Hi list,
I'm trying to get a mikrotik RB2011 connected to AMPRGW but not having success.
/ip route check 44.0.0.1
status: ok
interface: ampr-gw
nexthop: 44.0.0.1
/tool traceroute 44.0.0.1
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 44.34.128.1 0% 2 0.5ms 0.5 0.5 0.5 0 host unreachable from 44.34.128.1
2 0% 0 0ms
Using the sniffer, I've tried to also ping my address (44.34.128.1) from the outside, but it does not get through. In addition, pinging 44.0.0.1 from the router fails as well (tracert shown above). I do however see a discovery attempt going out and not getting any response back.
/tool sniffer quick interface=ampr-gw
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE
ampr-gw 33.3 1 -> 44.34.128.1:5678 (discovery) 255.255.255.255:5678 (discovery) ip:udp 114
I do have an IPIP interface to the edge router for 44.24.240.0/20, and that is operating properly; I can access their network, and they can access mine. So, I'm a bit puzzled by this.
My config amprgw:
/interface ipip add local-address=99.173.137.24 name=ampr-gw remote-address=169.228.66.251
/ip route add distance=1 dst-address=44.0.0.0/8 gateway=ampr-gw
Any help is greatly appreciated!
Hi Ryan,
Unfortunately, ampr doesn't work this way. You need an ipip interface with a direct connection to every gw from the encap file. Your set-up will encap all traffic to ampr hosts and send it to amprgw which is not what you want.
That is what the mentioned script accomplishes.
Marius, YO2LOJ
-----Original Message----- From: 44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu [mailto:44net-bounces+marius=yo2loj.ro@hamradio.ucsd.edu] On Behalf Of Ryan Elliott Turner Sent: Thursday, January 30, 2014 04:27 To: 44net@hamradio.ucsd.edu Subject: [44net] Getting mikrotik router gateway connected to amprgw
...
/interface ipip add local-address=99.173.137.24 name=ampr-gw remote-address=169.228.66.251
/ip route add distance=1 dst-address=44.0.0.0/8 gateway=ampr-gw
....
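An added example, not part of the original thread and not the script Marius refers to: a Python sketch that turns encap-file entries into one IPIP interface per remote gateway plus one route per 44-net prefix, instead of a single 44.0.0.0/8 route through amprgw. The `route addprivate <prefix> encap <gateway>` line layout, the `ampr-<gateway>` interface naming, and the sample gateways (documentation addresses) are assumptions.

```python
import ipaddress

# Constructed sample; line layout assumed: route addprivate <prefix> encap <gateway>
SAMPLE_ENCAP = """\
# constructed sample, documentation addresses as remote gateways
route addprivate 44.34.128/21 encap 99.173.137.24
route addprivate 44.24.240/20 encap 198.51.100.7
route addprivate 44.128.5.0/24 encap 203.0.113.9
route addprivate 44.128.6.0/24 encap 203.0.113.9
"""


def parse_encap(text):
    """Return [(network, gateway)]; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[:2] != ["route", "addprivate"] or f[3] != "encap":
            continue
        addr, _, bits = f[2].partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))  # pad short forms like 44.34.128/21
        net = ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"))
        entries.append((net, ipaddress.ip_address(f[4])))
    return entries


def routeros_commands(entries, local_address):
    """One IPIP interface per remote gateway, one route per prefix behind it."""
    local = ipaddress.ip_address(local_address)
    cmds, ifaces = [], {}
    for net, gw in entries:
        if gw == local:  # our own subnet: no tunnel to ourselves
            continue
        if gw not in ifaces:
            ifaces[gw] = "ampr-%s" % gw  # hypothetical naming scheme
            cmds.append(
                "/interface ipip add name=%s local-address=%s remote-address=%s"
                % (ifaces[gw], local, gw))
        cmds.append("/ip route add dst-address=%s gateway=%s distance=1"
                    % (net, ifaces[gw]))
    return cmds


if __name__ == "__main__":
    for cmd in routeros_commands(parse_encap(SAMPLE_ENCAP), "99.173.137.24"):
        print(cmd)
```

Two prefixes behind the same gateway share one tunnel interface, and the local gateway's own entry produces no commands.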
Hi Marius,
I understand that I'll have to make an ipip tunnel to all of the other gateways (as listed in the encap file). I was under the impression that for non-44net traffic in and out, a tunnel to amprgw was used. There is no 44.0.0.1 entry in the encap file, though, so I'm beginning to wonder if I really am misunderstanding.
Thanks for your reply.
Ryan, the route there creates the problem...
/interface ipip add local-address=99.173.137.24 name=ampr-gw remote-address=169.228.66.251
/ip route add distance=1 dst-address=44.0.0.0/8 gateway=ampr-gw
You try to push the 44.0.0.0/8 traffic to the tunnel. That traffic belongs elsewhere... The host you are pinging in 44 space expects you to do it via a direct tunnel, not via amprgw.
You need this kind of rules for outgoing traffic:
- For src 44.0.0.0/8 to 44.0.0.0/8 it has to go to your ipip tunnels
- For src 44.0.0.0/8 to any it is passed to amprgw if the connection originated from the ampr tunnel (connection mark is your friend here).
- For src 44.0.0.0/8 to any it is passed to amprgw (I would masquerade to the public IP to reduce the load on amprgw instead of this).
FYI: amprgw does not respond to ping if addressed via the tunnel, only if pinged from the internet.
Maybe these ideas help.
Marius, YO2LOJ
Thanks for the tips, I'll add and change the routes. I'm still curious what else I'm missing though, since my address 44.34.128.1 is not pingable from the internet (but it was via the 44.24.240.0 net that I have an ipip setup for).
Ok, I've added this now:
/ip firewall mangle add action=mark-packet chain=prerouting in-interface=ampr-gw new-packet-mark=ampr-gw
/ip firewall nat add action=masquerade chain=srcnat out-interface=ampr-gw
/ip route add distance=1 gateway=ampr-gw routing-mark=ampr-gw
and I still have
/interface ipip add local-address=99.173.137.24 name=ampr-gw remote-address=169.228.66.251
So, it seems that is a better setup to get replies sent out to amprgw, but the trouble remains that I still haven't been getting traffic in from the gw EXCEPT for rip multicast (I'm rxing traffic for dst address 224.0.0.9). The address should be 44.34.128.1.
On Thu, Jan 30, 2014 at 08:43:59AM -0600, Ryan Elliott Turner wrote:
So, it seems that is a better setup to get replies sent out to amprgw, but the trouble remains that I still haven't been getting traffic in from the gw EXCEPT for rip multicast (I'm rxing traffic for dst address 224.0.0.9). The address should be 44.34.128.1.
44.34.128.1 isn't listed in the AMPR DNS and the amprgw gateway won't pass traffic to addresses that aren't in the DNS. I can add that to the DNS if you'll tell me the hostname you want to use for it.
- Brian
There is however a 44.34.128/21 in the RIP broadcasts. This resolves to 44.34.128.1 - 44.34.135.254. Is this correct?
Pls ignore the previous message. I didn't get Brian's message correctly. Just came from work :-)