Setting Up 44net on a Mikrotik Using 44net.cloud for ipencap Forwarding

8 minute read

Published:

This guide will walk you through setting up a Mikrotik router with a 44net network allocation using Wireguard to 44net.cloud in order to receive ipip encapsulated packets from the UCSD 44net router. This way, you do not need to be able to forward these packets through your home router or have native IP Protocol 4 support to access 44net. In this setup, I used a Mikrotik hAp ac2 lite.

Configure 44net.cloud and 44net network

On the AMPR portal, request a subnet, and on 44net.cloud, request a tunnel.

Once you receive the tunnel, go back to the AMPR portal, and under Networks - My Gateways, click Create a Gateway. Fill in the 44net public IP address of your 44net.cloud tunnel as well as the DNS record for that IP address. You can use nslookup to determine if a DNS entry exists, or create your own with a third party service and use that domain name here.

Link this gateway to your 44net subnet allocation.

Configure AMPR Portal DNS Record for your Mikrotik gateway

On the AMPR portal, and under DNS - My Subdomains, select your subdomain (or create one if needed). Click Add a resource record and give a hostname like gw that points to an A record of your gateway IP address (the first usable address within your 44net subdomain; so 44.x.y.1 if your network is 44.x.y.0/29.

Configuring the Mikrotik

Log into your Mikrotik device.

Establishing Wireguard Connection to 44net.cloud

Execute the following commands in terminal mode to set up your Wireguard connection to 44net.cloud, assuming 44.X.Y.Z/32 is your 44net.cloud tunnel IP address:

# 1. Add the WireGuard interface - PUT YOUR WIREGUARD PRIVATE KEY BELOW
/interface/wireguard/add name=wg-44net listen-port=13231 private-key="YOUR PRIVATE KEY HERE"

# 2. Assign the IP address to the interface - PUT YOUR 44NET.CLOUD 44net IP ADDRESS BELOW
/ip/address/add address=44.X.Y.Z/32 interface=wg-44net

# 3. Set the DNS server (optional, for local resolver usage)
/ip/dns/set servers=1.1.1.1

# 4. Add the WireGuard peer - PUT YOUR 44NET.CLOUD PEER PUBLIC KEY, PRESHARED KEY, ENDPOINT ADDRESS, and PORT BELOW
/interface/wireguard/peers/add interface=wg-44net \
    public-key="YOUR PUBLIC KEY HERE" \
    preshared-key="YOUR PRESHARED KEY HERE" \
    endpoint-address=44.X.Y.Z \
    endpoint-port=YOUR 44NET.CLOUD PORT HERE \
    allowed-address=0.0.0.0/0 \
    persistent-keepalive=20

# 5. Configure traffic
/ip firewall filter add chain=input action=accept in-interface=wg-44net comment="Allow input from wg-44net" place-before=5

/ip route add dst-address=44.0.0.0/9 gateway=wg-44net comment="44Net outbound routing"
/ip route add dst-address=44.128.0.0/10 gateway=wg-44net comment="44Net outbound routing"

Configure DHCP

Set up your router’s DHCP server to use the 44net subnet you’ve been allocated by AMPR, filling in your subnet information (i.e., 44.x.y.0/29), gateway IP (i.e., 44.x.y.1), and usable IP addresses (i.e., 44.x.y.1-44.x.y.6) below. We will also set the ether1 WAN port as a DHCP client.

/ip pool
add name=dhcp ranges=44.x.y.1-44.x.y.6
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=44.x.y.0/29 gateway=44.x.y.1 dns-server=44.x.y.1
/ip dhcp-client
add interface=ether1 comment=defconf

Assigning IP addresses from your 44net Subnet and from 44net.cloud

Assign an IP address for the gateway to internal network bridge. We assume your gateway IP is 44.x.y.1 from your AMPR 44net subnet allocation.

/ip address
add address=44.x.y.1/29 interface=bridge comment=defconf

Create an IPIP Tunnel to the UCSD 44net Gateway

In order to receive IPIP packets to your gateway from UCSD, you will need an IPIP tunnel interface to UCSD (using the IP address associated with amprgw.ucsd.edu) and from your 44net.cloud IP tunnel address 44.X.Y.Z:

/interface ipip
add name=ipip-44net local-address=44.X.Y.Z remote-address=169.228.34.84 allow-fast-path=no

Configuring the Basic Routing Table

To route traffic over the Wireguard interface and over the IPIP tunnel, add the following routing tables and routes. Here, we assume 44.x.y.z is your 44net.cloud tunnel IP address, and 44.0.0.0/29 is your AMPR 44net subnet allocation.

/routing table
add name=via-wg
add name=via-ipip
add fib name=via-wg
add fib name=via-ipip

/ip route
add dst-address=44.0.0.0/9 gateway=wg-44net comment="Send all AMPRNet traffic via WireGuard"
add dst-address=44.128.0.0/10 gateway=wg-44net comment="Send all AMPRNet traffic via WireGuard"
add dst-address=0.0.0.0/0 gateway=wg-44net routing-table=via-wg comment="Send all traffic that came in over Wireguard back out via Wireguard"
add dst-address=0.0.0.0/0 gateway=ipip-44net routing-table=via-ipip comment="Send all traffic that came in over the IPIP tunnel back out via the IPIP tunnel"

/routing rule
add src-address=44.x.y.z/32 interface=wg-44net action=lookup table=via-wg 
add src-address=44.x.y.z/32 interface=ipip-44net action=lookup table=via-ipip
add src-address=44.0.0.0/29 interface=wg-44net action=lookup table=via-wg
add src-address=44.0.0.0/29 interface=ipip-44net action=lookup table=via-ipip

Configuring Basic Firewall Rules

You’ll want to add additional rules to harden this installation! These simply make the tunnel connections functional, and these rules are not intended to secure the network from the outside. Here, we assume 44.x.y.0/29 is your 44net subnet allocation from AMPR, 44.x.y.1 is your gateway IP address and that 44.x.y.2-44.x.y.6 are your remaining routable IP addresses on your subnet.

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Allow established"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Allow ICMP"
add chain=input action=accept in-interface=wg-44net comment="Allow input from wg-44net"
add chain=input action=accept dst-address=44.x.y.1 protocol=icmp comment="Allow ICMP to 44Net address"
add chain=input action=drop in-interface-list=!LAN comment="Drop non-LAN traffic"

add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="FastTrack"
add chain=forward action=accept dst-address=44.x.y.2-44.x.y.6 comment="Inbound to 44Net hosts"
add chain=forward action=accept dst-address=44.0.0.0/9 src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.128.0.0/10 src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.x.y.0/29 in-interface=wg-44net
add chain=forward action=accept out-interface=wg-44net src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.x.y.0/29 in-interface=ipip-44net
add chain=forward action=accept out-interface=ipip-44net src-address=44.x.y.0/29
add chain=forward out-interface=ipip-44net action=accept comment="Allow outbound to IPIP tunnel"

/ip/firewall/connection/tracking/set enabled=yes

Configuring DNS

Enable outside DNS lookups as follows (feel free to replace your favorite DNS servers for 1.1.1.1,8.8.8.8. We assume 44.x.y.1 is your gateway IP.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add name=router.lan address=44.x.y.1 type=A comment=defconf

Adding 44net Network Gateways to your Routing Table

You can route traffic over the IPIP tunnel directly to other 44net subnets. To do this, you need to be aware of their routing table. UCSD sends this routing table periodically to all nodes, but there is not an easy way to process them on Mikrotik routers once they’re received. Instead, we can create them manually, and flush/re-create the table on-demand to receive any updates.

This Python program can be run on your local computer, and it generates a Mikrotik script that you can upload and run on your router to populate these routing entries. They are all tagged with ampr-imported-route so that they can be flushed for re-creation without modifying the rest of your routing rules.

import requests
import ipaddress

# Upload output file to router and execute with /import file-name=ampr_routes.rsc

API_TOKEN = "YOUR AMPR PORTAL API TOKEN FROM YOUR AMPR PORTAL PROFILE PAGE"
OUTPUT_FILE = "ampr_routes.rsc"
GATEWAY = "ipip-44net" # or none to use their address, if routing over ipip already for these IP ranges
ROUTE_COMMENT = "ampr-imported-route"

# List of local subnets to skip (any CIDR you handle internally)
SKIP_PREFIXES = [
    "44.x.y.0/29",     # Your allocation
]
SKIP_NETWORKS = [ipaddress.ip_network(p) for p in SKIP_PREFIXES]

# Fetch route list from AMPRNet
response = requests.get(
    "https://portal.ampr.org/api/v2/encap/routes",
    headers={
        "Authorization": f"Bearer {API_TOKEN}",
        "Accept": "application/json"
    }
)

data = response.json()
routes = data.get("encap", [])

with open(OUTPUT_FILE, "w") as f:
    # First, remove all old AMPR routes by comment
    f.write(f"/ip route remove [find comment=\"{ROUTE_COMMENT}\"]\n")

    # Now add the updated routes
    for route in routes:
        prefix = f"{route['network']}/{route['cidr']}"
        leaseholder = route.get("leaseholder", "unknown")
        
        # Skip if the prefix overlaps any local subnet
        if any(ipaddress.ip_network(prefix).overlaps(local) for local in SKIP_NETWORKS):
            continue        
            
        if GATEWAY is None:
            gateway = route['gatewayIP']
        else:
            gateway = GATEWAY
        
        f.write(
            f"/ip route add dst-address={prefix} gateway={gateway} comment=\"{ROUTE_COMMENT}\"\n"
        )

Upload the ampr_routes.rsc file to your Mikrotik router under the Files tab, and back in the terminal, execute the following command to run the script and add the routes:

/import file-name=ampr_routes.rsc

Wrapping Up

Optionally, you can configure your node as a WiFi client or hotspot to connect to the Internet or to create a hotspot. If you configure a WiFi client, be sure it (i.e., wlan1) is acting as a DHCP client in addition to the ether1 port.

Reboot the router and wait an hour for UCSD to start sending packets to your gateway.

Test by pinging your gateway (gw.<your call sign>.ampr.org or 44.x.y.1).

Be sure to set firewall rules to restrict traffic, especially inbound, to your router!