5 Mar
2019
5 Mar
'19
7:25 p.m.
The forwarded packets
that were supposed to go to my 'inner' server were also routed back to
the AMPR GW, which of course did not know anything about my local
addresses (192.168...).
However, after adding this line:
ip route add 192.168.19.0/24 dev enp0s6 table 44
everything felt in place and I'm now a happy man.
Unfortunately this is a detail that is soooooo easy to oversee that it frequently
happens.
But of course it is always educational to encounter this and fix it yourself!
E.g. I recently helped someone with a MikroTik router to setup this kind of policy
routing
and on that router the direct routes to attached interfaces also only appear in the main
routing table and not in those additional ones. There really should be an option to do
that
automatically, but until then indeed you have to add them manually.
The kernel would lookup the route in the main table when it cannot find a route in the
additional table, but of course that only works when there is no default route there.
And autorouting protocols like BGP won't distribute the route when it is in the wrong
table.
Rob
6 Mar
6 Mar
6:47 p.m.
New subject: Port-forwarding of 44-addresses
I think there is a solution for this to do it automatically. Let's
consider this startup script (tun44 is our tunnel):
#!/bin/sh
MY_IP=`ip addr list dev tun44 | grep inet | awk '{print $2}'`
MY_LOCAL = "44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro"
# AMPR routes go to table 44
ip rule add from $MY_IP table 44
ip rule add to 44.0.0.0/8 table 44
# default AMPR reply route is in table 45
ip route add default via 169.228.34.84 dev tun44 table 45 onlink
# marke incoming and route replies via table 45
ip rule add fwmark 45 table 45
iptables -t mangle -A PREROUTING -i tun44 ! -s 44.0.0.0/8 -j CONNMARK
--set-mark 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j
CONNMARK --restore-mark
# start ampr-ripd
ampr-ripd -s -t 44 -i tun44 -m 90 -a
44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro
Here we use 2 tables, table 44 holds all ampr routes, table 45 only the
default gateway route for ampr.
- regular outgoing ampr connections go via 44
- regular ampr replies go via 44 because of "ip rule add to 44.0.0.0/8
table 44"
- incoming internet requests on the tunnel get connection marked,
replies with that connection mark get route mark 45, go to table 45
where they will be sent back via the ampr-gw
- because there is no default route in 44, if a connection is not found
for a specific route in that table, there will be a jump into the main
table where the local ones will be resolved as regular routes
The only adaptation needed to be done is the -a parameter to ignore the
local networks IF the router is behind NAT (otherwise it will do it
automatically)
BGP routed 44net traffic goes normally via the public IP (should be
NATed by the regular masquerade rule).
If you want it via ampr-gw just add a route into the main table:
ip route add 44.0.0.0/8 via via 169.228.34.84 dev tun44 onlink
I will put this into the EdgeRouter script as the default startup script.
Marius, YO2LOJ
On 05.03.2019 21:25, Rob Janssen wrote:
Unfortunately this is a detail that is soooooo easy to oversee that it
frequently happens.
But of course it is always educational to encounter this and fix it
yourself!
E.g. I recently helped someone with a MikroTik router to setup this
kind of policy routing
and on that router the direct routes to attached interfaces also only
appear in the main
routing table and not in those additional ones. There really should
be an option to do that
automatically, but until then indeed you have to add them manually.
The kernel would lookup the route in the main table when it cannot
find a route in the
additional table, but of course that only works when there is no
default route there.
And autorouting protocols like BGP won't distribute the route when it
is in the wrong table.
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
6:49 p.m.
New subject: Port-forwarding of 44-addresses
Please delete the MY_LOCAL line if you whish since it is not used, but
you can use it in the ampr-ripd startup line as "-a $MY_LOCAL"...
On 06.03.2019 20:47, Marius Petrescu wrote:
I think there is a solution for this to do it
automatically. Let's
consider this startup script (tun44 is our tunnel):
#!/bin/sh
MY_IP=`ip addr list dev tun44 | grep inet | awk '{print $2}'`
MY_LOCAL = "44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro"
# AMPR routes go to table 44
ip rule add from $MY_IP table 44
ip rule add to 44.0.0.0/8 table 44
# default AMPR reply route is in table 45
ip route add default via 169.228.34.84 dev tun44 table 45 onlink
# marke incoming and route replies via table 45
ip rule add fwmark 45 table 45
iptables -t mangle -A PREROUTING -i tun44 ! -s 44.0.0.0/8 -j CONNMARK
--set-mark 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j
CONNMARK --restore-mark
# start ampr-ripd
ampr-ripd -s -t 44 -i tun44 -m 90 -a
44.182.20.0/24,44.182.21.0/24,44.182.61.0/24,yo2loj.go.ro
Here we use 2 tables, table 44 holds all ampr routes, table 45 only
the default gateway route for ampr.
- regular outgoing ampr connections go via 44
- regular ampr replies go via 44 because of "ip rule add to
44.0.0.0/8 table 44"
- incoming internet requests on the tunnel get connection marked,
replies with that connection mark get route mark 45, go to table 45
where they will be sent back via the ampr-gw
- because there is no default route in 44, if a connection is not
found for a specific route in that table, there will be a jump into
the main table where the local ones will be resolved as regular routes
The only adaptation needed to be done is the -a parameter to ignore
the local networks IF the router is behind NAT (otherwise it will do
it automatically)
BGP routed 44net traffic goes normally via the public IP (should be
NATed by the regular masquerade rule).
If you want it via ampr-gw just add a route into the main table:
ip route add 44.0.0.0/8 via via 169.228.34.84 dev tun44 onlink
I will put this into the EdgeRouter script as the default startup script.
Marius, YO2LOJ
On 05.03.2019 21:25, Rob Janssen wrote:
Unfortunately this is a detail that is soooooo easy to oversee that
it frequently happens.
But of course it is always educational to encounter this and fix it
yourself!
E.g. I recently helped someone with a MikroTik router to setup this
kind of policy routing
and on that router the direct routes to attached interfaces also only
appear in the main
routing table and not in those additional ones. There really should
be an option to do that
automatically, but until then indeed you have to add them manually.
The kernel would lookup the route in the main table when it cannot
find a route in the
additional table, but of course that only works when there is no
default route there.
And autorouting protocols like BGP won't distribute the route when it
is in the wrong table.
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
1894
days inactive
1895
days old
2 comments
2 participants
participants (2)
-
Marius Petrescu -
Rob Janssen