13 Feb
2024
13 Feb
'24
11:19 p.m.
I'm trying to configure a gateway with Debian and ampr-ripd never responds. I tried
several tutorials and it never works.
My network structure is as follows;
eth0 (192.168.0.10) --> (192.168.0.1) [router(mkrotik)] (192.168.70.100) -->
(192.168.70.1) [router (mikrotik)] --> ISP
(I know, it's a little strange but I need the 2 mikrotiks)
I have configured my external IP (it is in bridge mode) with a dyndns. For this test the
firewall is completely open.
First I create the tunnel:
ip tunnel add ampr0 mode ip local 192.168.0.10 ttl 64
ip link set dev ampr0 up
ip addr add 44.153.x.x/32 dev ampr0
ifconfig ampr0 multicast
Then I add the path:
ip rule add to 44.0.0.0/8 table 44 priority 44
Finally I launch ampr-ripd:
ampr-ripd -a 44.153.0.0/16 -i ampr0 -t 44 -d
This process never receives a response.
Is there some configuration missing or am I misunderstanding the process? Maybe the
mikrotiks are missing some configuration? (are the connections under NAT)?
14 Feb
14 Feb
7:32 a.m.
First please make sure you have IPIP protocol 4 (IPIP) forwarding in
both mikrotik routers:
First router (192.168.70.1):
ip firewall nat add action=dst-nat chain=dstnat in-interface=YourWanIf
protocol=ipencap to-addresses=192.168.70.100
Second router (192.168.70.100):
ip firewall nat add action=dst-nat chain=dstnat in-interface=YourLinkIf
protocol=ipencap to-addresses=192.168.0.10
Also, make sure that on both routers you have enabled forwarding of ipencap:
ip firewall filter add action=accept chain=forward comment="IP Encap"
protocol=ipencap
With these in place, you should see incoming traffic on your ampr0
interface, including RIP routing info.
Marius, YO2LOJ
On 14/02/2024 01:19, lu3vea--- via 44net wrote:
I'm trying to configure a gateway with Debian and
ampr-ripd never responds. I tried several tutorials and it never works.
My network structure is as follows;
eth0 (192.168.0.10) --> (192.168.0.1) [router(mkrotik)] (192.168.70.100) -->
(192.168.70.1) [router (mikrotik)] --> ISP
(I know, it's a little strange but I need the 2 mikrotiks)
I have configured my external IP (it is in bridge mode) with a dyndns. For this test the
firewall is completely open.
First I create the tunnel:
ip tunnel add ampr0 mode ip local 192.168.0.10 ttl 64
ip link set dev ampr0 up
ip addr add 44.153.x.x/32 dev ampr0
ifconfig ampr0 multicast
Then I add the path:
ip rule add to 44.0.0.0/8 table 44 priority 44
Finally I launch ampr-ripd:
ampr-ripd -a 44.153.0.0/16 -i ampr0 -t 44 -d
This process never receives a response.
Is there some configuration missing or am I misunderstanding the process? Maybe the
mikrotiks are missing some configuration? (are the connections under NAT)?
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
16 Feb
16 Feb
7:58 p.m.
I have tried it but I don't get a response either.
I see the outbound traffic in the interface but nothing comes back.
I also tried this script with the same results:
#!/bin/bash
#####
# Variables
#
my_ampr_network="44.153.0.0/16" # This is your CIDR AMPRNet Network
segment
my_ampr_tunnel_ip="44.153.160.32/32" # This is your Tunnel IP Address
ampr_ripd_password="thePassword" # Enter the RIPD AMPRNet password
external_interface="bridge0" # External interface address
internal_interface="bridge0:44" # Internal interface address
echo "#### VARIABLES ####"
echo "my_ampr_network= $my_ampr_network"
echo "my_ampr_tunnel_ip=$my_ampr_tunnel_ip"
echo "ampr_ripd_password=$ampr_ripd_password"
echo "external_interface=$external_interface"
echo "internal_interface=$internal_interface"
###################################################################
echo "## PART I -- Enable IPIP Tunnel, Forwarding and Routing ##"
###################################################################
echo "# Internal interface"
ifconfig $internal_interface $my_ampr_network up
wireshark -i $internal_interface &
echo "# Enable IP Forwarding"
sysctl -w net.ipv4.ip_forward=1
echo "# Enable IPIP tunnel and interface"
modprobe ipip
ip addr add $my_ampr_tunnel_ip dev tunl0
echo "# Set some tunnel interface options"
# * Give the tunnel its own TTL of 64 hops enabling traceroute over the tunnel
# * Bring up the interface
# * Set the tunnel MTU
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
ifconfig tunl0 mtu 1480
echo "# Set AMPRNet routing table rules"
# * Any packets from any AMPRNet space use routing table 44
# * Any packets from my AMPRNet space use routing table 44
ip rule add to 44.0.0.0/9 table 44 priority 44
ip rule add to 44.128.0.0/10 table 44 priority 44
ip rule add from $my_ampr_network table 44 priority 45
echo "# Set AMPRNet routes"
# * Default route out of AMPRNet is 169.228.34.84 (The Central AMPR Gateway)
# * Set local route for AMPRNet on local AMPRNet interface
ip route add default dev tunl0 via 169.228.34.84 onlink table 44
ip route add $my_ampr_network dev $internal_interface table 44
echo "# Rest of the routes are added dynamically by the AMPR-RIPD routing
Daemon."
echo "----------- START ampr-ripd -----------"
/usr/sbin/ampr-ripd -s -r -t 44 -i tunl0 -a $my_ampr_network -p $ampr_ripd_password -d
&
###############################################################
echo "## PART II -- Enable Firewall and configure ruleset ##"
###############################################################
echo "# Start Fresh - Flush all rules"
iptables -F
iptables -X
echo "# Setting default filter policy"
iptables -P INPUT DROP # By default drop all incoming connections
iptables -P FORWARD DROP # by default drop all forwarding connections
iptables -P OUTPUT ACCEPT # By default allow outgoing connections
echo "# This prevents nested ipencap (if its coming from the tunnel, dont allow
protocol 4)"
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
####################################################################
echo "## Rules for traffic leaving this gateway node, AKA OUTPUT chain. ##"
## That is, any traffic leaving from any local IP ##
####################################################################
echo "# Drops destination unreachable replies to various probe responses"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
echo "# Allow rest outgoing traffic from this gw"
iptables -A OUTPUT -j ACCEPT
###################################################################
echo "## Rules for traffic leaving this gateway node, AKA INPUT chain. ##"
## That is, any traffic destined to any local IP ##
###################################################################
echo "# Allow tunnel traffic (ip proto 4) on external interface"
iptables -p 4 -A INPUT -i $external_interface -j ACCEPT
echo "# Allow unlimited traffic on loopback and local eth 44 Net adapters"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $internal_interface -j ACCEPT
echo "# Allow established sessions to receive traffic back"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
echo "# Allow incoming ssh/icmp/ampr-ripd"
iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j
ACCEPT
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
echo "# drop the rest"
iptables -A INPUT -j DROP
#####################################################################
echo "## Forwarding for traffic passing though this gateway ##"
## That is, any traffic going to or from the local AmprNet segment ##
#####################################################################
echo "# This prevents a general loop - If the traffic comes in the tunnel, dont send
it back out the same way"
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
echo "# Drop any traffic leaving via the tunnel that is not from the local
AmprNet"
iptables -I FORWARD ! -s $my_ampr_network -o tunl0 -j DROP
echo "# Allow established sessions to receive traffic"
iptables -A FORWARD -m conntrack -d $my_ampr_network --ctstate ESTABLISHED,RELATED -j
ACCEPT
echo "# Allow ssh/icmp connections to my AmprNet"
iptables -A FORWARD -p tcp --sport 1024:65535 -d $my_ampr_network --dport 22 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -d $my_ampr_network -m state --state NEW,ESTABLISHED -j
ACCEPT
echo "#Drop unwanted traffic from leaking out-or coming in (smb discovery,
etc)"
iptables -A FORWARD -p udp --dport 10001 -j DROP
iptables -A FORWARD -p udp --dport 137:139 -j DROP
iptables -A FORWARD -p udp --dport 5678 -j DROP
echo "# Drops destination unreachable replies to various probe responses"
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP
echo "# Finally, allow outgoing connections from the local AmprNet"
iptables -A FORWARD -s $my_ampr_network -j ACCEPT
echo "# Anything else, drop it"
iptables -A FORWARD -j DROP
8:40 p.m.
You have the whole /16 all to yourself? Most likely something much smaller.
You also do not have to add /32 to the single address.
On 2/16/2024 2:58 PM, lu3vea--- via 44net wrote:
my_ampr_network="44.153.0.0/16" # This
is your CIDR AMPRNet Network segment
my_ampr_tunnel_ip="44.153.160.32/32" # This is your Tunnel IP Address
--
Charles J. Hargrove - N2NOV
NYC-ARECS/RACES Citywide Radio Officer/Skywarn Coord.
44net Coordinator - Northeast USA
NY-NBEMS Net Saturdays @ 10AM & USeast-NBEMS Net Wednesdays @ 7PM
on 7.036 Mhz USB (alt 3.536)/1500 hz waterfall spot; MFSK-16 or 32
"Information is the oxygen of the modern age. It seeps through the walls
topped
by barbed wire, it wafts across the electrified borders." - Ronald Reagan
"The more corrupt the state, the more it legislates." - Tacitus
"Molann an obair an fear" - Irish Saying
(The work praises the man.)
"No matter how big and powerful government gets, and the many services it
provides, it can never take the place of volunteers." - Ronald Reagan
8:40 p.m.
I think even before getting into that tunnel configuration I'd be curious about
whether or not those RIP packets are making it to your endpoint after making the changes
suggested by Marius; try this command:
tcpdump -i any -vvv host amprgw.ucsd.edu
If your firewall/routers are configured correctly, you should see those packets even
before you start configuring your tunnel.
I also took a look in the portal & noticed that your gateway doesn't appear to
have any subnets associated with it. I'm not sure if that impacts whether or not the
gateway will send RIP packets to the public IP of your gateway, but it'll definitely
put a crimp in your connectivity once you get ripd running.
Best,
-Steve
kc8qba
9:40 p.m.
You don’t have any IP addresses assigned so you need to get that fixed first.
Once you have a suitable block you need to add them to your gateway on the portal.
Then you can put your own, assigned block, into the script rather than just picking any
block.
73,
Chris - G1FEF
—
ARDC Administrator
Web: https://www.ardc.net
On 16 Feb 2024, at 19:58, lu3vea--- via 44net
<44net(a)mailman.ampr.org> wrote:
I have tried it but I don't get a response either.
I see the outbound traffic in the interface but nothing comes back.
I also tried this script with the same results:
#!/bin/bash
#####
# Variables
#
my_ampr_network="44.153.0.0/16" # This is your CIDR AMPRNet Network
segment
my_ampr_tunnel_ip="44.153.160.32/32" # This is your Tunnel IP Address
ampr_ripd_password="thePassword" # Enter the RIPD AMPRNet password
external_interface="bridge0" # External interface address
internal_interface="bridge0:44" # Internal interface address
echo "#### VARIABLES ####"
echo "my_ampr_network= $my_ampr_network"
echo "my_ampr_tunnel_ip=$my_ampr_tunnel_ip"
echo "ampr_ripd_password=$ampr_ripd_password"
echo "external_interface=$external_interface"
echo "internal_interface=$internal_interface"
###################################################################
echo "## PART I -- Enable IPIP Tunnel, Forwarding and Routing ##"
###################################################################
echo "# Internal interface"
ifconfig $internal_interface $my_ampr_network up
wireshark -i $internal_interface &
echo "# Enable IP Forwarding"
sysctl -w net.ipv4.ip_forward=1
echo "# Enable IPIP tunnel and interface"
modprobe ipip
ip addr add $my_ampr_tunnel_ip dev tunl0
echo "# Set some tunnel interface options"
# * Give the tunnel its own TTL of 64 hops enabling traceroute over the tunnel
# * Bring up the interface
# * Set the tunnel MTU
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
ifconfig tunl0 mtu 1480
echo "# Set AMPRNet routing table rules"
# * Any packets from any AMPRNet space use routing table 44
# * Any packets from my AMPRNet space use routing table 44
ip rule add to 44.0.0.0/9 table 44 priority 44
ip rule add to 44.128.0.0/10 table 44 priority 44
ip rule add from $my_ampr_network table 44 priority 45
echo "# Set AMPRNet routes"
# * Default route out of AMPRNet is 169.228.34.84 (The Central AMPR Gateway)
# * Set local route for AMPRNet on local AMPRNet interface
ip route add default dev tunl0 via 169.228.34.84 onlink table 44
ip route add $my_ampr_network dev $internal_interface table 44
echo "# Rest of the routes are added dynamically by the AMPR-RIPD routing
Daemon."
echo "----------- START ampr-ripd -----------"
/usr/sbin/ampr-ripd -s -r -t 44 -i tunl0 -a $my_ampr_network -p $ampr_ripd_password -d
&
###############################################################
echo "## PART II -- Enable Firewall and configure ruleset ##"
###############################################################
echo "# Start Fresh - Flush all rules"
iptables -F
iptables -X
echo "# Setting default filter policy"
iptables -P INPUT DROP # By default drop all incoming connections
iptables -P FORWARD DROP # by default drop all forwarding connections
iptables -P OUTPUT ACCEPT # By default allow outgoing connections
echo "# This prevents nested ipencap (if its coming from the tunnel, dont allow
protocol 4)"
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
####################################################################
echo "## Rules for traffic leaving this gateway node, AKA OUTPUT chain. ##"
## That is, any traffic leaving from any local IP ##
####################################################################
echo "# Drops destination unreachable replies to various probe responses"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
echo "# Allow rest outgoing traffic from this gw"
iptables -A OUTPUT -j ACCEPT
###################################################################
echo "## Rules for traffic leaving this gateway node, AKA INPUT chain. ##"
## That is, any traffic destined to any local IP ##
###################################################################
echo "# Allow tunnel traffic (ip proto 4) on external interface"
iptables -p 4 -A INPUT -i $external_interface -j ACCEPT
echo "# Allow unlimited traffic on loopback and local eth 44 Net adapters"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $internal_interface -j ACCEPT
echo "# Allow established sessions to receive traffic back"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
echo "# Allow incoming ssh/icmp/ampr-ripd"
iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
echo "# drop the rest"
iptables -A INPUT -j DROP
#####################################################################
echo "## Forwarding for traffic passing though this gateway ##"
## That is, any traffic going to or from the local AmprNet segment ##
#####################################################################
echo "# This prevents a general loop - If the traffic comes in the tunnel, dont send
it back out the same way"
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
echo "# Drop any traffic leaving via the tunnel that is not from the local
AmprNet"
iptables -I FORWARD ! -s $my_ampr_network -o tunl0 -j DROP
echo "# Allow established sessions to receive traffic"
iptables -A FORWARD -m conntrack -d $my_ampr_network --ctstate ESTABLISHED,RELATED -j
ACCEPT
echo "# Allow ssh/icmp connections to my AmprNet"
iptables -A FORWARD -p tcp --sport 1024:65535 -d $my_ampr_network --dport 22 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -d $my_ampr_network -m state --state NEW,ESTABLISHED -j
ACCEPT
echo "#Drop unwanted traffic from leaking out-or coming in (smb discovery,
etc)"
iptables -A FORWARD -p udp --dport 10001 -j DROP
iptables -A FORWARD -p udp --dport 137:139 -j DROP
iptables -A FORWARD -p udp --dport 5678 -j DROP
echo "# Drops destination unreachable replies to various probe responses"
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP
echo "# Finally, allow outgoing connections from the local AmprNet"
iptables -A FORWARD -s $my_ampr_network -j ACCEPT
echo "# Anything else, drop it"
iptables -A FORWARD -j DROP
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
10:27 p.m.
I have an assigned IP:
nslookup lu3vea.ampr.org
Non-authoritative answer:
Name: lu3vea.ampr.org
Address: 44.153.160.32
10:33 p.m.
On 16 Feb 2024, at 22:27, lu3vea--- via 44net
<44net(a)mailman.ampr.org> wrote:
I have an assigned IP:
nslookup lu3vea.ampr.org
You may have a DNS entry, there are a lot of old DNS entries that need clearing out, but
you do not have any authorised IP addresses from ARDC.
If you want to email me off-list I can help you re-establish an assignment.
73,
Chris - G1FEF
Non-authoritative answer:
Name: lu3vea.ampr.org
Address: 44.153.160.32
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
82
days inactive
85
days old
7 comments
5 participants
participants (5)
-
Charles Hargrove -
Chris -
kc8qba@wildtky.com -
lu3vea@gmail.com -
Marius Petrescu