I know a couple of groups now have proper reverse delegation of DNS for their subnets… Wondering who to drop a line to so I can get 44.103.0.0/19 delegated to a.ns.mi6wan.net and b.ns.mi6wan.net ?
Didn’t see it in the portal or wiki and my notes from a few months ago are foggy...
--
Fredric Moses - W8FSM - WQOG498
fred(a)moses.bz
All,
I've added a new tool that I'd like you to test. This web application
should provide the registration code required by APRS software suites.
In order to use it, you must browse to:
http://kb3vwg-010.ampr.org/tools/aprscode
or
http://44.60.44.10/tools/aprscode
If you're on AMPRNet, you should be able to enter the callsign and look
up the registration code. If you access it from outside of AMPRNet, you
will be prompted for an access code (1234).
Please let me know how it works
73,
KB3VWG
There seems to be a bit of confusion as to how linux routes via policy
routing. The tool which appears to be the most flexible is "ip" found in
the iproute2 package.
The two key switches are "route" and "rule", and they do exactly what
they sound like; one manages routes and route-tables, while the other
manages the ruleset in which these routes/tables are called upon. Linux
begins with a main route table and a default ruleset in which that table
is used. Typically you don't even notice this as it's created with the
configuration of the standard network devices upon boot. Two rules will
be applied for this main route table:
1) main
2) default
The rules are such that the priority to these tables is so low almost
any other rule will take priority over it. That's what makes amprnet
routing for linux quite simple.
The rule you want to make for amprnet is such that any inbound OR
outbound routing sourced as 44-net uses its own route table, with a
priority higher than the main table rule. As long as the routes are in
this matched table, the kernel will act as an amprnet router just fine
even to entities such as xNOS, Xnet, etc. So if you want proper packet
flow, make sure all paths and rules match for the source you wish to
route - in our case it's 44/8:
A sample standard path would look like:
commercial to commercial/nat
inet/0 <----> linux-nat or com IP table main
commercial to your ampr
inet/0 <----> ucsd/bgp host
ucsd/bgp host <---> linux 44-tunl0 via rule 1/table 1 <---> node/bbs/dxc
ampr to ampr (tunnel only shown)
44/8-tunl0 <---> linux tunl0/rule 1/table 1 <---> node/bbs/dxc
ampr to ampr to xNOS/Xnet (tunnel only shown)
44/8-tunl0 <---> linux tunl0/rule 1/table 1 <---> tun0/tap0-xNOS/Xnet
This shows that the Xnet or xNOS tun/tap interfaces need to be included
within the ruleset that matches table 1 or else it will become
unroutable. Also you need to ensure ip_forwarding is enabled, and your
firewalling permits ip protocol 4 (ipencap), and ip protocol 93 (AX.25).
A simple script which can do this for you is found at
http://n1uro.ampr.org/linuxconf/dotun.html
# --- dotun.sh ---
#! /bin/bash
# dotun.sh script written by N1URO
# June, 2013
# enter in your information below, these are used for creating a
# gateway and linking to the amprnet:
AMPRIP='x.x.x.x'    # your 44-net address on the tunnel
IPMASK='x.x.x.x'    # netmask of your 44-net allocation
COMMIP='x.x.x.x'    # your commercial (public) address, the tunnel endpoint
NOSIP='x.x.x.x'     # 44-net address of your xNOS/Xnet node (if any)
case "$1" in
start)
    # Load your ipencap module in the kernel:
    modprobe ipip
    # Allow ip forwarding from amprnet to your ethernet interface
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # load RIPv2 routing using the ampr-ripd daemon
    /usr/local/sbin/ampr-ripd -t 1 -a $COMMIP -p <password> -i tunl0 -v -s -r
    # Configure your ipencap tunnel interface - required for the amprnet
    ifconfig tunl0 $AMPRIP netmask $IPMASK up
    # Allow traceroutes to work on the amprnet (the tunnel name is given
    # once; pmtudisc needs a non-zero ttl):
    ip tunnel change tunl0 mode ipip ttl 64 pmtudisc
    # If you run xNOS, configure a tun/tap interface:
    ifconfig tun0 $AMPRIP pointopoint $NOSIP up
    # configure your routing accordingly:
    ip route add $NOSIP dev tun0 onlink table 1 src $AMPRIP
    ip route add default via 169.228.66.251 dev tunl0 src $AMPRIP onlink table 1
    # configure policy routing so that frames from/to your 44-net IP
    # know how to route accordingly:
    ip rule add from 44/8 pref 1 table 1
    ip rule add to 44/8 pref 1 table 1
    # script is done, exit as a clean flush.
    exit 0
    ;;
stop)
    # Unload what we loaded above:
    ip rule del to 44/8 pref 1 table 1
    ip rule del from 44/8 pref 1 table 1
    ifconfig tunl0 down
    ifconfig tun0 down
    killall -TERM ampr-ripd
    modprobe -r ipip
    exit 0
    ;;
restart)
    # call this same script, wherever it is installed, rather than
    # relying on a "dotun" being in the PATH
    "$0" stop
    sleep 3
    "$0" start
    exit 0
    ;;
*)
    echo "Usage: dotun {start|stop|restart}"
    exit 0
    ;;
esac
exit 0
--- EOF ---
--
If Microsoft intended Windows to be for ham usage,
they would have incorporated our protocols into their kernel.
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
I sent an email over a year ago...(it seems) to remove me from being an
IP coord. I guess you missed it.
I just got a email for a request...that was over a year old....the guy
is pissed...
as I would be....lol
Pls remove me ...I hope someone can take my place...
My wife got sick right after I became the NC coord.
Sorry.
Trip - KT4WO
Hi,
I am looking for help setting up a conditional routing table.
I have my tunnel up and running. I can reach other 44-net hosts.
ampr-ripd is used to fill the routing table.
So far so good, but I would like one of the web-sites (apache httpd
vhost) to be reachable from both 44-net and non-44-net.
If i check with tcpdump I see traffic coming in when I try to access the
web-site (pi8zaa.ampr.org) via the Internet (I used my phone connected
to t-mobile network).
But it doesn't work because my server routes the replies to my ISP's Gw
where they get source filtered.
Basically I want/need traffic that comes in via the tunnel to get
answered from the tunnel interface.
I Googled for a solution. Found lots of variants of this
http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
but if I understand what is described there correctly, then that is not
exactly what I need.
Maybe I don't understand iproute2 and its routing table concept
correctly. The way I understand it, those examples assume destination
routing based on provider subnet, while in my case the destination is on
the Internet, and in normal cases should be routed via my ISP except if
it came in via the tunnel.
Thanks for any help you can offer.
73 PE1ICQ // Arno
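The rule/table walk that N1URO describes above, and the reply-path problem PE1ICQ asks about, can be worked through with a small model of the kernel's routing policy database. This is an added illustration and not code from either post or from iproute2; every address, interface name and table in it is a constructed example, and the kernel's "local" table (priority 0) is left out for brevity. The last case shows the caveat in N1URO's "make sure all paths match": if table 1 holds only the tunnel default, even a directly connected 44-net neighbour is pushed into the tunnel until the connected route is added to table 1 as well.

```python
"""Model of the Linux policy routing database (RPDB) lookup: rules are
walked in priority order, and the first matching rule whose table holds a
route for the destination decides the next hop. Added illustration, not
code from the list; all addresses, devices and tables are constructed."""
from ipaddress import ip_address, ip_network

# A route is (prefix, out_device, gateway-or-None); a table is a list of routes.
# A rule is (pref, selector, table_name) where selector is None (match all)
# or ('from' | 'to', prefix).


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, dev, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def route(rules, tables, src, dst):
    """Return (out_device, gateway) chosen for a packet src -> dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for pref, selector, name in sorted(rules, key=lambda r: r[0]):
        if selector is not None:
            kind, prefix = selector
            addr = src if kind == "from" else dst
            if addr not in ip_network(prefix):
                continue  # rule does not match this packet
        hit = lookup_table(tables[name], dst)
        if hit is not None:
            return hit[1], hit[2]
        # rule matched but its table had no route: fall through to the next rule
    return None


# Constructed tables: 'main' is what boot-time configuration leaves behind,
# '1' is the 44-net table a dotun.sh-style script fills.
TABLES = {
    "main": [
        ("0.0.0.0/0", "eth0", "192.0.2.1"),       # ISP default gateway
        ("192.0.2.0/24", "eth0", None),           # commercial LAN
        ("44.60.44.0/24", "eth1", None),          # directly connected 44-net LAN
    ],
    "1": [
        ("0.0.0.0/0", "tunl0", "169.228.66.251"),  # default via the UCSD gateway
    ],
    "default": [],
}

RULES_MAIN_ONLY = [(32766, None, "main"), (32767, None, "default")]
RULES_WITH_44 = RULES_MAIN_ONLY + [
    (1, ("from", "44.0.0.0/8"), "1"),  # ip rule add from 44/8 pref 1 table 1
    (1, ("to", "44.0.0.0/8"), "1"),    # ip rule add to 44/8 pref 1 table 1
]

# Table 1 with the connected 44-net LAN route copied in as well, so that
# neighbours on eth1 are not sent into the tunnel.
TABLES_FIXED = {**TABLES, "1": TABLES["1"] + [("44.60.44.0/24", "eth1", None)]}


if __name__ == "__main__":
    # Reply from a 44-net web server to an Internet client (the PE1ICQ case):
    print(route(RULES_MAIN_ONLY, TABLES, "44.60.44.10", "203.0.113.7"))  # eth0 via ISP, gets source-filtered
    print(route(RULES_WITH_44, TABLES, "44.60.44.10", "203.0.113.7"))    # tunl0 via 169.228.66.251
    # Caveat: with only a default route in table 1 a LAN neighbour is tunnelled too:
    print(route(RULES_WITH_44, TABLES, "44.60.44.10", "44.60.44.20"))    # tunl0, wrong
    print(route(RULES_WITH_44, TABLES_FIXED, "44.60.44.10", "44.60.44.20"))  # eth1, direct
```

The first two calls are the answer to the question: a "from 44/8" rule at a priority above main sends the server's replies back through tunl0 regardless of where the destination lives, so the ISP never sees a 44-net source. The last two show why the connected 44-net routes (and any xNOS tun/tap routes) must be duplicated into table 1.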
To those on the list;
Happy and memorable holiday wishes to you and your families. The amprnet
has gone through many changes and developments bringing it great
success. Here's to even more success in 2015 *raises glass of spiked egg
nog* cheers!
--
If Microsoft intended Windows to be for ham usage,
they would have incorporated our protocols into their kernel.
73 de Brian Rogers - N1URO
email: <n1uro(a)n1uro.ampr.org>
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
Hi,
I have been running a gateway since 1991 either in Texas or in France.
I have a serious problem with the new security policy, which does not allow
adding a subnet if it is not allocated to you in the portal database.
First, it prevents a single gateway from serving multiple hamradios and
their subnets. This is completely against the spirit of hamradio.
It also prevents serving IP addresses which are not registered in
portal.ampr.org. (i.e. HAMNET Europe (44.168.x.x for France) is defined in the
hamnetdb.net portal. Some 44.76.x.x addresses are not in the portal either, but
only in the host file.)
In the Paris area we are developing a HAMNET network using the French
allocation 44.168.x.y. This network is using wifi equipment in the 2.3 and
5.6GHz hamradio bands. There is a single gateway (mine) and a lot of
sites/subnets/hosts and backbones which are not mine, of course. I
currently have several subnets to add to my gateway but unfortunately I cannot.
This is holding up the deployment of several sites and applications like DMR
repeater connections through HAMNET and others.
I hope that a solution will be found very quickly.
73 de Remi F6CNB (or W5/F6CNB)
44net-request(a)hamradio.ucsd.edu wrote:
> Subject:
> [44net] ampr-ripd 1.12 released
> From:
> "Marius Petrescu" <marius(a)yo2loj.ro>
> Date:
> 11/16/2014 01:36 PM
>
> To:
> "'AMPRNet working group'" <44net(a)hamradio.ucsd.edu>
>
>
> Hello OMs,
>
> Following the idea from Rob, PE1CHL, I added the possibility to execute a
> system command from ampr-ripd if routes are set or changed.
> This will happen on startup, after an existing encap is found in
> /var/lib/ampr-ripd, or after 30 seconds after a RIP update, if there is a
> change in the encap data (AFTER saving the new encap file if requested).
Thanks Marius! I have installed it on my own gateway and the 44.137 gateway and
first tests show it works fine.
For the others: I requested this feature to modify a firewall when gateways change
address. Before, I accepted IPIP packets from everyone, but this is a weakness in the
system that maybe could be exploited. I observed rogue IPIP packets from the far east.
So instead of:
iptables -A firewall -p 4 -j ACCEPT
on the incoming interface, I now have:
iptables -A firewall -p 4 -j ipipfilter
and I have the following script that inserts/updates the ipipfilter list:
#!/bin/sh
# load encap.txt into ipipfilter list
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
AMPRGW="169.228.66.251"
# a private temporary file instead of a predictable /tmp/gw name
gwfile=$(mktemp) || exit 1
cd /var/lib/ampr-ripd || exit 1
# encap.txt lines look like "route addprivate 44.x.x.x/nn encap a.b.c.d";
# keep only the outer gateway address of each, one line per gateway.
grep addprivate encap.txt | sed -e 's/.*encap //' | sort -u >$gwfile
if iptables -N ipipfilter 2>/dev/null
then
	# first run, the chain did not exist yet: build it from scratch,
	# central gateway first, then every encap gateway, then drop the rest
	iptables -F ipipfilter
	iptables -A ipipfilter -s $AMPRGW -j ACCEPT
	while read ip
	do
		iptables -A ipipfilter -s $ip -j ACCEPT
	done <$gwfile
	iptables -A ipipfilter -j DROP
else
	# chain exists: list the sources currently accepted (minus the
	# central gateway), diff them against the new list and only touch
	# the differences: ">" lines are new gateways, "<" lines are stale
	iptables -L ipipfilter -n | grep ACCEPT | fgrep -v $AMPRGW | \
	sed -e 's/.*-- //' -e 's/ .*//' | sort | diff - $gwfile | \
	while read d ip
	do
		case "$d" in
		">")
			iptables -I ipipfilter -s $ip -j ACCEPT
			;;
		"<")
			iptables -D ipipfilter -s $ip -j ACCEPT
			;;
		*)
			;;
		esac
	done
fi
rm -f $gwfile
The full pathname of this script /usr/local/sbin/load_ipipfilter is passed with the new -x
option to ampr-ripd. It will load the entire filter the first time, and later it will only update
the filters that have changed. It is required that the -s option is passed as well, so the
encap.txt file is created by ampr-ripd.
Now I only accept IPIP packets from addresses in the gateway list, which makes me feel a
bit safer. (of course sanity checks were already done on the incoming IPIP packets)
Rob
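To make the check in Rob's script concrete, the following is an added example, not code from the list or from ampr-ripd. It parses encap.txt lines of the same shape the script greps for, produces the same gateway allow-list and the same insert/delete delta the diff branch computes, and then decides the fate of one IPIP packet. The ENCAP text, gateway addresses and subnets are constructed samples. The `drop-spoof` verdict is a stricter check than the script performs: it also requires that the inner 44-net source is actually routed via the outer gateway the packet arrived from, which the script and ampr-ripd do not enforce.

```python
"""Gateway allow-list for incoming IPIP (IP protocol 4) built from an
ampr-ripd encap.txt. Added illustration; ENCAP is a constructed sample in
the "route addprivate <subnet> encap <gateway>" format, and the gateway
addresses are documentation ranges, not real AMPRNet gateways."""
from ipaddress import ip_address, ip_network

AMPRGW = "169.228.66.251"  # central UCSD gateway, always accepted

# Constructed sample of the file ampr-ripd writes with -s
ENCAP = """\
route addprivate 44.60.44.0/24 encap 198.51.100.10
route addprivate 44.103.0.0/19 encap 198.51.100.22
route addprivate 44.137.0.0/16 encap 203.0.113.5
route addprivate 44.137.64.0/24 encap 203.0.113.5
# comment and blank lines are ignored

"""


def parse_encap(text):
    """Return {subnet: gateway} for every 'route addprivate ... encap ...' line."""
    table = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "route" and p[1] == "addprivate" and p[3] == "encap":
            table[ip_network(p[2])] = ip_address(p[4])
    return table


def gateways(table):
    """Unique outer addresses plus the central gateway (the 'sort -u' list)."""
    return {ip_address(AMPRGW)} | set(table.values())


def filter_delta(current, wanted):
    """What the diff branch of the script does: (sources to insert, sources to delete)."""
    return sorted(wanted - current), sorted(current - wanted)


def check_ipip(table, outer_src, inner_src):
    """Verdict for one encapsulated packet.
    'drop-gateway': outer source is not a known gateway (the script's check).
    'drop-spoof'  : outer source is a gateway, but the inner 44-net source is
                    not routed via that gateway (stricter, added here).
    'accept'      : otherwise."""
    outer, inner = ip_address(outer_src), ip_address(inner_src)
    if outer not in gateways(table):
        return "drop-gateway"
    if outer == ip_address(AMPRGW):
        return "accept"  # the central gateway forwards for any 44-net source
    best = None
    for net, gw in table.items():  # longest-prefix match on the inner source
        if inner in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None or best[1] != outer:
        return "drop-spoof"
    return "accept"


if __name__ == "__main__":
    t = parse_encap(ENCAP)
    print(sorted(str(g) for g in gateways(t)))
    print(check_ipip(t, "192.0.2.99", "44.60.44.10"))     # drop-gateway
    print(check_ipip(t, "198.51.100.22", "44.60.44.10"))  # drop-spoof
    print(check_ipip(t, "198.51.100.10", "44.60.44.10"))  # accept
```

The allow-list only proves that the outer source is a registered gateway address; an attacker who can spoof the outer source of an IPIP packet is not stopped by it, which is why the inner-source consistency check is worth adding in front of anything that trusts the decapsulated packet.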
Hi,
Some dutch hams did a great job to bring the Gateway to Holland.
Roundtrip time drops to about 17ms now.
I wanted to do some tests and logged in to the portal to add a gateway
and subnets.
Using the portal I didn't succeed in adding it, so I tried the email robot
instead.
When I take a look at my gateway address, it's in use by Chris, G1FEF.
I don't see anything from me in the gateway list now.
How do I solve this problem?
73, Erwin