Hey gang. Kinda new here for Ive been dabbling with this for a few years though. I have been trying to use the ampr-ripd daemon without any luck and have come to the conclusion that my ISP blocks port 520 which I believe is the port used.
With that said, i have also come to the conclusion that at this time, the encap.txt file is still accessible via ftp from the portal.ampr.org.
Is "wget ftp://USER:PASSWORD@portal.ampr.org/encap.txt" a valid ftp solution and if so where is the USER:PASSWORD derived from?
Is it our user:password into the portal?
Thanks all
Harold K7ILO
Bill,Your VoIP system should be configured to register with the server. This would maintain the link.I'm not sure what client/server you're using, but there may be a time, timeout or keepalive (etc.) setting in the configuration options for the Callcentric service.If you are configured to receive blind SIP calls/packets into your Public IP at udp/5060 or something, Carrier Grade NAT would hinder that method.--- KB3VWG
- I believe the secure firewall the ALG would need to traverse and be installed on is the ISP's device. That seems to be the source of the current issue.- The SIP ALG is known to be vulnerable - see https://samy.pl/slipstream/
Bill,Carrier grade NAT means you aren't issued a Public IP on the WAN interface facing your ISP. There's a block of IP space (100.64.0.0/10) used for this purpose. CG NAT exists because of exhaustion of the Global IPv4 space.Yes, this would mean you cannot control receipt of protocols like: TCP, UDP and importantly for AMPR - IP Protocol No. 4.It sounds like they may have recently implemented this on their customer network. The ISP can offer their own services because they use their Public IP space on those needed servers. Another example where they use Global IPs - is on the CG NAT router that connects you to the Internet.It's possible they now offer a Public IP as an added service. You could inquire about that.73,LynwoodKB3VWG
-------- Original message --------From: Harold Kinchelow via 44net <44net(a)mailman.ampr.org> Date: 10/4/22 22:32 (GMT-05:00) To: 44net(a)mailman.ampr.org Subject: [44net] New ISP blocking VoIP
I am reposting this for William Horne because he post using a prevous message of mine but it came directly to me. Please take a look
@ his issue below.
Thanks
Harold
K7ILO
From: E. William Horne <malassimilation(a)gmail.com>
Sent: Sunday, October 2, 2022 2:57 PM
To: Harold Kinchelow <k7ilo(a)outlook.com>
Subject: New ISP blocking VoIP
OM,
I humbly request that you help me in any way you can to get around my new ISP blocking VoIP phone calls. On 9/4/2022, they stopped without warning or justification: both Callcentric and Hamshack Hotline went dead at the same time.
On Monday, 9/5, I complained to the "Tech Support" number, and I listened to their employee being told to "Blame it on his router," and then to her doing so. I told her that wouldn't cut it, and she said she would "reset my modem" and then
Callcentric came back online. I made a call with my Cisco SIP phone, and talked to my brother-in-law in Massachusetts for a few minutes, but right after we hanged up, the Callcentric line was dead again. I complained again, with nothing but gobbledygook and
shaming and finger-pointing to show for it.
The ISP had some flack call me, and he told me that they were doing "Cee-Gee-NAT," and couldn't map the ports required for Voip. I asked him how the ISP could offer it's own VoIP service, right on their public-facing website, if that were
so. He said he'd have to do some more research, and I've never heard back.
Here's a fervent "TIA" for any help you can offer.
73,
Bill Horne, W4EWH
828-380-1440 (Cell)
I am reposting this for William Horne because he post using a prevous message of mine but it came directly to me. Please take a look
@ his issue below.
Thanks
Harold
K7ILO
________________________________
From: E. William Horne <malassimilation(a)gmail.com>
Sent: Sunday, October 2, 2022 2:57 PM
To: Harold Kinchelow <k7ilo(a)outlook.com>
Subject: New ISP blocking VoIP
OM,
I humbly request that you help me in any way you can to get around my new ISP blocking VoIP phone calls. On 9/4/2022, they stopped without warning or justification: both Callcentric and Hamshack Hotline went dead at the same time.
On Monday, 9/5, I complained to the "Tech Support" number, and I listened to their employee being told to "Blame it on his router," and then to her doing so. I told her that wouldn't cut it, and she said she would "reset my modem" and then Callcentric came back online. I made a call with my Cisco SIP phone, and talked to my brother-in-law in Massachusetts for a few minutes, but right after we hanged up, the Callcentric line was dead again. I complained again, with nothing but gobbledygook and shaming and finger-pointing to show for it.
The ISP had some flack call me, and he told me that they were doing "Cee-Gee-NAT," and couldn't map the ports required for Voip. I asked him how the ISP could offer it's own VoIP service, right on their public-facing website, if that were so. He said he'd have to do some more research, and I've never heard back.
Here's a fervent "TIA" for any help you can offer.
73,
Bill Horne, W4EWH
828-380-1440 (Cell)
Hey Amateur Radio team
I know what VPN is. I know what OpenVPN does. What are the actual uses of having a VPN into the AmprNet space.
Ive seen on so many diagrams of setups where there is a VPN into the network.
Thanks all
Harold - K7ILO
All,
FYI if you upgrade an OpenWrt node to 22.03.0 with a dynamic firewall script. The script will need to be updates to nftables.
In addition, I am running on x86_64, but those who use consumer hardware may experience loads when iptables rules were in the Wiki versus "ipset" (which is an iptables feature). See the archives about that issue.
On larger sets of IPs, the load times are slower. I'm not sure if that's due to our routing table already being in a "least-specific" notation. Nonetheless, if anyone wishes to try, feel free to have me as a resource during your upgrade. If anyone want to test installing the additional needed packages to continue using, let me know too for documenting to the Wiki. I can test on consumer software too - and you can forward the routes to it using the setting in ampr-ripd.
--
73,
- Lynwood
KB3VWG
Stations are issued an 44-net IP on their first connection, which remains permanently for all subsequent connections. It also automatically reconnects should the underlying IP change, or drop out (think cellular based links).
IRLP can handle IPs changing on the fly automatically, but our VPN users are essentially static using the same 44-net address each time they connect.
—
Dave K9DC, K9IP
> On Oct 4, 2022, at 17:56, Stephen Atkins <ve6cpu(a)proton.me> wrote:
>
> Are you using 44net so you have a "static" ip for those repeaters instead of always having to update dns for there dynamic is ones?
>
>
> Stephen Atkins
> VE6CPU/VE6STA/VE6SU
All,
Overnight, I upgraded my AMPR Gateway to OpenWrt 22.03.0. There is a major firewall change from iptables to nftables.
Feel free to test access (NOTE: only the protocols listed work).
You should be able to Trace/Ping from your Public or AMPR ranges:
- 44.60.44.1 NTP (NTP should only be configured on AMPR clients, but it is open to your public IPs by firewall as a courtesy)
- 44.60.44.3 DNS (dns-mdc.ampr.org - only from AMPR)
- 44.60.44.10 HTTP (http://44.60.44.10 and http://kb3vwg-010.ampr.org/homepage/ on AMPR and Public - AMPR access has more options/links available)
--
73,
- Lynwood
KB3VWG
