Jnos can't do this presently as it can't do routing based on the "From" address. If you want that to do that you really have to handle all your encap/ipip in linux.
Bob VE3TOK
On 13-09-05 04:19 PM, Mark Phillips wrote:
(Please trim inclusions from previous messages) _______________________________________________ It seems that everyone wants to use iptables in linux. I use JNOS on linux behind a pfsense firewall.
The encap packets are forwarded to my JNOS instance properly.
JNOS can speak to the internet directly via the linux host amd pfsense.
I only want commercially sourced packets to be responded to via ucsd.
In other words packets should go put tje same way they came in.
This should be done in JNOS as it is the target of the packets.
Question is ; how? On Sep 5, 2013 3:33 PM, "Bob Tenty" bobtenty@gmail.com wrote:
(Please trim inclusions from previous messages) _______________________________________________ The traffic from ucsd by ipip is addressed to your 44 address and arriving from some Internet address. (This is something else as from 44 address to 44 address.) Traffic in this case will be routed from your 44 address to an commercial Internet address non-encapped over your ISP who blocks traffic from 44 addresses. This is why you have to tell the linux kernel with rules that if you want to reach internet FROM your 44 address that you have to route it by ipip (encap) over ucsd.
Above is if you do your ipip routing with linux. If you do your encap in jnos you are out of luck as jnos can handle that specific case.
73,
Bob VE3TOK
On 13-09-05 02:42 PM, Mark Phillips wrote:
(Please trim inclusions from previous messages) _______________________________________________ And by IP rule you mean what? This is not a firewall issue. Traffic flows back and forth perfectly.
What JNOS should be doing is to respond to packets in the same manner in which they arrived. If they came in via encap they should go out via
encap,
if they come in directly they should go out directly.
Simply adding a default route via the encap interface is not right as it will send all non 44 traffic to ucsd even if I don't want it to go there. I'm sure ucsd could do without the extra traffic too.
Mark
On Thu, Sep 5, 2013 at 1:15 PM, Michael E. Fox - N6MEF <n6mef@mefox.org wrote:
(Please trim inclusions from previous messages) _______________________________________________ If you want to direct outbound packets from your 44.x addresses back through the UCSD gateway, you need to create an ip rule to do so.
Michael N6MEF
-----Original Message----- From: 44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu [mailto:44net-bounces+n6mef=mefox.org@hamradio.ucsd.edu] On Behalf Of
Mark
Phillips Sent: Thursday, September 05, 2013 10:05 AM To: AMPRNet working group Subject: [44net] Routing and encap minor issue in JNOS
(Please trim inclusions from previous messages) _______________________________________________ Hi all,
Firstly, if this has been done to death before please forgive me. I
could
not find anything in the archive.
Secondly, I have noticed an "issue" with the routing and encap within
JNOS.
It would seem that if a 44 station tries to contact me all works fine.
For
example I can communicate with N2NOV and GB7CIP exactly how you would expect.
However, if a "public" address contacts me, I get their connect
requests in
encap format via uscd but then I send them my response directly rather
than
back the same way it came.
This means that there can be no public access to my system via the Internet.
What have I missed? JNOS will not allow me to set the default route via encap/uscd and I don't really want to send all my traffic (eg DNS
lookups)
via there anyway. How can I respond to connections in the same way that
I
received them?
Thinking about it, it makes sense that JNOS replies directly. Once it unpacks the packet and discovers an encap'd one inside it will work on
that
one exclusively.
Thanks
Mark