This may be a stop gap for low traffic sites, but I think the goal is to
avoid sending everything through 44.0.0.1.
We should be working toward deprecating hacked solutions, like the IPIP
tunnel set. Our model should be
Internet -> Router (BGP) -> subnet (i.e. 44.24.0.0/16) -> VPN/Tunnel/RF Link
-> Local Subnet 44.24.10.0/24 -> LAN (wired or RF) -> Station (44.24.10.2/32)
Any incoming traffic to the router based on BGP would be routed to the
subnet and filtered at the local Subnet or where the traffic hits Part 97
(or equivalent) RF.
Any outgoing (from individual /32 net) traffic is passed up the chain LAN /
Local Subnet / Subnet / Internet.
If the src address is 44.x.x.x/32 it should be routed through the BGP
enabled router to the Internet. If the src address is not 44.x.x.x/32 it
goes over the local ISP router.
------------------------------
John D. Hays
K7VE
PO Box 1223, Edmonds, WA 98020-1223
<http://k7ve.org/blog> <http://twitter.com/#!/john_hays>
<http://www.facebook.com/john.d.hays>
On Thu, Sep 5, 2013 at 5:52 PM, Brian Rogers <n1uro(a)n1uro.ampr.org> wrote:
> (Please trim inclusions from previous messages)
> _______________________________________________
>
> http://n1uro.ampr.org/cgi-bin/safe-config.cgi will set up a *very* basic
> system for amprnet ipencap routing pending you have a tunnel interface
> already configured.
>
> Field 1: 169.228.66.251 <- ucsd
> Field 2: 44.0.0.1 <- ucsd
> Field 3: 44.x.x.x <- your amprnet gw IP
> Field 4: eth0/wlan0/wifi0/etc
>
> The rest gives you basic IPTable rules to allow IPEncap and ax25 frames
> through your firewall, route rules, and a basic route table. Load your
> favorite ripv2-daemon and configure it to populate "table 1" and you'll
> be off and running within the first rip broadcast (faster if you run the
> munge script - no need to wait for a broadcast).
>
> Mine looks exactly as the cgi prints:
>
> Add this to your rc.local, or whatever init script you wish to make:
>
> # allow IPEncapsulation and ax25 frames to gate through...
> iptables -I INPUT 1 -j ACCEPT --proto 4
> iptables -I INPUT 1 -j ACCEPT --proto 93
> iptables -I OUTPUT 1 -j ACCEPT --proto 4
> iptables -I OUTPUT 1 -j ACCEPT --proto 93
> iptables -I FORWARD 1 -j ACCEPT --proto 4
> iptables -I FORWARD 1 -j ACCEPT --proto 93
> # Create a policy to encap forward to your host...
> ip rule add from 44/8 pref 1 table 1
> ip rule add to 44/8 pref 1 table 1
> # Now let's set the routing accordingly...
> ip route add 44/8 via 169.228.66.251 dev tunl0 onlink src 44.88.0.9 table 1
> ip route add default via 169.228.66.251 dev tunl0 onlink table 1
>
> *Whether or not you're SAFed (source address filtered) this should work
> for you.
> --
> 73 de Brian Rogers - N1URO
> email: <n1uro(a)n1uro.ampr.org>
> Web: http://www.n1uro.net/
> Ampr1: http://n1uro.ampr.org/
> Ampr2: http://nos.n1uro.ampr.org
> Linux Amateur Radio Services
> axMail-Fax & URONode
> AmprNet coordinator for:
> Connecticut, Delaware, Maine,
> Massachusetts, New Hampshire,
> Pennsylvania, Rhode Island,
> and Vermont.
>
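Both the quoted safe-config rule set and the model John describes rest on Linux policy routing: `ip rule` entries are walked in priority order, and the first table that holds a matching route decides the egress. The following is an added example, not code from either message nor from the safe-config script: a small Python model of that rule-then-table lookup, loaded once with the quoted rules (from 44/8 and to 44/8 into table 1, everything in table 1 pointed at the UCSD endpoint over tunl0) and once with John's model (only the site's own 44.24.10.0/24 steered toward the BGP-announcing router, all else via the ISP). The ISP next hop 192.0.2.1 on eth0, the device uplink0 and the next hop 44.24.0.1 are constructed placeholders; 169.228.66.251 and 44.24.10.0/24 are the values from the thread.

```python
"""Toy model of Linux policy routing ("ip rule" + per-table "ip route"),
written as an added illustration for this thread.  It is constructed for the
example, not the kernel's code and not part of the n1uro safe-config script.
Simplifications: only 'from'/'to' rule selectors, no metrics, no fwmark, and
no check that a next hop is actually reachable."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    dev: str
    via: Optional[str] = None      # next hop; None = directly connected


@dataclass
class Rule:
    pref: int
    table: str
    src: Optional[Net] = None      # "from" selector
    dst: Optional[Net] = None      # "to" selector

    def matches(self, src, dst) -> bool:
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst))


def lookup_table(routes: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: str, dst: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Walk rules by priority; the first selected table holding a matching
    route wins.  A selected table with no match falls through to the next
    rule, as the kernel does, so a table without a default does not blackhole."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.matches(s, d):
            hit = lookup_table(tables[rule.table], d)
            if hit is not None:
                return rule.table, hit.dev, hit.via
    return None   # no route at all: the kernel would report "unreachable"


def n(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Main table shared by both configurations.  192.0.2.0/24 via eth0 and the
# ISP next hop 192.0.2.1 are constructed stand-ins for a home uplink.
def main_table() -> List[Route]:
    return [Route(n("192.0.2.0/24"), "eth0"),
            Route(n("0.0.0.0/0"), "eth0", "192.0.2.1")]


# Rule/route set as printed by the quoted safe-config output: every packet
# from or to 44/8 is pushed into table 1, whose only exits are the UCSD
# encap endpoint 169.228.66.251 over tunl0 (both the 44/8 route and default).
def quoted_config():
    rules = [Rule(1, "1", src=n("44.0.0.0/8")),
             Rule(1, "1", dst=n("44.0.0.0/8")),
             Rule(32766, "main")]
    tables = {"1": [Route(n("44.0.0.0/8"), "tunl0", "169.228.66.251"),
                    Route(n("0.0.0.0/0"), "tunl0", "169.228.66.251")],
              "main": main_table()}
    return rules, tables


# The model John lays out: only the site's own 44.24.10.0/24 is steered to the
# link toward the BGP-announcing router; anything else uses the ISP default.
# Device "uplink0" and next hop 44.24.0.1 are constructed placeholders.
def model_config():
    rules = [Rule(1, "amprnet", src=n("44.24.10.0/24")),
             Rule(32766, "main")]
    tables = {"amprnet": [Route(n("0.0.0.0/0"), "uplink0", "44.24.0.1")],
              "main": main_table()}
    return rules, tables


def route_quoted(src: str, dst: str):
    return route_packet(*quoted_config(), src, dst)


def route_model(src: str, dst: str):
    return route_packet(*model_config(), src, dst)


if __name__ == "__main__":
    for src, dst in [("44.24.10.2", "8.8.8.8"),      # 44-sourced, Internet-bound
                     ("192.0.2.10", "44.24.10.2"),   # non-44 source, 44 destination
                     ("192.0.2.10", "8.8.8.8")]:     # ordinary LAN traffic
        print(f"{src} -> {dst} | quoted: {route_quoted(src, dst)}"
              f" | model: {route_model(src, dst)}")
```

Running the script shows the difference John is pointing at: with the quoted rules a 44-sourced packet for 8.8.8.8 leaves over tunl0 toward 169.228.66.251 (table 1's default), and so does a non-44 LAN host talking to a 44 address, because the "to 44/8" rule selects table 1 as well; with the subnet-scoped rule only the site's 44.24.10.0/24 sources take the uplink and everything else stays on the ISP path.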