Setting Up AREDN on a Mikrotik hAp to use 44net

This guide will walk you through setting up a Mikrotik hAp device (I used a hAp ac2) to use 44net addresses, bridging AREDN and 44net services between the two networks. I set up the hAp to broadcast a WiFi hotspot SSID that, when connected to a client, enables access to both 44net and to AREDN resources simultaneously. I use 44net.cloud to route a network allocation they assigned to me through a Wireguard tunnel that they also assigned. The tunnel can be configured through their portal to route to the network. It is likely also possible to do this by decapsulating the ipencap packets from the raspberry pi directly, and using a traditional 44net subnet allocation, but this setup enables me to take the hAp setup to mobile deployments, without worring about the NAT configuration or my ability to forward ipencap traffic at my destination.

I took the following steps for this setup:

1. Obtain and use a 44net IP allocation via 44net.cloud
2. Set up a Raspberry Pi Zero 2 W as a WireGuard gateway router, including NAT and iptables firewall with fail2ban
3. Connect AREDN node (e.g., hAp2) via the 44Net tunnel
4. Write a script to configure the routing table on the AREDN node, in case it is not peristed on router reboot

Set up a 44net Allocation and Tunnel from 44net.cloud

This step could be replaced with your existing 44net allocation, but, as I mentioned, I chose to work through the 44net.cloud tunnel service and network allocation generously offered by their service. Although I have traditional 44net subnets allocated for fixed use, I felt that the tunneled approach would give me some versatility in the deployment behind a variety of WAN connections. Because I have an interest in computing and networking education, the ability to pack up and redeploy this setup in a mobile environment was advantageous for me.

Go to https://44net.cloud and create an account

Request a routed subnet (e.g., 44.x.y.z/29) and a WireGuard tunnel

You’ll receive a:

• Tunnel endpoint (e.g., a.b.c.d:44000)
• Allocated IP (e.g., 44.i.j.k/32)
• Route for your subnet via that tunnel by editing the tunnel allocation and specifying static routing to the subnet

Configure a Raspberry Pi as a Gateway to 44net.cloud for the AREDN Router

Although the router should generally support it, the AREDN firmware does not allow making a non-AREDN Wireguard connection such as the one I am using to connect to 44net.cloud in order to route this network allocation (at least as far as I’m aware at the time of this writing!). Instead, I’ve set up a Raspberry Pi Zero 2W to serve this purpose. I’ll connect the pi to the AREDN router via its WiFI LAN Hotspot connection, and give the pi an IP address on the 44net subnet allocation alongside the router, and will set it up for IPv4 forwarding.

Configure the Wireguard Tunnel

Install WireGuard

Here, we create the Wireguard tunnel connection to 44net.cloud from the Raspberry Pi, and configure the IP routes on the pi to send 44net traffic out via this Wireguard interface. In addition, we route our local 44net subnet out via our LAN connection, so that it goes directly to the AREDN router. In my case, I’m connected to the AREDN router via a wifi Part 15 connection, so I use wlan0 for this interface. If you plug the pi into the AREDN router via Ethernet, you might use eth0 here instead.

sudo apt update
sudo apt install wireguard netfilter-persistent iptables-persistent resolvconf sshpass

Create /etc/wireguard/wg0.conf, using your 44net subnet allocation for 44.x.y.z/29, your 44net.cloud Wireguard tunnel keys, and substituting wlan0 for the LAN interface you’re using from the pi to the AREDN node:

[Interface]
PrivateKey = <local private key>
Address = 44.33.192.9/24
DNS = 1.1.1.1,1.0.0.1

PostUp = ip route add 44.0.0.0/9 dev %i
PostUp = ip route add 44.128.0.0/10 dev %i
PostUp = ip route add 44.x.y.z/29 dev wlan0
PostDown = ip route del 44.0.0.0/9 dev %i
PostDown = ip route del 44.128.0.0/10 dev %i
PostDown = ip route del 44.x.y.z/29 dev wlan0

[Peer]
PublicKey = <peer public key>
PresharedKey = <preshared key>
Endpoint = a.b.c.d:44000
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20

Enable and Start WireGuard

Create /etc/systemd/system/wg-44net-client.service:

[Unit]
Description=WireGuard Client to 44net (wg0)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/wg-quick up wg0
ExecStop=/usr/bin/wg-quick down wg0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable the Service for Automatic Startup

sudo systemctl enable wg-44net-client
sudo systemctl start wg-44net-client

Set Static IP and Enable IP Forwarding

Set the AREDN router (hap2) to give a static IP to the pi. For example, if your 44net subnet is 44.a.b.32/29, then the AREDN router might take 44.a.b.33/29 and the pi could be assigned 44.a.b.34/29 as a DHCP reservation from the AREDN router.

To enable IPv4 forwarding, edit /etc/sysctl.conf and add or uncomment the following line:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Set up NAT and Firewall on the Pi

Note that this is a minimal configuration of the firewall to enable the functionality, and should be hardened to filter traffic from the Internet. This firewall is configured to allow all traffic from AREDN (10.0.0.0/8) and 44net (44.0.0.0/9 and 44.128.0.0/10), as well as bidirectional AREDN Wireguard tunnels on UDP port 5525. We also allow ICMP ping packets, and any established connection packets. Finally, we masquerade traffic on the 44net.cloud tunnel Wireguard interface wg0. I do not explicitly allow TCP port 22 SSH traffic from the Internet, but rather allow ssh connections via the AREDN and 44net subnets (this is also overly permissive, but is presented this way to demonstrate the functionality).

Edit /etc/iptables/rules.v4, substituting your 44net subnet allocation for 44.x.y.z/29:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 44.x.y.z/29 -o wg0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow established and related
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ALL traffic from 44.0.0.0/9
-A INPUT -s 44.0.0.0/9 -j ACCEPT

# Allow ALL traffic from 44.128.0.0/10
-A INPUT -s 44.128.0.0/10 -j ACCEPT

# Allow ALL traffic from 10.0.0.0/8
-A INPUT -s 10.0.0.0/8 -j ACCEPT

# Allow AREDN tunnels
-A INPUT -p udp --dport 5525 -j ACCEPT
-A INPUT -p udp --sport 5525 -j ACCEPT

# Optional: Allow ICMP for ping and diagnostics
-A INPUT -p icmp -j ACCEPT

# Forwarding rules: Send AREDN Wireguard traffic from 44net.cloud to the AREDN router
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

Load and save these rules:

sudo iptables-restore < /etc/iptables/rules.v4
sudo netfilter-persistent save

Implement fail2ban on SSH

Install fail2ban:

sudo apt install fail2ban

Create /etc/fail2ban/jail.local:

[sshd]
enabled = true
backend = systemd
logpath = journal
port = ssh
maxretry = 5
findtime = 600
bantime = 86400

Start and Enable fail2ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure the AREDN Node Router

Configure the node as with a 44net allocation for its local LAN, and specify its IP address (for example, 44.x.y.33/29 for an allocation of 44.x.y.32/29). I used wan0 as a LAN hotspot so that my devices could connect to this router wirelessly over 2.4 ghz, and wlan1 as a WAN client to my home wireless internet connection.

I also created a tunnel server on my home AREDN router node, to which this new 44net AREDN node connects. Because my home AREDN node is exposed with a 44net IP address on a different subnet, the two are able to reach each other via the 44net.cloud Wireguard tunnel via the Raspberry pi. So, I used the 44net address of my home AREDN router as the public IP from which this new node connects.

Configure the Routing Table on the AREDN Router

Now, we will configure the AREDN router to route 44net traffic out via the Raspberry Pi, since the pi has a Wireguard connection to the 44net.cloud tunnel.

Custom routes on the AREDN router are overwritten on reboot (as far as I can tell). In addition, the home directory is /tmp, so I was unable to use ssh key login to script the creation of these routes via ssh when the Raspberry pi boots up.

But, for good measure, I created the following startup script on the AREDN node after logging in via ssh root@localnode.local.mesh -p 2222 and creating a file /etc/init.d/customroutes (substitute 44.x.y.z/29 for your 44net subnet allocation, and 44.x.y.A for the reserved DHCP address of your Raspberry Pi that you assigned earlier from your AREDN node out of your 44net subnet allocation:

#!/bin/sh /etc/rc.common

START=95
STOP=10

start() {
    logger -t customroutes "Adding custom IP routes"
    sleep 5
    ip route add 44.0.0.0/9 via 44.x.y.A
    ip route add 44.128.0.0/10 via 44.x.y.A
    ip route add 44.x.y.z/29 dev br-lan
    logger -t customroutes "Custom IP routes added"
}

stop() {
    logger -t customroutes "Removing custom IP routes"
    ip route del 44.0.0.0/9 via 44.x.y.A
    ip route del 44.128.0.0/10 via 44.x.y.A
    logger -t customroutes "Custom IP routes removed"
}

Enable the service to run at startup on the AREDN node (although the node might not respect it):

chmod +x /etc/init.d/customroutes
/etc/init.d/customroutes enable

Scripting This from the Rasperry Pi

In case the AREDN router fails to execute this on startup, I also made a script on the Raspberry Pi to execute these ip route commands via ssh.

On the pi, create a file /usr/local/bin/setup-mesh-routes.sh with the same commands and addresses as above:

#!/bin/bash

# Define remote host and port
REMOTE_HOST="root@localnode.local.mesh"
REMOTE_PORT=2222

# Run the routing commands over SSH
ssh -p $REMOTE_PORT $REMOTE_HOST << 'EOF'
ip route add 44.0.0.0/9 via 44.x.y.A || true
ip route add 44.128.0.0/10 via 44.x.y.A || true
ip route add 44.x.y.z/29 dev br-lan || true
EOF

Executing /usr/local/bin/setup-mesh-routes.sh from the raspberry pi will set up the routes. The || true clause at each line allows the script to continue and exit successfully even if the routes already exist on the router.

Automating the Script to Run at Startup

If the AREDN mesh could retain ssh keys for logging in, I could fully automate this by enabling an init.d service on the raspberry pi to execute this script whenever the wireless LAN becomes available. However, since this requires a password, I ssh into the pi and run this script myself. If you are willing to store your AREDN root password on your pi, you could pass it through the script to call ssh. The sshpass program does exactly this, and you can replace the line ssh -p $REMOTE_PORT $REMOTE_HOST << 'EOF' with:

sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -p $REMOTE_PORT $REMOTE_HOST << 'EOF' 

Assuming you’ve set the PASSWORD environment variable in the script, from a file, or from the outside environment.

In that case, this can be established as a startup service on the pi:

Create the file /etc/system/system/aredn-routing.service:

[Unit]
Description=Configure IP routes for AREDN on boot
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/setup-mesh-routes.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable it to run at startup via:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable aredn-routing.service
sudo systemctl start aredn-routing.service