Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X: Difference between revisions

From 44Net Wiki
Revision as of 17:52, 20 February 2021

These setup instructions are independent of the other ones mentioned for a Ubiquiti EdgeRouter (which describe a simple IPIP tunnel setup); they do not assume you have done those steps, nor do you need to do anything described there.


Info

These are the steps for setting up a fully functional AMPR gateway on Ubiquiti's EdgeRouter Lite and EdgeRouter-X. Tested and found working on the following firmware versions:

ER3 Lite 1.10.8
ER3 Lite 1.10.9
ER-X 1.10.9
ER3 Lite 2.0.0
ER3 Lite 2.0.1
ER3 Lite 2.0.3
ER3 Lite 2.0.4
ER3 Lite 2.0.5
ER3 Lite 2.0.8
ER3 Lite 2.0.9


NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.


We start assuming you have a complete working and configured router, that already has internet access (a configured WAN port and a local LAN).

For technical reasons, this setup does not support dynamically assigned WAN addresses. If you have a dynamic IP, this setup can only be used in the primary router's DMZ.

Some technical details:

We will use an IPIP tunnel interface called 'tun44' connected to your external interface (with a fixed public IP or an interface in a DMZ). All ampr routes will be created in routing table 44. Routing table 45 will be used for routing requests from the public internet back via the ampr-gw.

On a firmware update, you need to reinstall ampr-ripd, since the file system gets replaced. The other settings like tunnel setup and the status wizard will stay.

Router preparation

Our first step is to set up the router to accept IPENCAP (IP protocol 4) packets on the WAN interface.

Under Firewall/NAT edit your WAN_LOCAL ruleset (the 'local' direction on the WAN interface controls access to the router itself - if there is no such ruleset, you need to create it). Usually it holds 2 rules, with a default policy of 'drop':

- accept established/related
- drop invalid

Now add a new rule:

- description: IPIP from WAN
- Action: accept
- Protocol: choose by name -> ipencap

...and save. You need to drag this rule into the first position of the ruleset and save the ruleset order.

You may consider adding a similar rule for 'icmp' on WAN since this really helps debugging and ensures proper error handling (no, it will not compromise security since your gateway is detectable anyway).

Tunnel Setup

First add tunnel interface. You need to reserve an AMPR address from your AMPR subnet for the tunnel interface. If you have a /32 assignment, you need to use that one, else pick an unused address.

Use the name 'tun44' for the tunnel, don't get creative since the script depends on this name.

- Config Tree -> add tun44 -> Update List

- tun44:

 address: <your AMPR IP assigned to the router>/32 (this needs to be /32, no matter your allocated subnet, see above)
 description: AMPR GW
 encapsulation: ipip
 local-ip: <your WAN IP - ISP assigned or router's DMZ IP>
 remote-ip: 0.0.0.0 (this MUST be 0.0.0.0, no matter what, to allow P2MP connections)

- tun44 -> disable-link-detect, press + right of it to enable

- Press Preview and Apply

If you prefer to do it by CLI:

 ubnt@YO2LOJ-ER3:~$ configure
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 local-ip <put the external ip>
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 remote-ip 0.0.0.0
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 encapsulation ipip
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 address <44net router ip>/32
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 description "AMPR GW"
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 disable-link-detect
 ubnt@YO2LOJ-ER3:~$ commit; save

Installing ampr-ripd

Download your packages from here (read this section to the end...):

Be certain to get the package that fits your router model. The two models use different processor types, so the packages are not interchangeable.

Find the EdgeRouter setup package here: http://www.yo2loj.ro/hamprojects/Ampr_EdgeRouter.tgz (mips64)

For the EdgeRouterX setup use this one: http://www.yo2loj.ro/hamprojects/Ampr_EdgeRouterX.tgz (mipsel)


In short, get it, unpack on the router and run the install.sh script.

Then edit your startup script if needed, and run it.


Now the details...


a. First, log in and become root (don't omit that '-'):

 Welcome to EdgeOS
 ubnt@YO2LOJ-ER3:~$ sudo su -

b. Now download the correct package as described in the links above and unpack it:

EdgeRouter Lite3, possibly ER4, ER6 (mips64):

 root@YO2LOJ-ER3:~# curl http://yo2loj.ro/hamprojects/Ampr_EdgeRouter.tgz -o er.tgz
 (you should get some download stats here...)

EdgeRouter X (mipsel):

 root@YO2LOJ-ERX:~# curl http://yo2loj.ro/hamprojects/Ampr_EdgeRouterX.tgz -o er.tgz
 (you should get some download stats here...)

Check and unpack:

 root@YO2LOJ-ER3:~# ls
 er.tgz
 root@YO2LOJ-ER3:~# tar -xf er.tgz

c. Install the package:

 root@YO2LOJ-ER3:~# ./install.sh

d. Edit the startup script to fit your needs. This is only needed if your router is behind NAT or you need to reject specific subnets. Edit only the -a options like below, don't touch the rest. If you want to have your position shown on the ampr map, also add the -L option using your callsign and your QTH locator ( -L your-call@AA00aa ).

If you are using pppoe, the local gateway can not be properly detected by ampr-ripd, so an additional -g parameter is needed.

Also, 44.0.0.1 is not reachable via the tunnel, so it should be listed on the command line (dropped from tunnel routing) so that the default gateway is used for it instead.

 root@YO2LOJ-ER3:~# cd /etc
 root@YO2LOJ-ER3:/etc# vi ampr.sh
 <press insert to start editing>
 [...]
 ampr-ripd -s -t 44 -i tun44 -m 90 -g pppoe0 -a 44.0.0.1/32,44.128.1.0/24,44.128.2.0/24,your.gw.com (adapt this list to your needs - comma separated, no spaces)
 ~
 ~
 ~
 <press esc>:wq (to save and exit - yes, vi is strange)

e. Now run the startup script:

 root@YO2LOJ-ER3:/etc# ./ampr.sh

(On router restart, this will happen automatically)


NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.

Adding basic security

Now your 44 subnet is still wide open for access, both from other users (let's assume we can trust those), and from the internet.

We need to add 2 rulesets in Firewall/NAT to get some kind of minimal protection:

Create a ruleset called TUNNEL_FORWARD (or something suggestive) with a default drop policy.

Set interface for the ruleset to 'tun44' and direction to 'in'.

This will hold 3 rules (take care, order is important):

1. Allow access from ampr hosts to your subnet:

- Description: Allow access to hosts from AMPR
- Action: Accept
- Protocol: All protocols
- Source: 44.0.0.0/9
- Destination: <your subnet>

2. Second rule to allow access from the remaining AMPR hosts (the 44.128.0.0/10 half) to your subnet:

- Description: Allow access to hosts from AMPR
- Action: Accept
- Protocol: All protocols
- Source: 44.128.0.0/10
- Destination: <your subnet>

3. Rule to allow all established and related traffic:

- Description: Allow Established/Related
- Action: Accept
- Protocol: All protocols
- State: Established, Related

Also we need to protect router access itself, so we need another ruleset, say TUNNEL_LOCAL, also with a default drop policy.

Set interface for the ruleset to 'tun44' and direction to 'local'.

One minimal rule is required, to accept incoming RIP packets from the gateway:

- Description: Allow incoming RIP
- Action: Accept
- Protocol: UDP
- Source Port: 520
- Destination Port: 520

If you want to allow access to the router itself, the rules should include the same as for the forward section.

If router access should not be permitted, then only add rule number 3 (established/related) from above:

- Description: Allow Established/Related
- Action: Accept
- Protocol: All protocols
- State: Established, Related

Finishing touches

It is a good idea to disable ubnt discovery protocol on our tunnels.

In this case, the easiest way is to disable it completely:

- go to Config Tree -> service -> ubnt-discover
- click the '+' sign after 'disable'

This will completely disable ubnt neighbor discovery.
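The firewall and discovery steps above (the IPENCAP rule in WAN_LOCAL, the TUNNEL_FORWARD and TUNNEL_LOCAL rulesets, and disabling ubnt-discover) are described for the GUI only. The script below is an added example, not part of the original page or of the ampr-ripd package, giving the equivalent EdgeOS CLI commands. It assumes the tunnel is named tun44, that a WAN_LOCAL ruleset already exists and rule number 5 in it is unused (a lower rule number is what puts the rule first, which is what "drag to the top" does in the GUI), that the ruleset names TUNNEL_FORWARD and TUNNEL_LOCAL are free, and that /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper is the EdgeOS scripting entry point. The TUNNEL_LOCAL ruleset here is the "no router access" variant (RIP plus established/related only); the subnet 44.128.1.0/24 used in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example: EdgeOS CLI form of the GUI firewall steps on this page.
# Not from the original page or the ampr-ripd project. Assumptions:
#   - tunnel interface is tun44 (required by the page's setup script)
#   - WAN_LOCAL exists and rule 5 in it is free (5 < your existing rules,
#     so it is evaluated first, like dragging the rule to the top)
#   - TUNNEL_FORWARD / TUNNEL_LOCAL are unused ruleset names
#   - /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper is present on the router

# Print the configuration commands for one AMPR subnet (e.g. 44.128.1.0/24).
# Returns 1 and prints nothing if the argument is not a 44.x.x.x/prefix.
ampr_fw_commands() {
    subnet="$1"
    case "$subnet" in
        44.*.*.*/[0-9]|44.*.*.*/[0-9][0-9]) ;;
        *) echo "expected an AMPR subnet in CIDR form, got '$subnet'" >&2; return 1 ;;
    esac
    cat <<EOF
set firewall name WAN_LOCAL rule 5 description "IPIP from WAN"
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 protocol ipencap
set firewall name TUNNEL_FORWARD default-action drop
set firewall name TUNNEL_FORWARD rule 10 description "Allow access to hosts from AMPR"
set firewall name TUNNEL_FORWARD rule 10 action accept
set firewall name TUNNEL_FORWARD rule 10 protocol all
set firewall name TUNNEL_FORWARD rule 10 source address 44.0.0.0/9
set firewall name TUNNEL_FORWARD rule 10 destination address $subnet
set firewall name TUNNEL_FORWARD rule 20 description "Allow access to hosts from AMPR"
set firewall name TUNNEL_FORWARD rule 20 action accept
set firewall name TUNNEL_FORWARD rule 20 protocol all
set firewall name TUNNEL_FORWARD rule 20 source address 44.128.0.0/10
set firewall name TUNNEL_FORWARD rule 20 destination address $subnet
set firewall name TUNNEL_FORWARD rule 30 description "Allow Established/Related"
set firewall name TUNNEL_FORWARD rule 30 action accept
set firewall name TUNNEL_FORWARD rule 30 protocol all
set firewall name TUNNEL_FORWARD rule 30 state established enable
set firewall name TUNNEL_FORWARD rule 30 state related enable
set firewall name TUNNEL_LOCAL default-action drop
set firewall name TUNNEL_LOCAL rule 10 description "Allow incoming RIP"
set firewall name TUNNEL_LOCAL rule 10 action accept
set firewall name TUNNEL_LOCAL rule 10 protocol udp
set firewall name TUNNEL_LOCAL rule 10 source port 520
set firewall name TUNNEL_LOCAL rule 10 destination port 520
set firewall name TUNNEL_LOCAL rule 20 description "Allow Established/Related"
set firewall name TUNNEL_LOCAL rule 20 action accept
set firewall name TUNNEL_LOCAL rule 20 protocol all
set firewall name TUNNEL_LOCAL rule 20 state established enable
set firewall name TUNNEL_LOCAL rule 20 state related enable
set interfaces tunnel tun44 firewall in name TUNNEL_FORWARD
set interfaces tunnel tun44 firewall local name TUNNEL_LOCAL
set service ubnt-discover disable
EOF
}

# Apply the commands in one configuration session on the router.
# Anywhere without the wrapper (e.g. your workstation) this only prints
# the commands, so you can review them before committing.
ampr_fw_apply() {
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper   # assumed EdgeOS path
    cmds=$(ampr_fw_commands "$1") || return 1
    if [ ! -x "$wrapper" ]; then
        echo "$wrapper not found; dry run, printing commands only" >&2
        printf '%s\n' "$cmds"
        return 0
    fi
    "$wrapper" begin
    # eval keeps the quoted descriptions intact when handing them to the wrapper
    while IFS= read -r line; do
        eval "$wrapper $line" || { "$wrapper" end; return 1; }
    done <<EOF
$cmds
EOF
    "$wrapper" commit && "$wrapper" save
    "$wrapper" end
}

# Usage on the router (as root), with your own subnet instead of the placeholder:
#   ampr_fw_apply 44.128.1.0/24
```

If you do want to reach the router itself from the AMPR side, add the two accept rules from TUNNEL_FORWARD (rules 10 and 20) to TUNNEL_LOCAL as well, as the section above describes; the script deliberately ships the restrictive variant so that only RIP on UDP 520 and replies to the router's own traffic get in over the tunnel.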

Adding a Local AMPR subnet

To use a local AMPR subnet, just assign the router's AMPR IP with the proper subnet mask to a local network interface (eth2-3, switch0 on the ER-X, or even a VLAN), using the regular EdgeRouter management interface. Remember to also set up the proper firewall rules to allow or disallow access to your hosts (if you use the rules as described in the previous chapter, 44net hosts will be allowed to access your whole network, while access from the internet is prohibited).

Status Wizard

Optionally you can install a status page in the wizard section.

Download here: http://www.yo2loj.ro/hamprojects/Ampr_Status_Wizard.tar and add it in your configuration wizard tab.

On firmware update, there is no need to reinstall the wizard.