If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.
Sorry, that web url is a typo. It should be
I have received several emails to n2mh@n2mh.ampr.org.
73, Mark, N2MH
No problem from the Toronto area.
Bob VE3TOK
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Working from Green Bay, WI 44.92.21.X
As people have mentioned, there is no test script. Various people run web tools on their address space so that you can test (some even have them accessible to the greater internet) such as:
http://yo2tm.ampr.org/nettools.php
ipencap is a stateless protocol so there isn't any handshaking or really any way without an active test to verify.
You are correct there are a number of gateways with errors
kb9mwr@kb9mwr:~/0 $ cat pkterrors.txt | cut -d " " -f1 | uniq 24.21.178.15 24.44.181.250 24.115.112.147 31.22.209.138 35.142.95.189 38.131.225.77 45.16.135.19 45.24.113.205 50.116.8.127 50.241.87.152 66.70.176.157 66.109.219.132 69.123.132.4 70.94.252.87 71.207.37.193 71.234.110.172 73.175.131.23 74.37.229.63 79.8.90.44 80.211.245.61 81.187.62.66 82.64.40.245 85.201.229.192 85.234.195.199 89.33.44.100 89.106.108.151 89.137.215.42 89.191.131.114 89.214.96.2 90.155.50.1 91.239.87.3 108.35.133.32 109.28.24.17 116.203.224.130 141.75.245.225 155.138.253.118 162.247.76.129 166.62.194.48 172.106.32.116 174.97.191.155 177.143.141.111 181.170.235.14 185.47.96.11 185.78.150.20 190.136.177.222 195.154.44.133 209.150.234.44 212.56.100.200 217.35.151.221
The most common logged error is "3 [19] dropped: non-44 inner source address"
What is the error for 162.247.76.129 (my gateway address)?
-- 73 de N2NOV
The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway.
Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICMP unreachable and similar?
89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap
That data is from the stats collector that the late Brian Kantor wrote, which can be seen here:
The login uses the old gateways login credentials from when Jim Fuller ran it. See:
https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html
I highly recommend these rules:
# This prevents nested ipencap
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
# This prevents a general loop
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
# Drops outbound unassigned IPs from looping through tunl0 via ipencap
# You must add accept rules under this line to make exceptions
iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP
# ^ adjust to your subnet
Hi all, Thanks for sharing! That's a very interesting troubleshooting utility. And yet more useful when someone suggests a possible fix.
Is there anyone that could help me to understand what's the issue here ?
93.51.76.174 44.134.160.1 97 [ 3] dropped: no source gateway
93.51.76.174 44.134.160.2 178 [ 3] dropped: no source gateway
Regards, Marco iw2ohx
Marco,
I don't have an answer for you, but hope someone else will chime in.
I combed through my notes to see if I had any clues. I'll share these notes for everyone's benefit:
---
The collecting ripsender ICMP data is available for you to look at on the web site in file /private/gwlog.txt.
It has as the last two columns the ICMP type and code; so 'port unreachable' (code 3) can be distinguished from 'host unreachable' (code 1), 'net unreachable' (code 0), and 'protocol unreachable' (code 2), etc.
I'm currently recording all 16 kinds of 'unreachable' in that file.
(2017-May)
---
I assume you mean the gwlog.txt file.
This is raw data, designed for a program to read, not humans.
column 1 is the IP address of the gateway
columns 2 & 3 are the UTC date and time
column 4 is the icmp type, always '3' for 'destination unreachable'
column 5 is the icmp code why. '2' is 'unreachable protocol', '3' is 'unreachable port'.
Refer to RFC792 and later RFCs, or the Unix/Linux source code for the meanings of the type/code combinations. Or do a google search for 'icmp type 3'.
For example: 69.85.86.85 17-05-24 02:30:00 3 2
So '3 2' means that the gateway rejected a packet with the message 'unreachable protocol'.
(https://mailman.ampr.org/mailman/private/44net/2017-May/007420.html)
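A reader for the five-column gwlog.txt layout described in the notes above, as an added example that is not part of the original thread or the collector's own code. It assumes the date column is yy-mm-dd; every sample line except the first (taken from the notes) is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress

# ICMP type 3 (destination unreachable) codes from RFC 792 and later RFCs.
UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable",
           4: "fragmentation needed", 13: "administratively prohibited"}

# First line is the example from the notes; the rest are constructed.
SAMPLE = """\
69.85.86.85 17-05-24 02:30:00 3 2
192.0.2.1 17-05-24 02:30:05 3 3
192.0.2.1 17-05-24 02:31:10 3 3
192.0.2.1 17-05-24 02:35:00 3 1
not-a-record
"""

def parse_line(line):
    """Return (gateway, utc_datetime, icmp_type, icmp_code), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        gw = ipaddress.IPv4Address(parts[0])
        # Assumption: columns 2 and 3 are "yy-mm-dd HH:MM:SS" in UTC.
        when = datetime.strptime(parts[1] + " " + parts[2], "%y-%m-%d %H:%M:%S")
        icmp_type, icmp_code = int(parts[3]), int(parts[4])
    except ValueError:
        return None
    return str(gw), when.replace(tzinfo=timezone.utc), icmp_type, icmp_code

def summarize(text):
    """Count unreachable codes per gateway; also return how many lines were skipped."""
    per_gw, skipped = defaultdict(Counter), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None or rec[2] != 3:   # the file only records type 3
            skipped += 1
            continue
        gw, _, _, code = rec
        per_gw[gw][UNREACH.get(code, f"code {code}")] += 1
    return {gw: dict(c) for gw, c in per_gw.items()}, skipped

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    for gw, codes in counts.items():
        print(gw, codes)
    print("skipped lines:", skipped)
```

A gateway whose entries are mostly 'protocol unreachable' is answering the collector but refusing the encapsulated packet itself, which is a different fault from a host or port that is simply down.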
Hi Steve,
thanks a lot. Again...very useful info. Well, my gateway is not present in the current gwlog.txt. I will monitor it to see if there will be new occurrences.
Marco 73 de iw2ohx
Tnx Steve,
Corrected :-)
On 1/2/21 4:08 AM, Steve L via 44Net wrote:
You are correct there are a number of gateways with errors
The most common logged error is "3 [19] dropped: non-44 inner source address"
A common problem is users sending tunneled packets with their public IP as the source address in the inner header. That often happens when routing and applications are done on the same machine, applications are offered on the public IP, and a simple routing table without policy routing is used.
I.e. there is no separate routing table for the tunnel traffic, but rather everything is in a single table. When a request is sent to the public IP from a net44 source (being routed over the public internet), the reply is routed back via the IPIP tunnel mesh. Wrong.
One should use policy routing so that traffic from non-net44 addresses in one's own network is routed directly to the internet default gw, and only traffic with a net44 source address is routed via the IPIP mesh.
The examples on www.ampr.org show how to do that in Linux. (the "ip rule" stuff)
Rob
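The two drop reasons quoted in this thread, checked against constructed ipencap packets, as an added example that is not the stats collector's code. Treating net44 as 44.0.0.0/8, reading "encap to encap" as an inner packet that is itself protocol 4, and the order of the checks are all assumptions; the outer addresses are documentation ranges.

```python
import ipaddress
import struct

# Assumption: net44 treated as 44.0.0.0/8; narrow to the prefixes actually allocated.
NET44 = [ipaddress.ip_network("44.0.0.0/8")]

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(buf):
    """Return (src, dst, proto, payload), or None if truncated or not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return (ipaddress.IPv4Address(buf[12:16]),
            ipaddress.IPv4Address(buf[16:20]), buf[9], buf[ihl:])

def classify(packet, net44=NET44):
    """Label one packet the way a receiving gateway's ingress filter would."""
    outer = parse_ipv4(packet)
    if outer is None or outer[2] != 4:          # protocol 4 = IP-in-IP
        return "not ipencap"
    inner = parse_ipv4(outer[3])
    if inner is None:
        return "malformed inner header"
    src, _, proto, _ = inner
    if proto == 4:                              # nested ipencap
        return "encap to encap"
    if not any(src in net for net in net44):    # public IP leaked into the tunnel
        return "non-44 inner source address"
    return "ok"

# Constructed packets: gateway 192.0.2.10 sending to gateway 198.51.100.20.
GOOD = ipv4("192.0.2.10", "198.51.100.20", 4,
            ipv4("44.92.21.5", "44.64.24.128", 1))
LEAK = ipv4("192.0.2.10", "198.51.100.20", 4,      # reply sourced from public IP
            ipv4("192.0.2.10", "44.64.24.128", 6))
NESTED = ipv4("192.0.2.10", "198.51.100.20", 4,
              ipv4("44.92.21.5", "44.64.24.128", 4,
                   ipv4("44.92.21.5", "44.64.24.128", 1)))

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("LEAK", LEAK), ("NESTED", NESTED)):
        print(name, "->", classify(pkt))
```

LEAK is the single-routing-table case described above; policy routing, or the `! -s 44.92.21.0/24 -o tunl0` rule posted earlier in the thread, keeps such a packet from ever entering the tunnel.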
On 1/2/21 2:28 AM, Mark Herson, N2MH via 44Net wrote:
If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.
Sorry, that web url is a typo. It should be
Ok I can reach that site! And also I can ping your primary address.
traceroute n2mh.ampr.org
traceroute to n2mh.ampr.org (44.64.24.128), 30 hops max, 60 byte packets
1 gw.pe1chl.ampr.org (44.137.41.110) 0.305 ms 0.402 ms 0.515 ms
2 access2.pi1utr.ampr.org (44.137.73.242) 3.109 ms 3.842 ms 4.788 ms
3 gw2.pi1utr.ampr.org (44.137.73.254) 11.164 ms 12.151 ms 12.491 ms
4 pi1utr.pi1utr2.ampr.org (44.137.60.61) 12.798 ms 13.381 ms 16.900 ms
5 pi1utr.pi9noz.ampr.org (44.137.60.25) 18.333 ms 19.784 ms 20.108 ms
6 pi9noz.pi9noz.ampr.org (44.137.60.5) 26.960 ms 26.399 ms 26.731 ms
7 gw-core.pi9noz.ampr.org (44.137.60.1) 28.036 ms 26.137 ms 26.130 ms
8 n2mh.ampr.org (44.64.24.128) 106.702 ms 100.083 ms 99.874 ms

traceroute n2mh-web.n2mh.ampr.org
traceroute to n2mh-web.n2mh.ampr.org (44.64.24.194), 30 hops max, 60 byte packets
1 gw.pe1chl.ampr.org (44.137.41.110) 0.298 ms 0.422 ms 0.535 ms
2 access2.pi1utr.ampr.org (44.137.73.242) 4.161 ms 4.216 ms 4.270 ms
3 gw2.pi1utr.ampr.org (44.137.73.254) 5.569 ms 6.485 ms 6.729 ms
4 pi1utr.pi1utr2.ampr.org (44.137.60.61) 7.084 ms 8.733 ms 9.564 ms
5 pi1utr.pi9noz.ampr.org (44.137.60.25) 9.836 ms 10.086 ms 11.074 ms
6 pi9noz.pi9noz.ampr.org (44.137.60.5) 16.241 ms 16.996 ms 17.307 ms
7 gw-core.pi9noz.ampr.org (44.137.60.1) 17.599 ms 14.205 ms 23.640 ms
8 44.64.24.223 (44.64.24.223) 95.376 ms 95.586 ms 96.444 ms
9 n2mh-web.n2mh.ampr.org (44.64.24.194) 105.684 ms 105.951 ms 106.987 ms
Looks like your webserver is behind a router that is not yet in DNS.
Rob
Works for me. Have access via Austrian HAMNET and IPIP gateway. 73 Roland oe1rsa