Hello!
Here's my setup and problem.
I originally set up my ER-X (successfully) using the "Setting up a gateway on Ubiquiti EdgeRouter" instructions. I was able to interact with the AMPR gateway, but discovered that I of course couldn't access the various other 44net subnets. So I decided to switch to the instructions under "Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X".
I believe I did a good job of "unrolling" the changes from the first instructions. I removed my previous 'tun0' interface, associated firewall rules, etc. (basically, anything I created in the first set of instructions, I removed, and have verified via the ER-X config tree).
Then I created my IP-IP tunnel setup using the second set of instructions. Here's what I have:
My modem to the outside world is my AT&T Uverse DSL modem. I have it in DMZplus mode where the ER-X (which lives 'behind' the modem) is actually assigned the external IP of 23.118.163.99. All traffic for any port should get pushed to the ER-X.
eth0 on the ER-X is the WAN connection to the modem. eth1/3/4 go to various other home network VLANs. eth2 is configured for my 44net subnet (44.46.1.56/29). The router is 44.46.1.57. I have one host (a Raspberry Pi) on the subnet at 44.46.1.62. DNS for kc4upr.ampr.org is mapped to 44.46.1.62; I do not have a DNS entry for the router itself (don't know if that's a problem???).
tun44 is set up per the instructions, with the address as 44.46.1.57/29, the local-ip as 23.118.163.99, the remote-ip as 0.0.0.0, and encapsulation as ipip.
I have the firewall rules configured per the instructions. I downloaded and installed ampr-ripd; the only tweak I made to the ampr.sh script was to add "-L KC4UPR@EM48qr" (I did not add any -a entries).
I also installed the status wizard. Checking the status wizard, I see that the ripd daemon is running, and there are 737 routes. I see 4 sensible static routes, 5 bypass routes that I assume make sense, and then a bunch of AMPR routes that look similar to what comes out of the encap.txt file.
I do see that my status and location show up correctly at http://www.yo2loj.ro/ampr-map/, and that my status is updating every 5 minutes per the ampr-ripd daemon. I looked at the source code, and verified that the way that the script "phones home" is via IP 44.182.21.1. So "something" on my system must be able to actually access 44net, right???
Here are my problem observations, however:
- I cannot seem to access anything on 44net, whether via my Raspberry Pi or directly from the router. Pings never return, and traceroute all ends at the router (44.46.1.57).
- Looking at my firewall policies, reviewing the stats, 0 packets/bytes have been processed by my "allow ipip from wan" rule for the wan-local policy (it's the first rule). Zero (0) packets whatsoever have been processed by either my 44Net-in or 44Net-local policies. So clearly something is not right there...
- I ran 'show ip route' on the router. There are 4 routes associated with 44Net: 1 for my subnet, connected to eth2. One for the router itself, connected to tun44. The other two routes are for 44.0.0.0/9 and 44.128.0.0/10, both via 169.228.34.84; both marked 'inactive' (is that a problem?).
- I also ran 'show interfaces tunnel tun44'. It shows lots of TX bytes, but 0 RX bytes.
- Also, I noticed that on the ER-X 'Routing' page, I can filter on 'RIP'. There are no routes under RIP... should it be that way?
Obviously my tunnel isn't working (even though I somehow still update location???). Any thoughts?
Thanks,
Rob KC4UPR
Hi Rob,
I will try to find the issues, but probably I will need more info on the way.
So here we go with the inline comments, and see how we work further from here.
On 27/05/2022 20:49, Rob French via 44net wrote:
Hello!
Here's my setup and problem.
I originally set up my ER-X (successfully) using the "Setting up a gateway on Ubiquiti EdgeRouter" instructions. I was able to interact with the AMPR gateway, but discovered that I of course couldn't access the various other 44net subnets. So I decided to switch to the instructions under "Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X".
I believe I did a good job of "unrolling" the changes from the first instructions. I removed my previous 'tun0' interface, associated firewall rules, etc. (basically, anything I created in the first set of instructions, I removed, and have verified via the ER-X config tree).
Then I created my IP-IP tunnel setup using the second set of instructions. Here's what I have:
My modem to the outside world is my AT&T Uverse DSL modem. I have it in DMZplus mode where the ER-X (which lives 'behind' the modem) is actually assigned the external IP of 23.118.163.99. All traffic for any port should get pushed to the ER-X.
Are you sure about this setup? Your public IP is forwarded via the DMZ, but usually there is a DMZ host defined in your ISP's router, which is part of your internal network. You need to set that specific address in the ampr-ripd line in ampr.sh as an option.
eth0 on the ER-X is the WAN connection to the modem. eth1/3/4 go to various other home network VLANs. eth2 is configured for my 44net subnet (44.46.1.56/29). The router is 44.46.1.57. I have one host (a Raspberry Pi) on the subnet at 44.46.1.62. DNS for kc4upr.ampr.org is mapped to 44.46.1.62; I do not have a DNS entry for the router itself (don't know if that's a problem???).
I don't know, probably not, unless you need to access the router from 44net.
tun44 is set up per the instructions, with the address as 44.46.1.57/29, the local-ip as 23.118.163.99, the remote-ip as 0.0.0.0, and encapsulation as ipip.
Here you should again use your WAN local address.
I have the firewall rules configured per the instructions. I downloaded and installed ampr-ripd; the only tweak I made to the ampr.sh script was to add "-L KC4UPR@EM48qr" (I did not add any -a entries).
I would suggest adding -a 44.0.0.1/8,44.46.1.56/29 to your command line. Lately, the gateway also publishes 44.0.0.1/8, which is interfering with the routing, acting as a catch-all for 44net, preventing access to your local ampr LAN.
I also installed the status wizard. Checking the status wizard, I see that the ripd daemon is running, and there are 737 routes. I see 4 sensible static routes, 5 bypass routes that I assume make sense, and then a bunch of AMPR routes that look similar to what comes out of the encap.txt file.
I do see that my status and location show up correctly at http://www.yo2loj.ro/ampr-map/, and that my status is updating every 5 minutes per the ampr-ripd daemon. I looked at the source code, and verified that the way that the script "phones home" is via IP 44.182.21.1. So "something" on my system must be able to actually access 44net, right???
That status will show up even if you send your "presence" via regular internet, so it can't be used as an indicator of the system working properly.
Here are my problem observations, however:
- I cannot seem to access anything on 44net, whether via my Raspberry Pi or directly from the router. Pings never return, and traceroute all ends at the router (44.46.1.57).
- Looking at my firewall policies, reviewing the stats, 0 packets/bytes have been processed by my "allow ipip from wan" rule for the wan-local policy (it's the first rule). Zero (0) packets whatsoever have been processed by either my 44Net-in or 44Net-local policies. So clearly something is not right there...
- I ran 'show ip route' on the router. There are 4 routes associated with 44Net: 1 for my subnet, connected to eth2. One for the router itself, connected to tun44. The other two routes are for 44.0.0.0/9 and 44.128.0.0/10, both via 169.228.34.84; both marked 'inactive' (is that a problem?).
Try to run 'ip route list table 44' for the ampr routes. They are not in your main routing table and do not show up in the web interface. But the fact that the wizard shows them tells us they are actually there.
- I also ran 'show interfaces tunnel tun44'. It shows lots of TX bytes, but 0 RX bytes.
- Also, I noticed that on the ER-X 'Routing' page, I can filter on 'RIP'. There are no routes under RIP... should it be that way?
Obviously my tunnel isn't working (even though I somehow still update location???). Any thoughts?
Thanks,
Rob KC4UPR
Check these parts and let's see from here.
Marius, YO2LOJ
I added the -a options to ampr.sh as you recommended. No change after restarting it.
As far as the router IP, in DMZplus mode, the AT&T router/modem actually assigns (via DHCP) the external address to the selected device, in this case my ER-X. So the ER-X's DHCP-assigned address is 23.118.163.99.
Sent via the Samsung Galaxy S9+, an AT&T 5G Evolution capable smartphone
Maybe some more good data...
I tried running tcpdump on the router (44.46.1.57) while running traceroute on the raspberrypi (44.46.1.62).
First case:
raspberrypi (44.46.1.62): I ran 'traceroute 44.182.21.1'. I only get one hop (to the router), then nothing else.
router (44.46.1.57): I ran 'tcpdump -i tun44'. I see many packets from kc4upr.ampr.org to yo2tm.ampr.org, but no responses.
Second case:
raspberrypi (44.46.1.62): I ran 'traceroute 44.182.21.1'. Same as above.
router (44.46.1.57): I ran 'tcpdump -i eth0 -vvv -s0 -n proto ipencap'. I see many packets from 23.118.163.99 to 89.33.44.100, but no responses.
So what I THINK this means is that I am successfully tunneling out from my 44 subnet. I know that I am sending encapsulated packets from my subnet out to the gateway for yo2tm.ampr.org. But I am not getting anything back.
Of course, there are still a few potential sources for the problem:
- ER-X to my AT&T modem... are my packets actually leaving my house? (But everything else behind my ER-X appears to work fine...)
- Coming back the other direction, is the other host seeing my packets and sending a response? (and/or are my packets properly formatted)
- AT&T modem to my ER-X... could something be dropped
- ER-X configuration... could I be missing some configuration there?
Rob KC4UPR
On 2022-05-27 16:01, Rob French via 44net wrote:
I added the -a options to ampr.sh as you recommended. No change after restarting it.
As far as the router IP, in DMZplus mode, the AT&T router/modem actually assigns (via DHCP) the external address to the selected device, in this case my ER-X. So the ER-X's DHCP-assigned address is 23.118.163.99.
Sent via the Samsung Galaxy S9+, an AT&T 5G Evolution capable smartphone
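The two tcpdump runs above show the pattern that matters for an IPIP gateway: encapsulated packets leave the WAN side towards a remote endpoint and nothing ever comes back. The script below is an added example for this thread; it is not code from the original messages, from ampr-ripd or from EdgeOS. It reads the one-line-per-packet output of `tcpdump -l -n -i eth0 proto ipencap` (the non-verbose form, whose line shape is assumed to be the usual "IP outer-src > outer-dst: IP inner-src > inner-dst: ... (ipip-proto-4)"), counts per remote endpoint how many encapsulated packets were sent and received, and flags endpoints with no return traffic. The sample capture embedded in it is constructed, not real output, and the file name ipip_summary.py is assumed.

```python
"""Summarise IPIP ('ipencap', IP protocol 4) tunnel traffic from tcpdump output.

Added example, not code from this thread, from ampr-ripd or from EdgeOS.
Per remote tunnel endpoint it counts packets sent (outer source is our WAN
address) and received (outer destination is our WAN address). An endpoint
with tx > 0 and rx == 0 is the one-way pattern described in the thread:
the return path is broken somewhere, so that is the place to look
(filtering of protocol 4 upstream, the endpoint address registered for the
gateway, or a wan-local firewall rule that never matches).
"""
import re
from collections import defaultdict

# Assumed shape of a non-verbose tcpdump line for an IPIP packet:
#   <time> IP <outer src> > <outer dst>: IP <inner src>[.port] > <inner dst>[.port]: ... (ipip-proto-4)
# Only the timestamp and the two outer addresses are required; the rest is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+(?P<rest>.*)$"
)
# Inner (44net) header, with optional ".port" suffixes for UDP/TCP.
INNER_RE = re.compile(
    r"^IP\s+(?P<isrc>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+"
    r"(?P<idst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?"
)

# Constructed sample capture (not real output): three traceroute probes from
# the Pi towards 44.182.21.1 via 89.33.44.100 that get no reply, and one ping
# to 44.0.0.1 via 169.228.34.84 that is answered.
SAMPLE_CAPTURE = """\
20:49:01.000100 IP 23.118.163.99 > 89.33.44.100: IP 44.46.1.62.33434 > 44.182.21.1.33434: UDP, length 32 (ipip-proto-4)
20:49:01.000900 IP 23.118.163.99 > 89.33.44.100: IP 44.46.1.62.33435 > 44.182.21.1.33435: UDP, length 32 (ipip-proto-4)
20:49:02.000100 IP 23.118.163.99 > 89.33.44.100: IP 44.46.1.62.33436 > 44.182.21.1.33436: UDP, length 32 (ipip-proto-4)
20:49:05.120000 IP 23.118.163.99 > 169.228.34.84: IP 44.46.1.57 > 44.0.0.1: ICMP echo request, id 7, seq 1, length 64 (ipip-proto-4)
20:49:05.180000 IP 169.228.34.84 > 23.118.163.99: IP 44.0.0.1 > 44.46.1.57: ICMP echo reply, id 7, seq 1, length 64 (ipip-proto-4)
"""


def parse_line(line):
    """Return (timestamp, outer_src, outer_dst, inner_src, inner_dst) or None.
    inner_src/inner_dst are None when the inner header is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    inner = INNER_RE.match(m.group("rest"))
    isrc, idst = (inner.group("isrc"), inner.group("idst")) if inner else (None, None)
    return m.group("ts"), m.group("src"), m.group("dst"), isrc, idst


def summarise(lines, local_ip):
    """Per remote endpoint: packets we sent ('tx'), packets we got back ('rx'),
    and the set of inner destinations we tried to reach through it."""
    stats = defaultdict(lambda: {"tx": 0, "rx": 0, "inner_dst": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an IPIP line we understand (e.g. the tcpdump banner)
        _, src, dst, _, idst = parsed
        if src == local_ip:
            stats[dst]["tx"] += 1
            if idst:
                stats[dst]["inner_dst"].add(idst)
        elif dst == local_ip:
            stats[src]["rx"] += 1
    return dict(stats)


def one_way_peers(stats):
    """Endpoints we sent to and never heard from, sorted for stable output."""
    return sorted(p for p, c in stats.items() if c["tx"] > 0 and c["rx"] == 0)


def report(stats):
    """One human-readable line per endpoint, flagging the one-way ones."""
    lines = []
    for peer in sorted(stats):
        c = stats[peer]
        flag = "  <- no return traffic" if c["tx"] and not c["rx"] else ""
        inner = ",".join(sorted(c["inner_dst"])) or "-"
        lines.append(f"{peer:16} tx={c['tx']:4} rx={c['rx']:4} inner_dst={inner}{flag}")
    return lines


if __name__ == "__main__":
    import sys
    # Pipe a live capture in, or run with no input to see the constructed sample:
    #   tcpdump -l -n -i eth0 proto ipencap | python3 ipip_summary.py 23.118.163.99
    local = sys.argv[1] if len(sys.argv) > 1 else "23.118.163.99"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    print("\n".join(report(summarise(source, local))))
```

Run it on the real capture from the WAN interface (tcpdump's `-l` keeps the pipe line-buffered) and compare with the counters of the "allow ipip from wan" rule: a peer listed with rx > 0 while that rule still shows zero matches points at the local firewall ordering rather than the upstream path, whereas rx == 0 for every peer means nothing encapsulated is reaching the WAN port at all.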
On Fri, 27 May 2022, Rob French via 44net wrote:
Maybe some more good data...
I tried running tcpdump on the router (44.46.1.57) while running traceroute on the raspberrypi (44.46.1.62).
If you enable ssh on the ERX, you can login and sudo to the root account and use that to run tcpdump.
# ssh ubnt@192.168.1.1
ubnt@192.168.1.1's password:
Linux router 4.52.34-UBNT #1 SMP Tue Mar 32 22:23:24 UTC 2022 mips
Welcome to EdgeOS
Last login: Sat May 20 22:22:22 2022 from 192.168.1.2
ubnt@router:~$ sudo su -
root@router:~#
From there you can use tcpdump on any port of the switch, and ifconfig is an available command if you need it.
Your configuration will vary depending on whether you are using the switch port as VLAN aware or not and what configured interfaces you have defined. Both the five-port switch chip itself and each individual port can have configured VLANs although both cannot use the same VLAN number independently.
IIRC the /config directory survives upgrades and reboots. I am not sure on that because I do not have the router I used for that part of my 44net network in front of me.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager