I have been trying to configure the AMPR tunnel for a while without success. Could someone please point me in the right direction?
I am running Debian 11 with public IP. I have configured the public IP in the AMPR portal as gateway.
I am trying to follow this document https://wiki.ampr.org/wiki/Ubuntu_Linux_Gateway_Example
When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
Here is what I have done so far.
In /etc/network/interfaces, I added:

    auto ens3:1
    iface ens3:1 inet static
        address 44.26.0.168
        netmask 255.255.255.248

Then I created the ipip tunnel using the following commands:

    ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
    ip link set dev ampr0 up
    ifconfig ampr0 multicast
    ip rule add to 44.0.0.0/8 table 44 priority 44
    ip rule add from 44.26.0.168/29 table 44 priority 45
    ip route add default dev ampr0 via 169.228.34.84 onlink table 44
    ip route add 44.26.0.168/29 dev ens3 table 44

Then I run

    ampr-ripd -d -v -i ens3

to get the password, in order to plug it into the last command:

    ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <SecretPassword>

However, find_password.sh stopped at waiting for the RIPv2 broadcast. Here are the logs for the command:

    Using metric 0 for routes.
    Using TCP window 840 for routes.
    Using gateway 209.141.42.1 for direct 44net endpoints via interface ens3.
    Waiting for RIPv2 broadcasts...

Any idea what I am doing wrong? Thanks
Kun
> I have configured the public IP in the AMPR portal as gateway.

If you just did this, wait a while, like a half hour.

> When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.

You don't need to run the find password script or specify a password if you are using ampr-ripd above version 1.14 (it's hardcoded in the program). But I do believe even if you run that, it should retrieve it.
I usually start off really stripped down, with all firewall stuff off till I know I am receiving the protocol 4 RIP broadcasts.
Do you see anything with tcpdump?

    tcpdump -i eth0 -vvv host amprgw.ucsd.edu or ip proto \icmp

If not, then something upstream is blocking protocol 4 from reaching you. Seems like it might be outside of your home if you're configuring the interface directly with a public IP.
In the iptables world, here is the ipencap (protocol 4) syntax:

    iptables -A INPUT -p 4 -j ACCEPT
On Wed, Nov 3, 2021 at 6:11 PM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
Yes. I am trying this on a buyvm vps.
When I run

    sudo tcpdump -i ens3 -vvv host amprgw.ucsd.edu

this is what I got:

    tcpdump: listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes

So it does look like something is blocking it?
Kun

From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Steve L via 44Net 44net@mailman.ampr.org
Sent: Wednesday, November 3, 2021 18:46
To: 44Net general discussion 44net@mailman.ampr.org
Cc: Steve L kb9mwr@gmail.com
Subject: Re: [44net] Tunnel setup help: Debian 11

>> I have configured the public IP in the AMPR portal as gateway.
>
> If you just did this, wait a while, like a half hour.
>
>> When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
>
> You don't need to run the find password script or specify a password if you are using ampr-ripd above version 1.14 (it's hardcoded in the program). But I do believe even if you run that, it should retrieve it.
> I usually start off really stripped down, with all firewall stuff off till I know I am receiving the protocol 4 RIP broadcasts.
> Do you see anything with tcpdump?
>
>     tcpdump -i eth0 -vvv host amprgw.ucsd.edu or ip proto \icmp
>
> If not, then something upstream is blocking protocol 4 from reaching you. Seems like it might be outside of your home if you're configuring the interface directly with a public IP.
> In the iptables world, here is the ipencap (protocol 4) syntax:
>
>     iptables -A INPUT -p 4 -j ACCEPT
Kun,
I think you got the whole concept wrong.
1. You need to configure a network interface with your public IP
2. You need to register that public IP with the portal
3. After 30 min or so, on that public IP you need to receive IP proto 4 traffic, at least once every 5 minutes (the RIP broadcasts)
4. Next you need to set up a point to multipoint tunnel interface
5. You need to run ampr-ripd on that tunnel interface to receive the RIP broadcasts. Ampr-ripd will set up all your additional routes as defined in its command parameters
6. You need to set up a local network interface according to your allocation, where the gateway will forward the 44-net traffic to local machines
So in your case you may listen to ens3 as long as you wish. The correct command to check for RIPv2 messages is:
ampr-ripd -d -v -i ampr0
The incoming ampr0 traffic is seen on the interface ampr0, not on ens3... Ens3 in your setup is for connecting your local machines...
Marius, YO2LOJ
See my comments below in bold. Thanks. Kun

From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Marius Petrescu via 44Net 44net@mailman.ampr.org
Sent: Thursday, November 4, 2021 14:25
To: 44net@mailman.ampr.org 44net@mailman.ampr.org
Cc: Marius Petrescu marius@yo2loj.ro
Subject: Re: [44net] Tunnel setup help: Debian 11

> Kun,
> I think you got the whole concept wrong.
> 1. You need to configure a network interface with your public IP

I am configuring it on my public IP. Interface ens3 is the interface with public IP. I create an interface ens3:1 with my AMPR IP

> 2. You need to register that public IP with the portal

I have set up my public IP with amprportal

> 3. After 30 min or so, on that public IP you need to receive IP proto 4 traffic, at least once every 5 minutes (the RIP broadcasts)

The find_pass.sh could receive the password broadcast now

> 4. Next you need to set up a point to multipoint tunnel interface

I have set up a script to create the IPIP tunnel. Attached below. Let me know if something isn't right.

> 5. You need to run ampr-ripd on that tunnel interface to receive the RIP broadcasts. Ampr-ripd will set up all your additional routes as defined in its command parameters
> 6. You need to set up a local network interface according to your allocation, where the gateway will forward the 44-net traffic to local machines
>
> So in your case you may listen to ens3 as long as you wish. The correct command to check for RIPv2 messages is:
>
>     ampr-ripd -d -v -i ampr0

Where does the ampr0 interface come from? I could create one in /etc/network/interfaces. I only have one network interface.

> The incoming ampr0 traffic is seen on the interface ampr0, not on ens3... Ens3 in your setup is for connecting your local machines...
>
> Marius, YO2LOJ

-- rc.local

###
## Create AMPRNet Tunnel and routing
##

## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255

## Bring it up
ip link set dev ampr0 up

## Enable Multicast in order to receive routes
ifconfig ampr0 multicast

## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44

# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45

## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44

# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44

## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <thepassword I received>

-- /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet dhcp

auto ens3:1
iface ens3:1 inet static
    address 44.26.0.168
    netmask 255.255.255.248

At the beginning, this concept confused the heck out of me, so I'd like to share some things I was not aware of.
I have worked with tunnels before, also ipip/ipencap ("proto 4") tunnels. There is usually a concept like local end/remote end. But "strangely" a remote end was never configured for ampr.
Now say your tunnel device is tunl0 which has *no* endpoint configured.
1.) When traffic is sent to your 44.x IP address, "someone else" (possibly amprgw.ucsd.edu) will pack that entire IP packet into another IP packet and send it to your public, static IP, protocol 4. The network stack removes the outer header and the original packet (with destination IP) pops out of your tunl0 device.
2.) But what happens when you send something? How is this processed in the tunnel without a remote endpoint? There is a property of "nexthop" on Linux routes. When used in combination with a tunl device without an explicit endpoint, Linux will take the destination address of the nexthop in the route.
So say you have a route in the system

    ip route add 44.63.15.64/28 via 93.83.102.170 dev tunl0 onlink

and you ping 44.63.15.65, Linux will wrap an outer IP packet (proto=4) and destination IP 93.83.102.170 around it and just send that packet via another route (most likely your normal default route over your normal internet uplink).
What rip44d does is that it listens on the tunnel device for RIP packets (actually, modified RIP packets) and then adds (via the "ip route" command) all routes from the portal (44.xx pairs and the public IPs) to the routing table.
I know you got your tunnel up now (great!) but just wanted to add this if it helps understanding.
- KM6RDV
Oh, when I run find_pass.sh again, I did get the ripv4 broadcast and found the password.
And then I proceeded to set up rc.local as documented in that wiki article. However, I still can't ping my AMPR IP from the Internet.

-- rc.local

###
## Create AMPRNet Tunnel and routing
##

## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255

## Bring it up
ip link set dev ampr0 up

## Enable Multicast in order to receive routes
ifconfig ampr0 multicast

## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44

# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45

## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44

# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44

## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <thepassword I received>

That's because that setup does not allow that, because replies will go out your main default route, from table main.
There should be another routing table, let's say 45, holding only a single default route:
ip route add default dev ampr0 via 169.228.34.84 onlink table 45
And you need to connection mark any incoming new connection from ampr0 NOT in 44.0.0.0/9 or 44.128.0.0/10 with that connection mark, and then mark any packet with that connection mark with routing mark 45. This will ensure the replies coming from ampr0 go back the way they came in... So basically you need this:
iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark
But be aware, this will get the door wide open from the internet to your internal network, so setting up some firewall rules would be useful...
Marius, YO2LOJ
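
The return-path setup described in the message above, written out as an added example (not code from the thread or from ampr-ripd): it generates the table 45 route, the five mangle rules, the `ip rule` that makes packet mark 45 select table 45, and a small default-drop filter for traffic entering through ampr0, then lints the plan before printing it. The rule priority 43, the ping-only inbound policy and the UDP 520 exception for RIP are assumptions made here; nothing is executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Values taken from the thread: ampr0,
# 169.228.34.84, mark/table 45. Assumptions: rule priority 43, ping-only
# inbound policy, RIP accepted on UDP 520.
AMPR_IF=${AMPR_IF:-ampr0}
AMPRGW=${AMPRGW:-169.228.34.84}
MARK=${MARK:-45}

# Routing half: table $MARK holds a single default route back into the tunnel.
# The fwmark rule is what makes a packet carrying the mark use that table;
# priority 43 puts it ahead of the rc.local rules 44 and 45 (assumption).
routing_plan() {
    cat <<EOF
ip route add default dev $AMPR_IF via $AMPRGW onlink table $MARK
ip rule add fwmark $MARK table $MARK priority 43
iptables -t mangle -A PREROUTING -i $AMPR_IF -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i $AMPR_IF -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i $AMPR_IF -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m connmark --mark $MARK -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i $AMPR_IF -m connmark --mark $MARK -j CONNMARK --restore-mark
EOF
}

# Filter half: accept the outer ipencap packets, then allow only replies,
# ping and (on INPUT) RIP from the tunnel; everything else from it is dropped.
filter_plan() {
    echo "iptables -A INPUT -p 4 -j ACCEPT"
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $AMPR_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A $chain -i $AMPR_IF -p icmp --icmp-type echo-request -j ACCEPT"
        if [ "$chain" = INPUT ]; then
            echo "iptables -A INPUT -i $AMPR_IF -p udp --dport 520 -j ACCEPT"
        fi
        echo "iptables -A $chain -i $AMPR_IF -j DROP"
    done
}

# lint_plan: read a plan on stdin and fail if
#  - a connmark is restored into the packet mark but no "ip rule ... fwmark"
#    exists, so the mark would never influence routing, or
#  - a filter rule for the tunnel interface follows that chain's DROP and
#    could therefore never match.
lint_plan() {
    awk -v ifc="$AMPR_IF" '
        /CONNMARK --restore-mark/ { restore = 1 }
        $1 == "ip" && $2 == "rule" && /fwmark/ { fwrule = 1 }
        $1 == "iptables" && $2 == "-A" && index($0, "-i " ifc) {
            if (dropped[$3]) { print "unreachable after DROP: " $0; bad = 1 }
            if ($NF == "DROP") dropped[$3] = 1
        }
        END {
            if (restore && !fwrule) {
                print "mark is restored but no fwmark rule selects a table"
                bad = 1
            }
            exit bad + 0
        }'
}

# apply_plan: print every command; run it only when APPLY=1 (needs root).
apply_plan() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || return 1
        fi
    done
}

plan=$(routing_plan; filter_plan)
if printf '%s\n' "$plan" | lint_plan; then
    printf '%s\n' "$plan" | apply_plan
fi
```
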
On 04/11/2021 23:28, KUN LIN via 44Net wrote:
Oh, when I run find_pass.sh again, I did get the ripv4 broadcast and found the password.
And then I proceed to setup rc.local as documented in that wiki article. However, I still can't ping my AMPR IP from Internet.
-- rc.local
### ## Create AMPRNet Tunnel and routing ##
## Configure Tunnel (put your ISP you received from your ISP Here). ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
## Bring it up ip link set dev ampr0 up
## Enable Multicast in order to receive routes ifconfig ampr0 multicast
## Configure Policy Based routing # Packets to 44/8 network use routing table 44 ip rule add to 44.0.0.0/8 table 44 priority 44
# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here) ip rule add from 44.26.0.168/29 table 44 priority 45
## Configure static routes # Default route for table 44 is to send traffic to amprnet gateway at UCSD ip route add default dev ampr0 via 169.228.34.84 onlink table 44
# Route packets for our net to local interface (put your AMPRNet Subnet here) ip route add 44.26.0.168/29 dev ens3 table 44
## Start ampr-ripd to learn rest of mesh routes # Be sure to substitute the password you found earlier for <SecretPassword> # Put your static IP you received from your ISP here. /usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <thepassword I received>
From: 44Net <44net-bounces+dnwk=linkun.info@mailman.ampr.org> on behalf of Steve L via 44Net <44net@mailman.ampr.org>
Sent: Wednesday, November 3, 2021 18:46
To: 44Net general discussion <44net@mailman.ampr.org>
Cc: Steve L <kb9mwr@gmail.com>
Subject: Re: [44net] Tunnel setup help: Debian 11
> I have configured the public IP in the AMPR portal as gateway.
If you just did this, wait a while like a half hour.
> When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
You don't need to run the find password script or specify a password if you are using ampr-ripd above version 1.14 (it's hardcoded in the program). But I do believe even if you run that, it should retrieve it.
I usually start off really stripped down, with all firewall stuff off till I know I am receiving the protocol 4 rip broadcasts.
Do you see anything with tcpdump?
tcpdump -i eth0 -vvv host amprgw.ucsd.edu or ip proto \icmp
If not, then something upstream is blocking protocol 4 from reaching you. Seems like it might be outside of your home if you're configuring the interface directly with a public IP
In the iptables world, here is the ipencap (protocol 4) syntax:
iptables -A INPUT -p 4 -j ACCEPT
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
I still can't ping my AMPR IP: I could receive RIPv2 password
Here is a recap of all the configuration I did:
/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens3
iface ens3 inet dhcp
iface ens3 inet6 static
    address 2605:6400:20:1920:8af7:f451:cb26:a3f8
    netmask 48
    gateway 2605:6400:20::1
auto ampr0
iface ampr0 inet static
    address 44.26.0.168
    netmask 255.255.255.248
/etc/rc.local
iptables -A INPUT -p 4 -j ACCEPT
## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
## Bring it up
ip link set dev ampr0 up
## Enable Multicast in order to receive routes
ifconfig ampr0 multicast
## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44
# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45
ip route add default dev ampr0 via 169.228.34.84 onlink table 45
## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44
# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44
## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p pLaInTeXtpAsSwD
iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark
exit 0
________________________________
From: 44Net <44net-bounces+dnwk=linkun.info@mailman.ampr.org> on behalf of Marius Petrescu via 44Net <44net@mailman.ampr.org>
Sent: Thursday, November 4, 2021 14:45
To: 44net@mailman.ampr.org <44net@mailman.ampr.org>
Cc: Marius Petrescu <marius@yo2loj.ro>
Subject: Re: [44net] Tunnel setup help: Debian 11
That's because that setup does not allow that, because replies will go out your main default route, from table main.
There should be another routing table, let's say 45, holding only a single default route:
ip route add default dev ampr0 via 169.228.34.84 onlink table 45
And you need to connection mark any incoming new connection from ampr0 NOT in 44.0.0.0/9 or 44.128.0.0/10 with that connection mark, and then mark any packet with that connection mark with routing mark 45. This will ensure the replies coming from ampr0 go back the way they came in... So basically you need this:
iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark
But be aware, this will get the door wide open from the internet to your internal network, so setting up some firewall rules would be useful...
Marius, YO2LOJ
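Marius's caveat about the open door, as an added example that is not part of the thread: a stateful filter table to pair with the connmark rules, plus a small audit over `iptables-save` style text that reports whether unsolicited traffic arriving on the tunnel is dropped. The rule text is constructed from the commands posted in the thread; the accept list in `hardened_filter` (ping, RIPv2 on UDP 520) and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. The rule text below is constructed
# from the commands posted in the thread (ampr0, mark 45, -p 4); the accept
# list in hardened_filter and all function names are assumptions.

# Reply-path marking as posted in the thread (mangle table).
mangle_rules() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
-A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
-A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
-A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
-A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark
COMMIT
EOF
}

# Filter table as the thread's rc.local leaves it: only the IPIP accept rule.
thread_filter() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p 4 -j ACCEPT
COMMIT
EOF
}

# Same table with a stateful default-drop for packets decapsulated on ampr0.
# Accepted on the gateway itself: replies, ping, and RIPv2 (UDP 520) so that
# ampr-ripd keeps receiving routes. Forwarded traffic: replies only.
hardened_filter() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p 4 -j ACCEPT
-A INPUT -i ampr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ampr0 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i ampr0 -p udp --dport 520 -j ACCEPT
-A INPUT -i ampr0 -j DROP
-A FORWARD -i ampr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ampr0 -j DROP
COMMIT
EOF
}

thread_rules()   { mangle_rules; thread_filter; }
hardened_rules() { mangle_rules; hardened_filter; }

# audit_tunnel IFACE  (ruleset on stdin)
# Prints three lines: whether new connections on IFACE get a connmark, and
# whether INPUT and FORWARD end up "filtered" or "open" for IFACE.
# A chain counts as filtered if its policy is DROP or it holds a catch-all
# "-i IFACE -j DROP|REJECT" rule; rule order and the accept rules in front of
# it are not evaluated.
audit_tunnel() {
    awk -v ifc="$1" '
        BEGIN { st["INPUT"] = st["FORWARD"] = "open"; mark = "no" }
        /^\*/ { table = substr($1, 2); next }
        table == "mangle" && index($0, " -i " ifc " ") && /CONNMARK --set-x?mark/ { mark = "yes" }
        table != "filter" { next }
        /^:/ { c = substr($1, 2); if ((c in st) && $2 == "DROP") st[c] = "filtered"; next }
        $1 == "-A" && ($2 in st) && $3 == "-i" && $4 == ifc && $5 == "-j" && ($6 == "DROP" || $6 == "REJECT") {
            st[$2] = "filtered"
        }
        END {
            print "connmark " mark
            print "INPUT " st["INPUT"]
            print "FORWARD " st["FORWARD"]
        }
    '
}

echo "thread rules:";   thread_rules   | audit_tunnel ampr0
echo "hardened rules:"; hardened_rules | audit_tunnel ampr0
```

On a live gateway, `iptables-save | audit_tunnel ampr0` (as root) runs the same check against the loaded rules.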
https://wiki.ampr.org/wiki/FAQ
*What is the AmprGW?*
The AmprGW is a server run by Brian Kantor at UCSD as part of a long-running Internet research project. It has a number of functions:
a) It provides a selective gateway between non-AMPRNet internet devices and the IPIP (mesh) AMPRNet. For this traffic, it filters at the per-host(/32) level. Each host which is to receive traffic from the Internet into AMPRNet must individually be listed in the permissions file, which is built from the AMPR.ORG DNS 'A' records. If there is no DNS A record for a tunneled amprnet destination host, the traffic is not forwarded in either direction. Therefore, if you want hosts on your subnet to be able to communicate with the Internet, you will need to have your local coordinator add them to the AMPR.ORG DNS for you.
So, for my allocation 44.26.0.168/29, in order to use them, I will have to ask for an A record for each individual IP?
Kun
Yes
On Fri, Nov 5, 2021 at 9:22 AM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
So, for my allocation 44.26.0.168/29, in order to use them, I will have to ask for a A record for each individual IP? Kun
From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Steve L via 44Net 44net@mailman.ampr.org Sent: Thursday, November 4, 2021 17:53 To: 44Net general discussion 44net@mailman.ampr.org Cc: Steve L kb9mwr@gmail.com Subject: Re: [44net] Tunnel setup help: Debian 11
https://wiki.ampr.org/wiki/FAQ
*What is the AmprGW?*
The AmprGW is a server run by Brian Kantor at UCSD as part of a long-running Internet research project. It has a number of functions:
a) It provides a selective gateway between non-AMPRNet internet devices and the IPIP (mesh) AMPRNet. For this traffic, it filters at the per-host(/32) level. Each host which is to receive traffic from the Internet into AMPRNet must individually be listed in the permissions file, which is built from the AMPR.ORG DNS 'A' records. If there is no DNS A record for a tunneled amprnet destination host, the traffic is not forwarded in either direction. Therefore, if you want hosts on your subnet to be able to communicate with the Internet, you will need to have your local coordinator add them to the AMPR.ORG DNS for you.
On Thu, Nov 4, 2021, 5:01 PM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
I still can't ping my AMPR IP: I could receive RIPv2 password
Here is a recap of all the configuration I did:
/etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet dhcp
iface ens3 inet6 static
    address 2605:6400:20:1920:8af7:f451:cb26:a3f8
    netmask 48
    gateway 2605:6400:20::1

auto ampr0
iface ampr0 inet static
    address 44.26.0.168
    netmask 255.255.255.248

/etc/rc.local

iptables -A INPUT -p 4 -j ACCEPT

## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255

## Bring it up
ip link set dev ampr0 up

## Enable Multicast in order to receive routes
ifconfig ampr0 multicast

## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44

# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45
ip route add default dev ampr0 via 169.228.34.84 onlink table 45

## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44

# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44

## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p pLaInTeXtpAsSwD

iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark

exit 0

________________________________
From: 44Net <44net-bounces+dnwk=linkun.info@mailman.ampr.org> on behalf of Marius Petrescu via 44Net <44net@mailman.ampr.org>
Sent: Thursday, November 4, 2021 14:45
To: 44net@mailman.ampr.org <44net@mailman.ampr.org>
Cc: Marius Petrescu <marius@yo2loj.ro>
Subject: Re: [44net] Tunnel setup help: Debian 11

That's because that setup does not allow that, because replies will go out your main default route, from table main.

There should be another routing table, let's say 45, holding only a single default route:

ip route add default dev ampr0 via 169.228.34.84 onlink table 45

And you need to connection mark any incoming new connection from ampr0 NOT in 44.0.0.0/9 or 44.128.0.0/10 with that connection mark, and then mark any packet with that connection mark with routing mark 45.
This will ensure the replies coming from ampr0 go back the way they came in...
So basically you need this:

iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN

iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN

iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45

iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark

iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark

But be aware, this will get the door wide open from the internet to your internal network, so setting up some firewall rules would be useful...

Marius, YO2LOJ

On 04/11/2021 23:28, KUN LIN via 44Net wrote:
> Oh, when I run find_pass.sh again, I did get the ripv4 broadcast and found the password.
>
> And then I proceed to setup rc.local as documented in that wiki article. However, I still can't ping my AMPR IP from Internet.
>
> -- rc.local
>
> ###
> ## Create AMPRNet Tunnel and routing
> ##
>
> ## Configure Tunnel (put your ISP you received from your ISP Here).
> ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
>
> ## Bring it up
> ip link set dev ampr0 up
>
> ## Enable Multicast in order to receive routes
> ifconfig ampr0 multicast
>
> ## Configure Policy Based routing
> # Packets to 44/8 network use routing table 44
> ip rule add to 44.0.0.0/8 table 44 priority 44
>
> # Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
> ip rule add from 44.26.0.168/29 table 44 priority 45
>
> ## Configure static routes
> # Default route for table 44 is to send traffic to amprnet gateway at UCSD
> ip route add default dev ampr0 via 169.228.34.84 onlink table 44
>
> # Route packets for our net to local interface (put your AMPRNet Subnet here)
> ip route add 44.26.0.168/29 dev ens3 table 44
>
> ## Start ampr-ripd to learn rest of mesh routes
> # Be sure to substitute the password you found earlier for <SecretPassword>
> # Put your static IP you received from your ISP here.
> /usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <thepassword I received>
>
> ________________________________
> From: 44Net <44net-bounces+dnwk=linkun.info@mailman.ampr.org> on behalf of Steve L via 44Net <44net@mailman.ampr.org>
> Sent: Wednesday, November 3, 2021 18:46
> To: 44Net general discussion <44net@mailman.ampr.org>
> Cc: Steve L <kb9mwr@gmail.com>
> Subject: Re: [44net] Tunnel setup help: Debian 11
>
>> I have configured the public IP in the AMPR portal as gateway.
> If you just did this, wait a while like a half hour.
>
>> When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
> You don't need to run the find password script or specify a password if you are using ampr-ripd above version 1.14 (its hardcoded in the program). But I do believe even if you run that, it should retrieve it.
>
> I usually start off really stripped down, with all firewall stuff off till I know I am receiving the protocol 4 rip broadcasts.
>
> Do you see anything with tcpdump ?
> tcpdump -i eth0 -vvv host amprgw.ucsd.edu or ip proto \\icmp
>
> If not, then something upstream is blocking protocol 4 from reaching you. Seems like it might be outside of your home if your configuring the interface directly with a public IP
>
> In the iptables world, here is the ipencap (protocol 4) syntax:
> iptables -A INPUT -p 4 -j ACCEPT
>
> On Wed, Nov 3, 2021 at 6:11 PM KUN LIN via 44Net <44net@mailman.ampr.org> wrote:
>> I have been trying to configure the AMPRtunnel for a while without success. Could someone please point me to the right direction.
>>
>> I am running Debian 11 with public IP. I have configured the public IP in the AMPR portal as gateway.
>>
>> I am trying to follow this document https://wiki.ampr.org/wiki/Ubuntu_Linux_Gateway_Example
>>
>> When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
>>
>> Here is what I have done so far.
>>
>> in /etc/network/interfaces, I added
>>
>> auto ens3:1
>> iface ens3:1 inet static
>> address 44.26.0.168
>> netmask 255.255.255.248
>>
>> Then I created ipip tunnel using following commands
>>
>> ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
>> ip link set dev ampr0 up
>> ifconfig ampr0 multicast
>> ip rule add to 44.0.0.0/8 table 44 priority 44
>> ip rule add from 44.26.0.168/29 table 44 priority 45
>> ip route add default dev ampr0 via 169.228.34.84 onlink table 44
>> ip route add 44.26.0.168/29 dev ens3 table 44
>>
>> Then, I run ampr-ripd -d -v -i ens3 to get the password in order to plug into lat command
>> ampr-ripd -s -i ampr0 -a 209.141.42.9-t 44 -p <SecretPassword>
>>
>> However, the find_password.sh stopped at waiting for ripv2 broadcast. Here is the logs for command
>>
>> Using metric 0 for routes.
>> Using TCP window 840 for routes.
>> Using gateway 209.141.42.1 for direct 44net endpoints via interface ens3.
>> Waiting for RIPv2 broadcasts...
>>
>> Any idea on what am I doing wrong?
>> Thanks
>>
>> Kun
>>
>> _________________________________________
>> 44Net mailing list
>> 44Net@mailman.ampr.org
>> https://mailman.ampr.org/mailman/listinfo/44net
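Marius's reply quoted above warns that the CONNMARK return-path rules leave the tunnel open from the Internet to the internal network. One way to close that door with a stateful, default-deny filter on ampr0 is sketched below; it is an added example, not part of any message in this thread, and the chain name AMPR_IN, the function names and the tcp/22 service entry are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny, stateful filtering for
# packets that arrive decapsulated on the IPIP tunnel interface.
# Assumptions: chain name AMPR_IN, the function names, the service list.

# Print an iptables-restore fragment for the filter table.
#   $1  local AMPRNet allocation, e.g. 44.26.0.168/29
#   $2  optional space-separated services open to new inbound connections,
#       each written proto/port (tcp/22, udp/53, ...)
ampr_filter_rules() {
    _net=$1
    _open=${2:-}

    case $_net in
        *[!0-9./]*) echo "bad prefix: $_net" >&2; return 1 ;;
        44.*/*) ;;
        *) echo "not an AMPRNet prefix: $_net" >&2; return 1 ;;
    esac

    # Validate every service entry before printing anything, so a bad entry
    # can never yield a partial ruleset.
    for _svc in $_open; do
        case $_svc in
            tcp/*|udp/*) ;;
            *) echo "bad service: $_svc" >&2; return 1 ;;
        esac
        case ${_svc#*/} in
            ''|*[!0-9]*) echo "bad port: $_svc" >&2; return 1 ;;
        esac
    done

    cat <<EOF
*filter
:AMPR_IN - [0:0]
# Replies to connections opened from this side of the tunnel
-A AMPR_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A AMPR_IN -m conntrack --ctstate INVALID -j DROP
# RIPv2 announcements (multicast 224.0.0.9, UDP 520) that ampr-ripd listens for
-A AMPR_IN -p udp -d 224.0.0.9 --dport 520 -j ACCEPT
# Nothing else should arrive for addresses outside our allocation
-A AMPR_IN ! -d $_net -j DROP
# Rate-limited echo requests so reachability tests keep working
-A AMPR_IN -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    for _svc in $_open; do
        printf '%s\n' "-A AMPR_IN -p ${_svc%%/*} --dport ${_svc#*/} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything not explicitly allowed above is dropped
    printf '%s\n' "-A AMPR_IN -j DROP" "COMMIT"
}

# Load the chain and hook it into INPUT and FORWARD for the tunnel interface.
# Must run as root, after the tunnel exists.
#   $1 tunnel interface, $2 allocation, $3 optional service list
ampr_filter_apply() {
    _tun=$1
    case $_tun in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $_tun" >&2; return 1 ;;
    esac
    _rules=$(ampr_filter_rules "$2" "${3:-}") || return 1
    # --noflush keeps the rest of the filter table intact
    printf '%s\n' "$_rules" | iptables-restore --noflush || return 1
    for _hook in INPUT FORWARD; do
        # Add the jump only once, ahead of any existing ACCEPT rules
        iptables -C "$_hook" -i "$_tun" -j AMPR_IN 2>/dev/null ||
            iptables -I "$_hook" 1 -i "$_tun" -j AMPR_IN
    done
}

# Typical call from rc.local, after the tunnel and routing commands:
#   ampr_filter_apply ampr0 44.26.0.168/29 "tcp/22"
```

Running `ampr_filter_rules 44.26.0.168/29 "tcp/22"` on its own prints the ruleset without touching the firewall, which is a convenient way to review it before applying.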
I think a key point here is if you want them to be able to reach the Internet via the AMPR gateway in San Diego, CA then YES, each IP will need its own DNS "A" record. If you just want to talk to other hosts on the IPIP mesh, NO, each of your IPs won't need a DNS record.
--David KI6ZHD
On 11/05/2021 10:53 AM, K7VE - John via 44Net wrote:
Yes
On Fri, Nov 5, 2021 at 9:22 AM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
So, for my allocation 44.26.0.168/29, in order to use them, I will have to ask for an A record for each individual IP?
Kun
From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Steve L via 44Net 44net@mailman.ampr.org
Sent: Thursday, November 4, 2021 17:53
To: 44Net general discussion 44net@mailman.ampr.org
Cc: Steve L kb9mwr@gmail.com
Subject: Re: [44net] Tunnel setup help: Debian 11
https://wiki.ampr.org/wiki/FAQ
Is there an example IP I could try to ping to make sure my tunnel is set up correctly before asking for an A record?
Thanks,
Kun
In theory all of these reporting nodes / stations should be internally reachable:
https://wiki.ampr.org/wiki/Ampr-map
On Fri, Nov 5, 2021, 4:41 PM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
Is there an example IP I could try to ping to make sure my tunnel is set up correctly before asking for an A record?
Thanks,
Kun
On Thu, Nov 4, 2021, 5:01 PM KUN LIN via 44Net 44net@mailman.ampr.org wrote:
I still can't ping my AMPR IP: I could receive RIPv2 password
Here is a recap of all the configuration I did:
/etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet dhcp
iface ens3 inet6 static
address 2605:6400:20:1920:8af7:f451:cb26:a3f8
netmask 48
gateway 2605:6400:20::1

auto ampr0
iface ampr0 inet static
address 44.26.0.168
netmask 255.255.255.248

/etc/rc.local

iptables -A INPUT -p 4 -j ACCEPT

## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255

## Bring it up
ip link set dev ampr0 up

## Enable Multicast in order to receive routes
ifconfig ampr0 multicast

## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44

# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45
ip route add default dev ampr0 via 169.228.34.84 onlink table 45

## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44

# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44

## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p pLaInTeXtpAsSwD

iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark

exit 0

From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Marius Petrescu via 44Net 44net@mailman.ampr.org
Sent: Thursday, November 4, 2021 14:45
To: 44net@mailman.ampr.org 44net@mailman.ampr.org
Cc: Marius Petrescu marius@yo2loj.ro
Subject: Re: [44net] Tunnel setup help: Debian 11
That's because that setup does not allow that, because replies will go out your main default route, from table main.
There should be another routing table, let's say 45, holding only a single default route:
ip route add default dev ampr0 via 169.228.34.84 onlink table 45
And you need to connection mark any incoming new connection from ampr0 NOT in 44.0.0.0/9 or 44.128.0.0/10 with that connection mark, and then mark any packet with that connection mark with routing mark 45. This will ensure the replies coming from ampr0 go back the way they came in...
So basically you need this:
iptables -t mangle -A PREROUTING -i ampr0 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -s 44.128.0.0/10 -j RETURN
iptables -t mangle -A PREROUTING -i ampr0 -j CONNMARK --set-mark 45
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING ! -i ampr0 -m connmark --mark 45 -j CONNMARK --restore-mark
But be aware, this will get the door wide open from the internet to your internal network, so setting up some firewall rules would be useful...
Marius, YO2LOJ
On 04/11/2021 23:28, KUN LIN via 44Net wrote:
Oh, when I run find_pass.sh again, I did get the ripv4 broadcast and found the password.
And then I proceed to setup rc.local as documented in that wiki article.
However, I still can't ping my AMPR IP from Internet.
-- rc.local

###
## Create AMPRNet Tunnel and routing
##

## Configure Tunnel (put your ISP you received from your ISP Here).
ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255

## Bring it up
ip link set dev ampr0 up

## Enable Multicast in order to receive routes
ifconfig ampr0 multicast

## Configure Policy Based routing
# Packets to 44/8 network use routing table 44
ip rule add to 44.0.0.0/8 table 44 priority 44

# Packets from our 44 subnet use table 44 (put your AMPRNet Subnet here)
ip rule add from 44.26.0.168/29 table 44 priority 45

## Configure static routes
# Default route for table 44 is to send traffic to amprnet gateway at UCSD
ip route add default dev ampr0 via 169.228.34.84 onlink table 44

# Route packets for our net to local interface (put your AMPRNet Subnet here)
ip route add 44.26.0.168/29 dev ens3 table 44

## Start ampr-ripd to learn rest of mesh routes
# Be sure to substitute the password you found earlier for <SecretPassword>
# Put your static IP you received from your ISP here.
/usr/bin/ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <thepassword I received>

From: 44Net 44net-bounces+dnwk=linkun.info@mailman.ampr.org on behalf of Steve L via 44Net 44net@mailman.ampr.org
Sent: Wednesday, November 3, 2021 18:46
To: 44Net general discussion 44net@mailman.ampr.org
Cc: Steve L kb9mwr@gmail.com
Subject: Re: [44net] Tunnel setup help: Debian 11
I have configured the public IP in the AMPR portal as gateway.
If you just did this, wait a while like a half hour.
When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
You don't need to run the find password script or specify a password if you are using ampr-ripd above version 1.14 (it's hardcoded in the program). But I do believe even if you run that, it should retrieve it.
I usually start off really stripped down, with all firewall stuff off till I know I am receiving the protocol 4 rip broadcasts.
Do you see anything with tcpdump?
tcpdump -i eth0 -vvv host amprgw.ucsd.edu or ip proto \icmp
If not, then something upstream is blocking protocol 4 from reaching you. Seems like it might be outside of your home if you're configuring the interface directly with a public IP.
In the iptables world, here is the ipencap (protocol 4) syntax:
iptables -A INPUT -p 4 -j ACCEPT
On Wed, Nov 3, 2021 at 6:11 PM KUN LIN via 44Net <44net@mailman.ampr.org> wrote:
I have been trying to configure the AMPRtunnel for a while without success. Could someone please point me to the right direction.
I am running Debian 11 with public IP. I have configured the public IP in the AMPR portal as gateway.
I am trying to follow this document https://wiki.ampr.org/wiki/Ubuntu_Linux_Gateway_Example
When I try to run find_password.sh in ampr-ripd-2.4, I am stopped at Waiting for RIPv2 broadcasts... and never retrieve a password.
Here is what I have done so far.
in /etc/network/interfaces, I added

auto ens3:1
iface ens3:1 inet static
address 44.26.0.168
netmask 255.255.255.248

Then I created ipip tunnel using following commands

ip tunnel add ampr0 mode ipip local 209.141.42.9 ttl 255
ip link set dev ampr0 up
ifconfig ampr0 multicast
ip rule add to 44.0.0.0/8 table 44 priority 44
ip rule add from 44.26.0.168/29 table 44 priority 45
ip route add default dev ampr0 via 169.228.34.84 onlink table 44
ip route add 44.26.0.168/29 dev ens3 table 44

Then, I run ampr-ripd -d -v -i ens3 to get the password in order to plug into last command

ampr-ripd -s -i ampr0 -a 209.141.42.9 -t 44 -p <SecretPassword>

However, the find_password.sh stopped at waiting for ripv2 broadcast. Here is the logs for command

Using metric 0 for routes.
Using TCP window 840 for routes.
Using gateway 209.141.42.1 for direct 44net endpoints via interface ens3.
Waiting for RIPv2 broadcasts...

Any idea on what am I doing wrong? Thanks
Kun
Thanks. I did successfully ping some mesh only IP. I’m just waiting for DNS entry now. Finally get the IPIP tunnel done.
Kun
From: Steve L via 44Net 44net@mailman.ampr.org
Sent: Friday, November 5, 2021 5:49 PM
To: 44Net general discussion 44net@mailman.ampr.org
Cc: Steve L kb9mwr@gmail.com
Subject: Re: [44net] Tunnel setup help: Debian 11
In theory all of these reporting nodes / stations should be internally reachable:
https://wiki.ampr.org/wiki/Ampr-map
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
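Marius's caveat in the thread above is that the CONNMARK rules leave "the door wide open from the internet to your internal network". The following is an added example, not code from the thread, the wiki or ampr-ripd: a shell function that prints a default-deny iptables-restore ruleset for everything arriving on the tunnel interface. The function name, the AMPR-IN chain name and the choice of allowed TCP ports are assumptions; 224.0.0.9 with UDP port 520 is the standard RIPv2 destination, not a value taken from the thread.

```shell
#!/bin/sh
# Added example: inbound policy for decapsulated traffic on the IPIP tunnel.
# Hypothetical names: ampr_fw_rules, emit, chain AMPR-IN.

# Print one ruleset line verbatim (printf avoids echo's option parsing).
emit() { printf '%s\n' "$*"; }

# ampr_fw_rules IFACE [TCP_PORT ...]
# Writes an iptables-restore(8) ruleset to stdout; nothing is applied here.
# All arguments are validated before the first line is printed, so a bad
# argument never yields a partial ruleset.
ampr_fw_rules() {
    iface=$1
    case $iface in
        ''|*[!A-Za-z0-9_.-]*)
            echo "usage: ampr_fw_rules IFACE [TCP_PORT ...]" >&2
            return 2 ;;
    esac
    shift

    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "bad port: $port" >&2; return 2; }
    done

    emit "*filter"
    emit ":AMPR-IN - [0:0]"
    # Inner packets appear on the tunnel interface after decapsulation:
    # filter both traffic to this host and traffic forwarded to the subnet.
    emit "-A INPUT -i $iface -j AMPR-IN"
    emit "-A FORWARD -i $iface -j AMPR-IN"
    # Replies to connections opened from the 44net side.
    emit "-A AMPR-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "-A AMPR-IN -m conntrack --ctstate INVALID -j DROP"
    # RIPv2 route announcements that ampr-ripd listens for.
    emit "-A AMPR-IN -d 224.0.0.9/32 -p udp --dport 520 -j ACCEPT"
    # Ping, which the thread uses as its reachability test.
    emit "-A AMPR-IN -p icmp --icmp-type echo-request -j ACCEPT"
    # Services the operator chooses to publish (assumption: TCP only).
    for port in "$@"; do
        emit "-A AMPR-IN -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else arriving through the tunnel is dropped.
    emit "-A AMPR-IN -j DROP"
    emit "COMMIT"
}
```

Review the output, then load it once at boot with `ampr_fw_rules ampr0 22 | iptables-restore --noflush`. The `iptables -A INPUT -p 4 -j ACCEPT` rule from the thread is still needed for the outer IPIP packets on the public interface.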