Ok gang!!!
It seems I am working now.
Soooooooo let's start from the beginning.
I believe the modem/router combo provided by my ISP was the problem all along so I bought a nice TP-Link AX5400 and put the ISP’s modem into bridge mode. The WIFI was starting to fail so buying a new router or replacing theirs was on the TO-DO list anyway.
Now the router gets the public ip.
I also created a domain name with no-ip for my dynamic ip address issue because I knew I would be switching devices on the modem and the public IP would be changing. When I have an IP, it doesn’t really change but I did it anyway and updated my gateway info on the portal. The router has a built-in updating client and works pretty quick.
Next I put my proposed ampr gateway machine on a dmz port of this new router and at that point made some iptables entries which I’m not sure they were necessary for this next step but did it anyway because I may need it for the step after this one.
iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
and for S & G’s, enabled NAT with….
iptables -t nat -A PREROUTING -p 4 -j DNAT --to-destination 10.10.0.2   # <= ip address of my network card on machine
I also made sure I had enabled net.ipv4.ip_forward=1
I then started tcpdump with tcpdump -i eth0 -vvv host
and WOO HOO!!
I started seeing RIP announcements within a minute or so.
At the 15 minute or so mark of this, I figured if I saw this, then ampr-ripd should work so I……
Started @ 2054 UTC ampr-ripd with /usr/sbin/ampr-ripd -d -v -i tunl0
and @ 2055 I started seeing RIP announcements soooooooo
Again, it seems it was the router capabilities of this modem/router combo from my ISP that was the issue.
This means I can move forward with the next steps of setting up this gateway.
Thanks everyone for chiming in with their ideas and the added conversations in this thread. They all helped me figure this mess out.
73 everyone
Harold
K7ILO
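
Added example (not part of the message above and not code from ampr-ripd): a small Python classifier for what the tcpdump step in this thread is looking for, an unsolicited protocol-4 (IPIP) packet whose inner packet is a RIPv2 response on UDP 520. All addresses, the password field and the route in the sample are constructed for illustration; only 10.10.0.2 and the protocol/port numbers come from the thread.

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_UDP, RIP_PORT = 4, 17, 520

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left 0) for the constructed sample."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

def split_ipv4(pkt):
    """Return (protocol, payload) of an IPv4 packet, honouring IHL and total length."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("bad IPv4 lengths")
    return pkt[9], pkt[ihl:total]

def classify(pkt):
    """Classify one packet as seen on the WAN interface; decode tunnelled RIPv2 routes."""
    proto, inner = split_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        return {"kind": "not-ipip", "proto": proto}
    inner_proto, udp = split_ipv4(inner)
    if inner_proto != IPPROTO_UDP or len(udp) < 8:
        return {"kind": "ipip-other", "proto": inner_proto}
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    rip = udp[8:ulen]
    if dport != RIP_PORT or len(rip) < 4 or rip[:2] != b"\x02\x02":  # response, version 2
        return {"kind": "ipip-udp-other", "dport": dport}
    routes = []
    for off in range(4, len(rip) - 19, 20):
        afi, _tag, addr, mask, nhop, metric = struct.unpack("!HH4s4s4sI", rip[off:off + 20])
        if afi != 2:  # e.g. 0xFFFF authentication entry (RFC 2453): not a route
            continue
        prefix = bin(int.from_bytes(mask, "big")).count("1")
        routes.append((f"{ipaddress.IPv4Address(addr)}/{prefix}",
                       str(ipaddress.IPv4Address(nhop)), metric))
    return {"kind": "rip-response", "routes": routes}

# Constructed sample: every address, the password and the route are made up.
_auth = struct.pack("!HH16s", 0xFFFF, 2, b"example-password")
_route = struct.pack("!HH4s4s4sI", 2, 0, bytes([44, 0, 2, 0]), bytes([255, 255, 255, 0]),
                     bytes([198, 51, 100, 7]), 1)
_rip = b"\x02\x02\x00\x00" + _auth + _route
_udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(_rip), 0) + _rip
SAMPLE = ipv4("192.0.2.1", "10.10.0.2", 4, ipv4("44.0.0.1", "224.0.0.9", 17, _udp))
print(classify(SAMPLE))
```

A "not-ipip" result for everything arriving from the tunnel peer means the upstream router is dropping protocol 4 before it reaches the gateway.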
From: Tim Požar via 44net <44net(a)mailman.ampr.org>
Date: Friday, September 30, 2022 at 8:00 AM
To: Barry Bahrami <barrybahrami(a)gmail.com>, KI5PGJ <ki5pgj(a)placebonol.com>
Cc: AMPRNet working group <44net(a)mailman.ampr.org>
Subject: [44net] Re: ftp access to encap.txt
+1 on Vyos. I have it running on a VM as a VPN server and router. If
you are used to EdgeOS, you will be comfortable with Vyos as EdgeOS
forked from it some years ago. Very Junos-like.
Tim
On 9/30/22 7:18 AM, Barry Bahrami via 44net wrote:
If you go the bridge mode option then look at putting VyOS behind it.
It's a great open source router, full featured, and as fast as the
hardware you put it on. It runs on regular x86 hardware. I've used it
for years. It's a fork of Vyatta before it went private. VyOS.io
Thank you,
Barry Bahrami
KN6MVB
On Fri, Sep 30, 2022 at 6:26 AM KI5PGJ via 44net <44net(a)mailman.ampr.org> wrote:
Some broadband providers also support some form of bridge mode where
their CPE only provides transport layer, passing through all traffic
to your device. I know Windstream supports that in my area of the US.
diana
KI5PGJ
On September 28, 2022 2:08:01 PM MDT, Lee D Bengston via 44net <44net(a)mailman.ampr.org> wrote:
Not sure if that will work if the router is also a cable-modem
or DSL-modem.
On Wed, Sep 28, 2022, 2:49 PM Boudewijn (Bob) Tenty via 44net <44net(a)mailman.ampr.org> wrote:
Just flash your router with dd-wrt if it can't pass ipip and
the problem is solved.
Bob
On 2022-09-28 14:33, Rob PE1CHL via 44net wrote:
There is nothing special to do, except that you need to make sure that
incoming protocol-4 traffic on your internet connection arrives at your
gateway system. And with modern internet routers as supplied by
providers that is often impossible. You often can forward TCP and UDP
ports only, not protocols. And when there is a "DMZ" setting that
promises to forward all unsolicited incoming traffic to a specified
host, more and more often it handles only TCP and UDP traffic.
It can be deceiving that the router often passes replies to outgoing
protocol-4 traffic as part of its standard NAT function. That is not
enough. It needs to pass unsolicited incoming traffic or else you will
not see the RIP packets.
Rob
On 9/28/22 20:24, David Ranch via 44net wrote:
> Hey Chris, Marius,
>
> Ok, thank you for the correction though I clearly remember that
> "something" additional was required before RIP updates would start
> flowing over the IPIP tunnel other than the user just defining their
> gateway IP address for the IPIP tunnel endpoint. What is "that"?
> --David
> KI6ZHD
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
--
There is nothing permanent except change
-Heraclitus