Re: [44net] Education about networking (Was Re: Inviting you to ARDC Grantmaking Survey + Community Jitsi Call)
5 Oct
2020
5 Oct
'20
4:40 a.m.
Yeah this thread kinda went off the rails. Originally
we WERE talking about global Internet BGP. That is what the folks need that are using
net-44 for IRLP, Allstar, Echolink, D-Star and various types of DMR. 44-net addresses that
need access to and from the global Internet.
It took my local data center provider about three weeks
to set up advertising one of my /23. Mostly waiting for all of their upstream providers to
accept the newly advertised routes. Vultr.com has a very slick set of tools allowing one
to get it going in a few hours, assuming proper license from ARDC is obtained. Neither one
charges anything extra for doing that.
But it is nothing anyone here can do on their own from
home. Basically it requires support from a large data center or ISP. All of my blocks are
globally routable, courtesy of my data center providers. I run an implementation of
OpenVPN on a Linux VM to pass individual addresses (/32) to client IRLP nodes.
Please understand that in the topology I am proposing (and have proposed several times in
the past) you don't need to do that as an individual, it is left to local groups or
ARDC to do that.
You would have a local router in some datacenter that advertises some segment of the
net-44 space on internet (or preferably, the ISP does the advertising and just statically
routes the incoming traffic to you). Then in that datacenter you have a router that
allows incoming VPN connections from small routers at the individual's homes or
repeater locations.
Those individual routers talk BGP as well, but that only travels between their router and
the datacenter router. It is used to tell the datacenter router what subnet(s) of the
net-44 space each one wants to receive. It does not influence what happens on the
internet side, there it always receives the full /16../24 that is advertised on internet.
Now, the individuals and repeaters can build radiolinks between them, they will form the
AMPRnet over radio for that region. Traffic will (with proper setup) select those
radiolinks first, the link to the datacenter is used for traffic towards internet or when
there is no radiolink available.
ARDC would arrange there is a full mesh (or almost full mesh) of GRE tunnels between all
those datacenter routers where BGP is running as well. That means that redundancy can be
built into the network, so you would not be dependent on a single router when you
don't like that. You could setup a VPN to more than one datacenter router and again
BGP will arrange that you will receive your network traffic, at least the AMPRnet traffic,
at any time even when your main router is down.
In my opinion that is a much better solution than the IPIP mesh we have now, which is
completely static and has your gateway system as a single point of failure.
Also it requires a mostly static IP, and possibility to forward the protocol 4 traffic to
the gateway system. This is ever harder to get going on a modern internet connection that
has a dynamic address and maybe even CGNAT. A VPN system does not suffer from that.
Rob
7 Oct
7 Oct
8:51 a.m.
New subject: Education about networking (Was Re: Inviting you to ARDC Grantmaking Survey + Community Jitsi Call)
Le 05/10/2020 à 10:40, Rob Janssen via 44Net a écrit :
Please understand that in the topology I am proposing (and have
proposed several times in the past) you don't need to do that as an
individual, it is left to local groups or ARDC to do that.
+1
We are using a similar topology here.
Anyway, the details of our implementation differ :
- We are currently testing Wireguard as a replacement for OpenVPN (too
much odd behaviors with OpenVPN)
- Our endpoints are $20-$50 OpenWRT routers. We configure them, and send
them to the local users / sites.
- On any site, we typically route /29 (5 usable IPs) on small sites and
/28 (13 usable IPs) on more important sites
- We typically route a 44.190 subnet for things that requite public
Internet addressing (D-Star, DMR, XLX) (as defined by DG8NGN), and a
44.168 subnet for all ham-related machines.
- Any site can have a 44.190 subnet, a 44.168 subnet, or both.
- There's no more dual adressing. All machines only have a 44.168 or
44.190 IP. Except for the central gateway, no machine / no server is
using public Internet IP anymore.
- Due to the highly experimental nature of the network and the tiny
size, we do not have full internal dynamic routing yet, and we use
static routing for now. Our dynamic experiments on some sites are using
OSPF.
- 44.190 subnet is routed on Internet with BGP via a Vultr VPS (which
costs $5/month, is easy to implement, and is independent of local ISP
BGP capabilities)
- 44.168 subnet is currently not routed on Internet via BGP, because
this does not have much sense. For now, it's not routed outside of our
island. But we plan to implement IP-IP routing on the central gateway
(as we had in our previous iteration)
Maybe we should try to identify all people using this kind of topology
all over the world (what I called a "Regional" or "local" gateways) ?
Then, we may try to "normalize" our implementations :
- Adoption of dual-addressing : 44.190 for things that require Internet
access, and 44.<country> for other things
- Choice of internal VPN tunneling protocol(s)
- Choice of internal routing protocol
- Choice of external routing method (tunnels and routing between gateways)
73 de TK1BI
1507
days inactive
1509
days old
1 comments
2 participants
participants (2)
-
Rob Janssen -
Toussaint OTTAVI