This may be a stop gap for low traffic sites, but I think the goal is to avoid sending everything through 44.0.0.1.
We should be working toward deprecating hacked solutions, like the IPIP tunnel set. Our model should be
Internet -> Router (BGP) -> subnet (i.e. 44.24.0.0/16) -> VPN/Tunnel/RF Link -> Local Subnet 44.24.10.0/24 -> LAN (wired or RF) -> Station ( 44.24.10.2/32)
Any incoming traffic to the router based on BGP would be routed to the subnet and filtered at the local Subnet or where the traffic hits Part 97 (or equivalent) RF.
Any outgoing (from individual /32 net) traffic is passed up the chain LAN / Local Sub-net / Subnet / Internet.
If the src address is 44.x.x.x/32 it should be routed through the BGP enabled router to the Internet. If the src address is not 44.x.x.x/32 it goes over the local ISP router.
------------------------------
John D. Hays
K7VE
PO Box 1223, Edmonds, WA 98020-1223
http://k7ve.org/blog
http://twitter.com/#!/john_hays
http://www.facebook.com/john.d.hays
On Thu, Sep 5, 2013 at 5:52 PM, Brian Rogers n1uro@n1uro.ampr.org wrote:
http://n1uro.ampr.org/cgi-bin/safe-config.cgi will set up a *very* basic system for amprnet ipencap routing, provided you have a tunnel interface already configured.
Field 1: 169.228.66.251 <- ucsd
Field 2: 44.0.0.1 <- ucsd
Field 3: 44.x.x.x <- your amprnet gw IP
Field 4: eth0/wlan0/wifi0/etc
The rest gives you basic IPTable rules to allow IPEncap and ax25 frames through your firewall, route rules, and a basic route table. Load your favorite ripv2-daemon and configure it to populate "table 1" and you'll be off and running within the first rip broadcast (faster if you run the munge script - no need to wait for a broadcast).
Mine looks exactly as the cgi prints:
Add this to your rc.local, or whatever init script you wish to make:
# allow IPEncapsulation and ax25 frames to gate through...
iptables -I INPUT 1 -j ACCEPT --proto 4
iptables -I INPUT 1 -j ACCEPT --proto 93
iptables -I OUTPUT 1 -j ACCEPT --proto 4
iptables -I OUTPUT 1 -j ACCEPT --proto 93
iptables -I FORWARD 1 -j ACCEPT --proto 4
iptables -I FORWARD 1 -j ACCEPT --proto 93

# Create a policy to encap forward to your host...
ip rule add from 44/8 pref 1 table 1
ip rule add to 44/8 pref 1 table 1

# Now let's set the routing accordingly...
ip route add 44/8 via 169.228.66.251 dev tunl0 onlink src 44.88.0.9 table 1
ip route add default via 169.228.66.251 dev tunl0 onlink table 1
Whether or not you're SAFed (source address filtered) this should work for you.
--
73 de Brian Rogers - N1URO
email: n1uro@n1uro.ampr.org
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
AmprNet coordinator for: Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont.
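As an added example, not from either poster, here is a small Python model of the rule/table lookup that Brian's two `ip rule add ... pref 1 table 1` lines and the two `table 1` routes configure; the main-table ISP default route (192.0.2.1 on eth0) is a constructed placeholder. It shows why John objects to the tunnel set: every packet sourced from 44/8, whatever its destination, is steered to 169.228.66.251 over tunl0, while only traffic with neither a 44/8 source nor a 44/8 destination reaches the ISP router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

@dataclass
class Route:
    prefix: Net
    via: str
    dev: str

@dataclass
class Rule:
    pref: int
    table: str
    src: Optional[Net] = None   # the "from" selector of an ip rule
    dst: Optional[Net] = None   # the "to" selector of an ip rule

    def matches(self, src, dst):
        return ((self.src is None or src in self.src) and
                (self.dst is None or dst in self.dst))

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def route_packet(rules, tables, src, dst):
    """Walk the rules by preference and return (gateway, device) for the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.matches(src, dst):
            hit = lookup_table(tables[rule.table], dst)
            if hit is not None:   # empty table lookup falls through to the next rule
                return hit.via, hit.dev
    return None

# The two "ip rule add ... pref 1 table 1" lines from the post plus the implicit main-table rule.
RULES = [Rule(1, "1", src=Net("44.0.0.0/8")),
         Rule(1, "1", dst=Net("44.0.0.0/8")),
         Rule(32766, "main")]

TABLES = {
    # "ip route add 44/8 via 169.228.66.251 dev tunl0 ... table 1" and the table-1 default route
    "1": [Route(Net("44.0.0.0/8"), "169.228.66.251", "tunl0"),
          Route(Net("0.0.0.0/0"), "169.228.66.251", "tunl0")],
    # Constructed main table: a placeholder ISP gateway that is not part of the post
    "main": [Route(Net("0.0.0.0/0"), "192.0.2.1", "eth0")],
}

if __name__ == "__main__":
    for s, d in [("44.88.0.9", "198.51.100.5"), ("192.0.2.10", "44.24.10.2"), ("192.0.2.10", "198.51.100.5")]:
        print(s, "->", d, route_packet(RULES, TABLES, s, d))
```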