Hey all,
I've been trying to configure a Mikrotik router to allow devices connectivity to the Amprnet and have been running into a bit of a snag. First off here's what my architecture looks like:
Internet------------->Edge Router------------>AMPR Mikrotik------------->Devices
I have a public IP on the edge router and a static /29 of public IPs between the Edge router and the AMPRNet router. I have confirmed I have external access to the AMPRNet router's public IP.
I followed the guide outlined by Marius here: http://www.yo2loj.ro/hamprojects/ampr-gw-README.txt and have the following WORKING as expected:
1) connectivity from the Internet to my router's 44 IP (44.135.193.129)
2) connectivity to/from the AMPRNet to my router's 44 IP
3) connectivity to/from the AMPRNet to devices behind my router (44.135.193.18)
What is not working is connectivity from the Internet to devices behind the router; i.e. I am unable to PING these devices from the Internet and am unable to access any Internet resources from these devices. If I add a layer of NAT at the AMPR router, the end devices CAN access the Internet, as the source IP is concealed and appears to UCSD to be that of the 44 IP of my router (44.135.193.129).
I have also tried to add an additional 44 IP to my ampr-gw IPIP interface (44.135.219.130/8) but am also unable to PING that IP from the Internet. When I look at a packet capture on the router I do not see any packets destined for this second IP making it to the router at all.
Is there something special that needs to be done in order to facilitate routing to more than one 44 IP via the UCSD tunnel?
Cheers,
Chris
On Tue, Oct 4, 2016 at 2:29 PM, Christopher S. Munz-Michielin christopher@ve7alb.ca wrote:
Is there something special that needs to be done in order to facilitate routing to more than one 44 IP via the UCSD tunnel?
Do each of the addresses you want to have access to the internet through amprgw have ampr.org DNS entries?
Tom
Thanks for the reply Tom, I got a similar email from Brian :)
I didn't actually think that any of them had ampr.org DNS entries, unless there's an old holdover address from whoever had the space before me.
I'll work with Brian to get some DNS records created.
Cheers! Chris
On Tue, Oct 4, 2016 at 3:05 PM, Christopher S. Munz-Michielin christopher@ve7alb.ca wrote:
Thanks for the reply Tom, I got a similar email from Brian :)
Odd, I didn't see his reply. Well, even if you were already helped, at least my reply will remain in the archives for anyone who has this question in the future.
Tom
make sure any internet bound traffic is NATted (masquerade it)
Leon WA4ZLW
On Tue, Oct 4, 2016 at 3:16 PM, Leon Zetekoff wa4zlw@backwoodswireless.net wrote:
make sure any internet bound traffic is NATted (masquerade it)
Why? What's the point of 44net if you NAT?
Tom
If you want to go to the Internet from 44net you need to NAT. You should also have a firewall to deal with those issues as well.
Also, you want to NAT if you go from a non-routable address to 44net.
leon
NAT is NOT needed to go from 44 addresses to the internet using 44-net addresses.
You need to create proper routes and rules to direct any traffic originating from a 44 address to any routable IPs (except those for which you have direct tunnels - which happens by default if the routes are in the same routing table) to be sent via the ampr-gw. And if you want incoming traffic initiated from public IPs as well, you need to add proper settings to forward it to the proper 44-net hosts and, VERY IMPORTANT, to ensure the replies go out the same way they got in (via ampr-gw).
But there is a discussion about whether this is really needed and whether there could be another solution which reduces the load on the ampr-gw.
If you access a public internet site, it actually does not matter too much if you access it using your public gateway address or your 44 address. Google and Youtube don't care about that. And the same goes for 99.99% of internet hosts.
So in my opinion the best approach would be to send only traffic with 44 origin and 44 destination not in other routes via ampr-gw, to preserve your original 44 IP. All the rest should be NAT-ed to your public gateway IP, not your gateway's 44 net, in order to circumvent the whole 44net completely. This will give you better speed, better response times and will ease the work of the ampr gateway.
So, to wrap up:
- to your routing table holding all tunnel routes, add a route like <your subnet> to 44.0.0.0/0 via ampr-gw
- to your routing table holding all tunnel routes, add a route like <your subnet> to 0.0.0.0/0 via your WAN (doing NAT)
To allow incoming connections (only if you really need to - you're exposing your hosts!!!):
- mark incoming new connections from ampr-gw with a connection mark
- mark connections originating from your local 44 hosts having the previous connection mark with a routing mark corresponding to a routing table having its default route via ampr-gw
Marius, YO2LOJ
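The routing, NAT and marking steps Marius summarises, written out as RouterOS v6 commands. This is an added illustration, not part of the thread or of the ampr-gw README; the interface names ampr-gw and ether1-wan, the 44.135.193.0/24 subnet, the address-list names and the assumption that the tunnel routes live in the main table are all mine.

```routeros
# Added example (not from the thread). Assumes RouterOS v6 syntax, that
# ampr-gw is the IPIP interface towards the UCSD gateway only, that
# ether1-wan faces the edge router, and that the tunnel routes live in
# the main table. 44.135.193.0/24 is an assumed subnet covering the
# hosts named in the thread; replace it with your own allocation.
/ip firewall address-list
add list=my44 address=44.135.193.0/24 comment="assumed: your 44 subnet"
add list=exposed-hosts address=44.135.193.18 comment="hosts reachable from the Internet"

# 1) 44-to-44 traffic with no more specific tunnel route goes via ampr-gw,
#    so the original 44 source address is preserved.
/ip route
add dst-address=44.0.0.0/8 gateway=ampr-gw comment="catch-all for 44net via UCSD"
# 2) A separate table whose only default route is ampr-gw; used for replies
#    to connections that came in through the UCSD gateway.
add dst-address=0.0.0.0/0 gateway=ampr-gw routing-mark=via-ampr

# 3) Everything else from 44 hosts is NATed to the WAN address and bypasses
#    ampr-gw entirely (Marius' recommendation for non-44 destinations).
/ip firewall nat
add chain=srcnat src-address-list=my44 dst-address=!44.0.0.0/8 \
    out-interface=ether1-wan action=masquerade

# 4) Inbound: tag new connections arriving from ampr-gw, then force the
#    replies from local 44 hosts back out through ampr-gw. Without this the
#    reply would follow the WAN default route, get masqueraded, and the
#    remote host would see an answer from the wrong address.
/ip firewall mangle
add chain=prerouting in-interface=ampr-gw connection-state=new \
    action=mark-connection new-connection-mark=from-ampr passthrough=yes
add chain=prerouting src-address-list=my44 connection-mark=from-ampr \
    action=mark-routing new-routing-mark=via-ampr passthrough=no

# 5) Only deliberately exposed hosts accept new connections arriving via
#    ampr-gw; every other new inbound connection on that interface is dropped.
/ip firewall filter
add chain=forward in-interface=ampr-gw connection-state=established,related \
    action=accept
add chain=forward in-interface=ampr-gw connection-state=new \
    dst-address-list=exposed-hosts action=accept
add chain=forward in-interface=ampr-gw connection-state=new action=drop
```

Check the result with a packet sniffer on ampr-gw: a reply to an Internet-initiated connection must leave on ampr-gw with the host's 44 address intact, while a connection the host opens to a non-44 site must leave on ether1-wan carrying the WAN address.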
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net