0 +1,2 @@
+/ip route
+add disabled=no dst-address=172.22.0.0/16 gateway=172.22.1.1

includes/routeros-v7-aggregation-router/system.j2

@@ -0,0 +1,43 @@
+/system identity
+set name={{ name }}
+
+/interface bridge
+add name=loopback protocol-mode=none
+
+/interface list
+add name=uplink
+add name=customer
+add name=mgmt
+add name=linknet
+add include=uplink,linknet name=uplink-and-linknet
+add include=customer,linknet name=customer-and-linknet
+add name=provisioning-cpe
+add include=customer,provisioning-cpe,linknet name=customer-and-linknet-and-provisioning-cpe
+add name=provisioning-uplink
+
+/ip settings
+set max-neighbor-entries=8192
+
+/ipv6 settings
+set max-neighbor-entries=8192
+
+/ip service
+set telnet address=172.22.0.0/16
+set ftp disabled=yes
+set www address=46.227.200.128/28,172.22.0.0/16
+set ssh address=172.22.0.0/16,46.227.200.128/28,185.134.196.128/28
+set api disabled=yes
+set winbox disabled=yes
+set api-ssl disabled=yes
+
+/system clock
+set time-zone-name=Europe/London
+
+/system ntp server
+set enabled=yes use-local-clock=yes
+/system ntp client servers
+add address=leontp.g.faelix.net
+add address=0.uk.pool.ntp.org
+add address=1.uk.pool.ntp.org
+add address=2.uk.pool.ntp.org
+add address=3.uk.pool.ntp.org

routeros-v7-network-aggregation-router.j2

@@ -0,0 +1,12 @@
+/* generated by bgprtrmgr using routeros-v7-network-aggregation-router.j2 at XXX */
+
+{% set device_interfaces = device|get_interfaces %}
+
+{% include "includes/routeros-v7-aggregation-router/system.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/interfaces.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/static.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/routing.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/firewall.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/snmp.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/ppp.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/dns.j2" with context %}

routeros-v7-regional-aggregation-router.j2

@@ -0,0 +1,12 @@
+/* generated by bgprtrmgr using routeros-v7-regional-aggregation-router.j2 at XXX */
+
+{% set device_interfaces = device|get_interfaces %}
+
+{% include "includes/routeros-v7-aggregation-router/system.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/interfaces.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/static.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/routing.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/firewall.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/snmp.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/ppp.j2" with context %}
+{% include "includes/routeros-v7-aggregation-router/dns.j2" with context %}