Info from page of KB9MWR<\/a><\/h2>\nFirst some history:<\/p>\n
In early 2012, Heikki Hannikainen, OH7LZB (the ham behind aprs.fi<\/a>) modernized the amprnet routing by writing a custom RIPv2 daemon to receive RIP updates from the 44\/8 ampr.org routing service, and insert them in the Linux routing table.\u00a0 This has replaced the encap.txt and munge script method.<\/span><\/p>\nIn late 2012 a new unified interface was given to www.ampr.org<\/a>.<\/p>\nPrior; another email robot that Jim Fuller, N7VR maintained emailed a daily encap.txt list of NOS style route commands.\u00a0 From there if you were on the ball you had a cron script munge<\/a> these into your gateways routing tables. Most folks who ran gateways were not on the ball and would manually install route updates as time permitted.<\/p>\nTo clarify the rip announcer at UCSD is one-way so the gateways robot is still there so that hams can create\/define gateways that RIP packets will be directed to.\u00a0 The rip packets are sent encapsulated from 44.0.0.1.<\/p>\n
For inbound IPIP\/IPENCAP encapsulation and the RIP packets to reach your gateway you’ll need to forward protocol 4 (IPIP) to your gateway server.\u00a0 Most consumer grade router\/gateways and modems will lack a direct way to specify this via the GUI.\u00a0 If nothing else; if you ssh\/telnet into your router can can specify it there.\u00a0 Or it may just be easier to enable the DMZ and point it to your ampr gateway.<\/p>\n
Just to make it clear, IPENCAP (4) is a Layer 4 IP protocol, like ICMP (1), TCP (6), UDP (17), GRE(47), OSPF(89), AXIP (93) and a lot of others, with the difference that
\nit transports another L3 protocol (IP).\u00a0 It works on top of IP, which is the Layer 3 protocol on the internet. And there are other L3 protocols, like ARP, IPv6, AppleTalk DDP, IPX, IPSEC and others. IPENCAP has no port numbers. Those are specific for TCP and UDP, and that’s it. You can not “simulate” it by port numbers.<\/p>\n
Heikki wrote the original daemon in the Perl programming language.\u00a0 Later Marius, YO2LOJ, wrote a ampr-ripd dameon in C.<\/a><\/p>\nHere are some notes using Ubuntu Server 10.04.4 LTS,<\/a>\u00a0 but also confirmed to work on Debian Wheezy. In these notes, using the gateways robot<\/a> we have specified that subnet 44.92.21.0\/24 can be reached by gateway 174.103.224.07.\u00a0 We use Marius YO2LOJ’s ampr-ripd dameon (v 1.13)\u00a0 (Note: worst case is a two hour wait from the time you first create a gateway in the portal to the time you start receiving route information)<\/p>\n <\/p>\n
![](\"http:\/\/lz4ny.eu\/wp-content\/uploads\/2017\/01\/gateway.jpg\")
<\/a><\/span><\/p>\neth0 directly connected to the internet (174.103.224.07) WAN
\neth1 faces the wireless LAN (44.92.21.2) 44.92.21.0\/25
\ntunl0 is the IPIP wormhole tunnel to the rest of the AMPRNet (44.92.21.1)
\ntun0 is for the optional OpenVPN\u00a0server. 44.92.21.129\/25<\/p>\n
Wireless hosts use these routes to reach each other and the rest of the amprnet:: mprnet :<\/span><\/p>\nroute add 44.92.21.0\/24 netmask 255.255.255.0 dev eth0<\/strong>
\nroute add 44.0.0.0\/8 netmask 255.0.0.0 gw 44.92.21.2 dev eth0<\/strong><\/p>\nYou can use these notes as a basis for your setup, but you’ll need to make changes accordingly.<\/p>\n
I have successfully installed this on a low power, cheap Raspberry Pi<\/a> and added a USB network adapter.<\/p>\n
\nInstalling\u00a0<\/b><\/p>\n
Debian drives me insane, I suggest making a root account so you don’t go mad:<\/p>\n
\nsudo passwd root<\/pre>\n<\/blockquote>\nOr at the very least switch to root:<\/p>\n
\nsudo -i<\/pre>\n<\/blockquote>\nInstall the tools and dependencies you’ll need:<\/p>\n
\napt-get install tcpdump dnsutils iptables-persistant ipset fail2ban lynx<\/pre>\n<\/blockquote>\nEnable IP forwarding and\/or edit in \/etc\/sysctl.conf:<\/p>\n
\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<\/blockquote>\nIf you run a firewall, ensure IPIP protocol 4 is allowed:<\/p>\n
\niptables -A INPUT -p 4 -j ACCEPT\r\niptables -A INPUT -p udp --dport 520 -j ACCEPT<\/pre>\n<\/blockquote>\nOr if you are behind NAT, something like (where 192.168.1.10 is your gateway):<\/pre>\n\niptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.1.10<\/pre>\n<\/blockquote>\nTo reduce traffic, drop neighbor discovery and smb as well as MikroTik Neighbor Discovery Protocol on tunl0 (optional, but a good idea):<\/p>\n
\niptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP\r\niptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP\r\niptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP<\/pre>\n<\/blockquote>\nCreate a tunnel interface (this should reflect the ampr IP address of your gateway) :<\/p>\n
\nifconfig tunl0 up 44.92.21.1 netmask 255.255.255.255<\/pre>\n<\/blockquote>\nDownload the latest daemon,\u00a0 untar it, compile it, and copy it to a proper location (\/usr\/sbin)<\/p>\n
\nwget http:\/\/www.yo2loj.ro\/hamprojects\/ampr-ripd-xxx.tgz<\/a>\r\ntar -xvzf <\/code> ampr-ripd-xxx.tgz\r\nmake\r\ncp ampr-ripd \/usr\/sbin<\/pre>\n<\/blockquote>\nRun it for the first time:<\/p>\n
Run it first with the -d -i tunl0 option to verify that it sees the route announcements from amprgw, and to learn the plaintext password used to authenticate the RIP packets (it’s not included in the script, and I’m not posting it here, so that spoofing can only be done by those who are already receiving the announcements). Wait up to 5 minutes until the routes are transmitted, and it’ll complain about the password it’s not expecting.\u00a0 (Note if you just submitted\/changed your gateway in the portal, those updates are only loaded every hour):<\/p>\n
\nroot@hsmm-gw:~# .\/ampr-ripd -d -i tunl0\r\nfound local address: 174.103.224.07\r\nfound local address: 44.92.21.2\r\nfound local address: 127.0.0.1\r\nfound local address: 44.92.21.1\r\nopening UDP socket...\r\nentering main loop, waiting for RIPv2 datagrams\r\nreceived from 44.0.0.1: 520: 504 bytes\r\nRIPv2 packet contains password PasswordFoundHere but we require none<\/pre>\n<\/blockquote>\n <\/p>\n
Configure it all to start at boot:<\/p>\n
Set up your system so the startup script should be run automatically, e.g. call it in \/etc\/rc.local.<\/p>\n
My full startup script: http:\/\/www.qsl.net\/kb9mwr\/wapr\/tcpip\/startampr<\/a><\/p>\n
\n <\/p>\n
Full post in english language is here !<\/a><\/strong><\/p>\n<\/p>","protected":false},"excerpt":{"rendered":"
In early 2012, Heikki Hannikainen, OH7LZB (the ham behind aprs.fi) modernized the amprnet routing by writing a custom RIPv2 daemon to receive RIP updates from the 44\/8 ampr.org routing service, and insert them in the Linux routing table. This has replaced the encap.txt and munge script method. Continue reading
In late 2012 a new unified interface was given to www.ampr.org<\/a>.<\/p>\n Prior; another email robot that Jim Fuller, N7VR maintained emailed a daily encap.txt list of NOS style route commands.\u00a0 From there if you were on the ball you had a cron script munge<\/a> these into your gateways routing tables. Most folks who ran gateways were not on the ball and would manually install route updates as time permitted.<\/p>\n To clarify the rip announcer at UCSD is one-way so the gateways robot is still there so that hams can create\/define gateways that RIP packets will be directed to.\u00a0 The rip packets are sent encapsulated from 44.0.0.1.<\/p>\n For inbound IPIP\/IPENCAP encapsulation and the RIP packets to reach your gateway you’ll need to forward protocol 4 (IPIP) to your gateway server.\u00a0 Most consumer grade router\/gateways and modems will lack a direct way to specify this via the GUI.\u00a0 If nothing else; if you ssh\/telnet into your router can can specify it there.\u00a0 Or it may just be easier to enable the DMZ and point it to your ampr gateway.<\/p>\n Just to make it clear, IPENCAP (4) is a Layer 4 IP protocol, like ICMP (1), TCP (6), UDP (17), GRE(47), OSPF(89), AXIP (93) and a lot of others, with the difference that Heikki wrote the original daemon in the Perl programming language.\u00a0 Later Marius, YO2LOJ, wrote a ampr-ripd dameon in C.<\/a><\/p>\n Here are some notes using Ubuntu Server 10.04.4 LTS,<\/a>\u00a0 but also confirmed to work on Debian Wheezy. In these notes, using the gateways robot<\/a> we have specified that subnet 44.92.21.0\/24 can be reached by gateway 174.103.224.07.\u00a0 We use Marius YO2LOJ’s ampr-ripd dameon (v 1.13)\u00a0 (Note: worst case is a two hour wait from the time you first create a gateway in the portal to the time you start receiving route information)<\/p>\n <\/p>\n eth0 directly connected to the internet (174.103.224.07) WAN Wireless hosts use these routes to reach each other and the rest of the amprnet:: mprnet :<\/span><\/p>\n route add 44.92.21.0\/24 netmask 255.255.255.0 dev eth0<\/strong> You can use these notes as a basis for your setup, but you’ll need to make changes accordingly.<\/p>\n I have successfully installed this on a low power, cheap Raspberry Pi<\/a> and added a USB network adapter.<\/p>\n Installing\u00a0<\/b><\/p>\n Debian drives me insane, I suggest making a root account so you don’t go mad:<\/p>\n Or at the very least switch to root:<\/p>\n Install the tools and dependencies you’ll need:<\/p>\n Enable IP forwarding and\/or edit in \/etc\/sysctl.conf:<\/p>\n If you run a firewall, ensure IPIP protocol 4 is allowed:<\/p>\n To reduce traffic, drop neighbor discovery and smb as well as MikroTik Neighbor Discovery Protocol on tunl0 (optional, but a good idea):<\/p>\n Create a tunnel interface (this should reflect the ampr IP address of your gateway) :<\/p>\n Download the latest daemon,\u00a0 untar it, compile it, and copy it to a proper location (\/usr\/sbin)<\/p>\n Run it for the first time:<\/p>\n Run it first with the -d -i tunl0 option to verify that it sees the route announcements from amprgw, and to learn the plaintext password used to authenticate the RIP packets (it’s not included in the script, and I’m not posting it here, so that spoofing can only be done by those who are already receiving the announcements). Wait up to 5 minutes until the routes are transmitted, and it’ll complain about the password it’s not expecting.\u00a0 (Note if you just submitted\/changed your gateway in the portal, those updates are only loaded every hour):<\/p>\n <\/p>\n Configure it all to start at boot:<\/p>\n Set up your system so the startup script should be run automatically, e.g. call it in \/etc\/rc.local.<\/p>\n My full startup script: http:\/\/www.qsl.net\/kb9mwr\/wapr\/tcpip\/startampr<\/a><\/p>\n <\/p>\n Full post in english language is here !<\/a><\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" In early 2012, Heikki Hannikainen, OH7LZB (the ham behind aprs.fi) modernized the amprnet routing by writing a custom RIPv2 daemon to receive RIP updates from the 44\/8 ampr.org routing service, and insert them in the Linux routing table. This has replaced the encap.txt and munge script method. Continue reading
\nit transports another L3 protocol (IP).\u00a0 It works on top of IP, which is the Layer 3 protocol on the internet. And there are other L3 protocols, like ARP, IPv6, AppleTalk DDP, IPX, IPSEC and others. IPENCAP has no port numbers. Those are specific for TCP and UDP, and that’s it. You can not “simulate” it by port numbers.<\/p>\n<\/a><\/span><\/p>\n
\neth1 faces the wireless LAN (44.92.21.2) 44.92.21.0\/25
\ntunl0 is the IPIP wormhole tunnel to the rest of the AMPRNet (44.92.21.1)
\ntun0 is for the optional OpenVPN\u00a0server. 44.92.21.129\/25<\/p>\n
\nroute add 44.0.0.0\/8 netmask 255.0.0.0 gw 44.92.21.2 dev eth0<\/strong><\/p>\n
\n\n
sudo passwd root<\/pre>\n<\/blockquote>\n
\n
sudo -i<\/pre>\n<\/blockquote>\n
\n
apt-get install tcpdump dnsutils iptables-persistant ipset fail2ban lynx<\/pre>\n<\/blockquote>\n
\n
echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<\/blockquote>\n
\n
iptables -A INPUT -p 4 -j ACCEPT\r\niptables -A INPUT -p udp --dport 520 -j ACCEPT<\/pre>\n<\/blockquote>\n
Or if you are behind NAT, something like (where 192.168.1.10 is your gateway):<\/pre>\n
\n
iptables -t nat -A PREROUTING -p 4 -j DNAT --to 192.168.1.10<\/pre>\n<\/blockquote>\n
\n
iptables -A OUTPUT -o tunl0 -p udp --dport 10001 -j DROP\r\niptables -A OUTPUT -o tunl0 -p udp --dport 137:139 -j DROP\r\niptables -A OUTPUT -o tunl0 -p udp --dport 5678 -j DROP<\/pre>\n<\/blockquote>\n
\n
ifconfig tunl0 up 44.92.21.1 netmask 255.255.255.255<\/pre>\n<\/blockquote>\n
\n
wget http:\/\/www.yo2loj.ro\/hamprojects\/ampr-ripd-xxx.tgz<\/a>\r\n
tar -xvzf <\/code> ampr-ripd-xxx.tgz\r\nmake\r\ncp ampr-ripd \/usr\/sbin<\/pre>\n<\/blockquote>\n\n
root@hsmm-gw:~# .\/ampr-ripd -d -i tunl0\r\nfound local address: 174.103.224.07\r\nfound local address: 44.92.21.2\r\nfound local address: 127.0.0.1\r\nfound local address: 44.92.21.1\r\nopening UDP socket...\r\nentering main loop, waiting for RIPv2 datagrams\r\nreceived from 44.0.0.1: 520: 504 bytes\r\nRIPv2 packet contains password PasswordFoundHere but we require none<\/pre>\n<\/blockquote>\n
\n