Eloy,
I had the same issue and you need to do MSS Clamping. At least that’s what I was told and it fixed mine.
Roger
VA7LBB
>
>
>
> From: Eloy Ritter de Monredont <eritter(a)me.com>
> Subject: Re: [44net] RIP problems?
> Date: April 7, 2019 at 3:47:13 PM PDT
> To: AMPRNet working group <44net(a)mailman.ampr.org>
>
>
> Bob, following your reply I remembered that that the gateway (44.98.7.1) is setup to not respond to pings and that, for now, the 44.98.7.2 is assigned to the WAN interface of a virtual router running Untangle which also does not respond to pings. I though the management interface of the hypervisor was connected and using that IP but that was a confusion on my side, it’s using my ISP’s IP.
> I’ll be changing that later on.
>
> Now the issue is that the virtual machines on the LAN side of the virtual Router do browse the internet fine when the WAN is connected to the VLAN that correspond to my ISP, but when connected to the 44/8 network most sites load well but some don’t, I can ping them though.
> The issue is the same using my personal computer when connected to the 44/8 network.
>
> Anyways, I just wanted to comment on my experience as a new user. I think that it could help improve the site.
> The browsing issue could be addressed in a different thread.
>
> Eloy
> W5ERP
>
Hi,
A while back I wrote a routing daemon for receiving RIP broadcasts and
installing them in to the routing table. I turned this in to a
complete setup script which worked on OpenWRT without needing to
compile architecture-specific binaries.
I kind of stopped working on it after I got it working, as my prefix
is BGP routed so I don't have much need for it myself, however I just
got back to it and have created a package for easy install. This
single package should work on any OpenWRT/LEDE device as it only
contains platform independent scripts and dependencies that are in the
standard repositories.
http://wiki.ampr.org/wiki/RIP44.lua
If anyone is interested in testing it, I would appreciate any
feedback. If it works well then it might be easier for new users to
install than the current OpenWRT instructions requiring a binary build
of ampr-ripd.
The source is up on github (although technically the package contains
the "source", as it's a Lua script!) if anyone wants to take a look.
It does a very rudimentary job of executing the required commands to
set up the interface, binding to a UDP socket, then parsing the
received routes.
https://github.com/NotMikeDEV/RIP44/
Thanks,
Mike, M6XCV
> I was just going through some of the portal pages and Chris has some
> extensive online help next to the various text/check boxes in the "?"
> circles. We can't hold Chris accountable for people not comprehending
> what they read on the portal. The online help did seem pretty accurate
> and well written.
It is not to hold Chris accountable, but some extra text above the form
(that also explains what a gateway is and that setting up a one may not be
what you want to do as a beginner) could be helpful.
Still, there can be problems.
> People will always make mistakes. I've seen some enter in their internal
> 192 or 10-net space IP as their commercial IP. Perhaps some sort of data
> checker can be put in place? That may help.
I hope the RFC1918 check is already made. If not it could be added.
As I wrote before, there have been reasonable checks in place but people here
have asked them to be removed because they wanted to do what the checks prevented.
(like setting up a gateway with external address in net-44)
Rob
> If there are any additional checks that can be put into the Portal, I’m happy to add them if we can reach a consensus on what those checks should be...
> Regards,
> Chris
Do you think it is viable to add another manual validation step for any gateway config
that has one of these properties:
- external gateway address is within 44.0.0.0/8
- advertised subnet is not owned by the gateway operator
This would at least prevent mishaps like we had this week, because especially a gateway
address within 44.0.0.0/8 should be throughly validated so that it is properly BGP routed
to somewhere, and the operator of that destination can properly process the IPIP packets
and not route them in a loop.
Rob
> The portal has made it easier for those to request blocks and for
> routing to become a bit more efficient through RIP vs having to download
> the encap.txt file and having to reload it every so often so the
> automation is definitely welcomed in this regard. The whole concept of
> ip encapsulation under ip is what confuses most people. Take OpenVPN for
> example - people don't want to know it's using ip encapsulation, they
> just want to configure it and have it work.
Well, that is the issue. We provide OpenVPN certificates for local amateurs
to connect to our gateway, and there rarely is any issue with that.
(apart from people making 2 connections at the same time, which of course does
not work because the certificate is directly bound to the user's IP address)
But I think what happens is: people hear about this AMPRnet/HAMNET thing, they
google a bit for information, and they get lost in technical documents not in
their language, talking about something that is not their expertise, and
expecting them to enter information in forms that they do not understand at all.
Then it is not so surprising that some bogus information ends up in the system
unless validation is improved, either in the software or in a manual step.
The whole thing with RIP was definitely a good idea, and much better than
regularly downloading and loading an encap.txt file.
However, what can be improved is the entering and maintenance of the data
that actually gets transmitted there.
> That could turn into something a bit too time consuming as well for
> those who would be in charge of taking responsibility for the
> functioning systems of others such as coordinators.
I'm not too worried about that, the assignment of IP addresses is also mostly
a manual process here (from mail to hosts file), helped with some scripts to
mail the update to the DNS robot and to place updated files on the server.
The number of updates is relatively small, I get maybe one a week or up
to 3 a week when it is a busy time.
For gateways, this should be even less.
Rob
> Rob et al;
> This user is flagged RADIO only in his config and should not be a listed
> "gateway" at all:
> ...
> If this is causing an issue, let me know and I'll send him a note asking
> him what he's looking to do and point him to a few things that may help
> him out.
Well, the recurring issue is that users do not really understand the whole
system and still are expected to manage it themselves via the portal.
This does not work well. They experiment with entering some data, see it
appear listed under their account, but do not understand what it is for.
They leave it there and move on to another experiment.
I do not blame them, it is a complicated matter and there are many options
of connecting to the network. On my own pages I strongly advise against
using the portal and instead mail me with the request they have, usually
they do not want to use IPIP anyway and registering on the portal does more
harm than good.
Of course it could be improved in the portal user interface, but it has been
claimed before that restricting people to making valid entries (i.e. the
external gateway address is NOT in net-44 and the advertised subnets are
owned by the gateway operator) causes issues in some niche situations.
Hence those checks have been removed, and users are no longer guided towards
what they should and should not (and probably don't want to) do.
Users get an address from me, and register a gateway in the portal with that
address as external address (this is what caused the mishap this week!).
Moreover, they have to add advertised networks and they do not understand
that they first have to request a network to be assigned to them, and they
pick a random network from the pulldown list (this happened with the same user).
So I am all for a change towards a system where people like coordinators or
other experienced users have to validate the entered gateway configuration
before it becomes active.
But recognizing that this would require more programming work in the portal
(and thus in practice will not happen), I am for a reduction of the complexity
and vulnerability of the system by removing dangerous capabilities that
almost nobody uses, such as having the gateway address within net-44 and the
advertisement of networks not owned by the user. They could still be allowed
for existing users and could still be modified by administrators of the portal,
but not by end-users.
Rob
Rob et al;
This user is flagged RADIO only in his config and should not be a listed
"gateway" at all:
44.118.1.1 2018-03-01 18:16:04 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1403>
44.118.1.2 2018-03-01 18:16:12 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1404>
44.118.1.3 2018-03-01 18:16:19 N1QX View
<https://portal.ampr.org/gateways_list.php?a=view&id=1405>
44.130.104.1 2017-10-02 18:34:13 DG8NGN View
If this is causing an issue, let me know and I'll send him a note asking
him what he's looking to do and point him to a few things that may help
him out.
I know in Maine, they prefer to use M$ and software that's 100% GUI
based. The problem however becomes that the sysop doesn't learn what
they're doing because the GUI hides the technical information.
--
I won't be like a Texas official and call Ocasio-Cortez a bimbo
but she does think Roe vs Wade are two different ways to cross a river.
-----
73 de Brian N1URO
IPv6 Certified
n1uro-dawt-ampr-dawt-org
uronode-dawt-n1uro-dawt-com
> Until a decision is made about what to do long term here, maybe the AMPR
> Portal web interface can change this name from "gateway" to "public
> Internet IP (gateway)". I think that would help some people avoid this
> issue.
Either that, and/or a descriptive text above the form that explains what a gateway
is, why you want to have it (and why not), and where to read more about it.
There are those "hover" type help texts but I am afraid it is not enough.
I think several "gateways" now listed (with no subnets) are the result of people
wanting to register/publish their system information in a way that is more like
what HamnetDB does.
It should be clearer that creating a gateway here actually sets up routes and
when done incorrectly can mess things up pretty badly.
The announced subnets list has similar risks. For a while it was limited to
subnets registered by the person logged in, there were people wanting to route
subnets for others (probably to forward them internally) and this check was
removed, and now people who do not completely understand what is going on are
randomly announcing other people's subnets without anyone knowing.
Perhaps best would be when all gateway setup had to be validated by someone with
more experience (a coordinator, an old hat in AMPRnet, etc) before it becomes
finalized, similar to the subnet allocation.
Rob
Talked to network people at the ISP, they indicate that they have changed something w.r.t.
the routing via Eurorings. It should be researched and hopefully fixed.
In the meantime I am thinking about relaying the RIP packets from my own colo host to our
gateway as an extra safeguard against things like this.
I see that ampr-ripd has options -E and -F that should relay the raw packets to a specified
address, good. That should work.
But I don't think it is possible to make ampr-ripd receive and act upon those relayed packets,
isn't it? Should I NAT them at the receiving system so they again have 224.0.0.9 as destination?
Has anyone tried such a setup and does it work without nasty issues?
(normally all RIP packets will be received twice in this case)
Rob
