ampr-ripd and Amprnet Net-44 notes

Info from page of KB9MWR

First some history:

In early 2012, Heikki Hannikainen, OH7LZB (the ham behind aprs.fi) modernized the amprnet routing by writing a custom RIPv2 daemon to receive RIP updates from the 44/8 ampr.org routing service, and insert them in the Linux routing table.  This has replaced the encap.txt and munge script method.

In late 2012 a new unified interface was given to www.ampr.org.

Prior to that, another email robot, maintained by Jim Fuller, N7VR, emailed a daily encap.txt list of NOS-style route commands.  From there, if you were on the ball, you had a cron script munge these into your gateway's routing table. Most folks who ran gateways were not on the ball and would manually install route updates as time permitted.

To clarify: the RIP announcer at UCSD is one-way, so the gateways robot is still there so that hams can create/define the gateways that RIP packets will be directed to.  The RIP packets are sent IPIP-encapsulated from 44.0.0.1.

For inbound IPIP/IPENCAP encapsulation and the RIP packets to reach your gateway, you’ll need to forward protocol 4 (IPIP) to your gateway server.  Most consumer grade routers/gateways and modems will lack a direct way to specify this via the GUI.  If nothing else, if you can ssh/telnet into your router you can specify it there.  Or it may just be easier to enable the DMZ and point it at your ampr gateway.

Just to make it clear, IPENCAP (4) is a Layer 4 IP protocol, like ICMP (1), TCP (6), UDP (17), GRE (47), OSPF (89), AXIP (93) and a lot of others, with the difference that it transports another L3 protocol (IP).  It works on top of IP, which is the Layer 3 protocol on the internet. And there are other L3 protocols, like ARP, IPv6, AppleTalk DDP, IPX, IPSEC and others. IPENCAP has no port numbers. Those are specific to TCP and UDP, and that’s it. You cannot “simulate” it by port numbers.

Heikki wrote the original daemon in the Perl programming language.  Later Marius, YO2LOJ, wrote an ampr-ripd daemon in C.

Here are some notes using Ubuntu Server 10.04.4 LTS, also confirmed to work on Debian Wheezy. In these notes, using the gateways robot we have specified that subnet 44.92.21.0/24 can be reached by gateway 174.103.224.07.  We use Marius YO2LOJ’s ampr-ripd daemon (v1.13).  (Note: worst case is a two hour wait from the time you first create a gateway in the portal to the time you start receiving route information.)


eth0 directly connected to the internet (174.103.224.07) WAN
eth1 faces the wireless LAN (44.92.21.2) 44.92.21.0/25
tunl0 is the IPIP wormhole tunnel to the rest of the AMPRNet (44.92.21.1)
tun0 is for the optional OpenVPN server. 44.92.21.129/25

Wireless hosts use these routes to reach each other and the rest of the amprnet:

route add 44.92.21.0/24 netmask 255.255.255.0 dev eth0
route add 44.0.0.0/8 netmask 255.0.0.0 gw 44.92.21.2 dev eth0

You can use these notes as a basis for your setup, but you’ll need to make changes accordingly.

I have successfully installed this on a low power, cheap Raspberry Pi and added a USB network adapter.


Installing

Debian drives me insane, I suggest making a root account so you don’t go mad:

sudo passwd root

Or at the very least switch to root:

sudo -i

Install the tools and dependencies you’ll need:

apt-get install tcpdump dnsutils iptables-persistent ipset fail2ban lynx

Enable IP forwarding now (and, to make it persistent across reboots, set net.ipv4.ip_forward=1 in /etc/sysctl.conf):

echo 1 > /proc/sys/net/ipv4/ip_forward

If you run a firewall, ensure IPIP protocol 4 is allowed:

iptables -A INPUT -p 4 -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT

Or if you are behind NAT, something like (where 192.168.1.10 is your gateway):

iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.1.10

To reduce traffic, drop neighbor discovery and smb as well as MikroTik Neighbor Discovery Protocol on tunl0 (optional, but a good idea):

iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP

Create a tunnel interface (this should reflect the ampr IP address of your gateway):

ifconfig tunl0 up 44.92.21.1 netmask 255.255.255.255

Download the latest daemon, untar it, compile it, and copy it to a proper location (/usr/sbin):

wget http://www.yo2loj.ro/hamprojects/ampr-ripd-xxx.tgz
tar -xvzf  ampr-ripd-xxx.tgz
make
cp ampr-ripd /usr/sbin

Run it for the first time:

Run it first with the -d -i tunl0 options to verify that it sees the route announcements from amprgw, and to learn the plaintext password used to authenticate the RIP packets (it’s not included in the script, and I’m not posting it here, so that spoofing can only be done by those who are already receiving the announcements). Wait up to 5 minutes for the routes to be transmitted; it will then complain about the password it’s not expecting.  (Note: if you just submitted/changed your gateway in the portal, those updates are only loaded every hour.)

root@hsmm-gw:~# ./ampr-ripd -d -i tunl0
found local address: 174.103.224.07
found local address: 44.92.21.2
found local address: 127.0.0.1
found local address: 44.92.21.1
opening UDP socket...
entering main loop, waiting for RIPv2 datagrams
received from 44.0.0.1: 520: 504 bytes
RIPv2 packet contains password PasswordFoundHere but we require none
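The check behind that last line, as an added Python example that is not code from ampr-ripd or from this page: it builds a constructed RIPv2 response of the kind 44.0.0.1 sends (4-byte header, then 20-byte entries, the first carrying the RFC 2453 simple-password authentication), parses it, and accepts routes only when the datagram comes from the expected announcer and carries the expected password. The password placeholder, the second route and the 203.0.113.5 endpoint are constructed values; the 44.92.21.0/24 via 174.103.224.7 route is the page's own gateway entry.

```python
import struct
import ipaddress

# RFC 2453 field values (from the RIPv2 spec, not from ampr-ripd's source).
AF_INET = 2
AUTH_FAMILY = 0xFFFF   # address-family value that marks an authentication entry
AUTH_SIMPLE = 2        # simple (plaintext) password authentication
ANNOUNCER = "44.0.0.1" # the amprgw announcer named on the page

def build_ripv2(password, routes):
    """RIPv2 response with a plaintext-password entry (constructed test data)."""
    if len(password) > 16:
        raise ValueError("simple-password entries carry at most 16 bytes")
    pkt = bytes([2, 2, 0, 0])  # command=2 (response), version=2, two zero bytes
    pkt += struct.pack("!HH16s", AUTH_FAMILY, AUTH_SIMPLE, password.encode("ascii"))
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed,
                           net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)
    return pkt

def parse_ripv2(payload):
    """Return (password, [(prefix, next_hop, metric), ...]) from a RIPv2 response."""
    if len(payload) < 4 or (len(payload) - 4) % 20 or payload[:2] != b"\x02\x02":
        raise ValueError("not a well-formed RIPv2 response")
    password, routes = None, []
    for off in range(4, len(payload), 20):   # fixed 20-byte entries after the 4-byte header
        family, tag = struct.unpack("!HH", payload[off:off + 4])
        if family == AUTH_FAMILY and tag == AUTH_SIMPLE:
            password = payload[off + 4:off + 20].rstrip(b"\x00").decode("ascii")
        elif family == AF_INET:
            ip, mask, nh, metric = struct.unpack("!4s4s4sI", payload[off + 4:off + 20])
            net = ipaddress.ip_network("%s/%s" % (ipaddress.ip_address(ip),
                                                  ipaddress.ip_address(mask)), strict=False)
            routes.append((str(net), str(ipaddress.ip_address(nh)), metric))
    return password, routes

def accept_announcement(src_ip, payload, expected_password):
    """The gateway-side check: expected source, expected password, reachable metric."""
    if src_ip != ANNOUNCER:
        raise ValueError("RIP from unexpected source %s" % src_ip)
    password, routes = parse_ripv2(payload)
    if password != expected_password:
        raise ValueError("RIPv2 packet contains password %r but we require %r"
                         % (password, expected_password))
    return [r for r in routes if r[2] < 16]   # metric 16 means unreachable in RIP

# Constructed sample: the page's 44.92.21.0/24 via 174.103.224.7, plus a made-up second route.
SAMPLE = build_ripv2("PlaceholderPw", [("44.92.21.0/24", "174.103.224.7", 1),
                                       ("44.131.0.0/16", "203.0.113.5", 1)])
```

Because the password travels in the clear inside the IPIP tunnel, matching it only proves the sender has seen the announcements; the source-address check and the protocol 4 firewall rules above are what keep arbitrary hosts from feeding routes to the daemon.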


Configure it all to start at boot:

Set up your system so the startup script is run automatically, e.g. by calling it from /etc/rc.local.

My full startup script: http://www.qsl.net/kb9mwr/wapr/tcpip/startampr


Full post in English is here!
