7 Jun
2016
7 Jun
'16
3 a.m.
Ok... all important points to understand and we
absolutely rely and
appreciate all your help on running the current AMPRGW solution. Before
even jumping to conclusion, we'd need to know if GRE really would be
more successful than IPIP. In Brian, N1URO's situation, I'm curious if
a Comcast "Business" class service would remove some of these
intentional filtering issues.
I don't think it will be an appreciable improvement.
I have experimented with GRE as the tunneling protocol (chosen exactly for this reason)
to connect local stations to our Dutch gateway, and at first the results looked
promising,
but it did not take long before I got to the first case where plain GRE would not work
over a consumer NAT router. I think it is (at least here) never caused by intentional
ISP filtering, it is just caused by limitations of NAT routers that were only designed
for typical outgoing TCP and UDP connections only. In the mentioned case the router was
not even provided by the ISP, making malice even less likely.
I then changed setup to GRE over IPsec which works fine until now when in NAT-T mode,
but of course this is only suitable for use in a star configuration with connections
initiated from the users to some gateway. Not a replacement for the tunnel mesh.
I heard in Germany L2TP is used, I'm not sure if it is over IPsec or not.
Anyway, I use L2TP over IPsec (sometimes over NAT-T) at work, it works over any
connection
but here as well it is a star topology.
We also offer OpenVPN connectivity at our gateway, in UDP mode only, and this too is
problem-free w.r.t. ISP routers. I don't believe a provider would (or even can?)
filter
OpenVPN, certainly not when it would be run in TCP mode on port 443.
However, what is common in all these solutions is the star topology where the user behind
the crippled router connects outward to a well-connected system.
Of course we don't want to make the entire network into a star, but it could be an
idea to deploy more regional gateways like our national gateway, that are interconnected
by IPIP tunnels and optionally are BGP-routed on internet, and that offer services like
mentioned above and discussed before in this thread to regional users who for some reason
cannot run IPIP.
It works well here.
It is possible to deploy these on virtual servers that are quite inexpensive these
days, certainly when not doing BGP (not all those hosters will offer BGP of a /16 or
similar network via their routers, at an affordable price)
In my experience it is possible (although not for "I am not a programmer" types)
to get
this working well on a Linux box. Setting up the VPN services and routing is quite well
described. Setting up a firewall requires some thought and monitoring, see the recent
incident with portmap. But this list is available for exchange of such information.
Rob
7 Jun
7 Jun
3:12 a.m.
New subject: Unable to Receive rip44 Datagram
The situation of GRE on consumer routers is a little more complicated.
Most feature an option like "vpn forward", or "gre forward" or
similar.
But these forwards work only for PPTP or L2TP, and use port knocking using
the PPtP/L2TP control channel to establish the internal forward
destination.
That means that, while PPtP or L2TP initiated by a internal client works,
plain GRE or other GRE based protocols like EoIP will not.
A possible option could be SSTP, which works over regular TCP connections
on port 443. But this is not well supported by the Linux world.
Marius, YO2LOJ
12:25 p.m.
New subject: Unable to Receive rip44 Datagram
On 6/7/16 4:00 AM, Rob Janssen wrote:
We also offer OpenVPN connectivity at our gateway, in
UDP mode only, and
this too is
problem-free w.r.t. ISP routers. I don't believe a provider would (or
even can?) filter
OpenVPN, certainly not when it would be run in TCP mode on port 443.
I haven't run in to 443 "filtering", but I have run into instances where
the ISP will drop TCP connections that are active for more than a few
minutes, forcing openvpn to restart the connection.
12:41 p.m.
New subject: Unable to Receive rip44 Datagram
James et al;
On Tue, 2016-06-07 at 13:25 -0400, James Sharp wrote:
I haven't run in to 443 "filtering", but
I have run into instances where
the ISP will drop TCP connections that are active for more than a few
minutes, forcing openvpn to restart the connection.
Chances are your issue is the same as mine was. The CPE (router) has a
built in watchdog timer that cuts all sockets after a few minutes. Using
port 443 wouldn't make any difference. To the average web user this
isn't an issue because each time a page is opened/refreshed a new socket
is created, thus a new timer engages. The same may be said for services
such as pop3/smtp/etc. where you're engaging a new socket each time you
pop or send email. As long as the attachments aren't that big where you
may exceed the watchdog's timer you'll never notice this.
I was noticing it when someone asked me to ssh into their system to
review their config, tweek their system, etc... and SSH would simply get
dropped. When I put the ISP's router into bridge mode and installed a
wifi router with DD-WRT, I had found where I was able to disable the
watchdog timer and have had no trouble with such things since. Yes it's
at the expense of having to use a second device and a little more
electricity but for now it's fixed the issues.
You also should be able to receive your RIP broadcasts just fine as
well.
--
<rhetorical> Why is it linux users can install and operate *any* version of M$
Windoze but the same can't be said in reverse?</rhetorical>
73 de Brian - N1URO
email: (see above)
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
http://uronode.sourceforge.net
http://axmail.sourceforge.net
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
1:07 p.m.
New subject: Unable to Receive rip44 Datagram
I block all ports and only have protocol 4 open. Seems to work for me. Is
this reasonable?
Jerry, N0MR
-----Original Message-----
From: Brian
Sent: Tuesday, June 07, 2016 12:41 PM
To: 44net(a)hamradio.ucsd.edu
Subject: Re: [44net] Unable to Receive rip44 Datagram
(Please trim inclusions from previous messages)
_______________________________________________
James et al;
On Tue, 2016-06-07 at 13:25 -0400, James Sharp wrote:
I haven't run in to 443 "filtering", but
I have run into instances where
the ISP will drop TCP connections that are active for more than a few
minutes, forcing openvpn to restart the connection.
Chances are your issue is the same as mine was. The CPE (router) has a
built in watchdog timer that cuts all sockets after a few minutes. Using
port 443 wouldn't make any difference. To the average web user this
isn't an issue because each time a page is opened/refreshed a new socket
is created, thus a new timer engages. The same may be said for services
such as pop3/smtp/etc. where you're engaging a new socket each time you
pop or send email. As long as the attachments aren't that big where you
may exceed the watchdog's timer you'll never notice this.
I was noticing it when someone asked me to ssh into their system to
review their config, tweek their system, etc... and SSH would simply get
dropped. When I put the ISP's router into bridge mode and installed a
wifi router with DD-WRT, I had found where I was able to disable the
watchdog timer and have had no trouble with such things since. Yes it's
at the expense of having to use a second device and a little more
electricity but for now it's fixed the issues.
You also should be able to receive your RIP broadcasts just fine as
well.
--
<rhetorical> Why is it linux users can install and operate *any* version of
M$
Windoze but the same can't be said in reverse?</rhetorical>
73 de Brian - N1URO
email: (see above)
Web: http://www.n1uro.net/
Ampr1: http://n1uro.ampr.org/
Ampr2: http://nos.n1uro.ampr.org
Linux Amateur Radio Services
axMail-Fax & URONode
http://uronode.sourceforge.net
http://axmail.sourceforge.net
AmprNet coordinator for:
Connecticut, Delaware, Maine,
Maryland, Massachusetts,
New Hampshire, Pennsylvania,
Rhode Island, and Vermont.
3092
days inactive
3092
days old
4 comments
5 participants
participants (5)
-
Brian -
James Sharp -
Lakenet -
marius@yo2loj.ro -
Rob Janssen