> Perhaps it's time to revisit UDPIP. Does Linux support the use
> of UDP port 94 for encapsulation?
It appears it has been introduced in kernel 3.18 which is quite recent and
will mean there are some issues for many users.
(requirement to install a backported kernel and "ip" program that supports
the newly introduced "ip fou" subcommand).
It is not supported on the systems we are currently running.
(Debian Wheezy and Jessie)
It also is not supported on MikroTik routers.
Rob
Can someone explain to me how the "Firewall: inbound raw vs outbound encapsulated traffic" shows that the encap data is bigger than the raw input? Am I misunderstanding something?
> Perhaps someone in the path between
> us and Germany inserted a protocol 4 block
That is what I suggest... it is up for us, and we can reach you, so it
is probably not a problem either in Germany or inside your network.
Try a traceroute to a few gateways with zero traffic to find if there is
a common path or provider.
Rob
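
Added example, not part of the original message: one way to compare traceroutes the way the reply above suggests, going slightly further by also using a trace to a gateway that still works. The gateway names, addresses (documentation ranges) and traceroute output are constructed, and the function names are hypothetical.

```python
import re

# Constructed `traceroute -n` output; all addresses are documentation ranges.
FAILING = {
    "gw1": """traceroute to 198.51.100.101, 30 hops max
 1  192.0.2.1  0.6 ms
 2  198.51.100.1  8.2 ms
 3  203.0.113.10  21.4 ms
 4  203.0.113.20  25.0 ms
 5  198.51.100.101  31.9 ms""",
    "gw2": """traceroute to 198.51.100.102, 30 hops max
 1  192.0.2.1  0.5 ms
 2  198.51.100.1  8.0 ms
 3  203.0.113.10  20.7 ms
 4  * * *
 5  198.51.100.102  33.1 ms""",
}
WORKING = {
    "gw3": """traceroute to 198.51.100.103, 30 hops max
 1  192.0.2.1  0.6 ms
 2  198.51.100.1  8.1 ms
 3  203.0.113.30  19.9 ms
 4  198.51.100.103  27.3 ms""",
}

# A hop line starts with the hop number; the header line does not match.
HOP = re.compile(r"^\s*\d+\s+(\S+)")

def hops(text):
    """Ordered responding hop addresses; unanswered ('*') hops are skipped."""
    found = (HOP.match(line) for line in text.splitlines())
    return [m.group(1) for m in found if m and m.group(1) != "*"]

def suspect_hops(failing, working):
    """Hops on every failing path and on no working path, in path order."""
    paths = [hops(t) for t in failing.values()]
    if not paths:
        return []
    common = set(paths[0]).intersection(*paths[1:])
    seen_ok = {h for t in working.values() for h in hops(t)}
    return [h for h in paths[0] if h in common and h not in seen_ok]

if __name__ == "__main__":
    print(suspect_hops(FAILING, WORKING))
```

Ordinary traceroute probes are UDP or ICMP, so the result shows where the paths converge, not that a given hop filters protocol 4; it narrows down which provider to ask.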
Does anyone know if the network coordinator for MA USA watches this list?
I emailed him about adding a couple A records for me to get my 44 net going
but haven't heard back. I got his callsign off the portal network page and
then had to go to QRZ to find his email. Not sure if he still checks the
email or not...so I figured I'd ask here.
Better question, why do we need to create a DNS entry for hosts to start
routing traffic from the 44 net to my gateway?
Thanks
Craig
KC1ETB
I moved the statistics files and graphs around and added some.
https://gw.ampr.org/ still redirects you to www.ampr.org
Non-sensitive info is in https://gw.ampr.org/router/
Available without a password. This is traffic counters and graphs.
Gateway-related info is in https://gw.ampr.org/private/
A username and password are still required to access this.
- Brian
> The reason I prefer IPv6 over IPv4 NAT is it gives me the option to use
> the same ports on multiple hosts on my network. IPv4 NAT is quite
> crippling for some of us (who also happen to know how to manage our
> firewalls ;) ).
Yes of course NAT is a pain when doing special things, but for most internet
users it is not a problem at all. Especially now that the internet has evolved
from a peer-to-peer network into a traditional client-server network where a few
big companies run all the services and the users connect only to there, even when
they want to communicate with another user.
What I like about IPv6 is that it gives me out-of-band management of IPv4
networks. Yesterday I did a major restructuring of our AMPRnet-Internet
gateway, where a MikroTik CCR has been added to the existing PC Linux solution to
take over part of the services, and I could make all the network topology changes
with confidence that I would not lock myself out, using IPv6. That is also handy
when managing the very complicated IPv4 firewall.
In fact so many users have been completely accustomed to NAT that they even apply
it to AMPRnet... Putting their systems on RFC1918 addresses and translating it to
net-44 addresses in the router. I would not do that...
Rob
Just some data points: in the last 16 hours, the firewall on amprgw has
dropped over 43 million attempts to connect to the implicated ports:
623,664,16992,16993,16994,16995. We've also dropped about 2 billion
attempts to connect to the other SMB ports: 111,135-139,445, etc.
This is AFTER having already dropped all packets from known 'security'
scanners like shodan, which therefore aren't counted in those totals.
We've dropped 63 million of those.
But by far, the most popular inbound is attempts to connect to the telnet
port (23) on amprnet hosts; we've dropped 6 billion of those.
And we've dropped another 7 billion other packets that were destined for
other ports on non-registered amprnet addresses. I don't have details
of which ports these are, but I know that port 80 (http) is one of them.
At 25 MB/s inbound traffic, receiving packets and filtering them is
taking about 10-12% of the machine, leaving it around 85% idle. The DNS
nameserver accounts for about 2% of the load. The encap/decap process
resource consumption is negligible. It spends about 95% of its time
waiting for packets.
- Brian
Hi there
I have investigated the high drops that my router gets from UCSD with the help of the new PCAP files that Brian made available for us.
It turns out that my MikroTik router, which sits on the DMZ of the cable modem,
is probed from the outside world on its commercial IP and sends its traffic to the UCSD interface, which is its default route.
How can I redirect packets from the outside world that are sent to the router's commercial IP to go back to the ISP and not go to the UCSD interface?
Is there any MikroTik expert who can tell me what to do?
I need only to route the IP of the router that sits on the DMZ.
I saw that another MikroTik on the AMPRNet gets a lot of drops, and it looks like it has something similar.
Any help is welcome.
As I stated before, I'm willing to give web, telnet or SSH access.
Just for info: the router is connected on the DMZ of the main cable router; it uses a 192.168.1.x address and the DMZ points to this address.
Regards
Any info is more than welcome.
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Yes, please.
-------- Original message --------
From: Brian Kantor <Brian(a)UCSD.Edu>
Date: 05/15/2017 19:26 (GMT-05:00)
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
Subject: Re: [44net] some amprgw filtering statistics

I see from the web server logs that some people are attempting
to retrieve the graphs but don't have login credentials.
My apologies for the hassle; email to me and I'll send some to you.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
Hey all, I am new to the 44 net stuff and had a couple basic questions. I
went to the archive site and didn't see a search feature so I figured I
would start here.
I've got my block allocated and am trying to set up my Juniper SRX firewall
to tunnel to the 44 net.
However, I can't seem to find a place where the tunnel destination address
is listed or if there is anything special I need to do on the AMPR site to
activate traffic tunneling.
I'd be happy to share the config of my Juniper SRX with the community once
I get it working.
Thanks
Craig Brauckmiller
KC1ETB