Setting up a gateway on Cisco Routers

From 44Net Wiki
== Option 1: Secondary IP on WAN interface ==

To create a gateway using Cisco equipment you must have a Cisco router (preferably from the 2600 series or above).

Two Ethernet ports are preferred, but it can also be done with one Ethernet port.

The prerequisites for this setup to work are as follows:

* You have already registered with AMPRNet and received your 44.x.x.x/y allocation, and it is showing in the encap.txt file (see "If you are looking to get an IP allocation within the AMPRNet please read the Portal page." on the main page).
* You have registered some hosts of your allocated network in the AMPRNet DNS, like <your call sign>.ampr.org.

The example given here is for one Ethernet port.

First you have to assign the commercial (ISP) IP address to the router's Ethernet port. The commands are:

 enable
 configure terminal
 interface ethernet0
 ip address <the commercial IP given by the ISP the router is connected to> <the netmask of that network>

(The address can also be an IP of a network the router is on, as long as that IP is reachable from the outside world.)

The interface name varies with the router model; it can be Ethernet0, FastEthernet0, GigabitEthernet0/0, etc. To see which interfaces you have, use the command show interfaces and identify the Ethernet port name.

Then you have to assign the AMPRNet 44.x.x.x IP. On a router with one port any additional network address has to be a secondary address, and the command is:

 interface ethernet0
 ip address <the AMPRNet IP> <the netmask of the network> secondary

Now some tunneling commands have to be added to redirect your outgoing traffic (via a tunnel) to the main AMPRNet router. This is needed because every ISP blocks outgoing packets whose source IP is not part of its own network, and 44net does not belong to any ISP. So, to let traffic from your 44net addresses reach the outside world (the Internet, i.e. all IPs that are not part of AMPRNet), you need a tunnel to the AMPR.ORG router and must send that outgoing traffic through it.

To open a tunnel you have to specify the tunnel source address (from where the tunnel is established) and the tunnel destination (where the tunnel goes to). This is done with a few commands:

 interface tunnel0
 tunnel source <the router's commercial IP>
 tunnel destination <the AMPR.ORG main tunnel router IP>
 tunnel mode ipip

(The tunnel mode command tells the tunnel which encapsulation to use; Cisco supports many tunneling types, and IPIP is the one AMPRNet uses.)

In addition the router has to be told to pass all outgoing 44net traffic to the tunnel interface and not to route it directly to the Internet (because, as explained, it would probably be blocked by the closest ISP you are connected to). The command to do it is:

 ip route 0.0.0.0 0.0.0.0 Tunnel0 <the IP address of the AMPR.ORG main tunnel router>

(0.0.0.0 0.0.0.0 means "any IP"; this will be explained later.)

Another important command routes the tunnel packets themselves, from your router to the main ampr.org router, directly and not via the tunnel. This is required for the tunnel to work at all: without it the encapsulated packets would themselves match the "any IP" route and be sent back into the tunnel. This route is more specific than the "any IP" route described before and tells the router: "send traffic destined for the other end of the tunnel directly, not via the tunnel". The command is:

 ip route <the ampr.org main tunnel IP> 255.255.255.255 Ethernet0 <the next-hop gateway of your commercial network>

(The next hop is the ISP-side gateway, not the router's own commercial IP; in the example configuration further down the router's own address is 10.0.0.180 and the next hop is 10.0.0.138.)

These are the minimum commands necessary to route your inside 44net IP to the outside world (but not to any other 44net networks worldwide).

This method redirects all outgoing traffic (no matter which local IP is used) to the tunnel. Since the AMPR.ORG tunnel router only handles traffic from 44net IPs, this means that if the router's local LAN is shared between 44net and non-44net machines, the non-44net machines will have no connectivity to the world.

To overcome this problem a routing policy has to be used (with the route-map command), because a regular route command only looks at the destination IP and not at the source (local net), while policy routing can do that.

So two policies have to be created: one for all addresses excluding AMPRNet, which need to be routed directly to the Internet (without a tunnel), and a second one specifically for the 44net hosts, whose outgoing traffic needs to be redirected to the tunnels.
 
== Option 2: VLAN and zone-based firewall ==
 
If you're familiar with zone-based policy firewalls in IOS, it's possible to combine that feature with VTI and policy-based routing in a way that doesn't require multiple route-maps and won't impact non-44net traffic on the router.
 
 !
 ! Define security zones for the tunnel interface and 44net vlan
 !
 zone security AMPRNet
 zone security AMPRAlloc
 !
 ! An ACL for source traffic on the 44net vlan
 !
 ip access-list standard Vlan44
  permit <your_44net_allocation> <your_allocation_mask>
  deny any log
 !
 ! Send all traffic coming from the 44net vlan through the tunnel.
 !
 route-map ampr-tunnel permit 10
  set interface Tunnel44
 !
 interface GigabitEthernet0/0/0.44
  description AMPRNet allocation
  encapsulation dot1Q 44
  ip address <your_44net_allocation> <your_subnet_mask>
  zone-member security AMPRAlloc
  ip policy route-map ampr-tunnel
 !
 interface Tunnel44
  description AMPRNet
  ip unnumbered GigabitEthernet0/0/0.44
  zone-member security AMPRNet
  tunnel source GigabitEthernet0/0/1
  tunnel mode ipip
  tunnel destination 169.228.34.84
 !
 ! Now we get into the zone-based firewall configuration
 ! Access lists for class-maps
 !
 ip access-list extended Ping
  permit icmp any any echo
 ip access-list extended Traceroute
  permit icmp any any time-exceeded
  permit icmp any any unreachable
 !
 ! Classify traffic for the zone-based firewall
 !
 class-map type inspect match-all Traceroute
  match access-group name Traceroute
  match protocol icmp
 class-map type inspect match-all Ping
  match protocol icmp
  match access-group name Ping
 class-map type inspect match-any Generic
  match protocol tcp
  match protocol udp
  match protocol icmp
 !
 ! Define policies for the classes above.
 ! Here we will only allow ping and traceroute in, and have no restrictions on outbound traffic.
 ! Customize to your needs, of course.
 !
 policy-map type inspect AMPRNetIn
  class type inspect Traceroute
   pass
  class type inspect Ping
   inspect
  class class-default
   drop
 policy-map type inspect AllowAllOut
  class type inspect Generic
   inspect
  class class-default
   drop
 !
 ! Apply policy-maps to traffic flows between zones.
 !
 zone-pair security AMPRNet_to_AMPRAlloc source AMPRNet destination AMPRAlloc
  service-policy type inspect AMPRNetIn
 zone-pair security AMPRAlloc_to_AMPRNet source AMPRAlloc destination AMPRNet
  service-policy type inspect AllowAllOut
 
== Routing to other 44net gateways ==


In order to route your traffic to other 44net gateways you need to build a tunnel interface to every gateway (unlike JNOS, where one tunnel interface deals with all tunnels), and every tunnel has to have a tunnel source, a tunnel destination (as explained above) and a tunnel mode.

In addition two route lines have to be added:

One is a route command to send the specific 44net network of the gateway this tunnel deals with into this tunnel.

And the other is to allow the tunnel traffic itself to go through the Internet (a host route to the gateway's public IP via your ISP, so it is never sent into a tunnel).

Enclosed is an example from a router that has a tunnel to the main AMPR router and to one gateway somewhere in the world.

The tunnel0 interface is the tunnel to the main AMPR.ORG router and the tunnel numbered 741916672 is one tunnel to a gateway.

The section for tunnel74xxx has to be duplicated for every 44net gateway (of course with the corresponding IP of the specific gateway), currently about 400 times.

TIP: If you are not familiar with Cisco commands you can use the GUI software called Cisco Configuration Professional (CCP) to configure the router.

Later on we will deal with how to create these tunnel configuration lines using a script that takes the info from the ENCAP.TXT file and converts it to Cisco config.

 interface Tunnel0
  ip unnumbered Ethernet0
  no ip directed-broadcast
  tunnel source Ethernet0
  tunnel destination 169.228.34.84
  tunnel mode ipip
 !
 interface Tunnel741916672
  description Link to 44.56.192.0
  ip unnumbered Ethernet0
  ip access-group acl_44 in
  no ip directed-broadcast
  tunnel source 10.0.0.180
  tunnel destination 24.229.88.253
  tunnel mode ipip
 !
 interface Ethernet0
  description connected to EthernetLAN_HAIFA
  ip address 44.138.1.1 255.255.255.0 secondary
  ip address 10.0.0.180 255.255.255.0
  no ip directed-broadcast
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 Tunnel0 169.228.34.84
 ip route 169.228.34.84 255.255.255.255 Ethernet0 10.0.0.138
 ip route 44.56.192.0 255.255.255.0 Tunnel741916672
 ip route 24.229.88.253 255.255.255.255 Ethernet0 10.0.0.138


== Making the route commands automatically ==


Because the route information of the gateways (the encap file) changes periodically, mainly because a lot of gateways sit on dynamic IPs, and because the tunnel endpoint IPs change as a result, you may lose the tunnels to these gateways.

So a script that takes the encap file and produces a new file of Cisco commands must be run.

There are two scripts available that do it, one in Perl and the other in VBS.

The example will show the results of the Perl script.

The Perl script for the Cisco is enclosed:


#!/usr/bin/perl
#encapconvert.pl V0.1 10-31-12
#Script created by Jason Begley KY9J ky9j.com ky9j@arrl.net
#This script is used for converting the encap.txt file from the AMPR net
#into a loadable config file for use on cisco routers. It is advised to use
#this on a 2600 or better router due to interface limits.
#
# NOTE: the wiki diff view this page was taken from omits several unchanged
# parts of the script; those places are marked "[lines not shown]" below.

my ($line);
my %nets = ();
my $net = undef;
my $mask = undef;

#####
#Below are user defined variables

my $loop = "Ethernet0"; #LOOPBACK INT CHANGE IF ALREADY IN USE
my $outip = "10.0.0.180"; #YOUR PUBLIC IP ADDRESS
my $loopip = "44.138.1.1"; #YOUR AMPR IP ADDRESS
#EO user defined variables
#####

my $file = $ARGV[0];
my $debug = $ARGV[1];
if(!$file) { usage(); exit; }
if($file =~ /--help/) { usage(); exit; }

open (MYFILE, '>cisco-config.txt');
print MYFILE "!\ninterface $loop\nip address $loopip 255.255.255.255\n!\n";
close (MYFILE);
open(ENCAP, $file) or die "cannot open $file: $!";
@line = <ENCAP>;
close (ENCAP);
@line = grep (!/^\s*$/,@line);   # drop empty lines
@line = grep (!/^#/,@line);      # drop comment lines
chomp(@line);

foreach $line(@line)
{
         $n1 = $n2 = $n3 = $n4 = undef;
         @ln = (split(/ +/, $line));
         # [lines not shown: $net, $mask, $gw and $ifid are set from @ln in the omitted part]
   open (MYFILE, '>>cisco-config.txt');

if (defined $debug) {   # was "$debug != NULL": Perl has no NULL, so that test did not work as intended
   print "LINE:$line";
   print "\n!\n";
   # [lines not shown]
   print "tunnel destination $gw\n";
   print "tunnel mode ipip\n!\n";
}

if ($gw ne $outip) {    # string comparison; "!=" would compare the dotted IPs as numbers
                        # (no tunnel is built for our own gateway entry)

   print MYFILE "!\n";
   # [lines not shown: interface Tunnel$ifid, ip unnumbered, tunnel source/destination]
   print MYFILE "tunnel mode ipip\n!\n";
   print MYFILE "ip route $net $mask tunnel$ifid\n!\n";
}
   # host route so the tunnel endpoint is reached via the ISP next hop, not via a tunnel
   # (10.0.0.138 is the author's next hop; change it to yours)
   print MYFILE "ip route  $gw 255.255.255.255 Eth0 10.0.0.138\n";
}
  print MYFILE "!\nend\n!\n";
  close (MYFILE);

sub usage
   {
   print << "EOT";
*** This script is for creating a loadable config (copy tftp run) for cisco routers ***
*** Please note that this was tested to work on 2651XM or better, expect poor resp- ***
*** -onse on smaller/slower platforms.                                              ***
*** Edit this file and change variables as noted to your values.                   ***
*** File \"cisco-config.txt\" will be generated in this directory for tftp upload    ***
*** Run as follows:                                                                ***
*** perl encapconvert.pl encap.txt                                                  ***
EOT
   }


########################################################
# Sub cipdec
# USAGE: For converting IP to DEC values and reverse
#
# my ($err, $ret) = cipdec(1, $ip);  #1 =from ip to dec, 2 = from dec to ip
# if($err != 0) { print "MAIN: ERR ON \"$ret\"\n"; next; }
#
sub cipdec
  {
   my $debug = 0;
   my (@oct, $opt, $var, $err, $ret, $errmsg);
   # [lines not shown: the conversion itself]
   return($err, $ret);
   }
################### EO SUB CIPDEC#################################

### wildcard sub ###
sub do_subtract(  ) {
   local($ip) = @_;

   # [lines not shown: $a, $b, $c and $d are computed from $ip in the omitted part]

   return ($a . "." . $b . "." . $c . "." . $d);
}

### EO wildcard sub ###
 
 
 
Before you run the script make sure to remove the line of your own gateway from the encap file.

The result of the script is a set of commands that look like this:

 !

This section is repeated (with a different interface number, tunnel destination and route IPs) once for every line in the encap file.

When the file is ready (after running the Perl script) you can copy it with an editor and send it to the Cisco through the terminal (after the config t command) or by TFTP.

So with a small amount of software work the whole procedure can be done fully automatically.

The VBS script is enclosed here:
' encap2cisco.vbs, v0.2
' Script to convert encap.txt file in Cisco IOS configuration commands
' to create Tunnel interfaces and routing to "gateway" traffic for ampr.org.
' For each gateways the script creates a Tunnel interface (starting from # 1001)
' with routing and other detailed cfg commands.
' Before to start keep in mind:
' - Tunnel interfaces are unnumbered of interface declared in MyLoopback variable
' - Public IP address of local gateway is declared in MyPublic variable 
' - Output is to console (use redirecting to save it to a file).
' - Running from command line example: cscript encap2cisco.vbs > cisco.cfg
'
' Tested on Cisco IOS 12.3(22) version
'
' Made by IW0SAB Renzo, free to use and to adapt to specific usages.
' Thanks to IW0RZM Andrea for script suggestions.
' CisarNet Project of Italian Radio Ham Association CISAR
'
' Static entry for Master Tunnel to ampr.org
'!
'interface Tunnel44
'description Tunnel vs. ampr.org (Master tunnel: 44.0.0.0/8)
'! Loopback440 is my main 44.208.0.1 interface
'ip unnumbered Loopback440
'! Loopback1 is my public IP address
'tunnel source Loopback1
'! 169.228.66.251 is main ampr.org tunnel gateway (amprgw.sysnet.ucsd.edu)
'tunnel destination 169.228.66.251
'tunnel mode ipip
'ip route 44.0.0.0 255.0.0.0 Tunnel44
'
' Gubbio (ITALY), 31.10.2011 - Ver 0.2
'
'On Error Resume Next
Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("encap.txt", ForReading)
Dim arrFileLines()
Dim Net, Mask, Gw, Tun, MyNets, MyLoopback, MyPublic, MyCredits
MyNets = Array("44.208/16", "44.134.226/24", "44.134.227/24", "44.134.228/24")
MyPublic = "Loopback1"
MyLoopback = "Loopback440"
MyCredits = "encap2cisco v0.2 by IW0SAB Renzo"
i = 0
Tun = 1000
line = 0
'
' Reading encap.txt file in memory array
'
Do Until objFile.AtEndOfStream
Redim Preserve arrFileLines(i)
arrFileLines(i) = objFile.ReadLine
i = i + 1
Loop
objFile.Close
'
'Process all encap.txt lines
'
WScript.Echo "!"
WScript.Echo "! Begin of Cisco IOS configuration file generated with " & MyCredits & "("    &  Date & " " & Time & ")"
For Each strLine in arrFileLines
x = Split(strLine, " ")
line = line + 1
SkipLine = 0
'
' Skipping comments...
'
If StrComp(x(0),"#") = 0 Then
SkipLine = 1
else
'
' ... or it's a subnet of mine
'
For Each Network in MyNets
If StrComp(Network, x(2)) = 0 Then SkipLine = 1
Next
end if
'
' If needed I process this line of encap.txt and create a tunnel interface for the ipip gateway
'
If SkipLine = 0 Then
'
' Extracting variables from current encap.txt line
'
Net = MyNet(x(2))
Mask = MyMask(x(2))
Gw = x(4)
Tun = Tun + 1
'
' Generating cisco IOS configuration commands (including remarks)
'
WScript.Echo "!"
WScript.Echo "! Entry for encap.txt line:(" & line & ")-" & strLine
WScript.Echo "!"
'
' remove any previous route to current subnet line of encap.txt
'
WScript.Echo "no ip route " & Net & " " & Mask
'
' build cisco cfgs for entry (tunnel interface & route)
'
WScript.Echo "interface Tunnel " & Tun
WScript.Echo "description Gateway to ampr.org (" & Net & "/" & Mask & ")"
WScript.Echo "ip unnumbered " & MyLoopback
WScript.Echo "tunnel source " & MyPublic
WScript.Echo "tunnel destination " & Gw
WScript.Echo "tunnel mode ipip"
' Route weight (administrative distance) is high to be safe when evolving to dynamic routing
WScript.Echo "ip route " & Net & " " & Mask & " Tunnel " & Tun & " 200"
'
End If
Next
WScript.Echo "!"
WScript.Echo "! End of configuration file generated with " & MyCredits
'
' Finished
'
'=====================================================
'
' Function to extract subnet network from line
'
Function MyNet(b)
' b= "1.2.3.4/24"
' Wscript.Echo "MyNet b:" & b & " - " & InStr(b,"/")
if InStr(b,"/") <= 0 Then
MyNet = b
else
MyNet = Left(b, InStr(b,"/")- 1)
end if
Tot = 0
For i = 1 to Len(MyNet)
If StrComp(Mid(MyNet,i,1),".") = 0 Then
Tot = Tot + 1
End If
Next
If Tot = 1 Then
MyNet = MyNet & ".0.0"
End If
If Tot = 2 Then
MyNet = MyNet & ".0"
End If
End Function
'
' Function to extract subnet mask from line
'
Function MyMask(c)
' c = "1.2.3.4/24"
Num = Right(c, Len(c) - InStr(c, "/"))
Select Case Num
Case "8"
MyMask = "255.0.0.0"
Case "9"
MyMask = "255.128.0.0"
Case "10"
MyMask = "255.192.0.0"
Case "11"
MyMask = "255.224.0.0"
Case "12"
MyMask = "255.240.0.0"
Case "13"
MyMask = "255.248.0.0"
Case "14"
MyMask = "255.252.0.0"
Case "15"
MyMask = "255.254.0.0"
Case "16"
MyMask = "255.255.0.0"
Case "17"
MyMask = "255.255.128.0"
Case "18"
MyMask = "255.255.192.0"
Case "19"
MyMask = "255.255.224.0"
Case "20"
MyMask = "255.255.240.0"
Case "21"
MyMask = "255.255.248.0"
Case "22"
MyMask = "255.255.252.0"
Case "23"
MyMask = "255.255.254.0"
Case "24"
MyMask = "255.255.255.0"
Case "25"
MyMask = "255.255.255.128"
Case "26"
MyMask = "255.255.255.192"
Case "27"
MyMask = "255.255.255.224"
Case "28"
MyMask = "255.255.255.240"
Case "29"
MyMask = "255.255.255.248"
Case "30"
MyMask = "255.255.255.252"
Case "31"
MyMask = "255.255.255.254"
Case "32"
MyMask = "255.255.255.255"
Case Else
MyMask = "255.255.255.255"
End Select
End Function
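The following is an added example for this page and is not the Perl or VBS script above. It does the same job as those scripts in Python: it parses encap.txt lines of the form route addprivate <44net/prefix> encap <gateway IP> (the format both scripts split on), pads short prefixes such as 44.208/16 the way the VBS MyNet() function does, computes the netmask from the prefix length instead of enumerating it, skips the entry for our own gateway, and emits for every remote gateway the IPIP tunnel interface plus the two routes described in the sections above. It also adds a check the page's text motivates: every tunnel destination must have a /32 route that does not point at a Tunnel interface, otherwise the outer packets would match the 0.0.0.0/0 route into Tunnel0 and the tunnel would never come up. The encap lines are constructed for the example; the addresses 10.0.0.180, 10.0.0.138 and 169.228.34.84 follow the page's example configuration, and the tunnel numbers are sequential from 1001 like the VBS script's.

```python
"""Encap.txt to Cisco IOS tunnel config, with a recursive-routing sanity check.

Added example for this wiki page (not the Perl or VBS script it carries).
Assumes encap.txt lines look like:
    route addprivate <44net/prefix> encap <gateway public IP>
The sample encap content below is constructed, not real gateway data.
"""
import ipaddress

# Constructed sample encap.txt content (not real AMPRNet gateway data).
SAMPLE_ENCAP = """\
# encap.txt sample - constructed for this example
route addprivate 44.138.1.0/24 encap 10.0.0.180
route addprivate 44.56.192.0/24 encap 24.229.88.253
route addprivate 44.208/16 encap 203.0.113.7

route addprivate 44.134.226/24 encap 198.51.100.9
"""

# User settings, following the page's example router (adapt to your own).
MY_PUBLIC_IP = "10.0.0.180"     # our gateway's commercial IP; its own encap line is skipped
ISP_NEXT_HOP = "10.0.0.138"     # next hop on the commercial network (page example value)
WAN_INTERFACE = "Ethernet0"     # interface facing the ISP
UNNUMBERED_IF = "Ethernet0"     # interface the tunnels borrow their address from
FIRST_TUNNEL = 1001             # sequential tunnel numbers, as the VBS script does


def parse_encap(text):
    """Return [(network, gateway_ip), ...] from encap.txt text.

    Blank lines and '#' comments are skipped. Short prefixes such as
    44.208/16 are padded to four octets; the mask comes from the prefix length.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] != "route" or fields[3] != "encap":
            raise ValueError("unexpected encap line: %r" % line)
        addr, _, prefix = fields[2].partition("/")
        octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
        net = ipaddress.ip_network("%s/%s" % (".".join(octets), prefix or "32"),
                                   strict=False)
        entries.append((net, ipaddress.ip_address(fields[4])))
    return entries


def build_config(text, my_public_ip=MY_PUBLIC_IP):
    """Emit one IPIP tunnel and the two routes the page describes per remote gateway."""
    lines = ["!", "! tunnels generated from encap.txt (example converter)", "!"]
    ifid = FIRST_TUNNEL
    for net, gw in parse_encap(text):
        if str(gw) == my_public_ip:
            continue                      # no tunnel to ourselves
        lines += [
            "interface Tunnel%d" % ifid,
            " description Link to %s" % net.network_address,
            " ip unnumbered %s" % UNNUMBERED_IF,
            " no ip directed-broadcast",
            " tunnel source %s" % my_public_ip,
            " tunnel destination %s" % gw,
            " tunnel mode ipip",
            "!",
            # route 1: the gateway's 44net subnet goes into its tunnel
            "ip route %s %s Tunnel%d" % (net.network_address, net.netmask, ifid),
            # route 2: the tunnel's outer packets leave via the ISP, never via a tunnel
            "ip route %s 255.255.255.255 %s %s" % (gw, WAN_INTERFACE, ISP_NEXT_HOP),
            "!",
        ]
        ifid += 1
    lines.append("end")
    return lines


def unrouted_tunnel_endpoints(lines):
    """Tunnel destinations lacking a /32 route that avoids every Tunnel interface.

    Without such a route the encapsulated packets would follow the default
    route into Tunnel0 (recursive routing) and the tunnel would not work.
    """
    dests = [l.split()[-1] for l in lines if l.strip().startswith("tunnel destination ")]
    return [d for d in dests
            if not any(l.startswith("ip route %s 255.255.255.255 " % d) and "Tunnel" not in l
                       for l in lines)]


if __name__ == "__main__":
    cfg = build_config(SAMPLE_ENCAP)
    print("\n".join(cfg))
    print("! endpoints without a direct route:", unrouted_tunnel_endpoints(cfg) or "none")
```

Run it with no arguments to see the generated configuration for the sample; to use it on a real encap.txt, read the file into build_config() and redirect the output to a file for TFTP upload, as the page describes for the Perl script.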

Revision as of 00:22, 23 March 2020

Option 1: Secondary IP on WAN interface

To create a gateway using Cisco equipment you must have a Cisco Router (preferred from series 2600 and above)

Preferred with two Ethernet ports (but can be done also with one Ethernet port)

Pre requirement to the setup to work are as follows:

You have already registered with AMPRNet and got your 44.x.x.x/y allocation and it is showing in the encap.txt file (see "If you are looking to get an IP allocation within the AMPRNet please read the Portal page.") info on the main page .


You have registered some hosts of your allocated network in the AMPRNet DNS like <your call sign>.ampr.org

The example given here here is of one Ethernet port.

You have to assign the router Ethernet port the Commercial IP

The commands are:

enable
configure terminal
interface ethernet0
ip address <and here you give the ip of the commercial isp the router is connected to> (it can also be the IP of a network the router is on  (as long as this IP is accessible to the outside world))> <The NetMask of the network>

The interface name can vary depending on your router type, it can be Ethernet0 FastEthernet0 GigabitEthernet0/0 etc.

(To see what interfaces you have in order to assign them the address use the command Show interface and identify the Ethernet port name.)

Then you have to assign the AMPRNet 44.x.x.x IP .

For a router with one port any additional network IP has to be secondary and the command is:

int eth0
ip add <the AMPR IP > <the netmask of the network > secondary
 

Now some tunneling commands have to be added to redirect your outgoing traffic (via tunnel) to the main AMPRNET router , you do it because every ISP block outgoing IP's which is not a part of their network (and 44 net is not belong to any ISP) so in order to allow the 44 net IP traffic to gain access to the outside world you need to do a tunnel to the AMPR.ORG router to the outgoing traffic (traffic that intend to reach the internet (all other IP's that are not part of the AMPRNet))

To open a tunnel channel you have to specify the tunnel source address (from where the tunnel is established) and tunnel destination (to where the tunnel establish to)

This is done by a few commands here they are

interface tunnel0
tunnel source <here you put the router commercial IP>
tunnel destination <here you put  the AMPR.ORG main tunnel router IP>
tunnel mode ipip (this command is to tell the tunnel (cisco support lot of tunneling types) which  mode to use)

In addition the router has to be notified to pass all the outgoing 44 Net Traffic to the tunnel interface and not to route it just like that to the Internet (because as explained they will be probably blocked by the closest ISP you are connected to )

The command to do it is

ip route 0.0.0.0 0.0.0.0 Tunnel0 <the ip address of the AMPR.ORG main tunnel router >

(0.0.0.0 0.0.0.0 mean "any IP") (will be explained latter)

Another important command is a command to route the tunneled traffic from the router to the main ampr.org router not via a tunnel (this important to establish tunnel)

This command is more specific then the "any IP" route command described before and say to the router : "pass the tunneled traffic belong to the other side of the tunnel direct and not via tunnel"

The Command is :

ip route <the ampr.org main tunnel IP > 255.255.255.255 Ethernet0 <your  router commercial IP>

This are the minimum commands necessary to be able to route your inside 44 net IP to the outside world (but not to any other 44 net networks worldwide)


This method will redirect any outgoing traffic (no matter what local IP is used ) to the tunnel and since the AMPR.ORG tunnel deal with tunneling from only 44 Net IP it mean that if the router local Lan is sharing 44 and non 44 IP machines the non 44 Net machines will have no connectivity to the world


To overcome this problem a route policy will have to be used (with the command route-map) because regular route command deal with route for destination IP without looking at the source (local net) and route policy can do it ...

So two policy have to be created one for all addresses (excluding the AMPRnet that needed to be routed direct to the internet (without tunnel) and second one specifically for the 44 net hosts that needed to redirect their outgoing traffic to the tunnels

Option 2: VLAN and zone-based firewall

If you're familiar with zone-based policy firewalls in IOS, it's possible to combine that feature with VTI and policy-based routing in a way that doesn't require multiple route-maps and won't impact non-44net traffic on the router.

!
! Define security zones for the tunnel interface and 44net vlan
!
zone security AMPRNet
zone security AMPRAlloc
!
! An ACL for source traffic on the 44net vlan
!
ip access-list standard Vlan44
 permit <your_44net_allocation> <your_allocation_mask>
 deny   any log
!
! Send all traffic coming from the 44net vlan through the tunnel.
!
route-map ampr-tunnel permit 10
 set interface Tunnel44
!
interface GigabitEthernet0/0/0.44
 description AMPRNet allocation
 encapsulation dot1Q 44
 ip address <your_44net_allocation> <your_subnet_mask>
 zone-member security AMPRAlloc
 ip policy route-map ampr-tunnel
!
interface Tunnel44
 description AMPRNet
 ip unnumbered GigabitEthernet0/0/0.44
 zone-member security AMPRNet
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipip
 tunnel destination 169.228.34.84
!
! Now we get into the zone-based firewall configuration
! Access lists for class-maps
!
ip access-list extended Ping
 permit icmp any any echo
ip access-list extended Traceroute
 permit icmp any any time-exceeded
 permit icmp any any unreachable
!
! Classify traffic for the zone-based firewall
!
class-map type inspect match-all Traceroute
 match access-group name Traceroute
 match protocol icmp
class-map type inspect match-all Ping
 match protocol icmp
 match access-group name Ping
class-map type inspect match-any Generic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Define policies for the classes above.
! Here we will only allow ping and traceroute in, and have no restrictions on outbound traffic.
! Customize to your needs, of course.
!
policy-map type inspect AMPRNetIn
 class type inspect Traceroute
  pass
 class type inspect Ping
  inspect
 class class-default
  drop
policy-map type inspect AllowAllOut
 class type inspect Generic
  inspect
 class class-default
  drop
!
! Apply policy-maps to traffic flows between zones.
!
zone-pair security AMPRNet_to_AMPRAlloc source AMPRNet destination AMPRAlloc
 service-policy type inspect AMPRNetIn
zone-pair security AMPRAlloc_to_AMPRNet source AMPRAlloc destination AMPRNet
 service-policy type inspect AllowAllOut

Routing to other 44net gateways

In order to route your traffic to other 44net gateways you need to build a tunnel interface to every gateway (unlike JNOS, where one tunnel interface handles all gateways). Each tunnel needs a tunnel source, a tunnel destination (as explained above) and a tunnel mode.

In addition, two route lines have to be added for every tunnel:

One is a route command that sends the specific 44 network of the gateway this tunnel serves into the tunnel.

The other is a host route for the gateway's public IP via your Internet next hop, so that the encapsulated tunnel packets go out through the Internet and are not themselves routed into the default tunnel (Tunnel0).

Enclosed is an example from a router that has a tunnel to the main AMPR router and to one gateway somewhere in the world.

The Tunnel0 interface is the main AMPR.ORG router and Tunnel741916672 is the tunnel to one gateway (the tunnel number is the decimal value of the 32-bit network address: 44.56.192.0 = 741916672).

The Tunnel74xxx section has to be duplicated for every 44net gateway (of course with the corresponding IPs of the specific gateway), currently about 400 times.

TIP: If you are not familiar with Cisco commands you can use the GUI software called Cisco Configuration Professional (CCP) to configure the router.

Later on we will deal with how to create these tunnel configuration lines using a script that takes the info from the ENCAP.TXT file and converts it to Cisco config.


interface Tunnel0
ip unnumbered Ethernet0
no ip directed-broadcast
tunnel source Ethernet0
tunnel destination 169.228.34.84
tunnel mode ipip
!
interface Tunnel741916672
description Link to 44.56.192.0
ip unnumbered Ethernet0
ip access-group acl_44 in
no ip directed-broadcast
tunnel source 10.0.0.180
tunnel destination 24.229.88.253
tunnel mode ipip

interface Ethernet0
description connected to EthernetLAN_HAIFA
ip address 44.138.1.1 255.255.255.0 secondary
ip address 10.0.0.180 255.255.255.0
no ip directed-broadcast

ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0 169.228.34.84
ip route 169.228.34.84 255.255.255.255 Ethernet0 10.0.0.138
ip route 44.56.192.0 255.255.255.0 Tunnel741916672
ip route 24.229.88.253 255.255.255.255 Ethernet0 10.0.0.138

Making the route commands automatically

Because the route info of the gateways (the encap file) changes periodically, mainly because a lot of gateways sit on dynamic IPs, the tunnel destination IPs change as a result and you may lose the tunnels to those gateways.

In order to stay "updated" you need to fetch the new encap file periodically and load it into the Cisco router.

Because the encap file lines are not in a format of commands that Cisco "understands", a format conversion needs to be made in order to convert the route info in the encap file into commands that Cisco can "understand".

So a script that takes the encap file and makes a new file of Cisco commands must be run.

There are two scripts available that do it, one in Perl and the other in VBS.

The example here gives the results of the Perl script.

The Perl script for the Cisco is enclosed:

 #!/usr/bin/perl
 #encapconvert.pl V0.1 10-31-12
 #Script created by Jason Begley KY9J ky9j.com ky9j@arrl.net
 #This script is used for converting the encap.txt file from the AMPR net
 #into a loadable config file for use on cisco routers. It is advised to use
 #this on a 2600 or better router due to interface limits.
 #
 use strict;
 use warnings;

 #####
 #Below are user defined variables

 my $loop    = "Ethernet0";  #INTERFACE THE TUNNELS ARE UNNUMBERED TO (Loopback0, or the LAN interface that carries your 44 address)
 my $outip   = "10.0.0.180"; #YOUR PUBLIC IP ADDRESS (tunnel source)
 my $loopip  = "44.138.1.1"; #YOUR AMPR IP ADDRESS (only configured when $loop is a Loopback)
 my $wanif   = "Ethernet0";  #INTERFACE TOWARDS THE INTERNET
 my $nexthop = "10.0.0.138"; #NEXT HOP TOWARDS THE INTERNET
 #EO user defined variables
 #####

 my $file  = $ARGV[0];
 my $debug = $ARGV[1];
 if (!$file || $file =~ /--help/) { usage(); exit; }

 open(my $cfg, '>', 'cisco-config.txt') or die "cannot write cisco-config.txt: $!\n";
 #Only create a /32 on a loopback; never overwrite the address of a
 #physical interface (e.g. Ethernet0) that is already configured.
 if ($loop =~ /^Loopback/i) {
   print $cfg "!\ninterface $loop\nip address $loopip 255.255.255.255\n!\n";
 }

 open(my $encap, '<', $file) or die "cannot open $file: $!\n";
 my @line = grep { !/^\s*$/ && !/^#/ } <$encap>;
 close($encap);
 chomp(@line);

 foreach my $line (@line)
 {
   #encap.txt lines look like:  route addprivate 44.56.192.0/24 encap 24.229.88.253
   my @ln = split(' ', $line);
   next unless @ln >= 5 && $ln[0] eq 'route';
   my ($n, $s) = split(/\//, $ln[2]);
   my $gw = $ln[4];
   $gw =~ s/\s*$//;

   #Pad abbreviated networks (e.g. 44.56/16) to four octets
   my @oct = split(/\./, $n);
   push @oct, '0' while @oct < 4;
   my $net = join('.', @oct);

   #Prefix length to dotted mask; a missing prefix length means a host route
   $s = '32' if !defined $s || $s eq '';
   my $mask  = prefix_to_mask($s);
   my $wmask = do_subtract($mask);

   #Tunnel number = the network address as a 32-bit decimal (44.56.192.0 -> 741916672)
   my ($err, $ifid) = cipdec(1, $net);
   if ($err) { warn "skipping '$line': $ifid\n"; next; }

   if (defined $debug) {
     print "LINE:$line\n";
     print "NET:$n\nBITS:$s MASK:$mask-$wmask\nGW:$gw\nIF:$ifid\n\n";
   }

   #String compare: the original numeric '!=' only looked at the first octet,
   #so every gateway in the same /8 as $outip was silently skipped.
   if ($gw ne $outip) {
     print $cfg "!\n";
     print $cfg "interface tunnel $ifid\n";
     print $cfg "description Link to $net\n";
     print $cfg "ip unnumbered $loop\n";
     print $cfg "tunnel source $outip\n";
     print $cfg "tunnel destination $gw\n";
     print $cfg "ip tcp adjust-mss 1436\n";
     print $cfg "ip access-group acl_44 in\n!\n";
     print $cfg "tunnel mode ipip\n!\n";
     print $cfg "ip route $net $mask tunnel$ifid\n!\n";
     #Host route to the gateway via the Internet, so the encapsulated
     #packets are not themselves routed into the default tunnel
     print $cfg "ip route  $gw 255.255.255.255 $wanif $nexthop\n";
   }
 }
 print $cfg "!\nend\n!\n";
 close($cfg);

 sub usage
 {
   print <<~"EOT";   # <<~ (indented here-doc) needs Perl 5.26 or newer
   *** This script is for creating a loadable config (copy tftp run) for cisco routers ***
   *** Please note that this was tested to work on 2651XM or better, expect poor resp- ***
   *** -onse on smaller/slower platforms.                                              ***
   *** Edit this file and change variables as noted to your values.                    ***
   *** File "cisco-config.txt" will be generated in this directory for tftp upload     ***
   *** Run as follows:                                                                 ***
   *** perl encapconvert.pl encap.txt                                                  ***
   EOT
 }

 ### prefix length (0-32) to dotted-quad mask ###
 sub prefix_to_mask
 {
   my ($bits) = @_;
   die "invalid prefix length '$bits'\n" unless $bits =~ /^\d+$/ && $bits <= 32;
   my $m = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
   return join('.', map { ($m >> $_) & 0xFF } (24, 16, 8, 0));
 }

 ########################################################
 # Sub cipdec
 # USAGE: For converting IP to DEC values and reverse
 #
 # my ($err, $ret) = cipdec(1, $ip);  #1 =from ip to dec, 2 = from dec to ip
 # if($err != 0) { print "MAIN: ERR ON \"$ret\"\n"; next; }
 #
 sub cipdec
 {
   my ($opt, $var) = @_;
   if ($opt == 1) #1 = from ip to dec
   {
     return (1, "ERR: IP WITH NO \".\"") unless defined $var && $var =~ /\./;
     my @oct = split(/\./, $var);
     return (1, "ERR: OCT CT \"$var\"") unless @oct == 4;
     foreach my $val (@oct)
     {
       return (1, "ERR: OCT SIZE \"$var:$val\"") if $val !~ /^\d+$/ || $val > 255;
     }
     my $dec = ($oct[0] << 24) + ($oct[1] << 16) + ($oct[2] << 8) + $oct[3];
     return (0, $dec);
   }
   if ($opt == 2) #2 = from dec to ip
   {
     return (1, "ERR: DEC SIZE \"$var\"") unless defined $var && $var =~ /^\d+$/ && $var <= 4294967295;
     return (0, join('.', map { ($var >> $_) & 0xFF } (24, 16, 8, 0)));
   }
   return (1, "I'm lost and sent to leftovers");
 }
 ################### EO SUB CIPDEC#################################

 ### wildcard sub: dotted mask to inverse (wildcard) mask ###
 sub do_subtract
 {
   my ($ip) = @_;
   my @oct = split(/\./, $ip);
   if (@oct != 4 || grep { !/^\d+$/ || $_ > 255 } @oct) {
     die "invalid input mask or wildcard '$ip'\n";
   }
   return join('.', map { 255 - $_ } @oct);
 }
 ### EO wildcard sub ###


Before you run the script make sure to take out the line of your own gateway from the encap file.

The result of the script is a set of commands that look like this:

interface tunnel 748306432
description Link to 44.154.64.0
ip unnumbered Ethernet0
tunnel source 10.0.0.180
tunnel destination 79.107.164.191
ip tcp adjust-mss 1436
ip access-group acl_44 in
!
tunnel mode ipip
!
ip route 44.154.64.0 255.255.255.0 tunnel748306432
!
ip route  79.107.164.191 255.255.255.255 Ethernet0 10.0.0.138
!

This block is repeated (with a different tunnel number, destination and route IPs) once for every line in the encap file.

When the file is ready (after running the Perl script) you can paste it into the Cisco from an editor via the terminal (in configure terminal mode), or load it with TFTP (copy tftp running-config).

The encap file can be fetched automatically from the Portal using the API, converted to Cisco commands with the Perl script, and pushed to the Cisco with TFTP.

So with a small amount of software work the whole procedure can be done fully automatically.
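As an added worked example (not part of this wiki page and not the KY9J Perl script above), the following Python script performs the same encap.txt to IOS conversion described in "Routing to other 44net gateways" and "Making the route commands automatically", and goes one step beyond the page: it computes only the delta between the previously loaded encap file and the new one, so a periodic update re-points just the tunnels whose gateway address changed instead of reloading several hundred interfaces. The encap lines are constructed sample data; the interface names, 10.0.0.180 / 10.0.0.138 and 44.138.1.x are the page's example values, the other gateway addresses are made up, and acl_44 is assumed to be defined elsewhere on the router. The host route to a gateway is only removed when no remaining tunnel still uses that gateway.

```python
"""encap.txt -> Cisco IOS IPIP tunnel config, plus an incremental update.

Added example for the 44Net wiki page; not part of the page or of the KY9J Perl
script. Conventions follow the page: one Tunnel interface per gateway, numbered
with the decimal value of the network address, unnumbered to LOOP_IF, and a
host route to every gateway via WAN_IF/NEXT_HOP so the encapsulated packets are
not routed back into the default tunnel. The encap lines are constructed data.
"""
import ipaddress

OUT_IP = "10.0.0.180"    # your public IP (tunnel source); page's example value
LOOP_IF = "Ethernet0"    # interface the tunnels are unnumbered to
WAN_IF = "Ethernet0"     # interface towards the Internet
NEXT_HOP = "10.0.0.138"  # next hop towards the Internet
INBOUND_ACL = "acl_44"   # inbound ACL the page references (assumed defined elsewhere)

OLD_ENCAP = """\
# constructed sample of a previously loaded encap.txt
route addprivate 44.56.192.0/24 encap 24.229.88.253
route addprivate 44.154.64.0/24 encap 79.107.164.191
route addprivate 44.60.0.0/16 encap 10.20.30.40
route addprivate 44.61.0.0/16 encap 10.20.30.40
route addprivate 44.138.1.0/24 encap 10.0.0.180
"""
NEW_ENCAP = """\
# constructed sample of the current encap.txt: 44.154.64.0 moved to a new
# gateway, 44.60.0.0 is gone, 44.130/16 (abbreviated form) is new
route addprivate 44.56.192.0/24 encap 24.229.88.253
route addprivate 44.154.64.0/24 encap 198.51.100.7
route addprivate 44.61.0.0/16 encap 10.20.30.40
route addprivate 44.130/16 encap 203.0.113.9
route addprivate 44.138.1.0/24 encap 10.0.0.180
"""


def parse_encap(text):
    """Return {IPv4Network: IPv4Address} for every 'route addprivate NET encap GW' line."""
    routes = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] != "route" or fields[3] != "encap":
            continue  # comments, blank lines and anything that is not an encap route
        addr, _, plen = fields[2].partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))  # pad abbreviated networks such as 44.130/16
        net = ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)
        routes[net] = ipaddress.ip_address(fields[4])
    return routes


def tunnel_id(net):
    """Tunnel interface number: the network address as a 32-bit decimal (44.56.192.0 -> 741916672)."""
    return int(ipaddress.ip_network(str(net), strict=False).network_address)


def host_route(gw, remove=False):
    """Host route that sends the outer (encapsulating) packets out the WAN, not into Tunnel0."""
    return f"{'no ' if remove else ''}ip route {gw} 255.255.255.255 {WAN_IF} {NEXT_HOP}"


def tunnel_config(net, gw):
    """IOS commands for one remote gateway, same layout as the page's Perl output."""
    tid = tunnel_id(net)
    return [
        f"interface Tunnel{tid}",
        f" description Link to {net.network_address}",
        f" ip unnumbered {LOOP_IF}",
        f" tunnel source {OUT_IP}",
        f" tunnel destination {gw}",
        " tunnel mode ipip",
        " ip tcp adjust-mss 1436",
        f" ip access-group {INBOUND_ACL} in",
        "!",
        f"ip route {net.network_address} {net.netmask} Tunnel{tid}",
        host_route(gw),
        "!",
    ]


def _foreign(routes):
    """Drop our own line; compare as addresses, never numerically on the first octet."""
    own = ipaddress.ip_address(OUT_IP)
    return {n: g for n, g in routes.items() if g != own}


def full_config(routes):
    """Complete config for a fresh router (what the page's Perl script produces)."""
    out = []
    for net, gw in sorted(_foreign(routes).items()):
        out += tunnel_config(net, gw)
    return out + ["end"]


def delta_config(old_routes, new_routes):
    """Only the commands that move a router from the old encap to the new one."""
    old, new = _foreign(old_routes), _foreign(new_routes)
    still_used = set(new.values())  # gateways that keep at least one tunnel
    out = []
    for net in sorted(set(old) - set(new)):  # allocations that disappeared
        tid = tunnel_id(net)
        out += [f"no ip route {net.network_address} {net.netmask} Tunnel{tid}",
                f"no interface Tunnel{tid}"]
        if old[net] not in still_used:
            out.append(host_route(old[net], remove=True))
    for net, gw in sorted(new.items()):
        if net not in old:  # new allocation
            out += tunnel_config(net, gw)
        elif old[net] != gw:  # gateway moved (dynamic IP): re-point, do not rebuild
            if old[net] not in still_used:
                out.append(host_route(old[net], remove=True))
            out += [f"interface Tunnel{tunnel_id(net)}", f" tunnel destination {gw}",
                    host_route(gw), "!"]
    return out


if __name__ == "__main__":
    print("\n".join(delta_config(parse_encap(OLD_ENCAP), parse_encap(NEW_ENCAP))))
```

Run it as a module and push the printed lines in configure terminal mode or via TFTP; on the first run feed an empty string as the old encap and delta_config produces the full set of tunnels. Keeping the previous encap.txt next to the script is what makes the gateway-moved case safe: the tunnel interface keeps its ACL and MSS settings and only the destination and host route change.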