Re: [44net] Test Script for ipip Gateway - 44net - mailman.ardc.net

List overview All Threads
Download

Re: [44net] Test Script for ipip Gateway

Ping: Is the list down?

Scope, limited scope, and policies

Mark Herson, N2MH

1 Jan 2021 1 Jan '21

8:28 p.m.

If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.

Sorry, that web url is a typo. It should be http://n2mh-web.n2mh.ampr.org I have received several emails to n2mh(a)n2mh.ampr.org. 73, Mark, N2MH

Reply

Show replies by date

Boudewijn (Bob) Tenty

1 Jan 1 Jan

9:33 p.m.

New subject: Test Script for ipip Gateway

No problem from the Toronto area. Bob VE3TOK On 2021-01-01 20:28, Mark Herson, N2MH via 44Net wrote:

If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.

Sorry, that web url is a typo. It should be http://n2mh-web.n2mh.ampr.org I have received several emails to n2mh(a)n2mh.ampr.org. 73, Mark, N2MH _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

-- When you change the way you look at things, the things you look at change Max Planck

Reply

Steve L

10:08 p.m.

New subject: Test Script for ipip Gateway

Working from Green Bay, WI 44.92.21.X As people have mentioned, there is no test script. Various people run web tools on their address space so that you can test (some even have them accessible to the greater internet) such as: http://yo2tm.ampr.org/nettools.php ipencap is a stateless protocol so there isn't any handshaking or really anyway without an active test to verify. You are correct there are a number of gateways with errors kb9mwr@kb9mwr:~/0 $ cat pkterrors.txt | cut -d " " -f1 | uniq 24.21.178.15 24.44.181.250 24.115.112.147 31.22.209.138 35.142.95.189 38.131.225.77 45.16.135.19 45.24.113.205 50.116.8.127 50.241.87.152 66.70.176.157 66.109.219.132 69.123.132.4 70.94.252.87 71.207.37.193 71.234.110.172 73.175.131.23 74.37.229.63 79.8.90.44 80.211.245.61 81.187.62.66 82.64.40.245 85.201.229.192 85.234.195.199 89.33.44.100 89.106.108.151 89.137.215.42 89.191.131.114 89.214.96.2 90.155.50.1 91.239.87.3 108.35.133.32 109.28.24.17 116.203.224.130 141.75.245.225 155.138.253.118 162.247.76.129 166.62.194.48 172.106.32.116 174.97.191.155 177.143.141.111 181.170.235.14 185.47.96.11 185.78.150.20 190.136.177.222 195.154.44.133 209.150.234.44 212.56.100.200 217.35.151.221 The most common logged error is "3 [19] dropped: non-44 inner source address" On Fri, Jan 1, 2021 at 7:29 PM Mark Herson, N2MH via 44Net <44net(a)mailman.ampr.org> wrote:

If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.

Sorry, that web url is a typo. It should be http://n2mh-web.n2mh.ampr.org I have received several emails to n2mh(a)n2mh.ampr.org. 73, Mark, N2MH _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

n2nov＠n2nov.ampr.org

10:36 p.m.

New subject: Test Script for ipip Gateway

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV

Reply

Marius Petrescu

2 Jan 2 Jan

8:38 a.m.

New subject: Test Script for ipip Gateway

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote:

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Steve L

3 Jan 3 Jan

1:01 a.m.

New subject: Test Script for ipip Gateway

89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap That data is from the stats collector that the late Brian Kantor wrote, which can be seen here: https://gw.ampr.org/private/ The login uses the old gateways login credentials from when Jim Fuller ran it. See: https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html I highly recommend these rules: # This prevents nested ipencap iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP # This prevents a general loop iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You Must add accept rules under this line to make exceptions iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP # ^ adjust to your subnet On Sat, Jan 2, 2021 at 7:40 AM Marius Petrescu via 44Net <44net(a)mailman.ampr.org> wrote:

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote:

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Marco Di Martino (IW2OHX)

2:25 a.m.

New subject: Test Script for ipip Gateway

Hi all, Thanks for sharing! That's a very interesting troubleshooting utility. And yet more useful when someone suggests a possible fix. Is there anyone that could help me to understand what's the issue here ? 93.51.76.174 44.134.160.1 97 [ 3] dropped: no source gateway 93.51.76.174 44.134.160.2 178 [ 3] dropped: no source gateway Regards, Marco iw2ohx On 1/3/2021 7:01 AM, Steve L via 44Net wrote:

89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap That data is from the stats collector that the late Brian Kantor wrote, which can be seen here: https://gw.ampr.org/private/ The login uses the old gateways login credentials from when Jim Fuller ran it. See: https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html I highly recommend these rules: # This prevents nested ipencap iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP # This prevents a general loop iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You Must add accept rules under this line to make exceptions iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP # ^ adjust to your subnet On Sat, Jan 2, 2021 at 7:40 AM Marius Petrescu via 44Net <44net(a)mailman.ampr.org> wrote:

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote:

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Steve L

12:02 p.m.

New subject: Test Script for ipip Gateway

Maro, I don't have an answer for you, but hope someone else will chime it. I combed through my notes to see if I had any clues. I'll share these notes for everyone's benefit: --- The collecting ripsender ICMP data is available for you to look at on the web site in file /private/gwlog.txt. It has as the last two columns the ICMP type and code; so 'port unreachable' (code 3) can be distinguished from 'host unreachable' (code 1), 'net unreachable' (code 0), and 'protocol unreachable' (code 2), etc. I'm currently recording all 16 kinds of 'unreachable' in that file. (2017-May) --- I assume you mean the gwlog.txt file. This is raw data, designed for a program to read, not humans. column 1 is the IP address of the gateway columns 2 & 3 are the UTC date and time column 4 is the icmp type, always '3' for 'destination unreachable' column 5 is the icmp code why. '2' is 'unreachable protocol', '3' is 'unreachable port'. Refer to RFC792 and later RFCs, or the Unix/Linux source code for the meanings of the type/code combinations. Or do a google search for 'icmp type 3'. For example: 69.85.86.85 17-05-24 02:30:00 3 2 So '3 2' means that the gateway rejected a packet with the message 'unreachable protocol'. (https://mailman.ampr.org/mailman/private/44net/2017-May/007420.html) On Sun, Jan 3, 2021 at 1:27 AM Marco Di Martino (IW2OHX) via 44Net <44net(a)mailman.ampr.org> wrote:

Hi all, Thanks for sharing! That's a very interesting troubleshooting utility. And yet more useful when someone suggests a possible fix. Is there anyone that could help me to understand what's the issue here ? 93.51.76.174 44.134.160.1 97 [ 3] dropped: no source gateway 93.51.76.174 44.134.160.2 178 [ 3] dropped: no source gateway Regards, Marco iw2ohx On 1/3/2021 7:01 AM, Steve L via 44Net wrote:

89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap That data is from the stats collector that the late Brian Kantor wrote, which can be seen here: https://gw.ampr.org/private/ The login uses the old gateways login credentials from when Jim Fuller ran it. See: https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html I highly recommend these rules: # This prevents nested ipencap iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP # This prevents a general loop iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You Must add accept rules under this line to make exceptions iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP # ^ adjust to your subnet On Sat, Jan 2, 2021 at 7:40 AM Marius Petrescu via 44Net <44net(a)mailman.ampr.org> wrote:

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote:

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Marco Di Martino (IW2OHX)

4 Jan 4 Jan

1:37 a.m.

New subject: Test Script for ipip Gateway

Hi Steve, thanks a lot. Again...very useful info. Well, my gateway is not present in the current gwlog.txt. I will monitor it to see if there will be new occurrences. Marco 73 de iw2ohx On 1/3/2021 6:02 PM, Steve L via 44Net wrote:

Maro, I don't have an answer for you, but hope someone else will chime it. I combed through my notes to see if I had any clues. I'll share these notes for everyone's benefit: --- The collecting ripsender ICMP data is available for you to look at on the web site in file /private/gwlog.txt. It has as the last two columns the ICMP type and code; so 'port unreachable' (code 3) can be distinguished from 'host unreachable' (code 1), 'net unreachable' (code 0), and 'protocol unreachable' (code 2), etc. I'm currently recording all 16 kinds of 'unreachable' in that file. (2017-May) --- I assume you mean the gwlog.txt file. This is raw data, designed for a program to read, not humans. column 1 is the IP address of the gateway columns 2 & 3 are the UTC date and time column 4 is the icmp type, always '3' for 'destination unreachable' column 5 is the icmp code why. '2' is 'unreachable protocol', '3' is 'unreachable port'. Refer to RFC792 and later RFCs, or the Unix/Linux source code for the meanings of the type/code combinations. Or do a google search for 'icmp type 3'. For example: 69.85.86.85 17-05-24 02:30:00 3 2 So '3 2' means that the gateway rejected a packet with the message 'unreachable protocol'. (https://mailman.ampr.org/mailman/private/44net/2017-May/007420.html) On Sun, Jan 3, 2021 at 1:27 AM Marco Di Martino (IW2OHX) via 44Net <44net(a)mailman.ampr.org> wrote:

Hi all, Thanks for sharing! That's a very interesting troubleshooting utility. And yet more useful when someone suggests a possible fix. Is there anyone that could help me to understand what's the issue here ? 93.51.76.174 44.134.160.1 97 [ 3] dropped: no source gateway 93.51.76.174 44.134.160.2 178 [ 3] dropped: no source gateway Regards, Marco iw2ohx On 1/3/2021 7:01 AM, Steve L via 44Net wrote:

89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap That data is from the stats collector that the late Brian Kantor wrote, which can be seen here: https://gw.ampr.org/private/ The login uses the old gateways login credentials from when Jim Fuller ran it. See: https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html I highly recommend these rules: # This prevents nested ipencap iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP # This prevents a general loop iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You Must add accept rules under this line to make exceptions iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP # ^ adjust to your subnet On Sat, Jan 2, 2021 at 7:40 AM Marius Petrescu via 44Net <44net(a)mailman.ampr.org> wrote:

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote: > What is the error for 162.247.76.129 (my gateway address)? > > -- > 73 de N2NOV > _________________________________________ > 44Net mailing list > 44Net(a)mailman.ampr.org > https://mailman.ampr.org/mailman/listinfo/44net _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Marius Petrescu

3 Jan 3 Jan

6:52 p.m.

New subject: Test Script for ipip Gateway

Tnx Steve, Corrected :-) On 03.01.2021 08:01, Steve L via 44Net wrote:

89.33.44.100 44.182.21.1 67631 [ 8] dropped: encap to encap That data is from the stats collector that the late Brian Kantor wrote, which can be seen here: https://gw.ampr.org/private/ The login uses the old gateways login credentials from when Jim Fuller ran it. See: https://mailman.ampr.org/mailman/private/44net/2020-January/010633.html I highly recommend these rules: # This prevents nested ipencap iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP # This prevents a general loop iptables -I FORWARD -i tunl0 -o tunl0 -j DROP # Drops outbound unassigned IPs from looping though tunl0 via ipencap # You Must add accept rules under this line to make exceptions iptables -I FORWARD ! -s 44.92.21.0/24 -o tunl0 -j DROP # ^ adjust to your subnet On Sat, Jan 2, 2021 at 7:40 AM Marius Petrescu via 44Net <44net(a)mailman.ampr.org> wrote:

The same question goes for 89.33.44.100. I dumped it and found no outgoing packets from other sources for your gateway. Is it possible you actually capture some spoofing attempts? Do you account for replies to requests that may be addressed to non-44 addresses via your tunnels, like ICM unreachable and similar? On 02.01.2021 05:36, Charles - N2NOV via 44Net wrote:

What is the error for 162.247.76.129 (my gateway address)? -- 73 de N2NOV _________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

_________________________________________ 44Net mailing list 44Net(a)mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net

Reply

Rob PE1CHL

2 Jan 2 Jan

5:05 a.m.

New subject: Test Script for ipip Gateway

On 1/2/21 4:08 AM, Steve L via 44Net wrote:

You are correct there are a number of gateways with errors The most common logged error is "3 [19] dropped: non-44 inner source address"

A common problem is users sending tunneled packets with their public IP as the source address in the inner header. That often happens when routing and applications are done on the same machine, applications are offered on the public IP, and a simple routing table without policy routing is used. I.e. there is no separate routing table for the tunnel traffic, but rather everything is in a single table. When a request is sent to the public IP from a net44 source (being routed over the public internet), the reply is routed back via the IPIP tunnel mesh. Wrong. One should use policy routing so that traffic from non-net44 addresses in the own network is routed directly to the internet default gw, and only traffic with net44 source address is routed via the IPIP mesh. The examples on www.ampr.org show how to do that in Linux. (the "ip rule" stuff) Rob

Reply

Rob PE1CHL

4:56 a.m.

New subject: Test Script for ipip Gateway

On 1/2/21 2:28 AM, Mark Herson, N2MH via 44Net wrote:

If anyone wants to test my incoming access, you can try n2mh.ampr.org or http://n2mh-web.ampr.org. Please let me know the results.

Sorry, that web url is a typo. It should be http://n2mh-web.n2mh.ampr.org

Ok I can reach that site! And also I can ping your primary address. traceroute n2mh.ampr.org traceroute to n2mh.ampr.org (44.64.24.128), 30 hops max, 60 byte packets 1 gw.pe1chl.ampr.org (44.137.41.110) 0.305 ms 0.402 ms 0.515 ms 2 access2.pi1utr.ampr.org (44.137.73.242) 3.109 ms 3.842 ms 4.788 ms 3 gw2.pi1utr.ampr.org (44.137.73.254) 11.164 ms 12.151 ms 12.491 ms 4 pi1utr.pi1utr2.ampr.org (44.137.60.61) 12.798 ms 13.381 ms 16.900 ms 5 pi1utr.pi9noz.ampr.org (44.137.60.25) 18.333 ms 19.784 ms 20.108 ms 6 pi9noz.pi9noz.ampr.org (44.137.60.5) 26.960 ms 26.399 ms 26.731 ms 7 gw-core.pi9noz.ampr.org (44.137.60.1) 28.036 ms 26.137 ms 26.130 ms 8 n2mh.ampr.org (44.64.24.128) 106.702 ms 100.083 ms 99.874 ms traceroute n2mh-web.n2mh.ampr.org traceroute to n2mh-web.n2mh.ampr.org (44.64.24.194), 30 hops max, 60 byte packets 1 gw.pe1chl.ampr.org (44.137.41.110) 0.298 ms 0.422 ms 0.535 ms 2 access2.pi1utr.ampr.org (44.137.73.242) 4.161 ms 4.216 ms 4.270 ms 3 gw2.pi1utr.ampr.org (44.137.73.254) 5.569 ms 6.485 ms 6.729 ms 4 pi1utr.pi1utr2.ampr.org (44.137.60.61) 7.084 ms 8.733 ms 9.564 ms 5 pi1utr.pi9noz.ampr.org (44.137.60.25) 9.836 ms 10.086 ms 11.074 ms 6 pi9noz.pi9noz.ampr.org (44.137.60.5) 16.241 ms 16.996 ms 17.307 ms 7 gw-core.pi9noz.ampr.org (44.137.60.1) 17.599 ms 14.205 ms 23.640 ms 8 44.64.24.223 (44.64.24.223) 95.376 ms 95.586 ms 96.444 ms 9 n2mh-web.n2mh.ampr.org (44.64.24.194) 105.684 ms 105.951 ms 106.987 ms Looks like your webserver is behind a router that is not yet in DNS. Rob

Reply

Roland Schwarz

8:51 a.m.

New subject: Test Script for ipip Gateway

Works for me. Have access via Austrian HAMNET and IPIP gateway. 73 Roland oe1rsa -- __________________________________________ _ _ | Roland Schwarz |_)(_ | | \__) | mailto:roland.schwarz@blackspace.at ________| http://www.blackspace.at

Reply

1230

days inactive

1232

days old

44net@mailman.ampr.org

Manage subscription

12 comments

8 participants

tags (0)

participants (8)

Boudewijn (Bob) Tenty
Marco Di Martino (IW2OHX)
Marius Petrescu
Mark Herson, N2MH
n2nov＠n2nov.ampr.org
Rob PE1CHL
Roland Schwarz
Steve L