92
edits
Changes
DMVPN (Phase 3) with OSPF configuration example (view source)
Revision as of 15:24, 24 May 2024
, 24 MayFirst version
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1'''] firmware version .</p>
=Introduction=
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
=Topology=
(Topology image)
<ul>
<li> DMVPN HUB - GRE interface address - 10.0.0.254 - LAN interface address 192.168.254.1</li>
<li> DMVPN SPOKE1 - GRE interface address - 10.0.0.1 - LAN interface address 192.168.1.1</li>
<li> DMVPN SPOKE2 - GRE interface address - 10.0.0.2 - LAN interface address 192.168.2.1</li>
</ul>
=Creating DMVPN network=
==HUB's configuration==
Navigate to '''Services → VPN → DMVPN'''
Create a new instance with a name of Your choice. In this example, we will name it '''"HUB"'''
(Image)
Configure the HUB as shown:
(Image)
(Image)
<ul>
<li>'''Enable''' - On</li>
<li>'''Working mode''' - Hub</li>
<li>'''Local GRE interface IP address''' - 10.0.0.254</li>
<li>'''Local GRE interface netmask''' - 255.255.255.255</li>
<li>'''Pre-shared key''' - Create a password which will be used in authentication</li>
<li>'''Redirect''' - On</li>
<li>'''NFLOG group''' - 123</li>
<li>'''NHRP multicast NFLOG group''' - 124 (different than NFLOG group number)</li>
</ul>
==SPOKE's configuration==
Navigate to '''Services → VPN → DMVPN'''
Create a new instance with a name of Your choice. In this example, we will name it '''"SPOKE1"'''
(Image)
Configure the SPOKE1 as shown:
(Image)
(Image)
<ul>
<li>'''Enable''' - On</li>
<li>'''Working mode''' - Spoke</li>
<li>'''Hub address''' - Public IP address of the Hub</li>
<li>'''Local GRE interface IP address''' - 10.0.0.1</li>
<li>'''Remote GRE interface IP address''' - 10.0.0.254</li>
<li>'''Pre-shared key''' - Use the same password that was created in the Hub's configuration</li>
<li>'''Redirect''' - On</li>
<li>'''Multicast''' - On</li>
<li>'''NHRP multicast NFLOG group''' - 124 (same number that was in the Hub's configuration)</li>
</ul>
Configuration for the SPOKE2 will be analog to SPOKE1, with the exception of name being SPOKE2 and Local GRE interface IP address being 10.0.0.2
=Testing DMVPN's connectivity=
Pinging SPOKE1 from the HUB:
root@RUTXR1:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=64 time=52.890 ms
64 bytes from 10.0.0.1: seq=1 ttl=64 time=416.808 ms
64 bytes from 10.0.0.1: seq=2 ttl=64 time=246.881 ms
64 bytes from 10.0.0.1: seq=3 ttl=64 time=222.941 ms
Pinging SPOKE2 from the HUB:
root@RUTXR1:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=119.929 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=79.639 ms
64 bytes from 10.0.0.2: seq=2 ttl=64 time=294.173 ms
64 bytes from 10.0.0.2: seq=3 ttl=64 time=318.533 ms
=OSPF configuration=
==Hub configuration==
On the Hub router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown:
(image)
(image2)
(image3)
<ul>
<li>'''Enable Service''' - On</li>
<li>'''Router ID''' - 10.0.0.254</li>
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li>
<li>'''Redistribution options''' - NHRP </li>
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li>
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li>
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.254.0/24.'''
Choose previously created OSPF Area entry and enable OSPF Networks</li>
</ul>
==Spokes configuration==
On the Spoke1 router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown:
(image)
(image2)
(image3)
<ul>
<li>'''Enable Service''' - On</li>
<li>'''Router ID''' - 10.0.0.1</li>
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li>
<li>'''Redistribution options''' - None </li>
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li>
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li>
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.1.0/24.'''
Choose previously created OSPF Area entry and enable OSPF Networks</li>
</ul>
Configuration for the SPOKE2 will be analog to SPOKE1, with the exception of Router ID being 10.0.0.2 and OSPF Networks LAN entry's address being 192.168.2.0/24
=Firewall Zones=
This step should be done on DMVPN '''Hub and all spokes''' for OSPF to allow OSPF routes to their LAN networks.
Navigate to '''Network -> Firewall -> General settings -> Zones''', set GRE zone to forward traffic to LAN and disable masquerading.
(image)
=Testing the setup=
If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting:
<br>
=See also=
<ul>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
</ul>
=External links=
=Introduction=
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
=Topology=
(Topology image)
<ul>
<li> DMVPN HUB - GRE interface address - 10.0.0.254 - LAN interface address 192.168.254.1</li>
<li> DMVPN SPOKE1 - GRE interface address - 10.0.0.1 - LAN interface address 192.168.1.1</li>
<li> DMVPN SPOKE2 - GRE interface address - 10.0.0.2 - LAN interface address 192.168.2.1</li>
</ul>
=Creating DMVPN network=
==HUB's configuration==
Navigate to '''Services → VPN → DMVPN'''
Create a new instance with a name of Your choice. In this example, we will name it '''"HUB"'''
(Image)
Configure the HUB as shown:
(Image)
(Image)
<ul>
<li>'''Enable''' - On</li>
<li>'''Working mode''' - Hub</li>
<li>'''Local GRE interface IP address''' - 10.0.0.254</li>
<li>'''Local GRE interface netmask''' - 255.255.255.255</li>
<li>'''Pre-shared key''' - Create a password which will be used in authentication</li>
<li>'''Redirect''' - On</li>
<li>'''NFLOG group''' - 123</li>
<li>'''NHRP multicast NFLOG group''' - 124 (different than NFLOG group number)</li>
</ul>
==SPOKE's configuration==
Navigate to '''Services → VPN → DMVPN'''
Create a new instance with a name of Your choice. In this example, we will name it '''"SPOKE1"'''
(Image)
Configure the SPOKE1 as shown:
(Image)
(Image)
<ul>
<li>'''Enable''' - On</li>
<li>'''Working mode''' - Spoke</li>
<li>'''Hub address''' - Public IP address of the Hub</li>
<li>'''Local GRE interface IP address''' - 10.0.0.1</li>
<li>'''Remote GRE interface IP address''' - 10.0.0.254</li>
<li>'''Pre-shared key''' - Use the same password that was created in the Hub's configuration</li>
<li>'''Redirect''' - On</li>
<li>'''Multicast''' - On</li>
<li>'''NHRP multicast NFLOG group''' - 124 (same number that was in the Hub's configuration)</li>
</ul>
Configuration for the SPOKE2 will be analog to SPOKE1, with the exception of name being SPOKE2 and Local GRE interface IP address being 10.0.0.2
=Testing DMVPN's connectivity=
Pinging SPOKE1 from the HUB:
root@RUTXR1:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=64 time=52.890 ms
64 bytes from 10.0.0.1: seq=1 ttl=64 time=416.808 ms
64 bytes from 10.0.0.1: seq=2 ttl=64 time=246.881 ms
64 bytes from 10.0.0.1: seq=3 ttl=64 time=222.941 ms
Pinging SPOKE2 from the HUB:
root@RUTXR1:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=119.929 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=79.639 ms
64 bytes from 10.0.0.2: seq=2 ttl=64 time=294.173 ms
64 bytes from 10.0.0.2: seq=3 ttl=64 time=318.533 ms
=OSPF configuration=
==Hub configuration==
On the Hub router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown:
(image)
(image2)
(image3)
<ul>
<li>'''Enable Service''' - On</li>
<li>'''Router ID''' - 10.0.0.254</li>
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li>
<li>'''Redistribution options''' - NHRP </li>
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li>
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li>
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.254.0/24.'''
Choose previously created OSPF Area entry and enable OSPF Networks</li>
</ul>
==Spokes configuration==
On the Spoke1 router, navigate to '''Network → Routing → Dynamic Routes → OSPF''' and configure OSPF as shown:
(image)
(image2)
(image3)
<ul>
<li>'''Enable Service''' - On</li>
<li>'''Router ID''' - 10.0.0.1</li>
<li>'''Passive interfaces''' - br-lan (all LAN interfaces)</li>
<li>'''Redistribution options''' - None </li>
<li>'''OSPF Interfaces''' - Create an entry, choose '''Type''' as '''Point-to-Multipoint''' and choose DMVPN interface as OSPF Interface and enable it</li>
<li>'''OSPF Area''' - Create an entry, input '''0''' to the '''Zone''' parameter and enable it </li>
<li>'''OSPF Networks''' - Create 2 entries, one network will be named GRE for VPN addresses '''10.0.0.0/24''', another networking will be named LAN for LAN addresses '''192.168.1.0/24.'''
Choose previously created OSPF Area entry and enable OSPF Networks</li>
</ul>
Configuration for the SPOKE2 will be analog to SPOKE1, with the exception of Router ID being 10.0.0.2 and OSPF Networks LAN entry's address being 192.168.2.0/24
=Firewall Zones=
This step should be done on DMVPN '''Hub and all spokes''' for OSPF to allow OSPF routes to their LAN networks.
Navigate to '''Network -> Firewall -> General settings -> Zones''', set GRE zone to forward traffic to LAN and disable masquerading.
(image)
=Testing the setup=
If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting:
<br>
=See also=
<ul>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
<li></li>
</ul>
=External links=