howto/mikrotik.md
... ...
@@ -20,33 +20,31 @@
20 20
* OpenVPN does not support LZO compression
21 21
* You can't use /31 subnet for Point-to-Point (PtP) links
22 22
23
-Mikrotik/RouterOS can't handle very well /32 on Point-to-Point links (like GRE). There is a [separate howto](/howto/mikrotik/ptp32) to explain how to setup /32 between in a GRE link (or even a OpenVPN). What is the easy way? Just use any /30 on the GRE Link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN.
23
+Mikrotik/RouterOS doesn't handle /32 addresses very well on Point-to-Point links (like GRE). There is a [separate howto](/howto/mikrotik/ptp32) to explain how to setup /32 addresses on a GRE tunnel (or even an OpenVPN tunnel). What is the easy way? Just use any /30 subnet on the GRE Link, either from your assigned DN42 pool of addresses, or use a private address like 192.168.x.x. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN.
24 24
25 25
RouterOS v7.2 has some nasty bugs when using PTP configuration or IPv6 link local addresses as NEXTHOP. It won't work (confirmed for v7.2 by their support staff).
26 26
27 27
## Tunnel
28 28
29 29
### IPSec
30
-First, let's add IPSec peer and encryption policy.
31
-Peer most likely provided you with encryption details.
32
-If not, ask them about it.
30
+First, let's add IPSec peer and encryption policy.
31
+Your peer most likely provided you with encryption details. If not, ask them about it.
33 32
Here we're gonna use aes256-sha256-modp1536
34 33
35 34
```
36 35
/ip ipsec peer
37
-add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
36
+add address=1.1.1.1 comment=gre-dn42-peer dh-group=modp1536 \
38 37
enc-algorithm=aes-256 hash-algorithm=sha256 local-address=2.2.2.2 secret=PASSWORD
39
-
40 38
```
39
+
41 40
```
42 41
/ip ipsec policy
43
-add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
42
+add comment=gre-dn42-peer dst-address=1.1.1.1/32 proposal=dn42 protocol=gre \
44 43
sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=2.2.2.2/32
45 44
```
46 45
47 46
### GRE
48
-Pretty straightforward here
49
-
47
+Pretty straightforward here:
50 48
```
51 49
/interface gre
52 50
add allow-fast-path=no comment="DN42 somepeer" local-address=2.2.2.2 name=gre-dn42-peer \
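Review bot: the IPsec policy in this hunk references `proposal=dn42`, but no `/ip ipsec proposal add name=dn42 ...` is defined anywhere in the section, so a reader following the howto verbatim ends up with a policy bound to a proposal that does not exist; add the proposal block before the policy and make it match the aes256/sha256 parameters the intro line promises. While here, the peer/policy examples use 1.1.1.1 and 2.2.2.2, which are routable public addresses; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24) are safer placeholders against copy-paste accidents. Minor: "how to setup /32 addresses" reads better as "how to set up /32 addresses".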
... ...
@@ -54,8 +52,8 @@ remote-address=1.1.1.1
54 52
```
55 53
56 54
### IPs inside the GRE tunnel
57
-Your peer most likely provided you with IP adresses for GRE tunnel.
58
-As I said before, you can't use /31 for PtP links, so, in the "easy way" we will be using /30.
55
+Your peer most likely provided you with IP adresses for the GRE tunnel.
56
+As mentioned before, you can't use /31 for PtP links, so for the "easy way" we will be using a /30.
59 57
If you want to avoid wasting a whole /30 for your peering, please check the [point-to-point configuration for RouterOS](/howto/mikrotik/ptp32)
60 58
61 59
Add the IP your peer provided you:
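Review bot: the rewritten line keeps the typo "IP adresses" (should be "addresses"), and the sentence pointing to the point-to-point howto still lacks a full stop.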
... ...
@@ -68,27 +66,32 @@ add address=192.168.200.130/30 interface=gre-dn42-peer network=192.168.200.128
68 66
```
69 67
70 68
#### IPv6
71
-Here we can use /127, so it's simple:
72 69
70
+Here we can use /127, so it's simple:
73 71
```
74 72
/ipv6 address
75 73
add address=fdc8:c633:5319:3300::41/127 advertise=no interface=gre-dn42-peer
76 74
```
77 75
78
-If you configured everything correctly, you should be able to ping
76
+If you configured everything correctly you should be able to ping the remote end of the tunnel. In this specific example that would be 192.168.200.129 (IPv4) or fdc8:c633:5319:3300::40 (IPv6).
79 77
80 78
## BGP
81 79
82 80
### Filters
81
+
83 82
Both BGP and routing filters were redone from the ground up on RoS 7.x
84 83
The official migration guide can be found [here](https://help.mikrotik.com/docs/display/ROS/Routing)
85 84
86
-It's a good idea to setup filters for BGP instances, both IN (accept advertises) and OUT (send advertises)
87
-In this example, we will be filtering IN: 192.168.0.0/16 and 169.254.0.0/16
88
-OUT: 192.168.0.0/16 and 169.254.0.0/16, you really don't want to advertise this networks.
89
-This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
85
+It's a good idea to setup filters for BGP instances, both IN (accept advertisements) and OUT (send advertisements)
86
+In this example, we will be filtering:
87
+
88
+* IN: 192.168.0.0/16 and 169.254.0.0/16, because we don't want other people's routes interfering with out network
89
+* OUT: 192.168.0.0/16 and 169.254.0.0/16, because you shouldn't be advertising your private (non-DN42) network
90
+
91
+This filter will not only catch /8 or /16 networks, but smaller networks inside this subnets as well.
90 92
91 93
#### RoS 6.x
94
+
92 95
```
93 96
/routing filter
94 97
add action=discard address-family=ip chain=dn42-in prefix=192.168.0.0/16 prefix-length=16-32 protocol=bgp
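Review bot: two typos in the new filter bullets: "interfering with out network" should read "our network", and "smaller networks inside this subnets" should be "these subnets". The new ping sentence is a good addition and its addresses (192.168.200.129 and fdc8:c633:5319:3300::40) are consistent with the /30 and /127 configured above, so nothing to change there.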
... ...
@@ -97,28 +100,34 @@ add action=discard address-family=ip chain=dn42-out prefix=192.168.0.0/16 prefix
97 100
add action=discard address-family=ip chain=dn42-out prefix=169.254.0.0/16 prefix-length=16-32 protocol=bgp
98 101
```
99 102
100
-If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
101
-
103
+If you want only DN42 connectivity, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
102 104
```
103 105
/routing filter
104 106
add action=discard address-family=ip chain=dn42-in prefix=10.0.0.0/8 prefix-length=8-32 protocol=bgp
105 107
```
106 108
107 109
#### RoS 7.x
110
+
111
+RoS 7 now defaults to default-reject, meaning if you reach the end of the chain without matching any rules, the route will be rejected.
112
+
113
+As such, you need to either explicitly accept all the prefixes that you want to keep, or place a final accept at the end of the chain, after rejecting undesired prefixes.
114
+
115
+In this example, we will use the second method.
108 116
```
109 117
/routing filter rule
110 118
add chain=dn42-in rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
111 119
add chain=dn42-in rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
120
+add chain=dn42-in rule="accept"
112 121
add chain=dn42-out rule="if (dst in 192.168.0.0/16 && dst-len > 16) { reject }"
113 122
add chain=dn42-out rule="if (dst in 169.254.0.0/1 && dst-len > 16) { reject }"
123
+add chain=dn42-out rule="accept"
114 124
```
115 125
116
-If you want only DN42 connection, you can filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
126
+If you want only DN42 connectivity, you can also filter IN 10.0.0.0/8 (ChaosVPN / freifunk networks):
117 127
118 128
```
119 129
/routing filter
120 130
add chain=dn42-in rule="if (dst in 10.0.0.0 && dst-len > 8) { reject }"
121
-
122 131
```
123 132
124 133
### BGP
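Review bot: the text now tells readers to rely on a final `accept` rule, but the 10.0.0.0/8 snippet that follows would be appended after `add chain=dn42-in rule="accept"` and never evaluated, because RoS 7 filter rules are processed in order and stop at the first accept or reject; either show it with `place-before` targeting the accept rule, or fold it into the main block ahead of the accept. Three further defects in the same rules survive this change: `dst in 169.254.0.0/1` (both chains) should be `169.254.0.0/16`, otherwise every prefix longer than /16 inside 128.0.0.0/1 is rejected, which covers the 172.16.0.0/12 range the intro says DN42 uses; `dst in 10.0.0.0 && dst-len > 8` is missing its `/8` mask and sits under `/routing filter` instead of `/routing filter rule`; and `dst-len > 16` / `> 8` exclude the exact /16 and /8 prefixes that the 6.x block's `prefix-length=16-32` and `8-32` do catch, so `>=` is the faithful translation.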
... ...
@@ -130,7 +139,7 @@ Now, for actual BGP configuration.
130 139
set default disabled=yes
131 140
add as=YOUR_AS client-to-client-reflection=no name=bgp-dn42-somename out-filter=dn42-in router-id=1.1.1.1
132 141
```
133
-Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
142
+Let's add some peers. Right now we have just one, but we still need two connections - to IPv4 and IPv6
134 143
135 144
IPv4:
136 145
```
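Review bot: this hunk changes only whitespace on the "Let's add some peers" line, but the unchanged instance line just above it sets `out-filter=dn42-in` on the BGP instance, which applies the inbound chain to outbound advertisements; unless that is intentional it should be `out-filter=dn42-out`, which is what the peer definitions below use. The dash in "two connections - to IPv4 and IPv6" would read better as a colon.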
... ...
@@ -139,19 +148,19 @@ add comment="DN42: somepeer IPv4" in-filter=dn42-in instance=bgp-dn42-somename m
139 148
name=dn42-somepeer-ipv4 out-filter=dn42-out remote-address=192.168.200.129 remote-as=PEER_AS \
140 149
route-reflect=yes ttl=default
141 150
```
142
-IPv6 (if needed):
151
+IPv6 (if needed):
143 152
144 153
```
145 154
/routing bgp peer
146
-add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
147
-instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
155
+add address-families=ipv6 comment="DN42: somepeer IPv6" in-filter=dn42-in \
156
+instance=bgp-dn42-somename multihop=yes name=dn42-somepeer-ipv6 out-filter=dn42-out \
148 157
remote-address=fd42:c644:5222:3222::40 remote-as=PEER_AS route-reflect=yes ttl=default
149 158
```
150 159
151 160
Also, as a note, Mikrotik RoS 6.x doesn't deal well with BGP running over link-local addresses (the address starting with fe80). You need to use a fd42:: address in your BGP session, otherwise, BGP will not install any received route.
152 161
153 162
#### BGP Advertisements
154
-You want to advertise your allocated network (most likely), it's very simple:
163
+You want to advertise your allocated network (most likely), it's very simple:
155 164
156 165
```
157 166
/routing bgp network
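Review bot: the IPv6 peer uses `remote-address=fd42:c644:5222:3222::40`, which does not match the tunnel example earlier in the file (`fdc8:c633:5319:3300::41/127` locally, remote end `fdc8:c633:5319:3300::40` per the ping sentence); use the same address in both places so the walkthrough is internally consistent. The rewrapped lines in this hunk are otherwise unchanged.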
... ...
@@ -161,7 +170,7 @@ You can repeat that with as much IPv4 and IPv6 networks which you own.
161 170
162 171
#### RoS 7.x
163 172
164
-First difference from v 6.x: There is no "network" menu. We advertise our networks now by adding them to the firewall address-list and referencing in the BGP configuration. Also, we can only advertise networks that are part of our static routes. Of course, we can still propagate routes received from others peers.
173
+First difference from v6.x: There is no "network" menu. We advertise our networks now by adding them to the firewall address-list and referencing in the BGP configuration. Also, we can only advertise networks that are part of our static routes. Of course, we can still propagate routes received from others peers.
165 174
166 175
Adding a network list:
167 176
```
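Review bot: the "v6.x" spacing fix is fine, but the same sentence still reads "referencing in the BGP configuration" (should be "referencing it in") and "routes received from others peers" (should be "other peers").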
... ...
@@ -180,7 +189,7 @@ Adding a static route to your full allocated network:
180 189
add blackhole disabled=no distance=1 dst-address=YOUR_ALLOCATED_SUBNET
181 190
```
182 191
183
-Let's create a template for DN42. It isn't strictly necessary, but makes our life easier.
192
+Let's create a template for DN42. It isn't strictly necessary, but it makes our life easier when adding more peers in future.
184 193
```
185 194
/routing bgp template
186 195
add afi=ipv4 as=YOUR_AS_NUMBER name=DN42_template_v4 output.network=DN42_allocated_v4 router-id=1.1.1.1
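Review bot: "when adding more peers in future" should be "in the future". Since the static route above is a blackhole to YOUR_ALLOCATED_SUBNET, one clause explaining why would help readers who copy it: the text already says only networks present as static routes can be advertised, and blackholing the aggregate means traffic for unassigned parts of the allocation is dropped locally instead of looping.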
... ...
@@ -196,6 +205,7 @@ RoS 7.17 and newer can set the link local address.
196 205
197 206
```
198 207
IPv4 peer
208
+/routing bgp connection
199 209
add address-families=ipv4 disabled=no input.filter=dn42-in \
200 210
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
201 211
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
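Review bot: good catch adding the missing `/routing bgp connection` line, but `IPv4 peer` remains a bare label inside the code fence; anyone pasting the block into the CLI will get an error on it, so prefix it with `#` (RouterOS accepts `#` comments in pasted scripts) or move it outside the fence.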
... ...
@@ -203,6 +213,7 @@ multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
203 213
.as=PEER_AS_NUMBER routing-table=main templates=DN42_template_v4
204 214
205 215
IPv6 peer
216
+/routing bgp connection
206 217
add address-families=ipv6 disabled=no input.filter=dn42-in \
207 218
local.address=ADDRESS_YOUR_PEER_USE_TO_CONNECT_ON_YOU .role=ebgp \
208 219
multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
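Review bot: same comment as for the IPv4 block about the bare `IPv6 peer` label inside the fence. Also both connection examples use `name=PEER_NAME`; connection names must be unique, so show distinct placeholders such as PEER_NAME_v4 and PEER_NAME_v6 to avoid a duplicate-name failure when both blocks are pasted.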
... ...
@@ -212,25 +223,40 @@ multihop=yes name=PEER_NAME output.filter-chain=dn42-out \
212 223
213 224
214 225
## Split DNS
215
-Separate dns requests for dn42 tld from your default dns traffic with L7 filter in Mikrotik.
216
-Change network and LAN GW to mach your network configuration.
226
+
227
+You can separate DNS requests for the .dn42 TLD from your default DNS traffic. This allows regular (non-DN42) lookups to work as normal, while .dn42 queries are handled on the DN42 network.
228
+
229
+Adjust the network and LAN GW in these examples to match your own network configuration.
230
+
231
+### RoS 6.47 and later
232
+
233
+Newer versions of RouterOS can redirect DNS queries according to special rules. We add a "static" DNS mapping that forwards matching queries to a specific DNS server:
234
+```
235
+/ip dns static
236
+add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
237
+```
238
+
239
+### RoS earlier than 6.47
240
+
241
+DNS redirection can be achieved with a Layer 7 (L7) filter in RouterOS. We define a new L7 protocol by matching the body of the DNS query, then use NAT to redirect those queries to a DN42 DNS server.
242
+
243
+In this example we assume that your LAN hosts use the 192.168.0.0/24 subnet, and your gateway is 192.168.0.1
217 244
218 245
```
219 246
/ip firewall layer7-protocol
220 247
add name=DN42-DNS regexp="\\x04dn42.\\x01"
248
+
221 249
/ip firewall nat
222 250
add action=src-nat chain=srcnat comment="NAT to DN42 DNS" dst-address=172.23.0.53 dst-port=53 protocol=udp src-address=192.168.0.0/24 to-addresses=192.168.0.1
223 251
add action=dst-nat chain=dstnat dst-address-type=local dst-port=53 layer7-protocol=DN42-DNS protocol=udp src-address=192.168.0.0/24 to-addresses=172.23.0.53 to-ports=53
224
-
225
-```
226
-Since version 6.47 have added functionality that can redirect DNS queries according to special rules. If you used to do Layer-7 rules in the firewall, now it's simple and elegant:
227
-```
228
-/ip dns static
229
-add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD
230 252
```
231 253
232 254
## Specifying BGP Communities (v7)
233 255
256
+See the [BGP communities](/howto/BGP-communities) page to understand what this means.
257
+
258
+In this example we are applying community numbers 5 (peer link latency of 55-148ms) and 41 (prefixes originate from Europe) to our advertisements.
259
+
234 260
```
235 261
/routing/filter/community-list
236 262
add list=dn42 communities=64511:41
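Review bot: the new 6.47+ example uses `regexp=".*\\.dn42"` without an end anchor, so it also forwards names like `host.dn42.example.com` to the DN42 resolver; anchor the pattern to the end of the name (mind RouterOS string escaping for `$`). In the pre-6.47 section both NAT rules match `protocol=udp` only, so DNS over TCP (used when responses are truncated) is not redirected; add matching tcp rules or state the limitation, and note that `dst-address-type=local` only catches queries addressed to the router itself, so LAN hosts configured with an external resolver bypass the split entirely. Minor: "your gateway is 192.168.0.1" lacks a full stop, and the communities paragraph mentions number 5 while the visible list entry adds only 64511:41, so make sure the 64511:5 entry is present in the block.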