I'm trying to understand why you changed the net so that I need a separate tunnel
to every GW.
In this case, what is the benefit of using the 44 net instead of "regular" IP?
I think that adding some main GWs (maybe a main router for each country) would
add connectivity to the 44 networks easily, and every endpoint would only have
to take care of a single tunnel.
That is exactly what we did here in the Netherlands. We put a machine in a
datacenter that serves as an IPIP gateway for 44.137.0.0/16, and everyone who
is interested in a simple tunnel can get a connection to it using one of the
VPN techniques that are more in use today: OpenVPN, IPsec tunnel, GRE over IPsec
transport, or also IPIP. And this system routes towards the radio network that
is in rapid development right now (Ubiquiti and MikroTik equipment for 6 cm).
The provider XS4ALL that hosts this system also advertises the 44.137.0.0/16
space on their routers using BGP (in close cooperation with Brian Kantor), and
they statically route this traffic to the machine. So we are directly reachable
from Internet as well. We explicitly chose this method because we are no experts
on Internet BGP and those people at the provider are, it is their daily business.
We run BGP on the 44-network as well (the radio side), but that is a different
thing. There is no BGP communication across our gateway.
The machine is an HP ProLiant DL380 server, so it is not as failure-prone as the
home PCs that Ronen has used. And just this weekend I have migrated it to a newer
HP server that we installed with VMware ESXi, on which this is one of the Virtual
Machines; now we will soon install VMware ESXi on the old machine as well, and we
will have failover capability (manually operated cold standby, for now).
We also host Echolink Proxy and Relay servers and several services related to the
new digital modes, like a BrandMeister Master server, D-Star reflectors, etc,
on other Virtual Machines on the same server.
Of course the advantage of an IPIP mesh direct to every gateway is that there is
no central point of failure. When our gateway is down, we mostly become isolated.
When a gateway serving only a local subnet is down, the other gateways can
still communicate among each other. That is one reason that architecture was
chosen.
This has not "changed". It has always worked like this. However, not everyone
has understood that, and they believed that they could just send all traffic to
the UCSD gateway (which is the gateway for the entire 44.0.0.0/8 subnet towards
the Internet), and it would forward it to the proper destination. That was always
a bad thing to do, because you would load that single system with all the traffic.
But it worked.
Now it does not work anymore and you have to do the right thing: route the traffic
to where it has to go. This of course also means it will work better, because when
you send traffic to a regional system it will no longer travel via California, and
you will have a much shorter delay.
Using our architecture it is still possible for a Dutch station to setup IPIP
routing for their local subnet, because they will just become part of the IPIP mesh
and the Dutch gateway is also part of that mesh. Traffic will still flow correctly.
However, it is no longer a good idea to run IPIP on a regional gateway
(as someone asked about this weekend), because the individual VPN routes are not
known to that gateway and the routing for those will break. Therefore we route
those regional gateways using BGP (on private AS numbers) so they receive all routing
information dynamically. For that, they are connected to the gateway using GRE.
(The situation was explained off-list to the one asking here.)
Of course setting this all up requires a bit more knowledge of routing and a lot
more perseverance than configuring a simple IPIP gateway on a Raspberry Pi.
Linux routing is really powerful, also when compared to the most established
professional routers. But you have to read documentation, sometimes written by
Russian and Japanese volunteers and researchers who do not have English as their
main language (just like me). It can be challenging, but I think it is very
rewarding to get it operating perfectly. It is like building your own station
for amateur radio: some people like to build from small parts, others from a kit,
and some like to buy a shiny box. They all enjoy the hobby, but building from
small parts is not for everyone. To me, finding out how to do it is a big part of
all the fun, and the end result ("what are the benefit of using 44 net instead
of "regular" ip ?") is much less important. That is why I do not always
understand those who just want directions on how to do it and copy what someone
else has tinkered with. Sure, it will bring you online quickly, but then leave you
with the question of what to do next.
Rob
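Worked example added by the editor, not code from the message above or from the Dutch gateway project. It shows the two Linux-side roles Rob describes: an endpoint with a single IPIP tunnel to the central gateway (all of 44/8 routed into that tunnel via a policy-routing table, so the host's ordinary Internet traffic is untouched), and a regional gateway connected by GRE where no static 44-net routes are installed because BGP over the GRE link supplies them (the BGP daemon itself is not shown). The interface names tun44/gre44, table number 44 and all addresses in the usage line are assumptions for illustration; the parameter checks and the protocol-4/47 input filtering are the practitioner's additions, since IPIP and GRE carry no authentication of their own. With DRY_RUN=1 (the default) the ip/sysctl/iptables commands are printed instead of executed, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the list post). Hypothetical names: tun44, gre44,
# routing table 44; addresses are supplied by the caller.
# DRY_RUN=1 (default): print commands. DRY_RUN=0: execute them (needs root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Tunnel endpoints must be ordinary Internet addresses: the outer IPIP/GRE
# header cannot itself be delivered through the tunnel. The inner address
# must be a 44.x.x.x/len address. Returns 1 (and says why) on a bad parameter.
check_params() {
    gw_public="$1"; my_public="$2"; my_44addr="$3"
    case "$gw_public" in
        44.*) echo "gateway endpoint $gw_public is inside 44/8" >&2; return 1 ;;
    esac
    case "$my_public" in
        44.*) echo "local endpoint $my_public is inside 44/8" >&2; return 1 ;;
    esac
    case "$my_44addr" in
        44.*.*.*/*) ;;
        *) echo "local address $my_44addr is not a 44.x.x.x/len address" >&2; return 1 ;;
    esac
    return 0
}

# Endpoint role: one IPIP tunnel to the central gateway, every 44-net
# destination routed through it.
#   $1 gateway public address  $2 own public address  $3 own 44-net addr/len
configure_endpoint() {
    check_params "$1" "$2" "$3" || return 1
    gw_public="$1"; my_public="$2"; my_44addr="$3"

    run ip tunnel add tun44 mode ipip local "$my_public" remote "$gw_public" ttl 64
    run ip addr add "$my_44addr" dev tun44
    run ip link set tun44 up

    # Policy routing: packets sourced from 44/8 consult table 44, whose only
    # route sends all of 44/8 into the tunnel. The main table is untouched.
    run ip route add 44.0.0.0/8 dev tun44 table 44
    run ip rule add from 44.0.0.0/8 table 44

    # Loose reverse-path filtering on the tunnel: the inner packet arrives on
    # tun44 while the outer packet came in on the physical interface, and
    # strict mode (1) would drop it.
    run sysctl -w net.ipv4.conf.tun44.rp_filter=2

    # IPIP has no authentication. Accept encapsulated packets (IP protocol 4)
    # only from the gateway's address and drop the rest. This limits but does
    # not eliminate injection: a spoofed gateway source address still passes,
    # which is why OpenVPN or IPsec is preferable when that matters.
    run iptables -A INPUT -p 4 -s "$gw_public" -j ACCEPT
    run iptables -A INPUT -p 4 -j DROP
}

# Regional-gateway role: a GRE tunnel to the central gateway and no static
# 44-net routes, because BGP (private AS numbers) over this link supplies them.
#   $1 gateway public address  $2 own public address  $3 own 44-net addr/len
configure_regional_gre() {
    check_params "$1" "$2" "$3" || return 1
    run ip tunnel add gre44 mode gre local "$2" remote "$1" ttl 64
    run ip addr add "$3" dev gre44
    run ip link set gre44 up
    run sysctl -w net.ipv4.ip_forward=1
    # GRE is IP protocol 47; same source restriction and caveat as above.
    run iptables -A INPUT -p 47 -s "$1" -j ACCEPT
    run iptables -A INPUT -p 47 -j DROP
}

# Usage: DRY_RUN=1 sh tunnel44.sh endpoint 203.0.113.10 198.51.100.5 44.137.60.1/32
#        DRY_RUN=1 sh tunnel44.sh regional 203.0.113.10 198.51.100.5 44.137.60.2/30
if [ $# -eq 4 ]; then
    case "$1" in
        endpoint) configure_endpoint "$2" "$3" "$4" ;;
        regional) configure_regional_gre "$2" "$3" "$4" ;;
    esac
fi
```

Review the printed plan before running it with DRY_RUN=0; the `ip rule` and table-44 route mean only packets that already carry a 44-net source address enter the tunnel, so a host that has not yet been given its 44 address sends nothing into it.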