Skip to content

Setting up an AMPR gateway

As an amateur radio operator I've had a 44net allocation for a little while but hadn't put it to use. Since a lot of the information on the web is a little outdated, it's been good to learn some networking getting this set up.


Conceptually, AMPRnet over the internet is a mesh, not a star. IP-in-IP tunnels are used to shuttle traffic across the internet.

flowchart LR;
Internet <--> UCSD
UCSD[UCSD gateway] <-.-> n7apo[N7APO gateway] <-.-> n7apo <-.-> n7apo


  1. IP allocation in [AMPRnet]. Let's imagine it to be
  2. DNS entries provisioned by the regional coordinator. Let's imagine something like:

Edge/firewall setup

I'm using a separate VM to do the routing with two network interfaces. This means on my edge-facing router it was necessary to forward all IP-in-IP (ipencap, protocol 4) packets to the internal address

The basic topology in my home setup.

flowchart LR;
Internet --> Router 
Router --> gw[N7APO gateway VM]
gw <--> packet[Packet station]
gw <--> project2

On an EdgeRouter this looks something like

# under firewall, name WAN_IN
rule 20 {
    action accept
    protocol 4

# under service, nat
rule 20 {
    description "AMPR"
    inbound-interface pppoe0
    inside-address {
    protocol 4
    type destination

AMPR gateway virtual machine

The gateway is an Ubuntu VM running in Proxmox. It has two network interfaces, an internal one with IP, and a AMPR-net only one, IP

The basic idea

Allow packet forwarding

Create /etc/sysctl.d/local.conf and add

# enable tunnel forwarding for ampr

Create interfaces with netplan

Netplan is the more modern way of configuring network interfaces.

        search: []
      mode: ipip
      mtu: 1472
        - to: default
          on-link: true
          table: 45
      - to:
        mark: 45
        table: 45
        priority: 9
      - to:
        table: 44
        priority: 10
      - to:
        table: 44
        priority: 10
      - to:
        table: 45
        priority: 20

Set up ampr-ripd daemon

The UCSD gateway sends routes every five minutes. Something needs to receive these to be able to configure the point-to-point tunnels.

Get the ampr-ripd source. Build from source apt-get install build-essential && make.

Install as a systemd unit in /etc/systemd/system/ampr-ripd.service. Then systemctl daemon-reload and systemctl enable ampr-ripd

Description=AMPR routing

ExecStart=/home/andy/ampr-ripd/ampr-ripd -d -r -s -i tun44 -t 44 -m 90


Set up munging rules

Almost done. We just need to create some munging rules. The main goal here is for traffic that comes from the internet over the tunnel, the reply should also be sent back through the tunnel. Marks are used for this.

Combined the with the netplan routing policy, we are saying table 44 is used for traffic (and all of its routes are populated/updated by ampr-ripd) while table 45 is used to tunnel internet traffic back through the UCSD gateway.

iptables -t mangle -A PREROUTING -i tun44 -s -j RETURN
iptables -t mangle -A PREROUTING -i tun44 -s -j RETURN
iptables -t mangle -A PREROUTING -i tun44 -j CONNMARK --set-mark 45
iptables -t mangle -A PREROUTING ! -i tun44 -m connmark --mark 45 -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m connmark --mark 45 -j CONNMARK --restore-mark

Finally install iptables-persist to save these rules across reboots.


  • Routes are sent every five minutes from the UCSD gateway.
  • Sometimes traffic takes a while to appear e.g. after a reboot. Resist the urge to start changing configuration to troubleshoot right away.
  • The ampr-ripd use of raw sockets with -r is needed, despite the docs saying it is ignored!
  • MTU 1472 may be needed on downstream clients where there's multiple encapsulation steps (e.g. IP-in-IP-in-PPPoE).


The system is functional. ICMP ping requests work fine end to end but have a couple of issues: the N7APO gateway returns its internal IP address, and traceroute from 44 net devices don't get any responses from along the route.