> Subject:
> Re: [44net] Is there raceroutre machine on 44 net available for public ?
> From:
> Antonio Querubin <tony(a)lavanauts.org>
> Date:
> 03/07/2016 08:52 PM
>
> To:
> AMPRNet working group <44net(a)hamradio.ucsd.edu>
>
>
>
> You should NOT assume that all gateways actually have the entire mesh encap table loaded. Some only load a partial table to those networks they want to reach. You'd have to check with each gateway operator to verify which encap routes are
> actually loaded if you can't reach any of the net-44 nodes behind their gateway.
And of course the encap table does not tell you anything about which 44-net address is used by the gateway itself.
So there is no way you can check if you can reach the gateway.
(even if you would know the address of the gateway there is no guarantee that it will reply to detection attempts)
It has already been made clear to mr "Please Advice" that lots of operators do not appreciate what he is doing.
Unfortunately, he rarely listens to the advice he is constantly asking for....
Rob
> Is there a amprnet wiki page with recommendations and notes on just
> how to do this?
It depends too much on the layout of your network and the equipment and software you are
using how to do this. I normally use tshark (terminal version), unfortunately it can only
display a condensed version of each packet that does not show how it is tunneled, or a
way-to-verbose version where one packet takes up multiple screens full of data.
The GUI version 'wireshark' can nicely fold and unfold all levels of detail but of course
it is more difficult to run it inside a router or small Linux system used as a router.
Rob
I just use tcpdump:
tcpdump -i eth0 -vvv host amprgw.sysnet.ucsd.edu or ip proto \\icmp
tcpdump -vvv -s0 -n proto ipencap
> I would recommend amprnet operators starting a network analyzer on your
> network
> (like wireshark) every time you have made a configuration change, added some
> equipment,
> or just have a few minutes of time to spend.
Ronen,
Feel free to use mine:
http://44.92.21.1/tools/
These tools reside on my gateway (IPIP not BGP) and it does have a DNS
entry so it should be accessible from the world wide internet as well
as 44net.
I have a ip route lookup tool, so you can see what my local routing
table has for a return route.
73
Steve KB9MWR
>Hi there
>
>I have unexplained 44 net routing problem
>
>There are some gateways i can reach from my 44 net address and others not ...
>
>I can access any of my 44 net equipment from any non 44 net IP with no problem
>
>the Encap text is most updated....
>
>The gateways i cant reach are accessible from their non AMPRNET side
>
>I need a tool (beside this one http://44.60.44.10 ) to be able to do traceroute and ping to me and > to other 44 net
>
>Is there anyone that have such a thing open for the public (or willing to give me access ) on his >machine (that sit on 44 net IP via tunnel (not via BGP) ?
>
>Please Advice
>
>Thanks Forward
>
>Ronen - 4Z4ZQ
>
>http://www.ronen.org
Thanks Tal.. I'll be looking forward to the email. It should help.
>Hello,
>The time here is 23:53 and i'm not next to my computer.
>Tomorrow I'll send configuration file for the openvpn server and one to the
>client, also i have script that generate key files & config files for
>clients.
>
>Sorry that i can't send them now.
>
>Regards,
>Tal.
>
>> Brian, thanks for the update.
>>
>> I know I asked before on how to build openvpn server keys and other
>> configuration details that will let a openvpn server I build work with
>> any hams lotw key clients that has previously documented:
>>
>> http://wiki.ampr.org/wiki/AMPRNet_VPN
>>
>> This is what I have built my own generated certificate authority,
>> server keys, with before using the
>>
>> ./clean-all
>> ./build-ca
>> ./build-key-server server
>> ./build-key client1
>> ./build-dh
>>
>> I could really use something detailed on the values for the keys and
>> certificates parameters to make a server work with the lotw based keys
>>
>> Its not clear to me where one gets the the LoTW root CA certificate(s)
>> that need to be installed on the server. And I assume these are
>> Diffie hellman parameters?
>>
>> Steve
Hi there
I have unexplained 44 net routing problem
There are some gateways i can reach from my 44 net address and others not ...
I can access any of my 44 net equipment from any non 44 net IP with no problem
the Encap text is most updated....
The gateways i cant reach are accessible from their non AMPRNET side
I need a tool (beside this one http://44.60.44.10 ) to be able to do traceroute and ping to me and to other 44 net
Is there anyone that have such a thing open for the public (or willing to give me access ) on his machine (that sit on 44 net IP via tunnel (not via BGP) ?
Please Advice
Thanks Forward
Ronen - 4Z4ZQ
http://www.ronen.org
> I've been observing the following:
> a. - gateways sending RFC1918 addresses in the inside header (e.g.
> 192.168.11.0/24)
Unfortunately it is very common. Not only on IPIP tunnels but also on other
connections we have (OpenVPN, IPsec tunnels, radio access points).
Some weeks ago I mentioned it on the list, the sender claimed he would act on it,
but it just continues.
Unfortunately not many users understand iptables well enough to just block
invalid traffic on their own gatewat and even fewer are actively monitoring
their equipment so they would notice they are sending stuff like this and receiving
"prohibited" replies all the time :-(
I would recommend amprnet operators starting a network analyzer on your network
(like wireshark) every time you have made a configuration change, added some equipment,
or just have a few minutes of time to spend. It will teach you a lot and make
the other operators happy.
Rob
> Phil has dropped the project. I doubt he'll take it up again.
> - Brian
Why? It was quite easy to implement on our gateway. And I did some extra work
to make it easier for me to maintain, else it would have been even simpler.
Maybe there were other reasons?
Rob
> I suspect they were personal reasons; Phil has retired from networking
> entirely and between battling cancer and turning his remaining time to
> teaching high-school students about science and engineering, I know he's
> not interested in AMPRNet anymore. He said so when we had dinner a few
> weeks ago.
> - Brian
I'm sorry to hear that... please send him my best wishes when you have
contact with him.
It is his work that made the AMPRNet possible in the early days...
Rob
About 5 years ago I thought I read that Phil Karn was working on
getting OpenVPN implemented on the AMPRGW. Is there a status update
on that?
The reason I ask is once again, I have a situation where we could
really use some sort of statefull way to connect some HSMM links.
There is always a lot of arm twisting needed to convince folks who are
donating us an internet connection that we need access to the firewall
to forward ports for IRLP and the like.
Steve
