Marc's Blog

Things from me about me …

HowTo setup an AMPRnet Gateway on Linux


I have had to set up many AMPRnet gateways on Linux machines and always had a hard time remembering the individual steps, so this post is a quick-start guide.

I have been using the RIP44d daemon for all my installations, so we'll start by downloading the current version of RIP44d:

sudo wget -O /usr/local/sbin/rip44d https://raw.github.com/hessu/rip44d/master/rip44d

The file needs to be executable by root:

sudo chmod 744 /usr/local/sbin/rip44d

Next we need a starter script which does all the magic around RIP44d: bringing up the IPIP tunnel interface, enabling IP forwarding via sysctl, and so on. I usually create a file in /usr/local/sbin called startampr with the following content:

#!/bin/sh
##################################################################
## This script was developed by KB3VWG on a standard Ubuntu 12.04.1 LTS PC
## with IPv4 forwarding enabled in /etc/sysctl.conf by changing the
## net.ipv4.ip_forward variable to 1, eth0 configured to the Public facing
## LAN and eth1 to the 44LAN. It is designed to enable an AMPR Router using the
## rip44d_table44 file, the standard rip44d, using the -t switch to add routes
## to routing table '44' with no further configuration needed (firewall optional)
##################################################################
## This script was modified by LX1DUC to automate even more tasks.
##################################################################

########################################
### ENABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=1

########################################
### ENABLE IPIP TUNNEL INTERFACE tunl0 ###
### you must enable the tunnel before specifying routes using the tunnel
modprobe ipip
ip addr add 44.256.0.1/32 dev tunl0
### gives tunnel its own TTL of 64 enabling traceroute over tunnel
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up

########################################
### FIREWALL TO COMPLY WITH AMPR ROUTING RULES ###
### REGARDING TEST SUBNET ###
iptables -A FORWARD -s 44.128.0.0/16 -j REJECT
iptables -A FORWARD -d 44.128.0.0/16 -j REJECT

########################################
### LAN ROUTING RULES (required if used as the LAN’s gateway) ###
### Allows 44LAN to use main routing table to access LAN (optional)
### (NAT/masquerade from 44.60.44.0/24 to must be configured
### if LAN hosts do not use AMPR Router as their LAN Gateway)
#ip rule add from 44.60.44.0/24 to table main priority 1

########################################
### AMPR ROUTING RULES ###
### Per PE1CHL: ‘This is “required” to get routing of the net-44 traffic correct ###
### and have a default route for the tunneled traffic different from the default ###
### route of the system. It may be possible to get it working without this, but ###
### policy based routing is so much easier.’ ###
### Packets to and from the 44 Network use Route Table 44
ip rule add to 44.0.0.0/8 table 44 priority 44
ip rule add from 44.256.0.0/24 table 44 priority 45

########################################
### TABLE 44 ROUTES ###
### Default Route [Internet Access] using AMPRGW for 44/8 hosts (optional)
### do NOT change the IP 169.228.66.251, this is the central AMPR Gateway
### and all traffic leaving AMPRnet towards the internet MUST pass this router.
ip route add default dev tunl0 via 169.228.66.251 onlink table 44
### Leave the 44.0.0.1 route below commented if the default route is used,
### in which case, RIP44 will create it automatically
### ip route add 44.0.0.1 dev tunl0 via 169.228.66.251 onlink table 44 window 840
### Adds 44LAN Network to Table 44
ip route add 44.256.0.0/24 dev eth1 table 44
########################################

### STARTS THE rip44d ROUTER DAEMON - removing the WAN IP address of the local gateway ###
### (rip44d announcements, 44LAN route, and removing local WAN IP with -a switch
### equals full AMPR routing table)
/usr/local/sbin/rip44d -a 192.0.2.1 -p pAsSwOrDgOeShErE -t 44 < /dev/null &

Many thanks to KB3VWG and PE1CHL.

The file must also be executable by root:

sudo chmod 744 /usr/local/sbin/startampr

IMPORTANT, please replace the invalid IP address network 44.256.0.0/24, the invalid IP address 44.256.0.1 and the documentation IP 192.0.2.1 according to your local setup:

  • 44.256.0.0/24 must be replaced with your network and netmask (your netmask may differ from /24!!!)
  • 44.256.0.1 should be replaced by the IP address assigned to the gateway on your AMPRnet LAN
  • 192.0.2.1 should be replaced by your public static IP address

Next you can execute:

sudo startampr &

TODO:

  • set up iptables to limit access to the system
  • set up an AMPRnet gateway behind NAT (hopefully there will be another solution for this soon)
  • detect external public IP address automatically

UPDATES:

  • make startampr script executable
  • show how to launch startampr
  • explain the IP address 169.228.66.251

23 Comments

  1. Hi Marc,

    Thanks a lot for this post. Please let me know what is the address 169.228.66.251 ??? Is it the ethernet port IP of your Linux Box?

    73 de Demetre SV1UY

    • 169.228.66.251 is the IP of the UCSD router. All traffic originating from within 44.0.0.0/8 towards the internet MUST be routed via the UCSD router. In case you have defined a DNS name for your IP addresses and you want them to be really reachable from the internet (anything outside 44.0.0.0/8) you MUST have that route in your routing table.

  2. Oh I forgot, do you think this script will work with a GATEWAY without a static IP? I have a Dynamic IP. Will it work if I put my hostname (sv1uy.dyndns.org) instead of my Internet IP in the last line of the script?

    73 de Demetre SV1UY

    • In case the dynamic public IP address is delegated to eth0, you may try:

      /usr/local/sbin/rip44d -a `ip -o -f inet addr show dev eth0 scope global |awk '{print $4}'|awk -F "/" '{print $1}'` -p pLaInTeXtpAsSwD -t 44 < /dev/null &

      If you use another interface name for your external public interface, please substitute eth0 by that name.

      I haven't tested this, so you may need to verify if it really works.

      Also, when your dynamic IP changes you will have to restart RIP44d. Currently this only works by killing the process and restarting the process with the above command line.

      • Alternatively, in case you are using a DynDNS service you may use this command line:

        /usr/local/sbin/rip44d -a `dig +short your-dynamic-host-name.example.local` -p pLaInTeXtpAsSwD -t 44 < /dev/null &

        HOWEVER! This requires the following:

        - the hostname record MUST be an IN A record, it MUST NOT be an IN CNAME record which points towards an IN A record!
        - the hostname MUST have been updated before you restart RIP44d using that command, so you may want to have a delay of several seconds/minutes between running your dyndns script and restarting your RIP44d.

        If your dyndns client is "intelligent" it can run an external script after your IP address has been updated, add sleep 120; at the beginning of the script and you have a wonderful delay H-I.
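The dig-based restart described above, and the ";;connection timed out;;" failure reported in comment 6, as an added example that is not part of the original post or replies: it validates the dig output before it reaches rip44d's -a option and restarts only when the address has changed. It goes beyond the reply in that it also skips a CNAME line instead of requiring a pure A record; the state file path and the script name in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Host name and state file are
# assumptions; the rip44d options are the ones used in the reply above.

# Succeeds only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the first valid IPv4 line of dig output ($1); fails if there is none.
# CNAME targets ("host.example.net.") and ";; ..." error text are skipped.
first_a_record() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if is_ipv4 "$line"; then
            printf '%s\n' "$line"
            break
        fi
    done | grep .
}

# Restarts rip44d only when the name resolves to a valid, changed address.
refresh_rip44d() {
    host=$1
    state=${2:-/var/run/rip44d.addr}
    new=$(first_a_record "$(dig +short "$host" A 2>&1)") || {
        echo "no usable A record for $host, leaving rip44d untouched" >&2
        return 1
    }
    [ "$new" = "$(cat "$state" 2>/dev/null)" ] && return 0
    pkill -f '/usr/local/sbin/rip44d -a '
    /usr/local/sbin/rip44d -a "$new" -p pLaInTeXtpAsSwD -t 44 < /dev/null &
    printf '%s\n' "$new" > "$state"
}

# Only act when called as: refresh-ampr --refresh your-dynamic-host-name.example.local
if [ "${1:-}" = "--refresh" ]; then
    refresh_rip44d "$2"
fi
```

Run from cron or from the dyndns client's post-update hook, a failed lookup leaves the running rip44d in place instead of restarting it with error text as its address.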

  3. FB FB FB Marc,

    I think I am full of information now. I hope I can make it work soon. Will let you know of the outcome.

    I’m much obliged.

    73 de Demetre SV1UY

  4. Since a lot of people end up pointing DMZ to their gateway, the iptables to limit access is a good idea. It would seem local to lock it down to just the outside IP’s of all the gateways. If you get around to the iptables part, I hope you share that too.

  5. Yes this is a very good idea. I have finally managed to make my GATEWAY work using the DMZ trick, because the XYL and YL were watching ONLINE TV and fetching my router up and down in order to try to make my DD-WRT forward IP protocol 4 properly, did not make me very popular.

    I only have to try ddclient in my LinuxBox now so that whenever my IP changes (I am on Dynamic IP here) the rip44d line gets the correct IP after the -a and restarts somehow.
    I used my WAN IP as a static and it works. My routing table is getting populated beautifully now by RIP V2 and I have AMPRnet access.

    If you have any examples on how to make an IPTABLES script to secure our Gateways, please let us know.

    73 de Demetre SV1UY
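The lock-down suggested in comments 4 and 5 (accept IPIP only from the outside addresses of known gateways), as an added example that is not part of the original post or comments: it reads the gateway addresses from routing table 44 and prints the ipset and iptables commands as a dry run. The set names and the sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The set names are assumptions.
# It prints commands (dry run); pipe the output to sh as root to apply them.

# Constructed sample of `ip route list table 44` output. The two tunnel
# gateways use documentation addresses; 169.228.66.251 is the AMPR gateway.
SAMPLE_ROUTES='default via 169.228.66.251 dev tunl0 onlink
44.128.1.0/24 via 198.51.100.7 dev tunl0 onlink window 840
44.128.2.0/28 via 203.0.113.20 dev tunl0 onlink window 840
44.128.3.0/24 via 198.51.100.7 dev tunl0 onlink window 840
44.128.9.0/24 dev eth1 scope link'

# Prints the unique IPv4 "via" addresses from route-table text ($1).
gateways_from_routes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "via" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                print $(i + 1)
    }' | sort -u
}

# Prints the rules to install once: IPIP is accepted from set members only.
emit_iptables_once() {
    echo "ipset create amprgw hash:ip -exist"
    echo "iptables -A INPUT -p 4 -m set --match-set amprgw src -j ACCEPT"
    echo "iptables -A INPUT -p 4 -j DROP"
}

# Prints the commands that rebuild the set from gateway list $1. The new set
# is filled first and then swapped in, so the live set is never empty.
emit_ipset_refresh() {
    echo "ipset create amprgw_new hash:ip -exist"
    echo "ipset flush amprgw_new"
    for gw in $1; do
        echo "ipset add amprgw_new $gw -exist"
    done
    echo "ipset swap amprgw_new amprgw"
    echo "ipset destroy amprgw_new"
}

# Live use (from cron, after emit_iptables_once has been applied):
#   emit_ipset_refresh "$(gateways_from_routes "$(ip route list table 44)")" | sh
```

Because startampr adds the default route via 169.228.66.251 statically, that address is always in the set; the set has to be refreshed periodically, since other gateways' public addresses change with the routes rip44d installs.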

  6. Marc,

    Finally I am running the script you proposed:

    /usr/local/sbin/rip44d -a `dig +short your-dynamic-host-name.example.local` -p pLaInTeXtpAsSwD -t 44 < /dev/null &

    since I am behind a router in the DMZ zone and my eth0 has a local ip in the range of 192.168.x.xx and my AMPRnet routing tables work fine, until the IP address of my Internet connection changes due to a power cutoff or internet going down etc. In fact I faced this problem today. There was a 9 hour electricity interruption due to cables being changed, and when my AMPRnet gateway was up and running again I had a new IP address, as expected.
    After a while when I did a "ps ax" looking for rip44d. I saw that in the position of my new IP address the line was stating ;;connection timed out;; and other stuff.

    I use ddclient in my LINUX BOX to update my DNS Host (sv1uy.dyndns.org) and I wonder how could I go on with a CRONTAB script that checks the "ps ax | grep rip44d" output and if it shows a ";;connection timed out;;" string to kill and restart rip44d?

    Would you be kind enough to help here, whenever you are not busy?

    73 de Demetre SV1UY

    • I’ll think about a clean way to do things right 🙂 No promises …

    • Hi,

      Can you share your configuration and crontab script? I have a similar problem. My provider changes my dynamic address every hour, and for this reason I must restart my ripd daemon like you wrote. It is a nice idea for this configuration.
      I have my computer for AmprNet gateway on this:

      | AMPRGw 192.168.1.100|

      How to setup iptables to pass IPIP to 192.168.1.100 ??
      iptables -t nat -A PREROUTING -p 4 -j DNAT --to-destination 192.168.1.100
      iptables -t nat -A PREROUTING -p udp --dport 520 -j DNAT --to-destination 192.168.1.100

      • Oops, I see that the diagram of my network was cut from my post again

        Inet access – |OpenWRT router| — ethernet | AmprGW 192.168.1.100|

        I must setup iptables on OpenWRT router

  7. FB FB FB Marc,

    Whatever you do thanks. You have already been great help to my AMPRnet comeback. I have forgotten much of the stuff I used to do with LINUX (not that I was any good in the past! hi hi hi!!!)

    During the past 15 years I have been working in the datacomms department of a bank so I have forgotten most of my LINUX stuff!

    73 de Demetre SV1UY

  8. I have found other solution ripd2 daemon :

    ampr-ripd or amprd

    http://www.yo2loj.ro/hamprojects/

  9. I suspect the intent (of Heikki et al) was to keep that password from being published … I suspect it would have helped me though if I hadn’t been paranoid to read all the docs anyway 😉

  10. Marc,

    Thank you for this blog on AMPRnet. I am very new at this and am trying to get my gateway up and running this past few months but seeing a lot of misinformation till I found this yesterday.

    I need a few pointers if you are willing to assist.

    I have my computer behind a router in the DMZ and it seems to be accessible, pingable, etc. I did the scripts above and created the file amprstart as instructed. When I run the startampr I see this…
    n5jep@n5jep:~$ sudo startampr &
    [7] 6726
    n5jep@n5jep:~$

    Not sure what that means at this point. As I am the only person in our little town with any experience in this (well, none) I appreciate any help you can offer.

    -Leo, N5JEP, Paris, Texas,
    n5jep.ampr.org 44.28.0.227

    • Hello Leo,

      the output you posted usually means that everything went fine. You may want to use the command “ps faux” to check if rip44d is running. (BTW if you don’t have the real password, run “/usr/local/sbin/rip44d -a 192.0.2.1 -t 44” (change 192.0.2.1 as required) and wait for the password to appear, then press Ctrl-C and copy paste the password into the startampr script.) You may also run “ip route list table 44” to show all the routes that were added to table 44.

  11. Hi,

    I have some problems getting the password. If I use ./rip44d -a 82.176.84.82 -t 44 I don't get a password.
    The ampr routes are coming in. tcpdump -i eth0 -vvv host 82.176.84.82.
    But I don't see the password.

    What am I doing wrong? I’m lost.

    Tnx Niels PD2LT

  12. My radio is transmitting gibberish through ax0. I am running linux rms gateway, my output of route -n routing table 44.0.0.0 with ax0. opening browser after booting machine this shows up and transmits rf. I am able to stop it with this command ip addr flush ax0.
    Is there something I can do to stop this without losing my gateway?
    thx

    • AFAIK Linux RMS Gateway is used for WinLink Mail via HF, VHF and UHF. So I’m not sure you should route any 44net traffic to the WinLink interface. I might be wrong here, I have never set up an RMS gateway, although I always thought about it, maybe I’m going to do so this winter…
