Hi,
86.161.255.194 is the destination for 44.131.14.128/26. Just to
clarify, what you were seeing was probably stray traffic from an IPv6
tunnel which goes between my 44net addresses. Blame the main BT router
not handling IPv6 encapsulated packets unless I stick an extra IPv4
header on. Normally my traffic should not traverse the gateway, but
over the last couple of days I have been testing a backup system for
when my BGP routes go down so you probably saw some stray packets
reach the main gateway during last night's tests. If you happened to
capture the inner and outer headers and it shows something other than
an IPv6 encapsulated packet with a destination inside 44.131.14/24, or
if you are seeing traffic whilst my BGP route is up then it might be a
configuration error.
Regarding the other thread about which firewall rules to use, the
gateway is a little more complicated but for my home router I
(normally, not last night in case you saw differently) have the
equivalent to:
iptables -t filter -A FORWARD -i tunl0 ! -d 44.131.14.128/26 -j REJECT
iptables -t filter -A FORWARD -o tunl0 ! -s 44.131.14.128/26 -j REJECT
I think this pretty much covers the requirements for a basic end network?
If the main gateway receives an invalid encapsulated packet from a
known gateway or a 44net address, would it be helpful to return an
error instead of dropping it? An ICMP Administratively Denied packet
is more likely to generate an obvious error message than packets going
missing. The gateway would probably need to rate-limit the number of
errors it will send out to prevent abuse, though.
Thanks,
Mike, M6XCV
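An added example (not from this thread or either poster) of the inner/outer header check described above: it parses an ipencap packet as the ipip router would see it and separates the expected IPv6-over-IPv4-inside-ipencap case from the nested-ipencap case Brian logs and discards. The gateway address 198.51.100.1 and the inner 44net hosts are constructed placeholders.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4-in-IPv4 (ipencap)
IPPROTO_IPV6 = 41   # IPv6-in-IPv4

def parse_ipv4_header(buf):
    """Return (proto, src, dst, header_len) for the IPv4 header at buf[0:]."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    if buf[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[0] & 0x0F) * 4
    return (buf[9], ipaddress.IPv4Address(buf[12:16]),
            ipaddress.IPv4Address(buf[16:20]), ihl)

def classify(packet, expected_inner_prefix):
    """Classify a packet arriving at the ipip gateway by its inner header."""
    outer_proto, _, _, outer_ihl = parse_ipv4_header(packet)
    if outer_proto != IPPROTO_IPIP:
        return "not-ipencap"
    inner_proto, _, inner_dst, _ = parse_ipv4_header(packet[outer_ihl:])
    if inner_proto == IPPROTO_IPIP:
        return "nested-ipencap"           # routing misconfiguration: log and discard
    if inner_proto == IPPROTO_IPV6 and inner_dst in expected_inner_prefix:
        return "ipv6-tunnel-to-44net"     # IPv6 tunnel between 44net addresses
    return "other"

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample packets; gateway address and inner hosts are placeholders.
PREFIX = ipaddress.IPv4Network("44.131.14.0/24")
GATEWAY = "198.51.100.1"
IPV6_STUB = bytes([0x60]) + bytes(39)   # placeholder IPv6 header
EXPECTED = build_ipv4(IPPROTO_IPIP, "86.161.255.194", GATEWAY,
                      build_ipv4(IPPROTO_IPV6, "44.131.14.129", "44.131.14.130",
                                 IPV6_STUB))
MISCONFIGURED = build_ipv4(IPPROTO_IPIP, "77.138.34.39", GATEWAY,
                           build_ipv4(IPPROTO_IPIP, "44.0.0.1", "44.0.0.2",
                                      build_ipv4(6, "44.0.0.1", "44.0.0.2", b"")))

if __name__ == "__main__":
    print(classify(EXPECTED, PREFIX))       # ipv6-tunnel-to-44net
    print(classify(MISCONFIGURED, PREFIX))  # nested-ipencap
```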
On 20 April 2017 at 00:39, Brian Kantor <Brian(a)ucsd.edu> wrote:
In our tunnels, all traffic from a gateway should be encapsulated
and should NOT contain an encapsulated ipencap packet. The ipip
router at UCSD logs and discards these; I'm seeing such packets
from gateways
77.138.34.39
85.234.252.133
86.161.255.194
185.58.225.84
which suggests that they have a routing misconfiguration. The
operators of those gateways should examine their routing and
encapsulation rules to see why this is happening.
- Brian