44Net Wiki - User contributions [en]

Setting up a gateway on Ubiquiti EdgeRouter

2016-11-06T20:09:00Z

4Z5YR:

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

This guide covers only one tunnel to the master AMPRnet gateway at UCSD. This guide doesn't cover the automatic setup of tunnels to other gateways.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Picture [TBD]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI from your home LAN only
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console from your home LAN only
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained.

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Talk:OH7LZB VPN

2016-06-18T22:18:01Z

4Z5YR: Created page with "Hi, LOTW private key certificate is a PKCS12 format (p12 file) To use it with AMPR VPN, you need to first convert it using openssl. Example: openssl pkcs12 -in <callsign>.p12..."

Hi,
LOTW private key certificate is a PKCS12 format (p12 file)
To use it with AMPR VPN, you need to first convert it using openssl.

Example:
openssl pkcs12 -in <callsign>.p12 -out <callsign>.cer

from this text file, copy the private key section

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T17:01:00Z

4Z5YR: /* The plan */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Picture [TBD]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI from your home LAN only
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console from your home LAN only
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained.

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T17:00:15Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI from your home LAN only
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console from your home LAN only
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained.

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:59:54Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI from your home LAN only
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console from your home LAN only
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:58:52Z

4Z5YR: /* Initial setup */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI from your home LAN only
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console from your home LAN only
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:57:30Z

4Z5YR: /* Initial setup */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.

Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:57:13Z

4Z5YR: /* Initial setup */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.

The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:56:15Z

4Z5YR: /* Warning!! */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility if you mess up/brick your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:53:32Z

4Z5YR: /* The plan */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:44:51Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.
• Select tun0 as the interface and select in as the direction.
• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:44:21Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL

• For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.

• Select tun0 as the interface and select in as the direction.

• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:43:35Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option.

• Press the + Add Interface button.

• Select tun0 as the interface and select in as the direction.

• Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:42:59Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL
For each rule, press the actions button on the right and select the interfaces option.

Press the + Add Interface button.

Select tun0 as the interface and select in as the direction.

Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:42:28Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
There should be two rulesets
o WAN_IN
o WAN_LOCAL
For each rule, press the actions button on the right and select the interfaces option.
Press the + Add Interface button.
Select tun0 as the interface and select in as the direction.
Finish by pressing the Save Ruleset button.

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:37:31Z

4Z5YR: /* Finishing touches */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
In configuration mode enter the following
• ubnt@ubnt:~$ save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:36:15Z

4Z5YR: /* Smoke test */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response, you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:32:59Z

4Z5YR: /* Smoke test */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.

To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)

To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.

To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel.

The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.

== Finishing touches ==

If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:31:23Z

4Z5YR: /* Setting up the tunnel */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
Now commit the changes
• ubnt@ubnt:~$ commit
To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
The output should look like this
• description "Tunnel to AMPRNet gateway"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:30:40Z

4Z5YR: /* Initial setup */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
Enter configuration mode
• ubnt@ubnt:~$ configuration
Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
Now commit the changes
• ubnt@ubnt:~$ commit
Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:29:42Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:29:09Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:28:55Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:28:18Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure the following happen:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:27:18Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure of the following:

• Normal routing for your home computers LAN is maintained

• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.

Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:26:45Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:25:44Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"

We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

== Smoke test ==

To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:23:53Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:23:16Z

4Z5YR: /* Setting up source address routing policy */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:22:18Z

4Z5YR: /* Setting up the tunnel */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

== Setting up source address routing policy ==

Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP.
In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:19:34Z

4Z5YR: /* Setting up the tunnel */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

In configuration mode enter the following commands
• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

Setting up source address routing policy
Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP. In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:10:35Z

4Z5YR: /* Assumptions / Pre requisites */

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file

• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org

• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)

• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

Setting up source address routing policy
Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP. In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Setting up a gateway on Ubiquiti EdgeRouter

2016-06-10T16:08:12Z

4Z5YR: Created page with " == Setting up a gateway on Ubiquiti EdgeRouter == EdgeRouter is a low cost professional grade router made by Ubiquiti. All routers in the product family such as EdgeRouter X..."

== Setting up a gateway on Ubiquiti EdgeRouter ==

EdgeRouter is a low cost professional grade router made by Ubiquiti.
All routers in the product family such as EdgeRouter X, EdgeRouter Lite and EdgeRouter PoE run the EdgeOS router operating system.
EdgeOS seems to be an OEM version of Vyatta (now Brocade) and Vyos (an open source version).
The commands are almost identical so with little adjustments this guide could serve the different variant.

EdgeRouter is appealing to anyone interested in setting up a gateway to AMPRNet due to the built in support for the IPIP tunneling protocol.
This guide was created based on my experience with setting up a gateway to AMPRNet using the EdgeRouter PoE model.
I haven't tested it on other models, but since they all use the same OS, it should work with minimal adjustment if any.

== Assumptions / Pre requisites ==

• You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file
• You have registered some hosts in the AMPRNet DNS like <your call sign>.ampr.org
• Your EdgeRouter is upgraded to the latest EdgeOS (currently version 1.8)
• You have used the wizard to set your router as WAN+2LAN, where:
• Interface eth1 is your connection to your ISP
• Interface eth2 is your home LAN where your computers are connected
• Interface eth0 is a second LAN, unused mapped to 192.168.1.1/24
• You have successfully setup the EdgeRouter and it is connected to the internet and providing service to your home computers

== The plan ==

As shown in figure 1.1, we will use eth0 as our AMPRNet LAN where computers and other devices with assigned AMPRNet address
will connect via an IPIP tunnel to the UCSD AMPRNet gateway and the internet.

[[File:Example.jpg]]

Figure 1.1 the network plan

== Warning!! ==

The author does not assume responsibility for you messing up/bricking your router. Please make sure to back up your EdgeRouter configuration prior to any change.
Also make sure you know how to restore your configuration and you know how to restore your router to factory defaults if everything else fails.

== Initial setup ==

• Open the CLI using the GUI button or connect using an ssh client such as PuTTY to 192.196.2.1.
The default username/password is ubnt/ubnt unless you have already changed it.
• Enter configuration mode
• ubnt@ubnt:~$ configuration
• Limit access to GUI only from home LAN
• ubnt@ubnt:~$ set service gui listen-address 192.168.2.1
• Limit access to ssh console only from home LAN
• ubnt@ubnt:~$ set service ssh listen-address 192.168.2.1
• Now commit the changes
• ubnt@ubnt:~$ commit
• Delete the network assignment of eth0
• ubnt@ubnt:~$ delete interfaces ethernet eth0 address 192.168.1.1/24
• Set the AMPRNet network assignment you have received to eth0
• ubnt@ubnt:~$ set interfaces ethernet eth0 address <put your AMPRNet network assignment>
• Now commit the changes
• ubnt@ubnt:~$ commit

== Setting up the tunnel ==

• ubnt@ubnt:~$ set interfaces tunnel tun0
• ubnt@ubnt:~$ set interfaces tunnel tun0 local-ip <put the external ip assigned to you by your ISP>
• ubnt@ubnt:~$ set interfaces tunnel tun0 remote-ip 169.228.66.251
• ubnt@ubnt:~$ set interfaces tunnel tun0 encapsulation ipip
• ubnt@ubnt:~$ set interfaces tunnel tun0 description "Tunnel to AMPRNet gateway"
• Now commit the changes
• ubnt@ubnt:~$ commit
• To verify your input so far, enter the following command
• ubnt@ubnt:~$ show interfaces tunnel tun0
• The output should look like this
• description "Tunnel to AMPRNet"
• encapsulation ipip
• local-ip <your assigned ISP address>
• remote-ip 169.228.66.251

Setting up source address routing policy
Most likely your home computers LAN is setup to route to any internet destination via the interface connected to the ISP. In addition, all your private ip addresses are being masqueraded before getting to the outside world.
Entering the following command (in operational mode) will print the routing table
• ubnt@ubnt:~$ show ip route

You should get something similar to this routing table
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
> - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S *> 0.0.0.0/0 [210/0] via <your ISP default gateway>, eth1
C *> <your ISP network> is directly connected, eth1
C *> 127.0.0.0/8 is directly connected, lo
C *> 192.168.2.0/24 is directly connected, switch0

0.0.0.0/0 basically means "every ip address"
We want to make sure of the following:
• Normal routing for your home computers LAN is maintained
• Your AMPRNet hosts are being routed to the tunnel to connect to the internet. No masquerading is needed.
Let's define source address routing policy that will make sure only AMPRNet hosts are routed to the tunnel
• ubnt@ubnt:~$ set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface tun0
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 description 'traffic to AMPRNet'
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 source address <put your AMPRNet assigned network>
• ubnt@ubnt:~$ set firewall modify SOURCE_ROUTE rule 10 modify table 1
• ubnt@ubnt:~$ set interfaces ethernet eth0 firewall in modify SOURCE_ROUTE

• Now commit the changes
• ubnt@ubnt:~$ commit

Smoke test
To test our configuration, we first need to connect a computer to the EdgeRouter interface eth0 and manually assign an ip address from our assigned AMPRNet network range that has already been registered with the DNS.
To test that we are accessible from the outside world, use a "ping service" such as ping.eu to ping the above mentioned host. If you see response, this basically means that the tunnel is working! (At least from the outside in)
To see that our source routing policy works, ping an external host such as google DNS server @ 8.8.8.8. If you see a response you at least know that your above mentioned host is reaching the internet.
To verify that we are exiting the router via the tunnel, do a traceroute command to 8.8.8.8. If in the trace you see some ucsd.edu host, you know that you are using the tunnel
The last test we can do is to use a site like whatismyip.com to see the address which we are coming from. If it is the address is the above mentioned host, then we have successfully setup the AMPRNet gateway.
Finishing touches
If you have reached so far and everything is working correctly, it is time to save our configuration.
• In configuration mode enter the following
• Save

Since we have now an open tunnel to the world ending in our EdgeRouter, we need to extend our firewall protection to interface tun0. This can easily be done in the EdgeRouter GUI.
• Select the Firewall/NAT tab
• Select firewall policies tab
• There should be two rulesets
o WAN_IN
o WAN_LOCAL
• For each rule, press the actions button on the right and select the interfaces option
• Press the + Add Interface button
• Select tun0 as the interface and select in as the direction
• Finish by pressing the Save Ruleset button

Archive/Main Page

2016-06-10T15:59:13Z

4Z5YR: /* How to connect to AMPRNet */

Welcome to the AMPRNet Wiki.

Since its allocation to Amateur Radio in the mid-1980's, Internet network 44 (44.0.0.0/8), known as the AMPRNet™, has been used by amateur radio operators to conduct scientific research and to experiment with digital communications over radio with a goal of advancing the state of the art of Amateur Radio networking, and to educate amateur radio operators in these techniques. - [http://www.ampr.org/ www.ampr.org]
__NOTOC__
== Starting points ==
* Basic information about the [[AMPRNet]] and the [[ampr.org]] domain
* [[Services]] available on AMPRNet
* If you are looking to get an IP allocation within the 44/8 AMPRNet please read the [[Portal]] page.
* Frequently Asked Questions (FAQ) [[FAQ]]

== How to connect to AMPRNet ==

* Instructions for [[Setting up a gateway on Linux|setup a Linux gateway]]
* Instructions for [[setting up a gateway on Cisco Routers|setting up a gateway on Cisco Routers]].
* Instructions for [[setting up a gateway on MikroTik Routers|setting up a gateway on MikroTik Routers]].
* Instructions for [[setting up a gateway on OpenWRT|setting up a gateway on OpenWRT]].
* Instructions for [[setting up a gateway on Ubiquiti EdgeRouter|setting up a gateway on Ubiquiti EdgeRouter]].
* Instructions for [[announcing your allocation directly|directly announcing your allocation via your Internet Service Provider (ISP)]].
* Instructions for [[AMPRNet VPN|Accessing AMPRNet via VPN]] (experimental).
* <b>[[Why can't I just route my AMPRNet allocation directly myself ?]]</b>
* If you already operate a [[gateway]] please ensure you have registered on the [[portal]] and "claimed" your [[gateway]].

== Mailing List ==
To keep up-to-date on AMPRNet information please consider joining the [[44Net mailing list]].

== Contribute! ==
If you wish to contribute to the wiki, please send an email to <tt>wiki (at) ampr.org</tt> introducing yourself. Please specify your full name, amateur radio callsign and your preferred username. A login will then be created for you.

== Terms of Service ==
Use of 44.0.0.0/8 address space and ampr.org DNS is governed by the following [http://www.ampr.org/tos.txt Terms of Service]

== All Pages ==
[http://wiki.ampr.org/wiki/Special:AllPages Here's a list of all pages currently on the AMPRNet Wiki]