In our tunnels, all traffic from a gateway should be encapsulated and should NOT contain an encapsulated ipencap packet. The ipip router at UCSD logs and discards these; I'm seeing such packets from gateways
77.138.34.39 85.234.252.133 86.161.255.194 185.58.225.84
which suggests that they have a routing misconfiguration. The operators of those gateways should examine their routing and encapsulation rules to see why this is happening. - Brian
Hi,
86.161.255.194 is the destination for 44.131.14.128/26. Just to clarify, what you were seeing was probably stray traffic from an IPv6 tunnel which goes between my 44net addresses. Blame the main BT router not handling IPv6 encapsulated packets unless I stick an extra IPv4 header on. Normally my traffic should not traverse the gateway, but over the last couple of days I have been testing a backup system for when my BGP routes go down, so you probably saw some stray packets reach the main gateway during last night's tests. If you happened to capture the inner and outer headers and it shows something other than an IPv6 encapsulated packet with a destination inside 44.131.14/24, or if you are seeing traffic whilst my BGP route is up, then it might be a configuration error.
Regarding the other thread about which firewall rules to use, the gateway is a little more complicated but for my home router I (normally, not last night in case you saw differently) have the equivalent to:
iptables -t filter -A FORWARD -i tunl0 ! -d 44.131.14.128/26 -j REJECT
iptables -t filter -A FORWARD -o tunl0 ! -s 44.131.14.128/26 -j REJECT
I think this pretty much covers the requirements for a basic end network?
If the main gateway receives an invalid encapsulated packet from a known gateway or a 44net address, would it be helpful to return an error instead of dropping it? An ICMP Administratively Denied packet is more likely to generate an obvious error message than packets going missing. The gateway would probably need to rate-limit the number of errors it will send out to prevent abuse, though.
Thanks, Mike, M6XCV
On 20 April 2017 at 00:39, Brian Kantor Brian@ucsd.edu wrote:
In our tunnels, all traffic from a gateway should be encapsulated and should NOT contain an encapsulated ipencap packet. The ipip router at UCSD logs and discards these; I'm seeing such packets from gateways
77.138.34.39 85.234.252.133 86.161.255.194 185.58.225.84
which suggests that they have a routing misconfiguration. The operators of those gateways should examine their routing and encapsulation rules to see why this is happening. - Brian
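The check discussed in this thread (traffic from a gateway must be ipencap, and its payload must not itself be ipencap), written out as an added example that is not from either message and is not the UCSD router's code. It walks the header chain so the log entry shows what was nested, such as the IPv6-in-IPv4 case; the verdict names, the four-layer walk limit and all sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

IPENCAP, IPV6_ENCAP = 4, 41  # IANA protocol numbers: IPv4-in-IPv4, IPv6-in-IPv4

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for one IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        return None
    src = ipaddress.IPv4Address(buf[12:16])
    dst = ipaddress.IPv4Address(buf[16:20])
    return buf[9], src, dst, buf[ihl:total]

def classify(packet):
    """Return (verdict, layers); layers lists (proto, src, dst) outermost first."""
    layers, buf = [], packet
    while len(layers) < 4:  # bounded walk (assumed limit) so deep nesting cannot loop
        hdr = parse_ipv4(buf)
        if hdr is None:
            break
        proto, src, dst, buf = hdr
        layers.append((proto, str(src), str(dst)))
        if proto != IPENCAP:
            break
    if not layers or layers[0][0] != IPENCAP:
        return "not-tunnel", layers
    if len(layers) < 2:
        return "malformed", layers
    if layers[1][0] == IPENCAP:  # ipencap found inside the tunnel payload
        return "discard-nested-ipencap", layers
    return "forward", layers

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed-sample helper: minimal 20-byte header, checksum left as zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def sample_nested():
    """Constructed packet: tunnel -> extra IPv4 header -> 6in4 header (IPv6 body omitted)."""
    inner = build_ipv4(IPV6_ENCAP, "44.131.14.130", "44.131.14.20")
    return build_ipv4(IPENCAP, "192.0.2.1", "198.51.100.1",
                      build_ipv4(IPENCAP, "44.131.14.130", "44.131.14.20", inner))
```

The returned layers list is what an operator would want in the log line: it distinguishes a stray 6in4 packet wrapped in an extra IPv4 header from other nested encapsulation.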