Hi all,
I'm checking my configuration at the gateway ampr-italy-gw.ampr.org due to a routing issue. This gateway is the main one in the country and manages several subnets interconnected via VPN (OpenVPN). ampr-italy-gw.ampr.org is the point of contact with the AmprNet and it handles the IPIP tunnel. I would like to permit traffic from inet to 44-net and vice versa and, of course, only for specific 44-net hosts that have the corresponding entry in the Ampr.org DNS.
Well, it doesn't work :)
Here is how the ampr-italy-gw.ampr.org router manages the traffic between inet and 44-net:
ip rule add from 44.0.0.0/8 table 44 prio 200
GW_ADDR="169.228.66.251"
#
/sbin/ip route add 128.0.0.0/1 via $GW_ADDR dev tunl0 onlink table 44 #128-255
/sbin/ip route add 64.0.0.0/2 via $GW_ADDR dev tunl0 onlink table 44 #64-127
/sbin/ip route add 0.0.0.0/3 via $GW_ADDR dev tunl0 onlink table 44 #0-31
/sbin/ip route add 48.0.0.0/4 via $GW_ADDR dev tunl0 onlink table 44 #48-63
/sbin/ip route add 32.0.0.0/5 via $GW_ADDR dev tunl0 onlink table 44 #32-39
/sbin/ip route add 40.0.0.0/6 via $GW_ADDR dev tunl0 onlink table 44 #40-43
/sbin/ip route add 46.0.0.0/7 via $GW_ADDR dev tunl0 onlink table 44 #46-47
/sbin/ip route add 45.0.0.0/8 via $GW_ADDR dev tunl0 onlink table 44 #45
--
[root@ks28006 ~]# ip rule list
0:      from all lookup 255
200:    from 44.0.0.0/8 lookup 44
32766:  from all lookup main
32767:  from all lookup default
Table 44 has a higher priority than the main table, where the routes for each gateway are contained (basically what comes from the encap.txt). It should mean that when a 44-net host wants to reach an inet host, it happens through the amprnet router at UCSD.edu and not directly via the eth0 interface.
Now, if I send ICMP packets from 2.238.198.249 to 44.134.160.1, the following is what I see with tcpdump at the ampr-italy-gw.ampr.org:
eth0 (tcpdump -n -i eth0 proto 4)
21:36:36.915644 IP 169.228.66.251 > 91.121.90.186: IP 2.238.198.249 > 44.134.160.1: ICMP echo request, id 1, seq 51, length 40 (ipip-proto-4)
21:36:36.937888 IP 91.121.90.186 > 169.228.66.251: IP 44.134.160.1 > 2.238.198.249: ICMP echo reply, id 1, seq 51, length 40 (ipip-proto-4)

tunl0 (tcpdump -i tunl0 host 44.134.160.1)
21:36:36.915664 IP 2-238-198-249.ip245.fastwebnet.it > iw2ohx.ampr.org: ICMP echo request, id 1, seq 51, length 40
21:36:36.937872 IP iw2ohx.ampr.org > 2-238-198-249.ip245.fastwebnet.it: ICMP echo reply, id 1, seq 51, length 40
My understanding is that it's working correctly, because the ICMP reply is sent back to 2.238.198.249 inside the tunnel and towards the amprnet router (169.228.66.251).
Unfortunately there's something wrong in the middle, because no packets are actually reaching 2.238.198.249:
C:\Users\marco>ping iw2ohx.ampr.org

Pinging iw2ohx.ampr.org [44.134.160.1] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 44.134.160.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Any ideas?

Thanks for the help,
Marco iw2ohx
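The table-44 route set in Marco's post is the classic "default route minus one prefix" construction: eight prefixes that together cover every IPv4 address except 44.0.0.0/8, so that 44-net to 44-net traffic finds no match in table 44 and falls through to the main table (the encap.txt routes), while 44-net to inet traffic goes via the UCSD router over tunl0. The script below is an added example, not code from the post or from the AMPRNet project: it regenerates that prefix set with `ipaddress.address_exclude()`, checks the hand-typed list for gaps and overlaps, and simulates the kernel's rule-then-table lookup for the three flows discussed above. The gateway address 169.228.66.251 and the rule priorities come from the post; the main-table entries (the 44.131.0.0/16 encap-style route, the OpenVPN interface name and the default route next hop) are constructed stand-ins for illustration only.

```python
"""Model of the ampr-italy-gw policy routing (added example, not the post's code).

Rebuilds the "all of IPv4 except 44/8" prefix set for table 44, verifies the
eight prefixes typed on the gateway against it, and simulates rule/table
lookups for a few (src, dst) pairs. Main-table entries are constructed.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

AMPR = IPv4Network("44.0.0.0/8")
UCSD_GW = "169.228.66.251"          # AMPRNet router at UCSD, from the post

# The eight prefixes from the post, exactly as typed on the gateway.
POSTED_TABLE_44 = [
    "128.0.0.0/1", "64.0.0.0/2", "0.0.0.0/3", "48.0.0.0/4",
    "32.0.0.0/5", "40.0.0.0/6", "46.0.0.0/7", "45.0.0.0/8",
]


def complement_prefixes(excluded):
    """Minimal set of prefixes covering 0.0.0.0/0 minus `excluded`."""
    return sorted(IPv4Network("0.0.0.0/0").address_exclude(excluded))


def covers_everything_but(prefixes, excluded):
    """True iff `prefixes` cover all of IPv4 except `excluded`, with no
    prefix touching `excluded` (a gap or an overlap both fail)."""
    nets = [IPv4Network(p) for p in prefixes]
    if any(n.overlaps(excluded) for n in nets):
        return False
    collapsed = set(ipaddress.collapse_addresses(nets))
    return collapsed == set(complement_prefixes(excluded))


# Policy rules as shown by `ip rule list`: (priority, source selector, table).
RULES = [
    (0,     None, "local"),
    (200,   AMPR, "44"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Routing tables as (prefix, next hop, device). Table 44 is the posted set,
# all via the UCSD router on tunl0. Main-table rows are CONSTRUCTED stand-ins
# for encap.txt entries, the local OpenVPN subnet and the box's default route.
TABLES = {
    "local": [],
    "44": [(IPv4Network(p), UCSD_GW, "tunl0") for p in POSTED_TABLE_44],
    "main": [
        (IPv4Network("44.134.160.0/24"), None, "tun-ovpn"),        # constructed
        (IPv4Network("44.131.0.0/16"), "198.51.100.7", "tunl0"),   # constructed
        (IPv4Network("0.0.0.0/0"), "91.121.90.1", "eth0"),         # constructed
    ],
    "default": [],
}


def route(src, dst):
    """Kernel-style lookup: walk rules by priority, longest-prefix match in
    the selected table, fall through to the next rule when nothing matches.
    Returns (table, prefix, next hop, device) or None."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None and src not in selector:
            continue
        best = None
        for prefix, nh, dev in TABLES[table]:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh, dev)
        if best is not None:
            return (table, str(best[0]), best[1], best[2])
    return None


if __name__ == "__main__":
    print("table 44 complete and 44/8-free:", covers_everything_but(POSTED_TABLE_44, AMPR))
    for src, dst in [("44.134.160.1", "2.238.198.249"),   # echo reply towards inet
                     ("44.134.160.1", "44.131.5.5"),      # 44-net to 44-net
                     ("2.238.198.249", "44.134.160.1")]:  # inet to the local 44 host
        print(f"{src} -> {dst}: {route(src, dst)}")
```

The `covers_everything_but` check is the one worth keeping around on the gateway: dropping any of the eight lines (say the `45.0.0.0/8` one) silently leaves a range of inet destinations unreachable from 44-net, and the lookup simulation shows the same thing Marco's tcpdump does, namely that a reply from 44.134.160.1 to 2.238.198.249 is selected for tunl0 towards 169.228.66.251 rather than for eth0.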