I added the -a options to ampr.sh as you recommended.  No change after restarting it.As far as the router IP, in DMZplus mode, the AT&T router/modem actually assigns (via DHCP) the external address to the selected device,  in this case my ER-X.  So the ER-Xs DHCP- assigned address is 23.118.163.99.Sent via the Samsung Galaxy S9+, an AT&T 5G Evolution capable smartphone -------- Original message --------From: Marius Petrescu <marius(a)yo2loj.ro> Date: 5/27/22 15:06 (GMT-06:00) To: Rob French <scrape(a)sdf.org>rg>, 44net(a)mailman.ampr.org Subject: Re: [44net] Problems with ampr-ripd on EdgeRouter X Hi Rob,I will try to find the issues, but probably I will need more info on the way.So here we go with the inline comments, and see how we work further from here.On 27/05/2022 20:49, Rob French via 44net wrote:> Hello!>> Here's my setup and problem.>> I originally setup my ER-X (successfully) using the "Setting up a > gateway on Ubiquiti EdgeRouter" instructions.  I was able to interact > with the AMPR gateway, but discovered that I of course couldn't access > the various other 44net subnets.  So I decided to switch to the > instructions under "Installing ampr-ripd on a Ubiquiti EdgeRouter or > EdgeRouter X".>> I believe I did a good job of "unrolling" the changes from the first > instructions.  I removed my previous 'tun0' interface, associated > firewall rules, etc (basically, anything I created in the first set of > instructions, I removed, and have verified via the ER-X config tree).>> Then I created my IP-IP tunnel setup using the second set of > instructions.  Here's what I have:>> My modem to the outside world is my AT&T Uverse DSL modem.  I have it > in DMZplus mode where the ER-X (which lives 'behind' the modem) is > actually assigned the external IP of 23.118.163.99.  All traffic for > any port should get pushed to the ER-X.Are you sure about this setup?Your public IP is forwarded via the DMZ, but usually there is a DMZ host defined in your ISPs router, which is part of your internal network. You need to set that specific address in the ampr-ripd line in ampr.sh as a option.>> eth0 on the ER-X is the WAN connection to the modem.  eth1/3/4 go to > various other home network VLANs.  eth2 is configured for my 44net > subnet (44.46.1.56/29).  The router is 44.46.1.57.  I have one host (a > Raspberry Pi) on the subnet at 44.46.1.62.  DNS for kc4upr.ampr.org is > mapped to 44.46.1.62; I do not have a DNS entry for the router itself > (don't know if that's a problem???).I don't know, probably not, unless you need to access the router from 44net.>> tun44 is setup per the instructions, with the address as > 44.46.1.57/29, the local-ip as 23.118.163.99, the remote-ip as > 0.0.0.0, and encapsulation as ipip. Here you should use again, your WAN local address.>> I have the firewall rules configured per the instructions.  I > downloaded and installed ampr-ripd; the only tweak I made to the > ampr.sh script was to add "-L KC4UPR@EM48qr" (I did not add any -a > entries).I would sugest adding -a 44.0.0.1/8,44.46.1.56/29 to your command line. Lately, the gateway also publishes 44.0.0.1/8, which is interfering with the routing, acting as a catch-all for 44net, preventing access to your local ampr LAN.>> I also installed the status wizard.  Checking the status wizard, I see > that the ripd daemon is running, and there are 737 routes.  I see 4 > sensible static routes, 5 bypass routes that I assume make sense, and > then a bunch of AMPR routes that look similar to what comes out of the > encap.txt file.>> I do see that my status and location show up correctly at > http://www.yo2loj.ro/ampr-map/, and that my status is updating every 5 > minutes per the ampr-ripd daemon.  I looked at the source code, and > verified that the way that the script "phones home" is via IP > 44.182.21.1.  So "something" on my system must be able to actually > access 44net, right???That status will show up even if you send your "presence" via regular internet, so it can't be used as an indicator of the system working properly.>> Here are my problem observations, however:>> - I cannot seem to access anything on 44net, whether via my Raspberry > Pi or directly from the router.  Pings never return, and traceroute > all ends at the router (44.46.1.57).>> - Looking at my firewall policies, reviewing the stats, 0 > packets/bytes have been processed by my "allow ipip from wan" rule for > the wan-local policy (it's the first rule). Zero (0) packets > whatsoever have been processed by either my 44Net-in or 44Net-local > policies.  So clearly something is not right there...>> - I ran 'show ip route' on the router.  There are 4 routes associated > with 44Net:  1 for my subnet, connected to eth2.  One for the router > itself, connected to tun44.  The other two routes are for 44.0.0.0/9 > and 44.128.0.0/10, both via 169.228.34.84; both marked 'inactive' (is > that a problem?).Try to run 'ip route list table 44' for the ampr routes. They are not in your main routing table and do not show up in the web interface. But the fact that the wizard shows them tells us they are actually there.>> - I also ran 'show interfaces tunnel tun44'.  It shows lots of TX > bytes, but 0 RX bytes.>> - Also, I noticed that on the ER-X 'Routing' page, I can filter on > 'RIP'.  There are no routes under RIP... should it be that way?>> Obviously my tunnel isn't working (even though I somehow still update > location???).  Any thoughts?>> Thanks,>> Rob KC4UPR>Check these parts and let's see from here.Marius, YO2LOJ

On Fri, 27 May 2022, Rob French via 44net wrote: If you enable ssh on the ERX, you can login and sudo to the root account and use that to run tcpdump. # ssh ubnt(a)192.168.1.1 ubnt(a)192.168.1.1's password: Linux router 4.52.34-UBNT #1 SMP Tue Mar 32 22:23:24 UTC 2022 mips Welcome to EdgeOS Last login: Sat May 20 22:22:22 2022 from 192.168.1.2 ubnt@router:~$ sudo su - root@router:~# From there you can use tcpdump on any port of the switch, and ifconfig is an available command if you need it. Your configuration will vary depending on whether you are using the switch port as VLAN aware or not and what configured interfaces you have defined. Both the five-port switch chip itself and each individual port can have configured VLANs although both cannot use the same VLAN number independently. IIRC the /config directory survives upgrades and reboots. I am not sure on that because I do not have the router I used for that part of my 44net network in front of me. -- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager