13 Jul
2017
13 Jul
'17
12:33 p.m.
Remember that the system routing table and the encap
routing table are
separate on amprgw. The system routing table is in the kernel; the
encap table is in user space. Packets arriving at amprgw which are for
hosts listed in the encap hosts table are diverted to the encap router;
all other packets are left to the kernel to route.
Ok that should work fine.
On the other hand, packets leaving (originating at)
amprgw are first
looked up in the system routing table and if a route is found (as it
would be for your bgp-advertised subnet), they are sent out the system
Ethernet interface and not diverted into the encap router. Packets with a
destination not in the system routing table are tested to see if they're
in the encap list, and if they are, they're sent to the encap router
to be forwarded. The rest are dropped. The encap list currently has
19000 host entries in it.
Why do you have entries for the BGP-advertised subnets? Would those not
be adequately handled by the default route? Or is this only to handle
IPIP tunnels with a BGP-advertised net-44 tunnel endpoint address? Maybe
route entries for only those addresses would be an option.
(after all, they are known as they are listed in encap.txt)
The algorithm could then be to lookup 44-net addresses in the IPIP table
when there is no specific route for them in the routing table. When no
match is found, they could still be sent out as BGP-routed when desired,
this could be achieved with a "special" entry in the lookup array for
BGP-routed addresses that are not mentioned in the encap list.
I have experimented with forcing 44.137.40.2 into the
encap router with
an explicit route to the loopback interface. This seems to work; the
pings go out a tunnel to 89.18.172.156. I've left this route in place
for now so you can repeat your tests and see if you do indeed get replies
over the tunnel the way you expect. Please let me know.
Interesting: I can now ping 44.0.0.1 from that system, but a "telnet 44.0.0.1
25"
still yields nothing. I have not yet been able to find why that is, I see
the SYN ACK coming back on the tunnel and I have allowed all traffic from
44.0.0.1 in the firewall but it simply fails to establish. No ACK is going
back to you. I can connect to other IPIP endpoints just fine. Strange.
It is not really required to fix it, I can easily route the mail via a
different path, but I was interested in finding why this goes wrong and how
it may affect others / other applications.
It could be argued that I should scrap FreeBSD on
amprgw and start over
with a Linux host. I don't know enough about the intricacies of Linux
IP handling to be at all confident of being able to do that.
I can understand that! It is certainly possible to get it running, and it
would be a lot easier to get IPIP running, but it is always a big step
to do such things.
Rob
13 Jul
13 Jul
12:42 p.m.
New subject: gw.ampr.org from tunnel system
I'm curious as to how long you waited when trying port 25. There
is a five-second delay after the connection is established before
it issues the 220 greeting, as a measure to deflect some spam. The
mail log shows a connect from linux.pe1chl.ampr.org [44.137.41.97]
about 20 minutes ago, but no commands were issued. A few minutes
later, gw-44-137.pi9noz.ampr.org [44.137.0.1] similarly connected
but did not do anything before disconnecting.
- Brian
On Thu, Jul 13, 2017 at 06:33:51PM +0200, Rob Janssen wrote:
Interesting: I can now ping 44.0.0.1 from that system,
but a "telnet 44.0.0.1 25"
still yields nothing. I have not yet been able to find why that is, I see
the SYN ACK coming back on the tunnel and I have allowed all traffic from
44.0.0.1 in the firewall but it simply fails to establish. No ACK is going
back to you. I can connect to other IPIP endpoints just fine. Strange.
It is not really required to fix it, I can easily route the mail via a
different path, but I was interested in finding why this goes wrong and how
it may affect others / other applications.
11:58 a.m.
New subject: gw.ampr.org from tunnel system
Brian.
Just being a bit curious I tried telnet...
1. From Windows 8/64b (IP 87.251.250.110)
2. From my server 44.165.2.2
Got almost the same:
Trying 44.0.0.1...
Connected to 44.0.0.1.
Escape character is '^]'.
220 gw.ampr.org ESMTP Sendmail 8.15.2/8.15.2; Thu, 13 Jul 2017
09:52:33 -0700 (PDT)
Best regards.
Tom - SP2L
1:19 p.m.
New subject: gw.ampr.org from tunnel system
Yes, I saw that in the logs.
Thanks!
- Brian
On Thu, Jul 13, 2017 at 06:58:11PM +0300, SP2L(a)wp.pl wrote:
Brian.
Just being a bit curious I tried telnet...
1. From Windows 8/64b (IP 87.251.250.110)
2. From my server 44.165.2.2
Got almost the same:
Trying 44.0.0.1...
Connected to 44.0.0.1.
Escape character is '^]'.
220 gw.ampr.org ESMTP Sendmail 8.15.2/8.15.2; Thu, 13 Jul 2017 09:52:33
-0700 (PDT)
Best regards.
Tom - SP2L
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
2500
days inactive
2500
days old
3 comments
3 participants
participants (3)
-
Brian Kantor -
Rob Janssen -
SP2L@wp.pl