Harold,

Please do write up your experiences and add them to the Wiki, that’s what it’s for and it only works if folk contribute!

Thanks,
Chris - G1FEF



On 3 Oct 2022, at 05:30, Harold Kinchelow via 44net <44net@mailman.ampr.org> wrote:

You hit the nail on the head, PROPER DMZ.  Didn’t work on the previous equipment.
What also gave it away were other issues I started noticing with the modem/router.  I have an ALLSTARLINK repeater on my
network which uses UDP port 4569.
I noticed that my port forwards for all of my services were deleted, including ALLSTAR but it still made connections to other nodes
so that told me that there were issues deeper than what I could see in the GUI.
 
Anyway, we’re good.  I am notating my build with Debian 11 because there are some things with it that are different
from earlier versions or even Ubuntu, which is documented on the WIKI.  Not many.  I'll provide them if wanted/needed.
 
Thanks again everyone.  I’m sure I’ll have some other questions as I complete this setup.
 
Harold
K7ILO
 
 
 

From: Steve L <kb9mwr@gmail.com>
Date: Sunday, October 2, 2022 at 9:18 PM
To: Harold Kinchelow <k7ilo@outlook.com>
Cc: AMPRNet working group <44net@mailman.ampr.org>
Subject: Re: [44net] Re: ftp access to encap.txt

Harold's message here is likely something that should be incorporated
into the Wiki.
Recapping
1.) Whenever possible the customer premise equipment (CPE) should be
something you own, if you have that option.  Provider combo
modem/router units often lack features that we'd need, like proper DMZ
implementations.  As some have noted, sometimes they only forward TCP
and UDP.  And other times we have seen protocol 4 being treated
statefully.
2.) Barring those options, if it is possible to place the equipment
into a bridge mode or DMZ mode, then point that to your ampr gateway
system.
3.) Then run "tcpdump -i eth0 -vvv host amprgw.ucsd.edu" to verify
you are receiving the protocol 4 based RIP announcements
4.) If successful then apply firewall rules to your gateway, etc.

Glad you got it working

Steve

On Sun, Oct 2, 2022 at 4:02 PM Harold Kinchelow via 44net
<44net@mailman.ampr.org> wrote:
>
> Ok gang!!!
>
>
>
> It seems I am working now.
>
> Soooooooo, let's start from the beginning.
>
>
>
> I believe the modem/router combo provided by my ISP was the problem all along so I bought a nice TP-Link AX5400 and put the
>
> ISP’s modem into bridge mode.  The WIFI was starting to fail so buying a new router or replacing theirs was on the TO-DO list anyway.
>
> Now the router gets the public ip.
>
> I also created a domain name with no-ip for my dynamic ip address issue because I knew I would be switching devices on the modem and the public
>
> Ip would be changing.  When I have an IP, it doesn’t really change but I did it anyway and updated my gateway info on the portal.  The router
>
> has a built-in updating client and works pretty quick.
>
>
>
> Next I put my proposed ampr gateway machine on a DMZ port of this new router and at that point made some iptables entries which I’m not sure were
>
> necessary for this next step, but did it anyway because I may need it for the step after this one.
>
>
>
> iptables -A INPUT -p 4 -j ACCEPT
>
> iptables -A INPUT -p udp --dport 520 -j ACCEPT
>
>
>
> and for S & G’s, enabled NAT with….
>
> iptables -t nat -A PREROUTING -p 4 -j DNAT --to-destination 10.10.0.2    <=ip address of my network card on machine
>
>
>
> I also made sure I had enabled net.ipv4.ip_forward=1
>
>
>
>
>
> I then started tcpdump with tcpdump -i eth0 -vvv host amprgw.ucsd.edu and WOO HOO!!
>
> I started seeing RIP announcements within a minute or so.
>
> At the 15 minute or so mark of this, I figured if I saw this, then ampr-ripd should work so I……
>
>
>
> Started @ 2054 UTC ampr-ripd with /usr/sbin/ampr-ripd -d -v -I tunl0
>
> and @ 2055 I started seeing RIP announcements soooooooo
>
>
>
> Again, it seems it was the router capabilities of this modem/router combo from my ISP that was the issue.
>
>
>
> This means I can move forward with the next steps of setting up this gateway.
>
>
>
> Thanks everyone for chiming in with their ideas and the added conversations in this thread.  They all helped me figure this mess out.
>
>
>
>
>
> 73 everyone
>
>
>
> Harold
>
> K7ILO
>
>
>
>
>
> From: Tim Požar via 44net <44net@mailman.ampr.org>
> Date: Friday, September 30, 2022 at 8:00 AM
> To: Barry Bahrami <barrybahrami@gmail.com>, KI5PGJ <ki5pgj@placebonol.com>
> Cc: AMPRNet working group <44net@mailman.ampr.org>
> Subject: [44net] Re: ftp access to encap.txt
>
> +1 on Vyos.  I have it running on a VM as a VPN server and router. If
> you are used to EdgeOS, you will be comfortable with Vyos as EdgeOS
> forked from it some years ago.  Very Junos-like.
>
> Tim
>
> On 9/30/22 7:18 AM, Barry Bahrami via 44net wrote:
> > If you go the bridge mode option then look at putting VyOS behind it.
> > It's a great open source router, full featured, and as fast as the
> > hardware you put it on.   It runs on regular x86 hardware. I've used it
> > for years.  It's a fork of Vyatta before it went private.  VyOS.io
> >
> >
> > Thank you,
> >
> > Barry Bahrami
> > KN6MVB
> >
> >
> >
> > On Fri, Sep 30, 2022 at 6:26 AM KI5PGJ via 44net <44net@mailman.ampr.org> wrote:
> >
> >     Some broadband providers also support some form of bridge mode where
> >     their CPE only provides transport layer, passing through all traffic
> >     to your device.  I know Windstream supports that in my area of the US.
> >
> >     diana
> >     KI5PGJ
> >
> >     On September 28, 2022 2:08:01 PM MDT, Lee D Bengston via 44net
> >     <44net@mailman.ampr.org> wrote:
> >
> >         Not sure if that will work if the router is also a cable-modem
> >         or DSL-modem.
> >
> >         On Wed, Sep 28, 2022, 2:49 PM Boudewijn (Bob) Tenty via 44net
> >         <44net@mailman.ampr.org> wrote:
> >
> >             Just flash your router with dd-wrt if it can't pass ipip and
> >             the problem is solved.
> >
> >             Bob
> >
> >
> >             On 2022-09-28 14:33, Rob PE1CHL via 44net wrote:
> >              > There is nothing special to do, except that you need to
> >             make sure that incoming protocol-4
> >              > traffic on your internet connection arrives at your
> >             gateway system.  And with modern internet
> >              > routers as supplied by providers that is often
> >             impossible.  You often can forward TCP and UDP
> >              > ports only, not protocols.  And when there is a "DMZ"
> >             setting that promises to forward all
> >              > unsolicited incoming traffic to a specified host, more
> >             and more often it handles only TCP and UDP
> >              > traffic.
> >              > It can be deceiving that the router often passes replies
> >             to outgoing protocol-4 traffic as part
> >              > of its standard NAT function.  That is not enough.  It
> >             needs to pass unsolicited incoming traffic
> >              > or else you will not see the RIP packets.
> >              >
> >              > Rob
> >              >
> >              > On 9/28/22 20:24, David Ranch via 44net wrote:
> >              >> Hey Chris, Marius,
> >              >>
> >              >> Ok, thank you for the correction though I clearly
> >             remember that "something" additional was required before RIP
> >             updates would start flowing over the IPIP tunnel other than
> >             the user just defining their gateway IP address for the IPIP
> >             tunnel endpoint.  What is "that".
> >              >>
> >              >> --David
> >              >> KI6ZHD
> >              > _______________________________________________
> >              > 44net mailing list -- 44net@mailman.ampr.org
> >             <mailto:44net@mailman.ampr.org>
> >              > To unsubscribe send an email to
> >             44net-leave@mailman.ampr.org
> >             <mailto:44net-leave@mailman.ampr.org>
> >
> >             --
> >             There is nothing permanent except change
> >               -Heraclitus
> >
> >
> >
> >
>
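The recap above (check for unsolicited protocol-4 traffic with tcpdump, then apply firewall rules) as an added shell example. This is not code from the thread or from the AMPRNet project. It assumes, as my own assumptions rather than anything the thread states: the tunnel interface is tunl0, the RIP44 announcements arrive inside the tunnel from 44.0.0.1 to 224.0.0.9, and the capture lines embedded below are constructed to look like tcpdump -vvv output, not a real capture. The point it adds to the thread's "-p 4 -j ACCEPT" and "udp --dport 520 -j ACCEPT" lines is that IPIP must stay open to any source (other AMPRNet gateways tunnel to you directly), but RIP on UDP/520 only needs to be accepted on the tunnel interface from the announcing host, so a random Internet host cannot push routes into your gateway.

```shell
#!/bin/sh
# Added example, not from the 44net thread. Helpers for the recap's step 3
# (verify unsolicited IPIP and RIP are arriving) and step 4 (firewall rules).
# Assumptions (mine, not the page's): tunnel interface tunl0, RIP44 announced
# from 44.0.0.1 to 224.0.0.9 inside the tunnel, constructed capture lines below.
set -u

# Constructed sample of "tcpdump -i eth0 -vvv host amprgw.ucsd.edu" output:
# two outer IPIP packets from amprgw, one of them carrying a RIPv2 Response.
SAMPLE_CAPTURE='12:00:01.000001 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto IPIP (4), length 544) amprgw.ucsd.edu > gw.example.net: IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 524) 44.0.0.1.route > 224.0.0.9.route: RIPv2, Response, length: 504
12:00:01.000002 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto IPIP (4), length 104) amprgw.ucsd.edu > gw.example.net: IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 44.0.0.1 > 44.60.1.1: ICMP echo request, id 1, seq 1, length 64'

# Constructed sample of the failure mode Rob describes: the CPE passes a reply
# to our own outgoing IPIP (an echo reply), but no unsolicited RIP ever shows.
SAMPLE_NO_RIP='12:00:05.000001 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto IPIP (4), length 104) amprgw.ucsd.edu > gw.example.net: IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 84) 44.0.0.1 > 44.60.1.1: ICMP echo reply, id 1, seq 1, length 64'

# check_capture CAPTURE [ANNOUNCER]
# Counts lines showing an outer IPIP (proto 4) packet from amprgw and lines
# showing a RIPv2 Response from the announcer. Prints "ipip=<n> rip=<n>" and
# returns 0 only when both were seen; seeing IPIP but no RIP is the NAT-reply
# trap from the thread, and returns 1.
check_capture() {
    capture=$1
    announcer=${2:-44.0.0.1}
    ipip=$(printf '%s\n' "$capture" | grep -c 'proto IPIP (4).*amprgw\.ucsd\.edu >' || true)
    rip=$(printf '%s\n' "$capture" | grep -c "$announcer\.route > 224\.0\.0\.9\.route: RIPv2, Response" || true)
    echo "ipip=$ipip rip=$rip"
    [ "$ipip" -gt 0 ] && [ "$rip" -gt 0 ]
}

# gen_rules WAN_IF TUN_IF [ANNOUNCER]
# Emits the iptables commands as text (dry run) so they can be reviewed, then
# piped to sh. IPIP is accepted from any source on the WAN because every
# AMPRNet gateway in encap.txt tunnels to this host directly; RIP on UDP/520
# is accepted only on the tunnel interface from the announcing host and
# dropped everywhere else.
gen_rules() {
    wan=$1
    tun=$2
    announcer=${3:-44.0.0.1}
    printf '%s\n' \
      "iptables -A INPUT -i $wan -p 4 -j ACCEPT" \
      "iptables -A INPUT -i $tun -p udp -s $announcer --dport 520 -j ACCEPT" \
      "iptables -A INPUT -p udp --dport 520 -j DROP"
}

# Stand-alone run: report on the two constructed captures, then print the rules.
check_capture "$SAMPLE_CAPTURE" && echo "good capture: IPIP and RIP both seen"
check_capture "$SAMPLE_NO_RIP" || echo "bad capture: replies only, no RIP (check DMZ/bridge mode)"
gen_rules eth0 tunl0
```

On a live system the capture is fed in with something like `check_capture "$(timeout 120 tcpdump -i eth0 -vvv -l host amprgw.ucsd.edu 2>/dev/null)"`, and the rules are applied with `gen_rules eth0 tunl0 | sh` only after the capture check passes, since a DROP on UDP/520 that lands before the tunnel is up hides nothing you did not already lack. The announcer address is an assumption to confirm against your own capture before relying on the `-s` match.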