17 Jan
2017
17 Jan
'17
3:55 p.m.
Hi,
I received a 44 net allocation and am successfully advertising it to the internet via my
ISP.
I have been reading on the AMPRNet Wiki about IPIP tunnelling and Startampr. Are there
best practices or anything else I need to be aware of before venturing into building the
gateway?
On a related note, I have been using OpenVPN to provide publicly routable /32 IP addresses
to individual Windows PC. I don’t see support for IPIP on Windows, are there any other
tunnelling methods worth looking at, for Windows7 specifically, or is OpenVPN my best
bet?
Thanks,
Adi
VA3ADI
18 Jan
18 Jan
1:53 a.m.
You could look into some other tunneling protocols such as GRE or
VXLAN for internal subnet allocations.
Or, depending on how fancy you really want to get and the architecture
of your environment (I.e. All clients are "local" and not going
through some other network), you could run an IGP such as iBGP or OSPF
if you don't have to worry about tunneling for all hosts.
Andrew
Kc2LTO
On Jan 17, 2017, at 2:57 PM, Adi Linden via 44Net
<44net(a)hamradio.ucsd.edu> wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Hi,
I received a 44 net allocation and am successfully advertising it to the internet via my
ISP.
I have been reading on the AMPRNet Wiki about IPIP tunnelling and Startampr. Are there
best practices or anything else I need to be aware of before venturing into building the
gateway?
On a related note, I have been using OpenVPN to provide publicly routable /32 IP
addresses to individual Windows PC. I don’t see support for IPIP on Windows, are there
any other tunnelling methods worth looking at, for Windows7 specifically, or is OpenVPN my
best bet?
Thanks,
Adi
VA3ADI
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
21 Jan
21 Jan
8:52 a.m.
I have two Windows hosts that will be roaming onto other networks. I have been using a
/32 tunnelled address and OpenVPN. Looks like OpenVPN is the easiest to reply on the
client (Windows) side.
The idea is to use interior routing where possible and resort to tunnelling only for the
few sites that are not on the same network.
Still, I am having trouble getting the IPIP tunnels to come up. I am not sure if this is
because of the fact that I am also BGP routed, or whether this is because I am doing
something wrong.
Sorry this is rather lengthy, I did truncate command output to limit to what’s relevant.
My assigned address space is 44.135.197.0/24, the gateway public IP is 64.184.193.14. I
created a gateway in the portal for that with both “direct” and “ipip” checked off.
This what I am doing to get IPIP up on Linux:
ip tunnel add ampr0 mode ipip local 64.184.193.14 ttl 255
ip link set dev ampr0 up
ifconfig ampr0 multicast
ip addr add 44.135.197.253/32 dev ampr0
ip rule add to 44.0.0.0/8 table 44 priority 44
ip rule add from 44.0.0.0/8 table 44 priority 45
./ampr-ripd -t 44 -i ampr0 -d -v -p <secret pwd>
Ifconfig shows my ampr0 interface properly
ampr0 Link encap:IPIP Tunnel HWaddr
inet addr:44.135.197.253 Mask:255.255.255.255
UP RUNNING NOARP MULTICAST MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
My routing table looks ok, not sure why the 44.0.0.0/8 source route would be needed, but
the few example I’ve seen all have it.
root@amprnetgw:~# ip rule show
0: from all lookup local
44: from all to 44.0.0.0/8 lookup 44
45: from 44.0.0.0/8 lookup 44
32766: from all lookup main
32767: from all lookup default
The ripd daemon populated the table
root@amprnetgw:~# ip route show table 44 | head -5
44.2.2.0/24 via 24.52.189.1 dev ampr0 proto 44 onlink window 840
44.2.5.0/25 via 176.183.139.74 dev ampr0 proto 44 onlink window 840
44.2.10.0/29 via 104.49.12.130 dev ampr0 proto 44 onlink window 840
44.2.14.0/29 via 50.79.156.221 dev ampr0 proto 44 onlink window 840
44.2.50.0/29 via 75.140.109.173 dev ampr0 proto 44 onlink window 840
Bt no go pinging various amor.org hosts:
root@amprnetgw:~# ping -c 3 f4gve.ampr.org
PING f4gve.ampr.org (44.151.74.102) 56(84) bytes of data.
--- f4gve.ampr.org ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
Looking at what’s happening with tcpdump, I see packets going out via ampr0, but it almost
looks like something unrecognizable coming back???
On ampr0 I see packet going out and “defective” replies:
root@amprnetgw:~/ampr_tun_docs/src# tcpdump -i ampr0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ampr0, link-type RAW (Raw IP), capture size 262144 bytes
08:41:16.537532 IP truncated-ip - 26540 bytes missing! 151.80.196.50 >
169.228.66.251: ip-proto-4
08:41:17.396730 IP 44.135.197.253 > 44.151.74.102: ICMP echo request, id 9059, seq
23, length 64
08:41:17.545379 IP truncated-ip - 26540 bytes missing! 151.80.196.50 >
169.228.66.251: ip-proto-4
08:41:18.404691 IP 44.135.197.253 > 44.151.74.102: ICMP echo request, id 9059, seq
24, length 64
On eth0 I see replies
root@amprnetgw:~/ampr_tun_docs/src# tcpdump -i eth0 -n host 169.228.66.251
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:40:59.409308 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes
missing! 151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)
08:41:00.417480 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes
missing! 151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)
08:41:01.416735 IP 169.228.66.251 > 64.184.193.14: IP truncated-ip - 26540 bytes
missing! 151.80.196.50 > 169.228.66.251: ip-proto-4 (ipip-proto-4)
It almost looks like I am seeing encapsulated packets coming in over the tunnel interface?
Per routing table 151.80.196.50 is the gateway for f4gve.ampr.org/44.151.74.102.
root@amprnetgw:~# ip route show table 44 | grep 151.80.196.50
44.151.74.102 via 151.80.196.50 dev ampr0 proto 44 onlink window 840
Thanks,
Adi
VA3ADI
9:12 a.m.
On 21/01/17 15:52, Adi Linden via 44Net wrote:
Bt no go pinging various amor.org hosts:
root@amprnetgw:~# ping -c 3 f4gve.ampr.org
PING f4gve.ampr.org (44.151.74.102) 56(84) bytes of data.
Adi.
Above host is _NOT_ reachable at all.
Instead try: 44.151.44.55 - 24h/day on line.
My own: 44.165.2.2 / .3 / .5 / .8 and 44.165.15.1
Best regards.
--
Tom - SP2L
------------------------------------
It is nice to be important.
But it is more important to be nice!
5:54 p.m.
Hi Tom,
Thank you for providing some IP addresses I can work with for testing. I did try
confirming f4gve.ampr.org is alive before I selected it as a host for testing. It is
still alive.
adi@Jazz:~/Working$ ping -c 3 f4gve.ampr.org
PING f4gve.ampr.org (44.151.74.102): 56 data bytes
64 bytes from 44.151.74.102: icmp_seq=0 ttl=48 time=249.300 ms
64 bytes from 44.151.74.102: icmp_seq=1 ttl=48 time=286.401 ms
64 bytes from 44.151.74.102: icmp_seq=2 ttl=48 time=256.990 ms
--- f4gve.ampr.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 249.300/264.230/286.401/15.988 ms
Adi
root@amprnetgw:~# ping -c 3 f4gve.ampr.org
PING f4gve.ampr.org (44.151.74.102) 56(84) bytes of data.
Above host is _NOT_ reachable at all.
Instead try: 44.151.44.55 - 24h/day on line.
My own: 44.165.2.2 / .3 / .5 / .8 and 44.165.15.1 
9:47 a.m.
Because you are advertising a route to your subnet via BGP,
packets addressed to that subnet will go to you directly and
will not reach the gateway at UCSD, and so therefore cannot
reach you over a tunnel.
- Brian
On Sat, Jan 21, 2017 at 08:52:56AM -0600, Adi Linden via 44Net wrote:
I have two Windows hosts that will be roaming onto
other networks. ??I have been using a /32 tunnelled address and OpenVPN. ??Looks like
OpenVPN is the easiest to reply on the client (Windows) side.
5:49 p.m.
With the BGP advertisement my subnet is reachable via internet and can reach anywhere via
internet. Other 44 networks can reach my subnet as long as they are also advertised via
BGP or have appropriate NAT rules to allow internet access. I can reach any BGP
advertised 44 net addresses. However, I should not be able to reach any non-BGP
advertised 44 net addresses unless there is a gateway (at USCD?) that allows for access to
IPIP only 44 networks from 44 networks.
I guess I don’t know the network topology of the 44 net or the functions that are provided
at the UCSD gateway.
I assumed that in order to reach IPIP only networks I would have to also establish IPIP
tunnelling from each 44 host or gateway using subnets of my BGP advertised subnet.
Adi
Because you are advertising a route to your subnet via
BGP,
packets addressed to that subnet will go to you directly and
will not reach the gateway at UCSD, and so therefore cannot
reach you over a tunnel.
- Brian
2864
days inactive
2869
days old
7 comments
4 participants
participants (4)
-
Adi Linden -
Andrew Ragone -
Brian Kantor -
Tom SP2L