> Do you have a firewall that drops by default?
> On my machine, I have to allow 520/udp from 44.0.0.1 to 520/udp at
> 244.0.0.9.
I have a firewall rule but it remains at zero. It is unclear where this packet
gets lost, when I run "tshark" the RIP transmission is seen, but when I insert
a rule "iptables -I amprinp -p udp -s 44.0.0.1 --dport 520 -j ACCEPT" at the top
of the list (this rule is selected by "iptables -A INPUT -i tunl0 -j amprinp")
it too does not see any traffic.
This worked OK in the past but it has suddenly stopped working some time ago, I
think about two years. That happened when there was a kernel update, no other changes.
Rob
Hello everyone,
I created a new ampr-ripd release according to some wishes of our members.
Changes:
- brought back option -r, to allow using multicast sockets by default
and raw sockets as a backup for systems with multicast issues. This will
hopefully sort out the firewall filtering inability on previous releases
since 1.13.
- added 2 new command line options, -F and -E (capital letters) which
allow the forwarding of raw AMPR-RIP messages on a specific interface
(-F) and optional to a specific address (-E), similar to the -f and -e
options. These RIP messages are raw copies of the incoming ones:
password it there and they appear every 5 minutes and will be missing if
no data arrives from the AMPR gateway.
- added the setting of the proper 44.0.0.1/32 route to conform to the
latest gateway changes.
Download:
http://www.yo2loj.ro/hamprojects/ampr-ripd-2.0.tgzhttp://yo2tm.ampr.org/hamprojects/ampr-ripd-2.0.tgz
Have fun,
Marius, YO2LOJ
> BTW, the encap file does not change much. On average, one line in it
> will change per hour, as a gateway with a dynamic address updates its
> address (and it's often the same gateway flipping between two or three
> addresses), but gateways come and go at a much lower rate -- I'd guess
> one or two a week. So you'd be pretty safe just FTPing and processing
> a new encap file perhaps once a day if it winds up being a chore.
The automation in the classic FTP client is a bit difficult to use, especially
when you want to use it for different sites, but the "wget" and "curl" programs
can easily fetch a fixed file from a fixed server with a fixed user/password
by combining them all into a URL: ftp://user:pass@server.domain/path/to/file
Of course when you fetch and process the file once a day, you will not
be able to use those gateways that change IP address once a day due
to local provider policy. But probably you'll never notice that... :-)
Rob
> I expect you could have more luck by looking in to SLAX scripting as it
> should not be to hard to do this fully from the junos api's
> I did not check this but i don't think the ipip driver would be
> standard.
Well, it is not very straightforward so when it is your first script you
are probably going to have a hard time...
In Linux there is a point-to-multipoint IP tunnel, much as was the case in JNOS
when this whole IPIP mesh was designed. You configure only a single IP
tunneling interface, usually called tunl0, and you put a set of routes in
the route table with the destination subnets, the tunl0 device, and the remote
endpoint of the tunnel as the gateway address. Like this:
44.2.2.0/24 via 216.218.207.198 dev tunl0 onlink
44.2.7.0/30 via 73.185.12.233 dev tunl0 onlink
44.2.10.0/29 via 104.49.12.130 dev tunl0 onlink
The onlink attribute is required to suppress the "gateway not reachable" warning
you would normally get when the gateway is not directly reachable from the system.
With this facility, the updating is relatively easy: just make sure the actual routing
table agrees with the distributed information, by adding and deleting single routes.
Without such point-to-multipoint tunneling, you will have to create a separate
tunnel interface for each gateway, and setup routes to the remote subnets pointing
to the correct gateway tunnel. Remember there are (way) more subnets than gateways,
you need to find the routes with the same remote gateway, and create only a single
tunnel device for those combinations, and point the matching subnet routes to that device.
To obtain the information about the subnets, you either listen to the RIP broadcasts
made by amprgw, or you regularly download the "encap.txt" which has this format:
route addprivate 44.2.2/24 encap 216.218.207.198
route addprivate 44.2.7/30 encap 73.185.12.233
route addprivate 44.2.10/29 encap 104.49.12.130
so you need to parse that and get the subnet and gateway fields from it.
(this format is the commandline format that JNOS used)
There is no separate "list of endpoints" so you have to create that yourself
from that list of routes (take the last field and put it in a list, removing
duplicates).
Now when you have written a script to transform this into commands to create
the proper tunnel devices and add the routes, the real fun begins!
The next time you get the information, you need to check if there are changes.
When there are, there usually will be a change of tunnel endpoint address (for
a gateway that is on a dynamic internet address). You will find several entries
in the information that suddenly have a different next hop address, but of course
they are not grouped together, they are scattered through the lines you received.
You will need to locate the correct tunnel device (which you will need to look up
using the *previous* table of received information) and change its endpoint.
But, there are other possibilities, ocurring less often: a subnet could have been
added or removed from a gateway (and maybe moved to another), a new gateway can be
added, or a gateway can be removed (with all its subnets).
And of course, combinations of the above, e.g. a gateway has its endpoint address
changed and at the same time adds or deletes a subnet.
That is probably a rare occurrence, but it should not cause disaster (like a crash).
Of course you could simplify things by just deleting everything (routes and devices)
and rebuilding it from zero whenever there is some change. But that could cause
brief interruptions of the routing and/or high load on the CPU.
Sure, it can be done. But for someone who is not experienced in programming in
general, and has to learn the scripting language for the particular platform as
well, it will be tough.
I would certainly advise to look at Marius' script for MikroTik, as it of course
has the algorithms described above. It would have to be rewritten in a different
language and the constructs to add/delete tunnel devices and routes will have to
be changed.
Rob
> I'm wondering of anyone has successfully got a gateway running in Amazon's EC2 service?
> I was thinking of using a raspberry pi with a tinc VPN to the EC2 instance to tie into my RF connection regardless of my IP address.
> I hit a wall when it came to getting ampr-ripd running.
It is a bit difficult to help you with such a problem description, but in general (I have no experience with EC2) you should
be aware that such services do not give you a fully virtualized machine where you can do what you want, but rather they
use Xen Paravirtualization where a modified kernel is running, and it often does not include the module required for
IPIP tunneling. That may be the wall you are hitting, but it would not be the problem of getting ampr-ripd running
but to actually get the tunl0 interface working. So you need to explain better what your problem is. Maybe it can be
worked around using another program by Marius: amprd.
I have a Raspberry Pi running at a hosting company and running the usual configuration for a gateway under Linux,
and of course that does not have that limitation. I have a VPN to it from home. Indeed it is a nice way to get a gateway
running without the trouble of getting the IPIP traffic to your home system.
(but it is not used much anymore as I now have a radio connection to the network)
Rob
I built a new inbound ports display https://gw.ampr.org/router/ports.svg
which shows a significant amount of traffic that SANS and others identify
as being aimed at vulnerable ports on various pieces of equipment.
I don't want to just block them, as they have legitimate uses, but if
you're running your own firewall, you might want to block them yourself
if you don't have any need for the legitimate use.
- Brian
I'm trying to access one of Brian's help documents but the connection
attempt to http://n1uro.ampr.org/linuxconf/amprnat.txt times out. Is
there an issue somewhere that might impact on my attempts?
Ray vk2tv
As you can see from the graph https://gw.ampr.org/router/encapinpkt.svg,
there was a precipitous decline in inbound encap traffic about 19:00
UTC on May 16th. I've been wondering what happened to all that traffic.
Well, it turns out that the amount of traffic coming in before that cutoff
was anomalously high. There was a host called chocolate-nebula.mit.edu
(18.96.0.110) which was sending over 95% of the inbound traffic to amprgw,
and had been for several days, before the graph started. I jumped to
the conclusion that that amount of traffic was normal, when in fact it
was not.
So what has really happened was that inbound traffic has returned to
normal after 16 May at 19:10.
chocolate-nebula.mit.edu is registered on the portal as
amprnet-gateway1.amolbhave.com, the gateway for subnet 44.44.7.224/28,
belonging to KC1EDX. I don't yet know why it was sending all that
traffic, nor why it suddenly stopped.
So most of the mystery is solved. Maybe KC1EDX will pop up here and
explain what was going on.
- Brian
Hey,
I'm wondering of anyone has successfully got a gateway running in Amazon's EC2 service? I was thinking of using a raspberry pi with a tinc VPN to the EC2 instance to tie into my RF connection regardless of my IP address. I hit a wall when it came to getting ampr-ripd running. If anyone has such a configuration working I would love to pick your brain about your setup.
Regards,
Mark Scrano K2EXE
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
> Guys, I think I may be missing something here. I've seen a couple
> references to RIP being required. I didn't see that mentioned in any of
> the on-line docs. Perhaps I've missed it, and if so, I apologize. I'll go
> look at the Wiki to see if it is there.
> Is this required or optional?
It is optional, but I think it will be very unpractical or even impossible to
get the IPIP tunneling working on your SRX.
Note that it is NOT sufficient to setup a single IPIP tunnel to the amprgw
and route all net-44 traffic over that. You need to setup a tunnel to each
of the (about 430) gateway systems and route the defined subnets (about 615)
over those tunnels. And the IP addresses of some of the endpoints are changing
all the time because users are on a dynamic internet IP.
To keep that config uptodate in your router, you either need to do AMPR-RIP,
or you need to setup elaborate scripting to reconfigure the router whenever
required. (regularly downloading the encap.txt file and generating config for it)
In practice, you need a Linux box to do the routing, or a MikroTik router that
has scripting powerful enough to do the above on its own.
With your SRX you will need a separate machine that does the updating.
Rob
