> Subject:
> Re: [44net] Gateways with external address in net-44
> From:
> Brian <n1uro(a)n1uro.ampr.org>
> Date:
> 11/12/2014 02:07 PM
>
> To:
> AMPRNet working group <44net(a)hamradio.ucsd.edu>
>
>
> On Wed, 2014-11-12 at 10:16 +0100, Rob Janssen wrote:
>
>> >Ok, but then I think those gateway entries should not be distributed via RIP.
>> >When they are directly routable, should we use a tunnel to reach them?
> That's only half the equasion. The other half is when one is SAFed
> (Source Address FilterED) and they policy route 44/8 via their tunnel
> interface, and anything else via UCSD...
Yes that is the problem. I need to policy route on source address because of SAF
and I use a separate routing table for the tunnels with a default to UCSD. This fails with
that 44.24.240/20 with gateway 44.24.221.1 network.
We are building a gateway for 44.137.0.0/16 which in fact has already been running since
the summer but the process of getting the provider to agree to route BGP has taken much
longer than anticipated. Anyway, this gateway (which of course is not affected by SAF itself)
has a separate public IP (194.109.64.198) for use by the IPIP tunnels to other gateways.
I think that is a better method, it avoids lots of confusion and complicated policy routing
rules.
Maybe the routing will work again once we have our country gateway up and running
with BGP and direct outbound routing of net-44 traffic (without having to tunnel to UCSD).
I plan to work out a routing configuration without separate net-44 routing table at that time.
Rob
Brian Kantor wrote:
> Those are valid gateway entries; those particular 44-net addresses
> are directly routed via BGP advertisement.
> - Brian
>
Ok, but then I think those gateway entries should not be distributed via RIP.
When they are directly routable, should we use a tunnel to reach them?
There is a problem because when the destination of the tunnel is within the net-44,
the routing gets in an encapsulation loop.
Rob
+1
On November 12, 2014 12:15:25 PM EST, Tom Hayward <esarfl(a)gmail.com> wrote:
>
>I think we're getting a bit ahead of ourselves here proposing new
>special announcements.
>
>Here's another idea: don't assume anything spans the whole 44/8.
>Instead of policy-routing 44/8, policy route for each of the routes
>found in the encap. 44.24.221.0/24 isn't in the encap, so you should
>source packets to it from your commercial ISP source IP. UCSD is not
>involved.
>
>Tom KD7LXL
--
Bryan Fields
727-409-1194
http://bryanfields.net
When I was working on my gateway I noticed that stations use a 44-address as their external address.
For some time there has been the gateway to 44.24.240/20 with gateway 44.24.221.1
This morning I noticed gateways with address 44.151.94.28 and 44.140.0.1 but they have been removed
in the meantime.
I want to notice that my gateway cannot route traffic to gateways like that, due to the policy routing used
to separate internet traffic and tunnel traffic. And I think that many other gateways have a similar setup
and have the same problem.
Is there any official policy on the external gateway address? Is it allowed to be in net-44, and if not, wouldn't
it be better to check this in the portal and reject submissions like this with a suitable error message?
I suspect part of those entries are just the result of misunderstanding by a newcomer, and we help them
getting things working by hinting at this incorrect configuration.
Rob
Hello Rob/PE1CHL et al.
Rob, thank you very much for "pushing me" into right direction!
Today I made interesting and promissing tests with OpenVPN.
My question and goal was:
"Whether and how one can allocate any-in-size subnet to particular VPN
client?"
Of course, from the address space being at disposal.
Hardware setup:
- AMPRNet gateway server, Debian-7.5 (LAN + WAN)
utilizing 44.165.2.0/28 address space
- OpenVPN server running on above mentioned gateway
utilizing 44.165.15.0/24 address space
- Desktop PC - Debian-7.5 (on LAN, behind router)
- VirtualBox machines: Debian-7.5 Fedora-20 OpenBSD-5.5
(running on Desktop PC)
- Sony Xperia Z1 running OpenVPN client
OpenVPN addresses allocation:
- OpenVPN server - 44.165.15.0/24
- Desktop PC - 44.165.15.16/28
- VirtualBox Debian-7.5 - 44.165.15.32/29
- VirtualBox Fedora-20 - 44.165.15.40
- VirtualBox OpenBSD-5.5 - 44.165.15.253
- Sony Xperia Z1 - 44.165.15.2
Commands giving such nice possibility (example for Desktop PC):
- in the OpenVPN server config file
topology subnet
route 44.165.15.16 255.255.255.240 44.165.15.30
- in the OpenVPN client config file (on server!!!)
ifconfig-push 44.165.15.17 255.255.255.0
iroute 44.165.15.16 255.255.255.240
Already allocated subnets may appear and will be
reachable EXCLUSIVELY on previously assigned machines.
All other addresses may emerge anywhere.
Finally very brief answer is:
YES, it is possible to assign subnet to a particular VPN client!
For more detailed descriptions please refer to OpenVPN manual.
Best regards.
Tom - sp2lob
Hi folks
Anyone running rip44d with ubuntu server 14.04 ?
I have been for a while but after a recent update its now causing the server to hang on reboots :-(
Running kernel 3.13.0-37
I can get in to the server using recovery mode and disable the loading and all is OK so I know its a compatibility issue.
Andy
G0HXT
Hello,
Anyone here using CSF (ConfigServerFirewall) with net44...
I seem to have an issue ..
Seems Chinese hackers are obliterating my URONODE/JNOS Box... and I cannot
even run it long enough to do a tcpdump without losing all network
activity...
I have my config and allow and ignore files if anyone has an idea Id send
them off list for review..
What I see when I start it CSF does great job of stopping the hackers.. and
shortly thereafter it also stops net44..
I have in both allow and ignore files...
192.0.0.0/8
44.0.0.0/8
127.0.0.1
And I have ignore allow set to 1 in the config..
I see what I run csf -l
A line where its is deny tun0 !44.0.0.0/8
Even though just up from there is a listing of
Source and destinations where its allowed..
I think the lfd function of csf is the reason..
But from what I read in the docs if I allow and ignore an ip or /8 it should
allow via csf and lfd should ignore it.
Not sure what I am doing wrong.. But this has my system offline till figured
out.
If I turn on the CSF FW it shuts me out of the 44net altogether..
If I turn it off same results due to hackers. Plus I am off the internet as
well.
Many thanks 73 jerry N9LYA
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2015.0.5557 / Virus Database: 4181/8439 - Release Date: 10/23/14
