Subject: [44net] Scripts From: Steve L kb9mwr@gmail.com Date: 08/05/2015 03:57 AM
To: "44net@hamradio.ucsd.edu" 44net@hamradio.ucsd.edu
So that got me thinking maybe this same concept could be applied to the BGP'd subnets, forcing them to use masquerading. But rather than a rule on the source address, we set it for destinations.
Here is what I came up with. (Untested)
http://www.qsl.net/kb9mwr/wapr/tcpip/startampr-bgp
Basically I download a list of all the BGP'd subnets, and set a flag like before and force them out as masqueraded.
I think it is preferable to IPIP encapsulate the traffic to a place where it can be sent with its original source address, over masquerading it to the public IP. When you have a default route in table 44 pointing to AMPRGW it will work OK without requiring exceptions for BGP routed subnets and it will also work to public internet. When you want to route only to AMPRnet you can use a 44.0.0.0/8 route to AMPRGW instead. (instead of AMPRGW, you can also use a more specific gateway that is on a not source-address filtered host and is closer to you, when they want to provide that service. e.g. for 44.137.0.0/16 hosts our gateway can be used for that)
Unfortunately this still breaks in case an IPIP gateway is using an endpoint address within 44.0.0.0/8
Rob
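The two approaches in this exchange side by side, as an added example that is neither Steve's startampr-bgp script nor Rob's gateway configuration: (a) flag traffic by destination against a list of BGP'd 44.x prefixes and MASQUERADE it out the public interface, and (b) a policy-routing table 44 with a default (or 44.0.0.0/8-only) route into the IPIP tunnel toward AMPRGW so the 44.x source address is kept. The interface names, fwmark and table numbers, ipset name and the AMPRGW address (a TEST-NET placeholder) are assumptions, and the prefix list is constructed; the real list would be downloaded and piped in. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the script linked in the post. DRY_RUN=1 (default) prints
# every command instead of executing it, so the policy can be reviewed first.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"        # assumed public-facing interface
TUN_IF="${TUN_IF:-tunl0}"       # assumed IPIP tunnel device
AMPRGW="${AMPRGW:-192.0.2.1}"   # placeholder for the AMPRGW tunnel endpoint
MARK=44                          # assumed fwmark used to flag BGP'd destinations
TABLE=44                         # assumed policy-routing table for 44.x sources
AMPR_NET="44.0.0.0/8"
SET_NAME="bgp44"                 # assumed ipset name

# Constructed sample of BGP-announced 44.x prefixes (the real list is downloaded).
SAMPLE_PREFIXES="44.137.0.0/16
44.10.0.0/16"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Approach (a): match on the destination, flag it, masquerade it.
# Prefixes are read from stdin, one per line.
bgp_masq_rules() {
    run ipset create "$SET_NAME" hash:net -exist
    while IFS= read -r prefix; do
        [ -n "$prefix" ] || continue
        run ipset add "$SET_NAME" "$prefix" -exist
    done
    # Flag 44.x-sourced traffic whose destination is a directly routed (BGP'd) prefix
    run iptables -t mangle -A PREROUTING -s "$AMPR_NET" \
        -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -s "$AMPR_NET" \
        -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$MARK"
    # Flagged traffic uses the main table (public path) before table 44 is consulted
    run ip rule add fwmark "$MARK" lookup main priority 100
    # ...and has its 44.x source rewritten to the public IP: the part Rob objects to
    run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$WAN_IF" -j MASQUERADE
}

# Approach (b): keep the original 44.x source and IPIP-encapsulate toward AMPRGW.
# A default route in table 44 needs no exception list, since AMPRGW reaches
# BGP'd subnets and the public internet alike; "ampr-only" routes just 44/8 that way.
ampr_tunnel_routes() {
    scope="${1:-default}"
    run ip rule add from "$AMPR_NET" lookup "$TABLE" priority 200
    if [ "$scope" = "ampr-only" ]; then
        run ip route replace "$AMPR_NET" via "$AMPRGW" dev "$TUN_IF" onlink table "$TABLE"
    else
        run ip route replace default via "$AMPRGW" dev "$TUN_IF" onlink table "$TABLE"
    fi
}

printf '%s\n' "$SAMPLE_PREFIXES" | bgp_masq_rules
ampr_tunnel_routes
```

The fwmark rule sits at a lower priority number than the `from 44.0.0.0/8` rule, which is what makes approach (a) work at all: a flagged packet is routed via the main table before table 44 gets a look. Nothing in either function addresses Rob's closing caveat about an IPIP endpoint that itself lives inside 44.0.0.0/8.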