I'm on FiOS (was Verizon now Frontier Comm.) and I'm considering
buying a Pi for ampr.org connection. I'm pretty much stuck with the
Verizon Actiontec MI424WR on the WAN due to ISP requirements and I'm
wondering how it might be best to place the Pi on the LAN. Should it
be in the DMZ or should it stay behind NAT?
Feel free to email me off list if this is OT.
--
Geoff Joy - ke6qh -
AmprNet IP Address Coordinator for San Bernardino & Riverside Counties.
(44.18/16)
Many of the Linux based routers do allow you to add non-standard rules. It
surprised me that the current ASUS family of consumer routers allowed me to
configure a porthole for IPIP without having to use the CLI.
Assi
-----Original Message-----
From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On
Behalf Of Brian Kantor
Sent: Tuesday, April 05, 2016 11:11 AM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] ISP Router and Pi Cohabitation
(Please trim inclusions from previous messages)
_______________________________________________
On Tue, Apr 05, 2016 at 11:05:38AM -0700, Geoff Joy -KE6QH- wrote:
> I'm on FiOS (was Verizon now Frontier Comm.) and I'm considering
> buying a Pi for ampr.org connection. I'm pretty much stuck with the
> Verizon Actiontec MI424WR on the WAN due to ISP requirements and I'm
> wondering how it might be best to place the Pi on the LAN. Should it
> be in the DMZ or should it stay behind NAT?
I'm not familiar with that particular router, but most residential routers
don't have a provision for allowing the IPIP protocol through the NAT so you
pretty much have to use the DMZ for AMPRNet tunneling.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
Step one would be to create an interactive script that asks some basic
questions like your ampr address allocation and sets up the routes and
rules. I have been meaning to do this. Sadly winter is pretty much
over.
I documented the way I did it in pretty good detail:
http://www.qsl.net/kb9mwr/wapr/tcpip/ampr-ripd.html
Of course there is more than one way to skin a cat. You don't have to
add a USB Nic, you could use a VLAN capable switch for example. That
is always the rub, one size may not fit all.
I skipped explaining a basic firewall, as I think it's a bit much for
most people already, and is documented elsewhere. The best info I had
at the time was LX1DUC's info, but I wanted to explain certain
things a bit more that I initially thought weren't the most clear.
http://marc.storck.lu/blog/2013/08/howto-setup-an-amprnet-gateway-on-linux/
http://marc.storck.lu/blog/2013/08/basic-paranoid-iptables-firewall-for-an-…
I have found everyone in any aspect of the hobby has a different level
of understanding. Writing a disk image to a SD card might be a first
timer for someone for example. Then you need to explain that.
A good start would be for more people to share details on their gateway setup.
>Maybe this is a good opportunity for someone to create a basic distribution
>that gets AMPRnet working on a RPi. 8G SD cards are incredibly cheap and
>ship well or someone can write the image directly on them. Maybe if it's
>packaged, profits could be sent to Brian for gateway maintenance/growth.
For those of you running Linux, Iptables + Fail2ban work very well against
port exploit and brute force attempts.
Obviously, it also helps using a mainstream distribution with active
maintenance.
Assi kk7kx.
-----Original Message-----
From: 44Net [mailto:44net-bounces+assi=kiloxray.com@hamradio.ucsd.edu] On
Behalf Of Geoff Joy -KE6QH-
Sent: Tuesday, April 05, 2016 8:20 AM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] strange login attempts to AMPR Hosts
Probes of IP addresses are VERY common. T
...snip..
Geoff Joy - ke6qh -
AmprNet IP Address Coordinator for San Bernardino & Riverside Counties.
(44.18/16)
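As an added example (not code from anyone on the list), here is a small Python script that applies a fail2ban-style maxretry/findtime rule to constructed RouterOS-style "login failure" lines of the kind Ronen describes below (ssh and telnet attempts every half minute), so a gateway operator can see which sources exceed the threshold before deciding on a firewall drop or rate limit. The log format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of RouterOS "login failure"
# entries (topics and wording approximate, not copied from a real router).
SAMPLE_LOG = """\
apr/05 08:00:02 system,error,critical login failure for user admin from 203.0.113.7 via ssh
apr/05 08:00:31 system,error,critical login failure for user admin from 203.0.113.7 via telnet
apr/05 08:01:03 system,error,critical login failure for user root from 203.0.113.7 via ssh
apr/05 08:01:29 system,error,critical login failure for user admin from 198.51.100.9 via ssh
apr/05 08:01:33 system,error,critical login failure for user admin from 203.0.113.7 via telnet
apr/05 08:02:04 system,error,critical login failure for user admin from 203.0.113.7 via ssh
apr/05 09:30:00 system,error,critical login failure for user admin from 198.51.100.9 via ssh
apr/05 09:30:05 system,info,account user ke6qh logged in from 44.18.0.2 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d\d) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\w+)$"
)


def parse_failures(text, year=2016):
    """Yield (timestamp, source, service, user) for every login-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated topics are ignored
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["src"], m["svc"], m["user"]


def find_bruteforce(text, maxretry=4, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: flag a source with >= maxretry failures in any findtime window.

    Returns {source: {"hits", "services", "banned_at"}} for each source that crossed
    the threshold; "banned_at" is the timestamp of the failure that triggered it.
    """
    window = defaultdict(list)      # source -> timestamps still inside findtime
    services = defaultdict(set)     # source -> services it hammered (ssh, telnet, ...)
    offenders = {}
    for ts, src, svc, _user in parse_failures(text):
        window[src] = [t for t in window[src] if ts - t <= findtime] + [ts]
        services[src].add(svc)
        if len(window[src]) >= maxretry and src not in offenders:
            offenders[src] = {"hits": len(window[src]),
                              "services": sorted(services[src]),
                              "banned_at": ts}
    return offenders


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['hits']} failures via {','.join(info['services'])} by {info['banned_at']}")
```

The two-attempt source 198.51.100.9 is not flagged because its failures fall outside a single ten-minute window, which is the same distinction fail2ban's findtime makes.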
Hi group
The MikroTik router log shows me a telnet and SSH login attempt every half minute; it lasts for hours.
The strange thing is that the IP it is using was not active in the AMPR DNS up to yesterday, and right after I added it to the DNS and connected the router the login attempts started.
I have traced two of the breakers: one is in Poland and the other in China.
Is it common that someone tries to break our network hosts? Do you see such things at your hosts too?
How does someone discover so quickly an active host in a whole class A network?
What is your solution / reaction for such break attempts??
Thanks for any clarifications
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Hi there
I got a MikroTik router a few hours ago.
I must say it looks impressive from the web interface it has.
I have some questions:
May anyone send me the commands needed to make an IPIP tunnel (let's start with an IPIP tunnel to the UCSD router),
and if any route command needs to be added please write it to me as well.
I'm new to the MikroTik routers but they look very professional, certainly compared to the TP-Link stuff.
2) Can an interface of the MikroTik (say the LAN port) have two IP addresses (like the Cisco router does with the command: ip address a.b.c.d 1.2.3.4 (subnet) secondary)?
3) The router LAN port has no default gateway, and therefore if I connect the router LAN (which is also connected to the WiFi part of it)
Is there any way to connect the router LAN port to the net and have it be able to get a default gateway?
Thanks For any help
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
> The best for now is to give up, and use some Linux device (like
> Raspberry Pi) to set 44networking.
We've been telling him that for weeks now...
Of course, now he has a MikroTik router which is much more flexible than the average router.
These things (as tiny as they are) can run a virtual machine! (the feature called Metarouter)
It may be possible to run a small virtual machine with Linux on it, that either does the
tunnel and RIP processing, or is running the script to re-configure the main router all the
time to add/remove the tunnels.
That way it may be possible to get it working even on this low-end router, with the advantage
that it has multiple ethernet ports and even WiFi.
It would actually be nice to have a solution for the appliance operator to get an IPIP tunnel,
although there of course are many challenges to overcome.
I should find time to play with the Metarouter running plain Linux...
Rob
> I can set it up to run with
> cron so that it emails you the list of commands needed to update it
> every hour. After a few hours of this, you may understand why it is
> provided as an automatic script!
This is why a Linux system (e.g. Raspberry Pi) running ampr-ripd is so much easier!
Did you ever try to run Linux under Metarouter and run ampr-ripd on that?
I think an OpenWRT image is available that could be stripped down to a bare Linux
system that could handle the tunnel routing as a Metarouter on certain types of MikroTik.
(RB750, RB2011 etc)
Of course Ronen will not be able to figure that out himself, but maybe he could run it
when a ready-made image is available for download. I have not yet tried Metarouter
myself, always enough things to do :-)
Rob
Lately I have a lot of domain response traffic from China, probably a DNS amplification attack targeting the host 42.202.148.15.
The used address which gets that traffic is mainly 44.182.20.27. Other hosts of this subnet also receive traffic via the UCSD tunnel (44.182.20.*, 44.182.230.*).
These addresses have no registered host name and thus should be dropped by the gateway, but this is not happening.
Does anyone know an explanation, or is it a gateway bug?
Marius, YO2LOJ