Setting up an AMPR gateway
As an amateur radio operator I've had a 44net allocation for a little while but hadn't put it to use. Since a lot of the information on the web is a little outdated, it's been good to learn some networking getting this set up.
Concepts
Conceptually, AMPRnet over the internet is a mesh, not a star. IP-in-IP tunnels are used to shuttle traffic across the internet.
flowchart LR;
Internet <--> UCSD
UCSD[UCSD gateway] <-.-> n7apo[N7APO gateway]
44.88.0.0/16 <-.-> n7apo
44.4.0.0/16 <-.-> n7apo
Prerequisites
- IP allocation in [AMPRnet]. Let's imagine it to be 44.200.200.0/28.
- DNS entries provisioned by the regional coordinator. Let's imagine something like:
  44.200.200.1 callsign.ampr.org
  44.200.200.2 packet.callsign.ampr.org
Edge/firewall setup
I'm using a separate VM to do the routing, with two network interfaces. This means that on my edge-facing router it was necessary to forward all IP-in-IP (ipencap, protocol 4) packets to the VM's internal address. Note that IP-in-IP carries no authentication: once that rule is in place, any host on the internet can deliver protocol-4 packets to the VM, so the VM has to firewall what arrives on tun44 (or the accept rule needs to be narrowed to the gateway addresses learned from ampr-ripd) rather than trusting whatever is inside the encapsulation.
The basic topology in my home setup.
flowchart LR;
Internet --> Router
Router --> gw[N7APO gateway VM]
gw <--> packet[Packet station]
gw <--> project2
On an EdgeRouter this looks something like
# under firewall, name WAN_IN
rule 20 {
    action accept
    protocol 4
}
# under service, nat
rule 20 {
    description "AMPR"
    inbound-interface pppoe0
    inside-address {
        address 10.20.10.155
    }
    protocol 4
    type destination
}
AMPR gateway virtual machine
The gateway is an Ubuntu VM running in Proxmox. It has two network interfaces: an internal one with IP 10.20.10.155, and an AMPRnet-only one with IP 44.200.200.1.
The basic idea
Allow packet forwarding
Create /etc/sysctl.d/local.conf
and add
# enable tunnel forwarding for ampr (ip_forward=1 turns forwarding on for every interface)
net.ipv4.ip_forward=1
# strict reverse-path filtering would drop the replies that policy routing steers
# through tun44. The kernel uses the higher of conf.all and conf.<iface>, so the
# per-interface value (Ubuntu's default is 2, loose) still applies to tun44.
net.ipv4.conf.all.rp_filter=0
# only takes effect if tun44 already exists when sysctl runs at boot; harmless otherwise
net.ipv4.conf.tun44.forwarding=1
Create interfaces with netplan
Netplan is the more modern way of configuring network interfaces.
network:
  version: 2
  ethernets:
    ens18:
      addresses:
        - 10.20.10.155/16
      # gateway4 is deprecated in newer netplan in favour of a default route under routes:
      gateway4: 10.20.1.1
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
        search: []
    ens19:
      addresses:
        - 44.200.200.1/28
  tunnels:
    tun44:
      mode: ipip
      local: 10.20.10.155
      # no fixed remote: every AMPR gateway is a peer of this one tunnel device
      remote: 0.0.0.0
      mtu: 1472
      addresses:
        - 44.200.200.1/32
      # table 45: traffic for the internet goes back through the UCSD gateway
      routes:
        - to: default
          via: 169.228.34.84
          on-link: true
          table: 45
      routing-policy:
        # connections marked 45 by the mangle rules below always use table 45
        - to: 0.0.0.0/0
          mark: 45
          table: 45
          priority: 9
        # table 44 holds the per-subnet routes installed by ampr-ripd
        - to: 44.0.0.0/9
          from: 44.200.200.0/28
          table: 44
          priority: 10
        - to: 44.128.0.0/10
          from: 44.200.200.0/28
          table: 44
          priority: 10
        - to: 0.0.0.0/0
          from: 44.200.200.0/28
          table: 45
          priority: 20
Set up ampr-ripd daemon
The UCSD gateway sends the AMPRnet route table as RIPv2 announcements every five minutes. Something needs to receive these to know which remote gateway each 44net subnet is tunnelled to; that is ampr-ripd's job, and it installs the routes into table 44 pointing out of tun44.
Get the ampr-ripd source and build it (`apt-get install build-essential && make`). Install it as a systemd unit in /etc/systemd/system/ampr-ripd.service, then run `systemctl daemon-reload` and `systemctl enable ampr-ripd`. The unit runs as root, so prefer copying the binary somewhere root-owned such as /usr/local/sbin over running it out of a home directory; otherwise anyone who can write to that directory can run code as root at the next restart.
[Unit]
Description=AMPR routing
# After= only orders the unit; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/home/andy/ampr-ripd/ampr-ripd -d -r -s -i tun44 -t 44 -m 90
Restart=on-failure
[Install]
WantedBy=multi-user.target
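To make the ampr-ripd step concrete, here is an added example written for this page (it is not the post's code and not ampr-ripd's) that decodes a RIPv2 response of the kind the gateway receives, following the RFC 2453 layout, and turns it into the `ip route` lines that end up in table 44. The packet, the prefixes, the TEST-NET gateway addresses and the authentication password are all constructed here; the one real address is the UCSD gateway IP from the netplan config above. Two checks a receiver should make are shown: only prefixes inside 44.0.0.0/9 and 44.128.0.0/10 are installed, and a packet without the expected password is rejected. It also collects the distinct gateway addresses, which is what you would need to narrow the WAN_IN rule from "any protocol-4 source" to known peers.

```python
"""Decode a RIPv2 route announcement the way the ampr-ripd step consumes it.

Added example for this page; not code from the post or from ampr-ripd.
Packet layout follows RFC 2453.  Everything under SAMPLE_* is constructed:
made-up prefixes, TEST-NET gateways and a made-up authentication password.
"""
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2
METRIC_UNREACHABLE = 16
ENTRY_FMT = "!HH4s4s4sI"                 # afi, route tag, address, mask, next hop, metric
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 20 bytes per entry

# Only prefixes inside AMPRnet get installed: the same two ranges as the routing policy.
AMPRNET = [ipaddress.ip_network("44.0.0.0/9"), ipaddress.ip_network("44.128.0.0/10")]


def build_rip_response(routes, password=None):
    """Encode (prefix, gateway-or-None, metric) triples as a RIPv2 response.
    A gateway of None encodes next hop 0.0.0.0, i.e. 'route via the sender'."""
    pkt = bytearray(struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0))
    if password is not None:             # simple-password auth entry must come first
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    for prefix, gateway, metric in routes:
        net = ipaddress.ip_network(prefix)
        hop = ipaddress.ip_address(gateway or "0.0.0.0")
        pkt += struct.pack(ENTRY_FMT, AFI_IP, 0, net.network_address.packed,
                           net.netmask.packed, hop.packed, metric)
    return bytes(pkt)


def parse_rip_response(data, sender, password=None):
    """Return [(network, gateway)] pairs worth installing.

    Raises ValueError on a malformed packet or, when a password is required, on a
    packet that does not carry it.  Entries outside AMPRnet, with an invalid
    metric (16 = unreachable) or with a bad address/mask pair are skipped."""
    if len(data) < 4 or (len(data) - 4) % ENTRY_LEN:
        raise ValueError("truncated RIP packet")
    command, version, _ = struct.unpack("!BBH", data[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION:
        raise ValueError(f"not a RIPv2 response (cmd={command}, ver={version})")

    entries = [data[i:i + ENTRY_LEN] for i in range(4, len(data), ENTRY_LEN)]
    authenticated = False
    routes = []
    for index, raw in enumerate(entries):
        if struct.unpack("!H", raw[:2])[0] == AFI_AUTH:
            if index != 0:
                raise ValueError("authentication entry must be first")
            auth_type, secret = struct.unpack("!H16s", raw[2:])
            authenticated = (auth_type == AUTH_SIMPLE and password is not None
                             and secret.rstrip(b"\0") == password.encode())
            continue
        afi, _tag, addr, mask, hop, metric = struct.unpack(ENTRY_FMT, raw)
        if afi != AFI_IP or not 1 <= metric < METRIC_UNREACHABLE:
            continue
        try:
            net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))
        except ValueError:               # host bits set or non-contiguous mask
            continue
        if not any(net.subnet_of(block) for block in AMPRNET):
            continue                     # never let an announcement steer non-44 space
        gateway = str(ipaddress.IPv4Address(hop))
        routes.append((str(net), sender if gateway == "0.0.0.0" else gateway))

    if password is not None and not authenticated:
        raise ValueError("announcement not authenticated; ignoring")
    return routes


def route_commands(routes, table=44, dev="tun44"):
    """The 'ip route' lines equivalent to what ampr-ripd installs in table 44."""
    return [f"ip route replace {net} via {gw} dev {dev} onlink table {table}"
            for net, gw in routes]


def tunnel_peers(routes):
    """Distinct outer addresses that will send us protocol-4 packets (allow-list material)."""
    return sorted({gw for _, gw in routes}, key=lambda g: int(ipaddress.IPv4Address(g)))


SAMPLE_SENDER = "169.228.34.84"          # the UCSD gateway address from the netplan config
SAMPLE_PASSWORD = "not-the-real-one"     # constructed placeholder, not a real RIP password
SAMPLE_ROUTES = [                        # constructed announcement
    ("44.2.2.0/24", "203.0.113.10", 1),   # ordinary entry in 44.0.0.0/9
    ("44.131.14.0/24", "198.51.100.7", 1),  # ordinary entry in 44.128.0.0/10
    ("44.2.3.0/24", None, 1),            # next hop 0.0.0.0: reach it via the sender
    ("10.0.0.0/8", "192.0.2.1", 1),      # outside AMPRnet: must be ignored
    ("44.4.0.0/16", "192.0.2.2", 16),    # metric 16: withdrawn, must be ignored
]
SAMPLE_PACKET = build_rip_response(SAMPLE_ROUTES, SAMPLE_PASSWORD)

if __name__ == "__main__":
    learned = parse_rip_response(SAMPLE_PACKET, SAMPLE_SENDER, SAMPLE_PASSWORD)
    print("\n".join(route_commands(learned)))
    print("peers:", tunnel_peers(learned))
```

Running it prints three `ip route replace ... table 44` lines (the 10/8 and metric-16 entries are dropped) and the three peer addresses; feeding the same packet with a different password raises ValueError instead of installing anything.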
Set up munging rules
Almost done. We just need to create some munging rules. The goal is that a connection which arrives from the internet through the tunnel gets its reply sent back through the tunnel as well, rather than out via the VM's default route through the home router, which would break the connection. Connection marks are used for this: the first packet of such a connection is marked 45 in PREROUTING, the mark is restored onto every later packet of the same connection, and the routing policy above sends mark-45 traffic to table 45.
Combined with the netplan routing policy, this says that table 44 is used for AMPRnet traffic (44.0.0.0/9 and 44.128.0.0/10, the parts of 44/8 still in AMPRnet; its routes are populated and updated by ampr-ripd) while table 45 is used to tunnel internet traffic back through the UCSD gateway.
# traffic from other AMPRnet stations also arrives on tun44; leave it unmarked so
# replies follow table 44 back to that station's gateway
iptables -t mangle -A PREROUTING -i tun44 -s 44.0.0.0/9 -j RETURN
iptables -t mangle -A PREROUTING -i tun44 -s 44.128.0.0/10 -j RETURN
# anything else on tun44 came from the internet via UCSD: mark the connection 45
iptables -t mangle -A PREROUTING -i tun44 -j CONNMARK --set-mark 45
# replies from internal hosts (forwarded) and from the gateway itself (OUTPUT)
# get the packet mark restored, so the mark-45 policy rule sends them to table 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark
Finally install `iptables-persistent` and run `netfilter-persistent save` to keep these rules across reboots.
Notes
- Routes are sent every five minutes from the UCSD gateway.
- Sometimes traffic takes a while to appear e.g. after a reboot. Resist the urge to start changing configuration to troubleshoot right away; `ip route show table 44` tells you whether ampr-ripd has received an announcement yet, and `tcpdump -ni ens18 ip proto 4` shows whether encapsulated packets are reaching the VM at all.
- The ampr-ripd use of raw sockets with `-r` is needed, despite the docs saying it is ignored!
- MTU 1472 may be needed on downstream clients where there are multiple encapsulation steps (e.g. IP-in-IP-in-PPPoE).
Todo
The system is functional. ICMP ping works end to end but has a couple of issues: the N7APO gateway answers from its internal IP address, and traceroute from 44net devices gets no responses from along the route.