Dear Folks,
I'm trying to set up an AMPRnet gateway at home and am running into some problems. Has anyone successfully configured a BSD-based gateway that would be willing to give me some pointers?
Some details of my setup:
* I have a comcast business-class circuit with a static IP address that I've dedicated to 44net traffic (23.30.150.141). * I have an AMPRnet network allocation (44.44.107.0/24). * The Comcast router is configured as simply a router: all NATing and firewalling is disabled and I can see tunneled traffic arriving at the external NIC of my (non-comcast) router (specifically, I see RIPv2 packets with 44net routing information in them). * My "real" router is a Ubiquiti EdgeRouter Lite running OpenBSD 5.9. I have the three ethernet interfaces on the ERL configured as follows:
cnmac0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:64 priority: 0 groups: egress media: Ethernet autoselect (1000baseT full-duplex) status: active inet 23.30.150.141 netmask 0xfffffff8 broadcast 23.30.150.143 cnmac1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:65 priority: 0 media: Ethernet autoselect (1000baseT full-duplex) status: active inet 192.168.129.4 netmask 0xffffff00 broadcast 192.168.129.255 cnmac2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:66 priority: 0 media: Ethernet autoselect (none) status: no carrier inet 44.44.107.1 netmask 0xffffff00 broadcast 44.44.107.255
Where I'm getting tripped up is in figuring out where to go from here.
It seems like what I want to do is configure a gif(4) interface for tunnel traffic, but my attempts at doing so all seem to fail, and documentation for setting up an IPENCAP tunnel is related to setting up IPsec gateways; my attempts at transliterating from the examples for e.g. Linux and Cisco et al have failed.
If someone has gone down this road before and has a working setup, that would be tremendously helpful. If someone could send me output from 'ifconfig -a' and/or 'netstat -rn -f inet' and possibly some 'tcpdump' output, I could probably muddle through the rest. If there are any caveats in setting up a 'pf' based firewall, that would be helpful as well. If not, I suppose my next step will be to reinstall RouterOS on the ERL, try and get everything configured, and then see if I can replicate under BSD.
Much thanks in advance! 73 de AC2OI,
- Dan C.
Dan,
I see your list of Ethernet interfaces...but where's your IPENCAP tunnel interface?
What commands are you using to set your IPENCAP interface Up?
73,
- Lynwood KB3VWG
On Tue, Jun 14, 2016 at 1:23 PM, lleachii--- via 44Net 44net@hamradio.ucsd.edu wrote:
I see your list of Ethernet interfaces...but where's your IPENCAP tunnel interface?
What commands are you using to set your IPENCAP interface Up?
Lynwood,
Thanks for the note. Setting up the IPENCAP interface is the thing I haven't figured out yet. :-)
Here is an example of what I've tried:
# ifconfig gif0 create # ifconfig gif0 tunnel 23.30.150.141 169.228.66.251 netmask 255.255.255.254 # route add -host 169.228.66.251 23.30.150.142 add host 169.228.66.251: gateway 23.30.150.142 # ifconfig gif0 inet 23.30.150.141 169.228.66.251 netmask 255.255.255.254 # ifconfig gif0 gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet 23.30.150.141 -> 169.228.66.251 inet 23.30.150.141 --> 169.228.66.251 netmask 0xfffffffe # route add 44/8 23.30.150.141 add net 44/8: gateway 23.30.150.141 # netstat -rn -f inet Routing tables
Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 23.30.150.142 UGS 4 48 - 8 cnmac0 23.30.150.136/29 23.30.150.141 UC 1 0 - 4 cnmac0 23.30.150.141 44:d9:e7:9f:a7:64 UHLl 0 77 - 1 cnmac0 23.30.150.142 4a:1d:70:de:c3:5a UHLc 2 9 - 4 cnmac0 23.30.150.143 23.30.150.141 UHb 0 0 - 1 cnmac0 44/8 23.30.150.141 UGS 0 33 - 8 gif0 44.44.107/24 44.44.107.1 C 0 0 - 4 cnmac2 44.44.107.1 44:d9:e7:9f:a7:66 UHLl 0 0 - 1 cnmac2 44.44.107.255 44.44.107.1 Hb 0 0 - 1 cnmac2 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHl 0 0 32768 1 lo0 169.228.66.251 23.30.150.142 UGHSP 0 11 - 8 cnmac0 169.228.66.251 23.30.150.141 UHP 0 0 - 8 gif0 192.168/16 192.168.129.1 UGS 3 3 - 8 cnmac1 192.168.129/24 192.168.129.4 UC 1 0 - 4 cnmac1 192.168.129.1 24:a4:3c:05:57:b5 UHLc 1 2 - 4 cnmac1 192.168.129.4 44:d9:e7:9f:a7:65 UHLl 0 7 - 1 cnmac1 192.168.129.255 192.168.129.4 UHb 0 0 - 1 cnmac1 224/4 127.0.0.1 URS 0 24 32768 8 lo0 #
Let's suppose I try to ping something based on this.
# ping -I 44.44.107.1 -c 5 44.0.0.1 PING 44.0.0.1 (44.0.0.1): 56 data bytes --- 44.0.0.1 ping statistics --- 5 packets transmitted, 0 packets received, 100.0% packet loss #
However, it appears these are being forwarded. In another window I ran 'tcpdump -vni gif0' and see this output:
# tcpdump -vni gif0 tcpdump: listening on gif0, link-type LOOP 17:54:23.704315 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:0) [icmp cksum ok] (ttl 255, id 47502, len 84) 17:54:24.715928 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:1) [icmp cksum ok] (ttl 255, id 47611, len 84) 17:54:25.710780 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:2) [icmp cksum ok] (ttl 255, id 16830, len 84) 17:54:26.705734 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:3) [icmp cksum ok] (ttl 255, id 34739, len 84) 17:54:27.710742 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:4) [icmp cksum ok] (ttl 255, id 32354, len 84) ^C 5 packets received by filter 0 packets dropped by kernel #
And running 'tcpdump -vni cnmac0 proto ipencap' in yet another window I see the following:
# tcpdump -vni cnmac0 proto ipencap tcpdump: listening on cnmac0, link-type EN10MB 17:56:16.647503 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:0) (ttl 255, id 7822, len 84) (ttl 64, id 27590, len 104) 17:56:17.658425 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:1) (ttl 255, id 22527, len 84) (ttl 64, id 20077, len 104) 17:56:18.653338 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:2) (ttl 255, id 63017, len 84) (ttl 64, id 22814, len 104) 17:56:19.648295 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:3) (ttl 255, id 24579, len 84) (ttl 64, id 13778, len 104) 17:56:20.653301 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:4) (ttl 255, id 31869, len 84) (ttl 64, id 32539, len 104) ^C 21 packets received by filter 0 packets dropped by kernel #
But, no responses are receieved. Perhaps I'm just not pinging the right thing? Trying to ping '44.44.107.1' from an external address does not see incoming packets, either.
Thanks for any help! 73 de AC2OI,
- Dan C.
Hi,
Pinging 44.0.0.1 will not work, since the ucsd gateway does NOT respond to ping from tunnels, only from the internet.
The easiest way to test the tunnels is to set up a tunnel by hand to a known peer, and test using that peer.
Marius, YO2LOJ
(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 14, 2016 at 1:23 PM, lleachii--- via 44Net 44net@hamradio.ucsd.edu wrote:
I see your list of Ethernet interfaces...but where's your IPENCAP tunnel interface?
What commands are you using to set your IPENCAP interface Up?
Lynwood,
Thanks for the note. Setting up the IPENCAP interface is the thingI haven't figured out yet. :-)
Here is an example of what I've tried:# ifconfig gif0 create # ifconfig gif0 tunnel 23.30.150.141 169.228.66.251 netmask 255.255.255.254 # route add -host 169.228.66.251 23.30.150.142 add host 169.228.66.251: gateway 23.30.150.142 # ifconfig gif0 inet 23.30.150.141 169.228.66.251 netmask 255.255.255.254 # ifconfig gif0 gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet 23.30.150.141 -> 169.228.66.251 inet 23.30.150.141 --> 169.228.66.251 netmask 0xfffffffe # route add 44/8 23.30.150.141 add net 44/8: gateway 23.30.150.141 # netstat -rn -f inet Routing tables
Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 23.30.150.142 UGS 4 48 - 8 cnmac0 23.30.150.136/29 23.30.150.141 UC 1 0 - 4 cnmac0 23.30.150.141 44:d9:e7:9f:a7:64 UHLl 0 77 - 1 cnmac0 23.30.150.142 4a:1d:70:de:c3:5a UHLc 2 9 - 4 cnmac0 23.30.150.143 23.30.150.141 UHb 0 0 - 1 cnmac0 44/8 23.30.150.141 UGS 0 33 - 8 gif0 44.44.107/24 44.44.107.1 C 0 0 - 4 cnmac2 44.44.107.1 44:d9:e7:9f:a7:66 UHLl 0 0 - 1 cnmac2 44.44.107.255 44.44.107.1 Hb 0 0 - 1 cnmac2 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHl 0 0 32768 1 lo0 169.228.66.251 23.30.150.142 UGHSP 0 11 - 8 cnmac0 169.228.66.251 23.30.150.141 UHP 0 0 - 8 gif0 192.168/16 192.168.129.1 UGS 3 3 - 8 cnmac1 192.168.129/24 192.168.129.4 UC 1 0 - 4 cnmac1 192.168.129.1 24:a4:3c:05:57:b5 UHLc 1 2 - 4 cnmac1 192.168.129.4 44:d9:e7:9f:a7:65 UHLl 0 7 - 1 cnmac1 192.168.129.255 192.168.129.4 UHb 0 0 - 1 cnmac1 224/4 127.0.0.1 URS 0 24 32768 8 lo0 #
Let's suppose I try to ping something based on this.# ping -I 44.44.107.1 -c 5 44.0.0.1 PING 44.0.0.1 (44.0.0.1): 56 data bytes --- 44.0.0.1 ping statistics --- 5 packets transmitted, 0 packets received, 100.0% packet loss #
However, it appears these are being forwarded. In another windowI ran 'tcpdump -vni gif0' and see this output:
# tcpdump -vni gif0 tcpdump: listening on gif0, link-type LOOP 17:54:23.704315 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:0) [icmp cksum ok] (ttl 255, id 47502, len 84) 17:54:24.715928 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:1) [icmp cksum ok] (ttl 255, id 47611, len 84) 17:54:25.710780 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:2) [icmp cksum ok] (ttl 255, id 16830, len 84) 17:54:26.705734 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:3) [icmp cksum ok] (ttl 255, id 34739, len 84) 17:54:27.710742 44.44.107.1 > 44.0.0.1: icmp: echo request (id:17cb seq:4) [icmp cksum ok] (ttl 255, id 32354, len 84) ^C 5 packets received by filter 0 packets dropped by kernel #
And running 'tcpdump -vni cnmac0 proto ipencap' in yet another windowI see the following:
# tcpdump -vni cnmac0 proto ipencap tcpdump: listening on cnmac0, link-type EN10MB 17:56:16.647503 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:0) (ttl 255, id 7822, len 84) (ttl 64, id 27590, len 104) 17:56:17.658425 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:1) (ttl 255, id 22527, len 84) (ttl 64, id 20077, len 104) 17:56:18.653338 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:2) (ttl 255, id 63017, len 84) (ttl 64, id 22814, len 104) 17:56:19.648295 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:3) (ttl 255, id 24579, len 84) (ttl 64, id 13778, len 104) 17:56:20.653301 23.30.150.141 > 169.228.66.251: 44.44.107.1 > 44.0.0.1: icmp: echo request (id:1ace seq:4) (ttl 255, id 31869, len 84) (ttl 64, id 32539, len 104) ^C 21 packets received by filter 0 packets dropped by kernel #
But, no responses are receieved. Perhaps I'm just not pinging theright thing? Trying to ping '44.44.107.1' from an external address does not see incoming packets, either.
Thanks for any help! 73 de AC2OI, - Dan C.
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Dan,
The reason your AMPR traffic does not yet work - is because you haven't yet created an IPENCAP tunnel to listen on cnmac0 that will decapsulate the IP traffic and forward/bridge/NET/etc. it to the network located at cnmac2.
At this point, you're still looking at the encapsulated IPENCAP traffic with the additional Public IP header included. The tunnel interface strips this header - and your traffic will be ready for your local 44 subnet.
Hopefully, someone can provide you information on IPENCAP in BSD (once you receive it, consider making a BSD page on the Wiki site).
73,
KB3VWG
On Tue, Jun 14, 2016 at 4:33 PM, lleachii--- via 44Net < 44net@hamradio.ucsd.edu> wrote:
(Please trim inclusions from previous messages) _______________________________________________ The reason your AMPR traffic does not yet work - is because you haven't yet created an IPENCAP tunnel to listen on cnmac0 that will decapsulate the IP traffic and forward/bridge/NET/etc. it to the network located at cnmac2.
At this point, you're still looking at the encapsulated IPENCAP traffic with the additional Public IP header included. The tunnel interface strips this header - and your traffic will be ready for your local 44 subnet.
Thanks again for the response, Lynwood. I'm not sure this is completely accurate, however: in the tunnel configuration I created in my last email, for instance, I saw unencapsulated RIP traffic being delivered to to gif interface I created. For example, consider this output from tcpdump:
# tcpdump -vni gif0 ... 20:30:33.727242 44.0.0.1.520 > 224.0.0.9.520: [no udp cksum] RIPv2-resp [items 25]: [password ***redacted***] {44.131.8.0/255.255.255.0->212.56.100.200 tag 0004}(1) {44.131.7.0/255.255.255.0->92.237.131.1 tag 0004}(1) { 44.130.240.6/255.255.255.255->52.76.212.50 tag 0004}(1)[|rip] (ttl 64, id 0, len 532) ... #
From this point, I would expect to be able to 'ping 44.44.107.1' (my 44net interface) from an external, Internet connected host and at least see an ICMP echo request. However, doing so from a random machine, I see neither an unencapsulated ICMP echo request packet on gif0, nor an encapsulated packet on cnmac0.
Trying to 'traceroute 44.44.107.1' from a machine on the Internet shows hops until I get to the amprgw at UCSD, and then nothing. Should I expect to see those make it to my router?
Hopefully, someone can provide you information on IPENCAP in BSD (once you
receive it, consider making a BSD page on the Wiki site).
I will be happy to!
One of the apparent differences between BSD and Linux is that folks seem to be adding multiple point-to-point tunnels between machines onto a single virtual tunnel interface. With BSD, it appears the easiest thing to do *may* be create a separate 'gif' interface for each tunnel. I was hoping to find a way to avoid that, but I come up with anything. If someone knows, please do let me know. Thanks!
- Dan C.
On Tue, Jun 14, 2016 at 04:57:06PM -0400, Dan Cross wrote:
From this point, I would expect to be able to 'ping 44.44.107.1' (my 44net
interface) from an external, Internet connected host and at least see an ICMP echo request. However, doing so from a random machine, I see neither an unencapsulated ICMP echo request packet on gif0, nor an encapsulated packet on cnmac0.
Trying to 'traceroute 44.44.107.1' from a machine on the Internet shows hops until I get to the amprgw at UCSD, and then nothing. Should I expect to see those make it to my router?
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not. Once that is in place you should be able to traceroute and ping your 44.44.107.1 address from anywhere on the great unwashed Internet. I would register you but I don't know your callsign.
In the meantime, if you set up a tunnel to another 44-net address, you should be able to ping it even though you're not in the DNS as the filter only affects non-44 inbound Internet traffic. I often test tunnels by seeing if I can ping to n1uro.ampr.org, 44.88.0.9, which is dependably there. - Brian
BK/Dan et al:
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not. Once that is in place you should be able to traceroute and ping your 44.44.107.1 address from anywhere on the great unwashed Internet. I would register you but I don't know your callsign.
From his allocated block notes authored by me 6 months ago: Dan; You'll need to email me your DNS requests manually
In the meantime, if you set up a tunnel to another 44-net address, you should be able to ping it even though you're not in the DNS as the filter only affects non-44 inbound Internet traffic. I often test tunnels by seeing if I can ping to n1uro.ampr.org, 44.88.0.9, which is dependably there.
n1uro@gw:~$ ip ro get 44.44.107.1 44.44.107.1 via 23.30.150.141 dev tunl0 src 44.88.0.1 cache expires 574sec mtu 1480 window 840
n1uro@n1uro:~$ ping.pl 44.44.107.0/24 info 44.44.107.1 info 44.44.107.2 info 44.44.107.3 info 44.44.107.4 info 44.44.107.5 info 44.44.107.6
so far no answer... whereas n1uro@n1uro:~$ ping.pl 44.48.6.0/29 info 44.48.6.1 is alive info 44.48.6.2 info 44.48.6.3 info 44.48.6.4 info 44.48.6.5 is alive info 44.48.6.6 is alive info 3 out of 6 (50%) are alive
On Tue, Jun 14, 2016 at 8:26 PM, Brian n1uro@n1uro.ampr.org wrote:
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not.
[snip]
From his allocated block notes authored by me 6 months ago:
Dan; You'll need to email me your DNS requests manually
Indeed, you did write that and I overlooked it. Mea culpa. I'll write you off-list with some entries.
- Dan C.
When you do I'll be glad to enter them in. --- Pardon my brevity, I'm on a Samsung Galaxy smartphone. --- Sent via axMail-Fax by N1URO.
On June 14, 2016 10:05:39 PM Dan Cross crossd@gmail.com wrote:
(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 14, 2016 at 8:26 PM, Brian n1uro@n1uro.ampr.org wrote:
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not.
[snip]
From his allocated block notes authored by me 6 months ago: Dan; You'll need to email me your DNS requests manually
Indeed, you did write that and I overlooked it. Mea culpa. I'll write you off-list with some entries.
- Dan C.
Received and entered. Considering I work 3rd shift and 1st shift I may not get to it in the click of a mouse but I do keep watch considering. --- Pardon my brevity, I'm on a Samsung Galaxy smartphone. --- Sent via axMail-Fax by N1URO.
On June 15, 2016 12:04:02 AM Brian n1uro@n1uro.ampr.org wrote:
(Please trim inclusions from previous messages) _______________________________________________ When you do I'll be glad to enter them in.
Pardon my brevity, I'm on a Samsung Galaxy smartphone.
Sent via axMail-Fax by N1URO.
On June 14, 2016 10:05:39 PM Dan Cross crossd@gmail.com wrote:
(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 14, 2016 at 8:26 PM, Brian n1uro@n1uro.ampr.org wrote:
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not.
[snip]
From his allocated block notes authored by me 6 months ago: Dan; You'll need to email me your DNS requests manually
Indeed, you did write that and I overlooked it. Mea culpa. I'll write you off-list with some entries.
- Dan C.
On Wed, Jun 15, 2016 at 12:46 AM, Brian n1uro@n1uro.ampr.org wrote:
Received and entered.
Thank you so much!
Considering I work 3rd shift and 1st shift I may not get to it in the click
of a mouse but I do keep watch considering.
Oh I hope I didn't imply I was being impatient; that wasn't my intent if I did.
Thanks again!
- Dan C.
You're good, you didn't imply anything. --- Pardon my brevity, I'm on a Samsung Galaxy smartphone. --- Sent via axMail-Fax by N1URO.
On June 15, 2016 1:22:19 AM Dan Cross crossd@gmail.com wrote:
(Please trim inclusions from previous messages) _______________________________________________ On Wed, Jun 15, 2016 at 12:46 AM, Brian n1uro@n1uro.ampr.org wrote:
Received and entered.
Thank you so much!
Considering I work 3rd shift and 1st shift I may not get to it in the click
of a mouse but I do keep watch considering.
Oh I hope I didn't imply I was being impatient; that wasn't my intent if I did.
Thanks again!
- Dan C.
On Tue, Jun 14, 2016 at 5:49 PM, Brian Kantor Brian@ucsd.edu wrote:
[snip] Should I expect to see those make it to my router?
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not. Once that is in place you should be able to traceroute and ping your 44.44.107.1 address from anywhere on the great unwashed Internet. I would register you but I don't know your callsign.
Aha! The missing link. N1URO is correct that he did tell me that six months ago; sadly I overlooked that in his email. I'll email him directly to add DNS entries. FWIW, my callsign is AC2OI.
In the meantime, if you set up a tunnel to another 44-net address, you
should be able to ping it even though you're not in the DNS as the filter only affects non-44 inbound Internet traffic. I often test tunnels by seeing if I can ping to n1uro.ampr.org, 44.88.0.9, which is dependably there.
Thanks. With this, I'm able to configure a second tunnel on a second gif interface and ping 44.88.0.9. My current configuration:
# ifconfig -a lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768 priority: 0 groups: lo inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 inet 127.0.0.1 netmask 0xff000000 cnmac0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:64 priority: 0 groups: egress media: Ethernet autoselect (1000baseT full-duplex) status: active inet 23.30.150.141 netmask 0xfffffff8 broadcast 23.30.150.143 cnmac1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:65 priority: 0 media: Ethernet autoselect (1000baseT full-duplex) status: active inet 192.168.129.4 netmask 0xffffff00 broadcast 192.168.129.255 cnmac2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 44:d9:e7:9f:a7:66 priority: 0 media: Ethernet autoselect (none) status: no carrier inet 44.44.107.1 netmask 0xffffff00 broadcast 44.44.107.255 enc0: flags=0<> priority: 0 groups: enc status: active pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144 priority: 0 groups: pflog gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet 23.30.150.141 -> 169.228.66.251 inet 23.30.150.141 --> 169.228.66.251 netmask 0xff000000 gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 priority: 0 groups: gif tunnel: inet 23.30.150.141 -> 24.147.182.8 inet 23.30.150.141 --> 24.147.182.8 netmask 0xff000000 # netstat -rn -f inet Routing tables
Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 23.30.150.142 UGS 4 5573 - 8 cnmac0 23.30.150.136/29 23.30.150.141 UC 1 16 - 4 cnmac0 23.30.150.141 44:d9:e7:9f:a7:64 UHLl 0 5788 - 1 cnmac0 23.30.150.142 4a:1d:70:de:c3:5a UHLc 2 40 - 4 cnmac0 23.30.150.143 23.30.150.141 UHb 0 0 - 1 cnmac0 24.147.182.8 23.30.150.142 UGHSP 0 53 - 8 cnmac0 24.147.182.8 23.30.150.141 UHP 0 0 - 8 gif1 44.44.107/24 44.44.107.1 C 0 249 - 4 cnmac2 44.44.107.1 44:d9:e7:9f:a7:66 UHLl 0 48 - 1 cnmac2 44.44.107.255 44.44.107.1 Hb 0 0 - 1 cnmac2 44.88.0.0/27 24.147.182.8 UGS 0 31 - 8 gif1 44.135.49.0/27 24.147.182.8 UGS 0 6 - 8 gif1 77.171.66.225 23.30.150.142 UGHS 0 2 - 8 cnmac0 127/8 127.0.0.1 UGRS 0 0 32768 8 lo0 127.0.0.1 127.0.0.1 UHl 0 10 32768 1 lo0 169.228.66.251 23.30.150.141 UH 0 0 - 8 gif0 178.33.213.221 23.30.150.142 UGHS 0 2 - 8 cnmac0 192.168/16 192.168.129.1 UGS 2 9 - 8 cnmac1 192.168.129/24 192.168.129.4 UC 1 0 - 4 cnmac1 192.168.129.1 24:a4:3c:05:57:b5 UHLc 1 2 - 4 cnmac1 192.168.129.4 44:d9:e7:9f:a7:65 UHLl 0 24 - 1 cnmac1 192.168.129.255 192.168.129.4 UHb 0 0 - 1 cnmac1 224/4 127.0.0.1 URS 0 2449 32768 8 lo0 #
I still haven't figured out a way to add multiple tunnels on a single 'gif' interface; I'm not sure such a thing is possible. But it seems that one can dynamically create an arbitrary number of them, so maybe it doesn't matter. A modified RIP daemon modified for AMPR can keep a reference-counted list of gateways and create/destroy interfaces as needed for BSD-based systems.
Still, if someone else has done this already and knows a better way, please do let me know.
Thanks! 73 de AC2OI
- Dan C.
On 6/14/16 5:49 PM, Brian Kantor wrote:
(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 14, 2016 at 04:57:06PM -0400, Dan Cross wrote:
From this point, I would expect to be able to 'ping 44.44.107.1' (my 44net
interface) from an external, Internet connected host and at least see an ICMP echo request. However, doing so from a random machine, I see neither an unencapsulated ICMP echo request packet on gif0, nor an encapsulated packet on cnmac0.
Trying to 'traceroute 44.44.107.1' from a machine on the Internet shows hops until I get to the amprgw at UCSD, and then nothing. Should I expect to see those make it to my router?
No, because there is a filter at UCSD which requires you to be registered in the AMPR.ORG DNS. You are not. Once that is in place you should be able to traceroute and ping your 44.44.107.1 address from anywhere on the great unwashed Internet. I would register you but I don't know your callsign.
Can you delegate out a subdomain from ampr.org to someone's nameserver? So could I, for example, have *.n5xns.ampr.org have an NS record delegated out to my own name server?
And if not, does that mean I should send you my DNS record requests, Brian?
On Tue, Jun 14, 2016 at 12:51 PM, Dan Cross crossd@gmail.com wrote:
I'm trying to set up an AMPRNet gateway at home and am running intosome problems. Has anyone successfully configured a BSD-based gateway that would be willing to give me some pointers?
[snip]
It seems like what I want to do is configure a gif(4) interfacefor tunnel traffic, but my attempts at doing so all seem to fail, and documentation for setting up an IPENCAP tunnel is related to setting up IPsec gateways; my attempts at transliterating from the examples for e.g. Linux and Cisco et al have failed.
If someone has gone down this road before and has a workingsetup, that would be tremendously helpful. If someone could send me output from 'ifconfig -a' and/or 'netstat -rn -f inet' and possibly some 'tcpdump' output, I could probably muddle through the rest. If there are any caveats in setting up a 'pf' based firewall, that would be helpful as well. If not, I suppose my next step will be to reinstall RouterOS on the ERL, try and get everything configured, and then see if I can replicate under BSD.
Folks,
I just wanted to do a quick followup to this for the archives. I am now successfully transferring traffic between my 44net subnet (44.44.107.0/24) and the rest of the world using my OpenBSD-based router.
A quick recap of my setup: 1. I have a Comcast business class circuit. 2. I have a dedicated static IP address to use as an endpoint for 44net traffic. 3. My comcast router is just a router; no NATing, no firewalling. 4. My (non-comcast) edge router is a Ubiquiti EdgeRouter Lite running OpenBSD 5.9. It has three ethernet interfaces: a. cnmac0 is the external interface connected to Comcast's network b. cnmac1 connects to my internal network c. cnmac2 is my internal gateway to 44.44.107.0/24.
On OpenBSD, tunneling interfaces for IPENCAP are provided by 'gif' pseudo-devices. Unlike Linux, it appears that one creates a separate 'gif' interface for each tunnel, but one seems able to create an arbitrary number of such interfaces: I created a thousand as a test. I'm sure there is a limit but it seems sufficiently high that practically routing AMPRNet traffic won't run up against it. (Again, if someone knows of a different way to configure a single 'gif' interface so that it could support multiple tunnels, I'd be happy to know about it). In other words, don't worry about scalability because you are creating a separate 'gif' interface for each tunnel to another AMPRNet site.
On AMPRNet, the UCSD gateway *will not* pass traffic for an IP address that does not have a corresponding entry in the AMPR.ORG domain. Also, 44.0.0.1 does not respond to 'ping' from 44/8 IP's. Caveat emptor as one tries to test: make sure you have DNS entries for your addresses and try pinging something other than 44.0.0.1 or you'll suffer contusions banging your head against a desk trying to figure out why nothing appears to work....
Once I had a tunnel up to UCSD, I found that I could ping my 44.44.107.1 machine from a host on my internal network, but not from arbitrary machines. This was interesting; it turns out that hosts on my internal network get NAT'ed to another IP address on the small subnet I got from Comcast (through another, completely separate router -- not comcast's router but another ERL). What was happening was that as I ping'ed 44.44.107.1 from e.g. my laptop, ICMP echo request packets got NAT'ed to this other address and routed over to amprgw.sysnet.ucsd.edu and tunneled back to the external interface of my AMPRNet gateway. The gateway accepted the encapsulated ICMP echo requests (I have a PF rule that explicitly allows ping) and forwarded them across the tunnel interface where they were unencapsulated; the IP stack saw that the result was addressed to an IP address on a local interface (i.e., they were for the router) and generated an ICMP echo response packet with a *source* address of 44.44.107.1 and a *destination* address of the external address of my other router (that is, the address the ICMP echo request was NAT'ed to). This matched the network route for my local Comcats subnet and so my AMPRNet router realized it could pass the packet back to my other router directly. It did so and the other router happily took the packet, matched it back through the NAT back to the original requesting machine (my laptop) and forwarded it: hence, I got my ping responses back. But note that the response was not going through the tunnel back to UCSD: it was being routed directly through the external interface.
Now consider what happens when I tried to ping 44.44.107.1 from a different machine on some other network. The ICMP echo request packet gets routed through the UCSD gateway and tunneled back to my gateway as before, but since responses don't go through back through the tunnel, the response packet matches the default route of my gateway and get's forwarded to comcast's router. Comcast would look at it, see that 44.44.107.1 wasn't on one of it's known networks that it would route floor, and discard the response. Oops.
The solution was to set up a separate routing table in a different routing domain specifically for AMPRNet traffic, and tie the two together using firewall rules. In the AMPRNet routing table, I could set my default route to point to the UCSD gateway, so any traffic sent from one of my 44.44.107.0/24 addresses that doesn't match a route to a known tunnel gets forwarded through amprgw.sysnet.ucsd.edu. With that in place, I could ping my gateway from random machines. This must seem obvious to a lot of folks here, but it took me a little while to figure out what was going on. Things are working now, however.
So far I have encountered two other caveats: I decided to configure two tunnel interfaces statically at boot time: 'gif0' goes to the UCSD tunnel, and 'gif1' sets up a tunnel to N1URO for his 44.88 net. Under OpenBSD, I assumed that the natural way to do this would be to add /etc/hostname.gif0 and /etc/hostname.gif1 files and this does in fact create the tunnels at boot time. However, traffic going out from my gateway doesn't seem to get sent through the tunnels; I did not bother to track down exactly why, but I believe it has to do with some kind of implicit ordering dependency when initializing PF. When I set up the separate routing domain, it struck me that the language accepted by /etc/netstart in an /etc/hostname.if file was not sufficiently rich to set up tunnels in a routing domain, so I capitulated and just set up the static interfaces from /etc/rc.local; imperfect but it works.
The second caveat is that I seem to have tickled a kernel error trying to set up an alias of a second IP address on my 44.44.107.1 NIC; I get a kernel panic due to an assertion failure. It looks a bug to me, but I haven't had the bandwidth to track it down. In the meanwhile, simply don't add aliases to interfaces in non-default routing domains.
I'll try to go through my notes and type up something for the wiki.
The next step is to write a modified version of rip44d for BSD. I may take a stab at that this weekend if I can get some time. As near as I can tell, the wire format of the protocol is strictly RIPv2; the difference is what the gateway does with the data in the RIP packet (it sets up tunnels in addition to maintaining routes).
Anyway, I hope this can be of some small help to someone else who wants to run an OpenBSD-based gateway!
- Dan C.
Dan,
wouldn't a complete user space implementation be more appropriate? May you want to check my amprd 1.4 software (http://www.yo2loj.ro/hamprojects/) which includes the same functionalities like ampr-ripd except dynamic gateway resolution but does all the encap and RIPv2 handling in user space providing a virtual 44net interface to the system.
Marius, YO2LOJ
On 2016-06-18 00:46, Dan Cross wrote:
(Please trim inclusions from previous messages) _______________________________________________ On Tue, Jun 14, 2016 at 12:51 PM, Dan Cross crossd@gmail.com wrote:
I'm trying to set up an AMPRNet gateway at home and am running intosome problems. Has anyone successfully configured a BSD-based gateway that would be willing to give me some pointers?
[snip]
It seems like what I want to do is configure a gif(4) interfacefor tunnel traffic, but my attempts at doing so all seem to fail, and documentation for setting up an IPENCAP tunnel is related to setting up IPsec gateways; my attempts at transliterating from the examples for e.g. Linux and Cisco et al have failed.
If someone has gone down this road before and has a workingsetup, that would be tremendously helpful. If someone could send me output from 'ifconfig -a' and/or 'netstat -rn -f inet' and possibly some 'tcpdump' output, I could probably muddle through the rest. If there are any caveats in setting up a 'pf' based firewall, that would be helpful as well. If not, I suppose my next step will be to reinstall RouterOS on the ERL, try and get everything configured, and then see if I can replicate under BSD.
Folks,
I just wanted to do a quick followup to this for the archives.I am now successfully transferring traffic between my 44net subnet (44.44.107.0/24) and the rest of the world using my OpenBSD-based router.
A quick recap of my setup:
I have a Comcast business class circuit.
I have a dedicated static IP address to use as an endpoint for 44net traffic.
My comcast router is just a router; no NATing, no firewalling.
My (non-comcast) edge router is a Ubiquiti EdgeRouter Lite running OpenBSD 5.9. It has three ethernet interfaces: a. cnmac0 is the external interface connected to Comcast's network b. cnmac1 connects to my internal network c. cnmac2 is my internal gateway to 44.44.107.0/24.
On OpenBSD, tunneling interfaces for IPENCAP are provided by
'gif' pseudo-devices. Unlike Linux, it appears that one creates a separate 'gif' interface for each tunnel, but one seems able to create an arbitrary number of such interfaces: I created a thousand as a test. I'm sure there is a limit but it seems sufficiently high that practically routing AMPRNet traffic won't run up against it. (Again, if someone knows of a different way to configure a single 'gif' interface so that it could support multiple tunnels, I'd be happy to know about it). In other words, don't worry about scalability because you are creating a separate 'gif' interface for each tunnel to another AMPRNet site.
On AMPRNet, the UCSD gateway *will not* pass traffic for anIP address that does not have a corresponding entry in the AMPR.ORG domain. Also, 44.0.0.1 does not respond to 'ping' from 44/8 IP's. Caveat emptor as one tries to test: make sure you have DNS entries for your addresses and try pinging something other than 44.0.0.1 or you'll suffer contusions banging your head against a desk trying to figure out why nothing appears to work....
Once I had a tunnel up to UCSD, I found that I could ping my44.44.107.1 machine from a host on my internal network, but not from arbitrary machines. This was interesting; it turns out that hosts on my internal network get NAT'ed to another IP address on the small subnet I got from Comcast (through another, completely separate router -- not comcast's router but another ERL). What was happening was that as I ping'ed 44.44.107.1 from e.g. my laptop, ICMP echo request packets got NAT'ed to this other address and routed over to amprgw.sysnet.ucsd.edu and tunneled back to the external interface of my AMPRNet gateway. The gateway accepted the encapsulated ICMP echo requests (I have a PF rule that explicitly allows ping) and forwarded them across the tunnel interface where they were unencapsulated; the IP stack saw that the result was addressed to an IP address on a local interface (i.e., they were for the router) and generated an ICMP echo response packet with a *source* address of 44.44.107.1 and a *destination* address of the external address of my other router (that is, the address the ICMP echo request was NAT'ed to). This matched the network route for my local Comcats subnet and so my AMPRNet router realized it could pass the packet back to my other router directly. It did so and the other router happily took the packet, matched it back through the NAT back to the original requesting machine (my laptop) and forwarded it: hence, I got my ping responses back. But note that the response was not going through the tunnel back to UCSD: it was being routed directly through the external interface.
Now consider what happens when I tried to ping 44.44.107.1 froma different machine on some other network. The ICMP echo request packet gets routed through the UCSD gateway and tunneled back to my gateway as before, but since responses don't go through back through the tunnel, the response packet matches the default route of my gateway and get's forwarded to comcast's router. Comcast would look at it, see that 44.44.107.1 wasn't on one of it's known networks that it would route floor, and discard the response. Oops.
The solution was to set up a separate routing table in a differentrouting domain specifically for AMPRNet traffic, and tie the two together using firewall rules. In the AMPRNet routing table, I could set my default route to point to the UCSD gateway, so any traffic sent from one of my 44.44.107.0/24 addresses that doesn't match a route to a known tunnel gets forwarded through amprgw.sysnet.ucsd.edu. With that in place, I could ping my gateway from random machines. This must seem obvious to a lot of folks here, but it took me a little while to figure out what was going on. Things are working now, however.
So far I have encountered two other caveats: I decided toconfigure two tunnel interfaces statically at boot time: 'gif0' goes to the UCSD tunnel, and 'gif1' sets up a tunnel to N1URO for his 44.88 net. Under OpenBSD, I assumed that the natural way to do this would be to add /etc/hostname.gif0 and /etc/hostname.gif1 files and this does in fact create the tunnels at boot time. However, traffic going out from my gateway doesn't seem to get sent through the tunnels; I did not bother to track down exactly why, but I believe it has to do with some kind of implicit ordering dependency when initializing PF. When I set up the separate routing domain, it struck me that the language accepted by /etc/netstart in an /etc/hostname.if file was not sufficiently rich to set up tunnels in a routing domain, so I capitulated and just set up the static interfaces from /etc/rc.local; imperfect but it works.
The second caveat is that I seem to have tickled a kernel errortrying to set up an alias of a second IP address on my 44.44.107.1 NIC; I get a kernel panic due to an assertion failure. It looks a bug to me, but I haven't had the bandwidth to track it down. In the meanwhile, simply don't add aliases to interfaces in non-default routing domains.
I'll try to go through my notes and type up something for thewiki.
The next step is to write a modified version of rip44d for BSD.I may take a stab at that this weekend if I can get some time. As near as I can tell, the wire format of the protocol is strictly RIPv2; the difference is what the gateway does with the data in the RIP packet (it sets up tunnels in addition to maintaining routes).
Anyway, I hope this can be of some small help to someone elsewho wants to run an OpenBSD-based gateway!
- Dan C.
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
On Fri, Jun 17, 2016 at 7:00 PM, Marius Petrescu marius@yo2loj.ro wrote:
wouldn't a complete user space implementation be more appropriate? May you want to check my amprd 1.4 software (http://www.yo2loj.ro/hamprojects/) which includes the same functionalities like ampr-ripd except dynamic gateway resolution but does all the encap and RIPv2 handling in user space providing a virtual 44net interface to the system.
That's an interesting question, Marius. I'm not sure it's more or less appropriate, given that the kernel already provides all the pieces in well-support modules, (save for dynamic setup/tear-down of tunnels and routing table maintenance) but I can see the appeal of an all-userspace application: it's simple and self-contained and doesn't require anything other than the default routing configuration.
I'll have a look at amprd and ping you off-list; do you by chance have a github repo or something?
- Dan C.
-
Brian -
Brian Kantor -
Dan Cross -
James Sharp -
lleachii@aol.com -
Marius Petrescu -
marius@yo2loj.ro