I'm trying to configure a gateway with Debian and ampr-ripd never responds. I tried several tutorials and it never works.
My network structure is as follows: eth0 (192.168.0.10) --> (192.168.0.1) [router (mikrotik)] (192.168.70.100) --> (192.168.70.1) [router (mikrotik)] --> ISP (I know, it's a little strange, but I need the 2 mikrotiks).
I have configured my external IP (it is in bridge mode) with a dyndns. For this test the firewall is completely open.
First I create the tunnel:
ip tunnel add ampr0 mode ipip local 192.168.0.10 ttl 64
ip link set dev ampr0 up
ip addr add 44.153.x.x/32 dev ampr0
ifconfig ampr0 multicast
Then I add the path:
ip rule add to 44.0.0.0/8 table 44 priority 44
Finally I launch ampr-ripd:
ampr-ripd -a 44.153.0.0/16 -i ampr0 -t 44 -d
This process never receives a response.
Is there some configuration missing or am I misunderstanding the process? Maybe the mikrotiks are missing some configuration? (are the connections under NAT)?
First please make sure you have IPIP protocol 4 (IPIP) forwarding in both mikrotik routers:
First router (192.168.70.1):
ip firewall nat add action=dst-nat chain=dstnat in-interface=YourWanIf protocol=ipencap to-addresses=192.168.70.100
Second router (192.168.70.100):
ip firewall nat add action=dst-nat chain=dstnat in-interface=YourLinkIf protocol=ipencap to-addresses=192.168.0.10
Also, make sure that on both routers you have enabled forwarding of ipencap:
ip firewall filter add action=accept chain=forward comment="IP Encap" protocol=ipencap
With these in place, you should see incoming traffic on your ampr0 interface, including RIP routing info.
Marius, YO2LOJ
On 14/02/2024 01:19, lu3vea--- via 44net wrote:
_______________________________________________
44net mailing list -- 44net@mailman.ampr.org
To unsubscribe send an email to 44net-leave@mailman.ampr.org
I have tried it but I don't get a response either. I see the outbound traffic in the interface but nothing comes back.
I also tried this script with the same results:
#!/bin/bash
#####
# Variables
#
my_ampr_network="44.153.0.0/16"      # This is your CIDR AMPRNet Network segment
my_ampr_tunnel_ip="44.153.160.32/32" # This is your Tunnel IP Address
ampr_ripd_password="thePassword"     # Enter the RIPD AMPRNet password
external_interface="bridge0"         # External interface address
internal_interface="bridge0:44"      # Internal interface address

echo "#### VARIABLES ####"
echo "my_ampr_network=$my_ampr_network"
echo "my_ampr_tunnel_ip=$my_ampr_tunnel_ip"
echo "ampr_ripd_password=$ampr_ripd_password"
echo "external_interface=$external_interface"
echo "internal_interface=$internal_interface"

###################################################################
echo "## PART I -- Enable IPIP Tunnel, Forwarding and Routing ##"
###################################################################
echo "# Internal interface"
ifconfig $internal_interface $my_ampr_network up
wireshark -i $internal_interface &

echo "# Enable IP Forwarding"
sysctl -w net.ipv4.ip_forward=1

echo "# Enable IPIP tunnel and interface"
modprobe ipip
ip addr add $my_ampr_tunnel_ip dev tunl0

echo "# Set some tunnel interface options"
# * Give the tunnel its own TTL of 64 hops enabling traceroute over the tunnel
# * Bring up the interface
# * Set the tunnel MTU
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
ifconfig tunl0 mtu 1480

echo "# Set AMPRNet routing table rules"
# * Any packets to any AMPRNet space use routing table 44
# * Any packets from my AMPRNet space use routing table 44
ip rule add to 44.0.0.0/9 table 44 priority 44
ip rule add to 44.128.0.0/10 table 44 priority 44
ip rule add from $my_ampr_network table 44 priority 45

echo "# Set AMPRNet routes"
# * Default route out of AMPRNet is 169.228.34.84 (The Central AMPR Gateway)
# * Set local route for AMPRNet on local AMPRNet interface
ip route add default dev tunl0 via 169.228.34.84 onlink table 44
ip route add $my_ampr_network dev $internal_interface table 44

echo "# Rest of the routes are added dynamically by the AMPR-RIPD routing Daemon."
echo "----------- START ampr-ripd -----------"
/usr/sbin/ampr-ripd -s -r -t 44 -i tunl0 -a $my_ampr_network -p $ampr_ripd_password -d &

###############################################################
echo "## PART II -- Enable Firewall and configure ruleset ##"
###############################################################

echo "# Start Fresh - Flush all rules"
iptables -F
iptables -X

echo "# Setting default filter policy"
iptables -P INPUT DROP     # By default drop all incoming connections
iptables -P FORWARD DROP   # By default drop all forwarding connections
iptables -P OUTPUT ACCEPT  # By default allow outgoing connections

echo "# This prevents nested ipencap (if it's coming from the tunnel, don't allow protocol 4)"
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP

####################################################################
echo "## Rules for traffic leaving this gateway node, AKA OUTPUT chain. ##"
## That is, any traffic leaving from any local IP ##
####################################################################
echo "# Drops destination unreachable replies to various probe responses"
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

echo "# Allow rest outgoing traffic from this gw"
iptables -A OUTPUT -j ACCEPT

###################################################################
echo "## Rules for traffic arriving at this gateway node, AKA INPUT chain. ##"
## That is, any traffic destined to any local IP ##
###################################################################

echo "# Allow tunnel traffic (ip proto 4) on external interface"
iptables -A INPUT -p 4 -i $external_interface -j ACCEPT

echo "# Allow unlimited traffic on loopback and local eth 44 Net adapters"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $internal_interface -j ACCEPT

echo "# Allow established sessions to receive traffic back"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "# Allow incoming ssh/icmp/ampr-ripd"
iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT

echo "# drop the rest"
iptables -A INPUT -j DROP

#####################################################################
echo "## Forwarding for traffic passing through this gateway ##"
## That is, any traffic going to or from the local AmprNet segment ##
#####################################################################
echo "# This prevents a general loop - If the traffic comes in the tunnel, don't send it back out the same way"
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP

echo "# Drop any traffic leaving via the tunnel that is not from the local AmprNet"
iptables -I FORWARD ! -s $my_ampr_network -o tunl0 -j DROP

echo "# Allow established sessions to receive traffic"
iptables -A FORWARD -m conntrack -d $my_ampr_network --ctstate ESTABLISHED,RELATED -j ACCEPT

echo "# Allow ssh/icmp connections to my AmprNet"
iptables -A FORWARD -p tcp --sport 1024:65535 -d $my_ampr_network --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -d $my_ampr_network -m state --state NEW,ESTABLISHED -j ACCEPT

echo "# Drop unwanted traffic from leaking out or coming in (smb discovery, etc)"
iptables -A FORWARD -p udp --dport 10001 -j DROP
iptables -A FORWARD -p udp --dport 137:139 -j DROP
iptables -A FORWARD -p udp --dport 5678 -j DROP

echo "# Drops destination unreachable replies to various probe responses"
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP

echo "# Finally, allow outgoing connections from the local AmprNet"
iptables -A FORWARD -s $my_ampr_network -j ACCEPT

echo "# Anything else, drop it"
iptables -A FORWARD -j DROP
You have the whole /16 all to yourself? Most likely something much smaller. You also do not have to add /32 to the single address.
On 2/16/2024 2:58 PM, lu3vea--- via 44net wrote:
my_ampr_network="44.153.0.0/16"      # This is your CIDR AMPRNet Network segment
my_ampr_tunnel_ip="44.153.160.32/32" # This is your Tunnel IP Address
I think even before getting into that tunnel configuration I'd be curious about whether or not those RIP packets are making it to your endpoint after making the changes suggested by Marius; try this command:
tcpdump -i any -vvv host amprgw.ucsd.edu
If your firewall/routers are configured correctly, you should see those packets even before you start configuring your tunnel.
I also took a look in the portal & noticed that your gateway doesn't appear to have any subnets associated with it. I'm not sure if that impacts whether or not the gateway will send RIP packets to the public IP of your gateway, but it'll definitely put a crimp in your connectivity once you get ripd running.
Best, -Steve kc8qba
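Putting Marius's point (the routers must pass IP protocol 4) together with Steve's tcpdump check, here is an added example that is not from this thread, from ampr-ripd or from amprgw: a small Python decoder that unwraps a captured packet layer by layer (outer IPv4 with protocol 4, inner IPv4, UDP/520, RIPv2 with the RFC 2082 simple-password entry) and reports the first layer that is not what ampr-ripd needs, which is the question to answer when the daemon stays silent. The packet it decodes is constructed inside the script: the outer addresses are documentation-range placeholders, the inner source 44.0.0.1 is assumed, 224.0.0.9 is the RIPv2 multicast group from RFC 2453, and the route list and password are made up. Run it as `python3 rip44_decode.py`; to use it on a real capture, feed `decode_ipip_rip()` the raw IPv4 bytes of one packet.

```python
"""Decode an IPIP-wrapped RIPv2 response of the kind ampr-ripd listens for.

Added example for the 44net thread; not code from ampr-ripd or amprgw.
The sample packet is constructed below with placeholder addresses.
"""
import hmac
import ipaddress
import struct
from collections import namedtuple

IPPROTO_IPIP, IPPROTO_UDP, RIP_PORT = 4, 17, 520   # proto 4 is what the MikroTik rules must pass
RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH, AFI_INET, AUTH_SIMPLE = 0xFFFF, 2, 2      # RFC 2453 / RFC 2082 values

IPv4 = namedtuple("IPv4", "src dst proto ttl payload")
Route = namedtuple("Route", "prefix next_hop metric tag")

# Constructed sample data: documentation-range next hops, not real AMPR gateways.
SAMPLE_ROUTES = [("44.131.0.0/16", "192.0.2.10", 1), ("44.135.5.0/24", "192.0.2.20", 1)]


def parse_ipv4(data):
    """Parse one IPv4 header; return addresses, protocol, TTL and the payload it carries."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ihl < 20 or total_len > len(data) or ihl > total_len:
        raise ValueError("truncated IPv4 packet")
    src, dst = ipaddress.IPv4Address(data[12:16]), ipaddress.IPv4Address(data[16:20])
    return IPv4(str(src), str(dst), data[9], data[8], data[ihl:total_len])


def decode_ipip_rip(packet, expected_password=None):
    """Unwrap outer IPv4 (proto 4) -> inner IPv4 -> UDP/520 -> RIPv2 and return the routes.

    Every check raises ValueError naming the layer that is wrong, which is the same
    question a tcpdump on the outside interface answers one layer at a time.
    """
    outer = parse_ipv4(packet)
    if outer.proto != IPPROTO_IPIP:
        raise ValueError(f"outer IP protocol is {outer.proto}, expected 4 (IPIP)")
    inner = parse_ipv4(outer.payload)
    if inner.proto != IPPROTO_UDP:
        raise ValueError(f"inner IP protocol is {inner.proto}, expected 17 (UDP)")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", inner.payload[:8])
    if dport != RIP_PORT:
        raise ValueError(f"UDP destination port is {dport}, expected 520 (RIP)")
    rip = inner.payload[8:ulen]
    cmd, ver, _zero = struct.unpack("!BBH", rip[:4])
    if (cmd, ver) != (RIP_RESPONSE, RIP_V2):
        raise ValueError(f"RIP command {cmd} version {ver}, expected a RIPv2 response")
    routes, authenticated = [], False
    for off in range(4, len(rip), 20):              # every RIPv2 entry is 20 bytes
        if len(rip) - off < 20:
            raise ValueError("truncated RIP entry")
        afi = struct.unpack("!H", rip[off:off + 2])[0]
        if afi == AFI_AUTH:                          # RFC 2082 simple-password entry
            atype, pw = struct.unpack("!H16s", rip[off + 2:off + 20])
            if atype != AUTH_SIMPLE:
                raise ValueError(f"authentication type {atype}, expected 2 (simple password)")
            if expected_password is not None and not hmac.compare_digest(
                    pw.rstrip(b"\0"), expected_password.encode()):
                raise ValueError("RIP password differs from the one given to ampr-ripd -p")
            authenticated = True
        elif afi == AFI_INET:
            tag, addr, mask, nh, metric = struct.unpack("!H4s4s4sI", rip[off + 2:off + 20])
            plen = bin(int.from_bytes(mask, "big")).count("1")
            prefix = ipaddress.IPv4Network((addr, plen))
            routes.append(Route(str(prefix), str(ipaddress.IPv4Address(nh)), metric, tag))
        else:
            raise ValueError(f"unknown address family {afi}")
    if expected_password is not None and not authenticated:
        raise ValueError("no authentication entry although ampr-ripd was given a password")
    return routes


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (checksum left zero; this feeds a parser, not a NIC)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_sample_packet(password, routes, outer_src="203.0.113.1", outer_dst="198.51.100.7"):
    """Construct an IPIP-wrapped RIPv2 response. Inner source 44.0.0.1 is assumed;
    224.0.0.9 is the RIPv2 multicast group (RFC 2453); the rest are placeholders."""
    body = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\0"))
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        body += struct.pack("!HH4s4s4sI", AFI_INET, 0, net.network_address.packed,
                            net.netmask.packed, ipaddress.IPv4Address(next_hop).packed, metric)
    rip = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0) + body
    udp = struct.pack("!HHHH", RIP_PORT, RIP_PORT, 8 + len(rip), 0) + rip
    inner = ipv4_header("44.0.0.1", "224.0.0.9", IPPROTO_UDP, len(udp)) + udp
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def diagnose(packet, expected_password=None):
    """Return ("ok", routes) or ("error", reason) so a capture can be checked in a loop."""
    try:
        return "ok", decode_ipip_rip(packet, expected_password)
    except ValueError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    sample = build_sample_packet("thePassword", SAMPLE_ROUTES)
    status, result = diagnose(sample, "thePassword")
    print(status)
    for r in result:
        print(f"  {r.prefix:<18} via {r.next_hop:<15} metric {r.metric}")
    # A plain UDP datagram without the IPIP wrapper fails at the outer layer: that
    # protocol-4 check is exactly what the ipencap dst-nat/forward rules must satisfy.
    print(diagnose(parse_ipv4(sample).payload, "thePassword"))
```

Note that the RFC 2082 simple password travels in cleartext inside the tunnel, so it only tells ampr-ripd which announcements to accept; it is not a secret that protects anything, which is also why the decoder treats a mismatch as a configuration error rather than an attack.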
You don’t have any IP addresses assigned so you need to get that fixed first.
Once you have a suitable block you need to add them to your gateway on the portal.
Then you can put your own, assigned block, into the script rather than just picking any block.
73, Chris - G1FEF — ARDC Administrator
Web: https://www.ardc.net
On 16 Feb 2024, at 19:58, lu3vea--- via 44net 44net@mailman.ampr.org wrote:
I have an assigned IP:
nslookup lu3vea.ampr.org
Non-authoritative answer:
Name: lu3vea.ampr.org
Address: 44.153.160.32
On 16 Feb 2024, at 22:27, lu3vea--- via 44net 44net@mailman.ampr.org wrote:
I have an assigned IP:
nslookup lu3vea.ampr.org
You may have a DNS entry, there are a lot of old DNS entries that need clearing out, but you do not have any authorised IP addresses from ARDC.
If you want to email me off-list I can help you re-establish an assignment.
73, Chris - G1FEF