AmprNet Gateway Setup on a PC

The Computer Setup:

Dell OptiPlex GX280 (Intel 3.2 GHz CPU), 3 GB of RAM, 160 GB HD, (2) 1 Gb Ethernet adapters:
  • Built-in Ethernet adapter for Internet connection.  
  • PCI Ethernet adapter for the AmprNet Network.
Debian 11.5.0 32-bit netinstall image.  It is not in the scope of these instructions to show you how to install Debian, so please search Google for information on the topic if needed.

The SSH server and the standard system utilities were the only software options selected for the bare Debian 11 install.

After the installation was completed, log in as root and make sure Debian has the latest fixes and patches:  apt update && apt full-upgrade -y  

If you want to use sudo, it is not installed by default on Debian so again search Google on how to install it.  sudo was installed on my machine after getting the server/gateway up and running for future administration and security.

Reboot to make sure updates, if any, take effect (old Windows habit).


Some Programs:

Next, the following programs were installed.  Some may already be installed so Debian will bypass them.
  • screen (optional):  This software allows you to connect back to a particular session if you are remote and lose connection to your server/gateway.
  • compile tools:  Needed to compile software.
  • iptables-persistent:  This installs the most used Linux firewall, iptables, and its tools, well to my knowledge.  When asked, it's not necessary to save the current IPv4 and IPv6 iptables rules.
  • psmisc:  Installed for the killall command.  Used for the update-server script found on the Server Nic Nac page.
  • curl (optional):  Used to install optional software also found on the Server Nic Nac page.
  • cron:  Used to schedule tasks.  This is more than likely already installed.
  • tcpdump: Useful networking tool.
  • traceroute: Useful networking tool.  This is more than likely already installed.
apt install -y avahi-daemon screen build-essential iptables-persistent psmisc curl tcpdump traceroute

Reboot.  (Again, old Windows habit)

Gateway Setup:

The above image depicts the current configuration, which I believe is the most basic, and these steps were compiled from many sources found on the AmprNet wiki and Google.
 
These instructions are assuming...
  • You are licensed in your country as an Amateur Radio operator.  It is required in order to be assigned an AmprNet IP network segment.  Your call will be checked.
  • This installation is being performed on a fresh Debian 11 server (no desktop environment) install.
  • You have signed up on the AmprNet Portal and requested an AmprNet network segment assignment.  The segment will be assigned to you in the form of 44.X.Y.Z/BITMASK and will need to be changed throughout these instructions where appropriate.  When you receive your IP information, you will need to go back to the portal and set up your gateway so that you receive RIP announcements and the rest of the AmprNet knows how to find you.  Make sure you visit the main AmprNet website ARDC and the 44Net Mailing List for more information about TCP/IP Networking for Amateur Radio.  Trust me, it helps.  I am still learning.
  • You are issued a Dynamic IP address by your ISP.  Having a static IP is preferred because they never change but my ISP does not offer them to residential customers along with probably millions of others in the World.  I have documented here how to use your public dynamic IP with your gateway.
  • Your ISP and/or its CPE (Customer Premises Equipment) does not filter out IP Protocol 4 (IPIP Tunneling), which is needed in order for any of this to work. But!!!!!!  If this does not work in the beginning after following these instructions, and you are sure you followed every step as documented, do not give up and immediately assume your ISP is blocking IP Protocol 4 and it's all over.  I assumed this in the beginning but found that the rented CPE from my ISP, which is a basic modem/router/WIFI AP combo, was the cause of my issues the whole time.  As one ham said in the mail group while I was troubleshooting this issue, "their stuff is not made for us", LOL.  I bought an aftermarket router and put my modem/router combo CPE in BRIDGE MODE, which makes it a basic modem and disables routing, WIFI, and any other proprietary features offered by that device.  Plus, the WIFI on it was failing anyway so replacing it was on my to-do list.
  • The server/gateway machine you are attempting to use has at least 2 Network Interfaces, 1 for your Internet connection and 1 for, what's going to become, your "LOCAL" AmprNet network. 
  • Your current Internet connection at the server/gateway's home is behind a NAT router as mentioned above.
  • All of the above satisfies your needs.
After receiving the AmprNet Segment assignment, configure the 2 Ethernet Interfaces for both the Primary (Internet) and Secondary (Local AmprNet Network) connections. Mine were identified as eth0 for the primary and eth1 for the secondary.  The eth0 settings in Debian were left as DHCP, and a function of my NAT router called Address Reservation was used to assign the server/gateway my chosen internal IP address for internet connections.

The AmprNet Ethernet Interface was configured with a static IP address, using the second usable IP address from my assigned segment, using the first usable IP address for the tunnel IP address explained later in these instructions.  If you have not received your assignment yet, I suggest you wait here until you get it, so you don't get lost and confused.

If you would rather set the Primary Interface as static in Debian itself, and to see how to set up the Secondary (AmprNet) Interface, go HERE.   WARNING: Make these changes locally at the machine, because this is a modification where you can lock yourself out if mistakes are made in the settings and you are physically remote from the computer. After these changes, confirm internet access by pinging google.com or some other site.

If the server/gateway is behind a hardware router as shown in the pic, put the server's local static IP address (mine is 10.10.0.2) in the DMZ zone.  This allows the server/gateway to receive all traffic from the internet, and iptables is used for all of the server/gateway's firewall filtering to and from the Internet and AmprNet networks.  Consult your router's help files to direct you in how this is done.
 
This is how the Public Dynamic IP assigned by my ISP to my main router was handled.  This will make sure the gateway's entry on the AmprNet portal is always updated if/when your Public IP address changes.

Now download, compile and install the ampr-ripd daemon. It listens for AMPRNet gateway announcements and updates the routing table based on the information it receives.
  • cd /usr/src
  • wget http://www.yo2loj.ro/hamprojects/ampr-ripd-2.4.1.tgz 
  • tar -xzvf ampr-ripd-2.4.1.tgz
  • cd ampr-ripd-2.4.1  
  • make 
  • make install
This installs the executable ampr-ripd in /usr/sbin and creates a folder in /var/lib/ called ampr-ripd where the encap.txt file will be saved when downloaded and updated by the ampr-ripd daemon.
 
To test the daemon and verify IP Protocol 4 (ipip tunneling) works through your ISP, CPE and other parts of your Internet network, type the following in order in a terminal session:  
  • modprobe ipip   # Enables the ipip tunneling kernel module  
  • ip addr add 44.X.X.193/32 dev tunl0    # Creates the tunnel interface and assigns an IP. The 32 BITMASK means 1 IP address.
  • ip link set dev tunl0 up                # Enables the tunnel interface.
  • ip link set mtu 1480 dev tunl0     # Sets the tunnel's MTU.
  • ampr-ripd -d -i tunl0                    # Starts the daemon in the terminal.
If there are no issues, about 5 minutes after issuing the ampr-ripd -d -i tunl0 command you should see the RIP announcements.  This means IP Protocol 4 is working as expected and you are good to go; you can stop the daemon with Ctrl-C.

This process was when my issue mentioned earlier was exposed, which showed me that I needed to purchase a new router.  For some reason, the rented ISP's modem/router combo was blocking IP Protocol 4 which kept me from receiving RIP announcements from UCSD, not my ISP themselves.



The 2 scripts below are saved as files to be used together as a Linux service that will enable and disable the AmprNet capabilities of the server/gateway and will be set to run on boot.  It is not necessary to create these as a service, but it makes a cool feature of the gateway.
 
The first script, which is for enabling the service, does three fundamental things:
  • Creates the needed AMPRNet tunnel (interface tunl0).
  • Creates a routing table for AMPRNet (table 44)
    • This routing table is updated dynamically using the AMPR-RIPD daemon.
  • Configures and enables a basic firewall using iptables.

This type of gateway setup will use a total of 2 IP addresses from the assigned network segment, as mentioned earlier: the first usable IP address for the tunnel and the second usable IP address for the AmprNet Ethernet interface (eth1).


Here are explanations of the variables in the scripts: 

my_ampr_network="44.x.x.x/BIT-MASK":    This is your CIDR AMPRNet Network segment assigned to you by the IP coordinator.  I have a /26 (255.255.255.192) BIT-MASK assignment, so that means I have 62 usable hosts, IP addresses starting with 193 and ending with 254.
my_ampr_tunnel_ip="44.x.x.x/32":    This is the Tunnel IP Address.  I used the first usable IP address in my assigned CIDR AmprNet segment, which again starts with 193, and used the BIT-MASK of 32, which means 1 usable IP address.
 
ampr_ripd_password="The_AmprNet_RIPD_Password":    Enter the RIPD AMPRNet password.
 
external_interface="ethX":    This is your Network Interface that's connected to the Internet. Mine is eth0.
 
internal_interface="ethX":    This is your Local AmprNet Network Interface. Mine is eth1. 
 
ssh_port="22":    This is your SSH port number if using ssh to remotely admin your server.  The default is 22 but I used a custom port number to try to make it that much harder for hackers to get in.
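As an added example (not code from the original post or from ampr-ripd), the shell below works out the address plan described above from an assigned segment (network, first usable for the tunnel, second usable for the local AmprNet interface, usable host count), and checks a downloaded encap.txt for entries overlapping that segment, which is what the ampr-ripd -a option is meant to keep out of the table. It assumes the "route addprivate PREFIX encap GATEWAY" line format for encap.txt and runs against a constructed sample, so it needs no tunnel or root access.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the addresses this gateway
# layout uses from an assigned segment and checks a downloaded encap.txt for
# entries that overlap the local segment. Pure shell arithmetic, no ip/iptables calls.

ip2int() {   # dotted quad -> integer; returns 1 if malformed
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }
prefix_mask() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

# True if the integer address lies in 44.0.0.0/9 or 44.128.0.0/10, the two
# prefixes the enable_gw script steers into routing table 44.
in_ampr_space() { [ $(( $1 >> 23 )) -eq 88 ] || [ $(( $1 >> 22 )) -eq 178 ]; }

# ampr_segment_plan 44.X.Y.Z/BITS -> network, tunnel IP (first usable, /32),
# internal-interface IP (second usable), last usable host and usable count.
ampr_segment_plan() {
  addr=${1%/*}; bits=${1#*/}
  case "$bits" in ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1;; esac
  if [ "$bits" -lt 9 ] || [ "$bits" -gt 30 ]; then
    echo "prefix must be /9../30 (at least two usable hosts needed)" >&2; return 1
  fi
  n=$(ip2int "$addr") || { echo "bad address: $1" >&2; return 1; }
  in_ampr_space "$n" || { echo "$addr is not in 44.0.0.0/9 or 44.128.0.0/10" >&2; return 1; }
  mask=$(prefix_mask "$bits"); net=$(( n & mask ))
  [ "$net" -eq "$n" ] || { echo "$1 has host bits set; the network is $(int2ip $net)/$bits" >&2; return 1; }
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  echo "network=$(int2ip $net)/$bits tunnel=$(int2ip $((net + 1)))/32" \
       "internal=$(int2ip $((net + 2))) last=$(int2ip $((bcast - 1))) usable=$((bcast - net - 1))"
}

# encap_covers_segment 44.X.Y.Z/BITS < encap.txt
# Assumes the "route addprivate PREFIX encap GATEWAY" line format (assumption).
# Prints every entry whose prefix overlaps the local segment (such an entry would
# send the gateway's own addresses back into the tunnel); returns 1 if any found.
encap_covers_segment() {
  mine_n=$(ip2int "${1%/*}") || return 2
  mine_b=${1#*/}; found=0
  while read -r kw act pfx enc gw; do
    [ "$kw" = "route" ] && [ "$enc" = "encap" ] || continue   # skip comments and blanks
    p_n=$(ip2int "${pfx%/*}") || continue
    p_b=${pfx#*/}; case "$p_b" in ''|*[!0-9]*) continue;; esac
    if [ "$p_b" -le "$mine_b" ]; then m=$(prefix_mask "$p_b"); else m=$(prefix_mask "$mine_b"); fi
    if [ $(( p_n & m )) -eq $(( mine_n & m )) ]; then echo "overlap: $pfx via $gw"; found=1; fi
  done
  return $found
}

# Constructed sample encap.txt (not real data) for a stand-alone run:
SAMPLE_ENCAP='# constructed sample
route addprivate 44.10.20.0/24 encap 203.0.113.9
route addprivate 44.131.4.0/24 encap 198.51.100.7
route addprivate 44.10.21.64/26 encap 192.0.2.33'

ampr_segment_plan 44.10.20.192/26
if ! printf '%s\n' "$SAMPLE_ENCAP" | encap_covers_segment 44.10.20.192/26; then
  echo "an encap.txt entry overlaps the local segment; check the ampr-ripd -a argument"
fi
```

On the live gateway, replace the sample with `encap_covers_segment 44.X.Y.Z/BITMASK < /var/lib/ampr-ripd/encap.txt` once the daemon has written the file.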
 
 
NOTE:  To permanently enable IP forwarding and the ipip tunneling kernel module at boot:
  • For ip forwarding:
    • type: nano /etc/sysctl.conf
    • un-comment #net.ipv4.ip_forward=1
    • Save the file:    Ctrl-X, (Y)es, Enter
  • For ipip tunneling:
    • type: nano /etc/modules
    • at the bottom type: ipip
    • Save the file:    Ctrl-X, (Y)es, Enter
If you prefer to enable them via the script below instead, un-comment them in the enable_gw file instead.
 

Create the enable function (file) for the service:
  • Create a folder to store these scripts in.    mkdir /etc/amprgw_service  
  • Change into that directory:    cd /etc/amprgw_service  
  • Create a file called enable_gw:    nano enable_gw 
  • Copy/paste the contents below in BLUE into the file.  Make appropriate changes in the Variables section.  
  • Save the file:    Ctrl-X, (Y)es, Enter 
  • Make the file executable:    chmod u+x enable_gw
 
#!/bin/bash
#
# K7ILO 10/2022 AmprNet routing including rules.
# Pulled mainly from Steven - KB9MWR
# Uses ampr-ripd 2.4.1 by Marius, YO2LOJ
# Further explained at: https://k7ilo.blogspot.com/
#
# Referenced from: https://www.qsl.net/kb9mwr/wapr/tcpip/startampr
# https://www.qsl.net/k/kb9mwr//wapr/tcpip/ampr-ripd.html
# https://ioclarity.ca/building-a-raspberry-pi-amprnet-ipip-gateway/
#
#
#################################################################
#    -- Variables:
#----------------------------------------------------------------
my_ampr_network="44.X.Y.Z/BITMASK"    # CIDR AMPRNet Network
my_ampr_tunnel_ip="44.X.Y.Z/32"    # This is your Tunnel IP Address 
ampr_ripd_password="The_AmprNet_RIPD_Password"
external_interface="eth0"    # External interface (Internet Interface)
internal_interface="eth1"    # Internal interface (Local AmprNet Interface)
ssh_port="22"    # SSH Port. Default is 22
#
#
#################################################################
#    -- Enable Forwarding, IP Tunnel and Routing:
#    Enable IP Forwarding
#    Enable IPIP Kernel Module
#    Assign tunnel an ampr ip address.
#    Give the tunnel its own TTL of 64 hops enabling traceroute over the tunnel
#    Bring up the tunnel interface
#    Set the tunnel MTU
#----------------------------------------------------------------
#sysctl -w net.ipv4.ip_forward=1
#modprobe ipip
ip addr add $my_ampr_tunnel_ip dev tunl0
ip tunnel change ttl 64 mode ipip tunl0
ip link set dev tunl0 up
ip link set mtu 1480 dev tunl0
#
#
#################################################################
#    -- Set AmprNet routing table rules:
#    Any packets to any AMPRNet space use routing table 44
#    Any packets from my AMPRNet space use routing table 44
#----------------------------------------------------------------
ip rule add to 44.0.0.0/9 table 44 priority 44
ip rule add to 44.128.0.0/10 table 44 priority 44
ip rule add from $my_ampr_network table 44 priority 45
#
#
#################################################################
#    -- Set AmprNet routes:
#    Default route out of AMPRNet is 169.228.34.84 (The Central AMPR Gateway)
#    Set local route for AMPRNet on local AMPRNet interface
#    Rest of the routes are added dynamically by the AMPR-RIPD routing Daemon.
#----------------------------------------------------------------
ip route add default dev tunl0 via 169.228.34.84 onlink table 44
ip route add $my_ampr_network dev $internal_interface table 44
#
#
#################################################################
#    -- Starts the  ampr-ripd router daemon
# -s saves routes to /var/lib/ampr-ripd/encap.txt
# -r use raw socket instead of multicast
# -t routing table to use
# -i tunnel interface to use
# -p RIPv2 password (latest ampr-ripd defaults to the current valid password)
# -a ampr subnets to be ignored (remove your allocation from the table)
#----------------------------------------------------------------
/usr/sbin/ampr-ripd -p $ampr_ripd_password -s -r -t 44 -i tunl0 -a $my_ampr_network
#################################################################
#
#
###############################################################
# -- Enable Firewall and configure rule set
# Flush all rules to start fresh:
iptables -F
iptables -X
#
# Setting default filter policy:
iptables -P INPUT DROP    # By default drop all incoming connections
iptables -P OUTPUT ACCEPT    # By default allow outgoing connections
iptables -P FORWARD DROP    # by default drop all forwarding connections
#
# This prevents nested ipencap (if it's coming from the tunnel, don't allow protocol 4):
iptables -t raw -I PREROUTING -p 4 -i tunl0 -j DROP
#
#
####################################################################
# Rules for traffic leaving this gateway node, AKA OUTPUT chain
# That is, any traffic leaving from any local IP
####################################################################
# Drops destination unreachable replies to various probe responses:
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
#
# Allow rest of outgoing traffic from this gateway:
iptables -A OUTPUT -j ACCEPT
#
#
#####################################################################
# Rules for traffic coming to this gateway node, AKA INPUT chain
# That is, any traffic destined to any local IP
#####################################################################
# Allow tunnel traffic (ip proto 4) on external interface:
iptables -A INPUT -p 4 -i $external_interface -j ACCEPT
#
# Allow unlimited traffic on loopback and local eth 44 Net adapters:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $internal_interface -j ACCEPT
#
# Allow established sessions to receive traffic back:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# Allow incoming ssh/icmp/ampr-ripd:
iptables -A INPUT -p tcp --sport 1024:65535 --dport $ssh_port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 520 -j ACCEPT
#
# Drop the rest:
iptables -A INPUT -j DROP
#
#
#####################################################################
# Forwarding for traffic passing though this gateway
# That is, any traffic going to or from the local AmprNet space
#####################################################################
# This prevents a general loop - If the traffic comes in the tunnel, don't send it back out the same way:
iptables -I FORWARD -i tunl0 -o tunl0 -j DROP
#
# Drop any traffic leaving via the tunnel that is not from the local AmprNet:
iptables -I FORWARD ! -s $my_ampr_network -o tunl0 -j DROP
#
# Allow established sessions to receive traffic:
iptables -A FORWARD -m conntrack -d $my_ampr_network --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# Allow ssh/icmp connections to my AmprNet:
iptables -A FORWARD -p tcp --sport 1024:65535 -d $my_ampr_network --dport $ssh_port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -d $my_ampr_network -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Drop unwanted traffic from leaking out-or coming in (smb discovery, etc):
iptables -A FORWARD -p udp --dport 10001 -j DROP
iptables -A FORWARD -p udp --dport 137:139 -j DROP
iptables -A FORWARD -p udp --dport 5678 -j DROP
#
# Drops destination unreachable replies to various probe responses:
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP
#
# Finally, allow outgoing connections from the local AmprNet:
iptables -A FORWARD -s $my_ampr_network -j ACCEPT
#
# Drop everything else:
iptables -A FORWARD -j DROP


 
This second script below which is for disabling the service:
  • Removes the tunnel.
  • Clears and resets the iptables firewall. 
Create the disable function (file) for the service: 
  • Change into the amprgw_service directory if not already:    cd /etc/amprgw_service
  • Create a file called disable_gw:    nano disable_gw
  • Copy/paste the contents below in BLUE into the file.  Make appropriate changes in the Variables section. 
  • Save the file:    Ctrl-X, (Y)es, Enter
  • Make the file executable:    chmod u+x disable_gw
 
#!/bin/bash
#

#################################################################
#    -- Variables:
#################################################################
my_ampr_network="44.X.Y.Z/BITMASK"   # CIDR AMPRNet Network
internal_interface="eth1"                             # Local AMPRNet Interface
#
### DISABLE IP FORWARDING ###
sysctl -w net.ipv4.ip_forward=0
#
### Take the tunnel offline and remove its address (so enable_gw can add it again cleanly) ###
ip link set dev tunl0 down
ip addr flush dev tunl0
#
### Remove the table 44 routes ###
ip route delete default dev tunl0 via 169.228.34.84 onlink table 44
#
# Deletes local 44 network from Table 44
ip route delete $my_ampr_network dev $internal_interface table 44
#
# Remove the policy rules added by enable_gw (otherwise each enable adds duplicates)
ip rule delete to 44.0.0.0/9 table 44 priority 44
ip rule delete to 44.128.0.0/10 table 44 priority 44
ip rule delete from $my_ampr_network table 44 priority 45
#
# Stops the  ampr-ripd router daemon
killall -KILL ampr-ripd
#
# Resetting the iptables firewall (the raw table holds the nested-ipencap rule added by enable_gw)
iptables -F
iptables -X
iptables -t raw -F
#
# Setting default iptables filter policy
iptables -P INPUT ACCEPT        # By default allow all incoming connections
iptables -P FORWARD ACCEPT      # By default allow all forwarding connections
iptables -P OUTPUT ACCEPT       # By default allow outgoing connections


Now test by executing each file individually.  While in the /etc/amprgw_service directory, type ./enable_gw, which should create the tunnel.  Check by typing ip a; you should see an interface called tunl0.  Typing iptables -S should show you the loaded iptables rules.  Now run ./disable_gw. The tunnel interface should not be listed and the iptables rules should be cleared.

Create the service and enable it to run at boot:
  • Create the service file:    nano /etc/systemd/system/amprgw.service
  • Copy/Paste the following contents in BLUE into the blank file:
[Unit]
Description=AmprGwService
After=network-online.target
Wants=network-online.target


[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/etc/amprgw_service/enable_gw
ExecStop=/etc/amprgw_service/disable_gw

[Install]
WantedBy=multi-user.target
  • Save the file:    Ctrl-X, (Y)es, Enter
  • Make the file executable:    chmod u+x /etc/systemd/system/amprgw.service
  • Then enable the service:     systemctl enable amprgw
  • Reboot the system:    reboot 
 
After reboot, your gateway's tunnel, firewall rules and routing rules should be active.  You can check this by the same processes you used to test the files earlier, ip a and iptables -S.

After a few minutes, check the /var/lib/ampr-ripd folder and there should eventually be a file called encap.txt.  This is the routing information downloaded by the ampr-ripd daemon.

That's pretty much it.  Once the server/gateway has routes, you should be able to ping pingable AmprNet IP addresses.  You will probably have to ask someone to provide you an IP address for testing like I did. I also asked to have a few reach my AmprNet network from their end.  Again I am still learning so I'm sure I will be tinkering and adding features.

Here are some optional things I did to the server/gateway after confirming it was working... 
  • Added a DHCP server to issue AmprNet clients not needing static IP addresses their dynamic IP's and routing information
  • Added an auto-update script for the server to update every week
Check those out HERE.

Later all and make sure you comment with concerns, corrections and/or questions.
