Installing ampr-ripd on a Ubiquiti EdgeRouter or EdgeRouter X

From AMPRNet
Jump to: navigation, search

Info

These are the steps for setting up a fully functional AMPR gateway on Ubiquiti's EdgeRouter Light and EdgeRouter-X. Tested and found working on the following firmware versions:

ER3 Light 1.10.8
ER3 Light 1.10.9
ER-X 1.10.9
ER3 Light 2.0.0
ER3 Light 2.0.1
ER3 Light 2.0.3
ER3 Light 2.0.4
ER3 Light 2.0.5
ER3 Light 2.0.8
ER3 Light 2.0.9


NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.


We start assuming you have a complete working and configured router, that already has internet access (a configured WAN port and a local LAN).

For technical reasons, this set-up does not support dynamic assigned WAN addresses. If you have a dynamic IP, this setup can only be used in the primary router's DMZ.

Some technical details:

We will use an IPIP tunnel interface called 'tun44' connected to your external interface (with a fixed public IP or an interface in a DMZ). All ampr routes will be created in routing table 44. Routing table 45 will be used for routing requests from the public internet back via the ampr-gw.

On a firmware update, you need to reinstall ampr-ripd, since the file system gets replaced. The other settings like tunnel setup and the status wizard will stay.

Router preparation

Our first step is to set up the router to accept IPENCAP (protocol 4 frames on the WAN interface).

Under Firewall/NAT edit your WAN_LOCAL ruleset (the interface/local handles the access to the router - if there is no such ruleset, you need to create it). Usually it holds 2 rules, with a default policy of 'drop':

- accept established/related
- drop invalid

Now add a new rule:

- description: IPIP from WAN
- Action: accept
- Protocol: choose by name -> ipencap

...and save. You need to drag this rule into the first position of the ruleset and save the ruleset order

You may consider adding a similar rule for 'icmp' on WAN since this really helps debugging and ensures proper error handling (no, it will not compromise security since your gateway is detectable anyway).

Tunnel Setup

First add tunnel interface. You need to reserve an AMPR address from your AMPR subnet for the tunnel interface. If you have a /32 assignment, you need to use that one, else pick an unused address.

Use the name 'tun44' for the tunnel, don't get creative since the script depends on this name.

- Config Tree -> add tun44 -> Update List

- tun44:

 address: <your AMPR IP assigned to the router>/32 (this needs to be /32, no matter your allocated subnet, see above)
 description: AMPR GW
 encapsulation: ipip
 local-ip: <your WAN IP - ISP assigned or router's DMZ IP>
 remote-ip: 0.0.0.0 (this MUST be 0.0.0.0, no matter what, to allow P2MP connections)

- tun44 -> disable-link-detect, press + right of it to enable

- Press Preview and Apply

If you prefer to do it by CLI:

 ubnt@YO2LOJ-ER3:~$ configure
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 local-ip <put the external ip>
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 remote-ip 0.0.0.0
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 encapsulation ipip
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 address <44net router ip>/32
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 description "AMPR GW"
 ubnt@YO2LOJ-ER3:~$ set interfaces tunnel tun44 disable-link-detect
 ubnt@YO2LOJ-ER3:~$ commit; save

Installing ampr-ripd

Download your packages from here (read this section to the end...):

Find the EdgeRouter setup package here: http://www.yo2loj.ro/hamprojects/Ampr_EdgeRouter.tgz (mips64)

For the EdgeRouterX setup use this one: http://www.yo2loj.ro/hamprojects/Ampr_EdgeRouterX.tgz (mipsel)


In short, get it, unpack on the router and run the install.sh script.

Then edit your startup script if needed, and run it.


Now the details...


a. First, log in and become root (don't omit that '-'):

 Welcome to EdgeOS
 ubnt@YO2LOJ-ER3:~$ sudo su -

b. Now download the correct package as described in the links above and unpack it:

EdgeRouter Lite3, possibly ER4, ER6 (mips64):

 root@YO2LOJ-ER3:~# curl http://yo2loj.ro/hamprojects/Ampr_EdgeRouter.tgz -o er.tgz
 (you should get some download stats here...)

EdgeRouter X (mipsel):

 root@YO2LOJ-ERX:~# curl http://yo2loj.ro/hamprojects/Ampr_EdgeRouterX.tgz -o er.tgz
 (you should get some download stats here...)

Check and unpack:

 root@YO2LOJ-ER3:~# ls
 er.tgz
 root@YO2LOJ-ER3:~# tar -xf er.tgz

c. install the package:

 root@YO2LOJ-ER3:~# ./install.sh

d. edit the startup script to fit your needs. This is only needed if your router is behind NAT or you need to reject specific subnets. Edit only the -a options like below, don't touch the rest. If you want to have your position shown on the ampr map, also add the -L option using your callsign and your QTH locator ( -L your-call@AA00aa ).

If you are using pppoe, the local gateway can not be properly detected by ampr-ripd, so an additional -g parameter is needed.

Also, 44.0.0.1 is not reachable via tunnel, so it should be dropped in the command line to use the default gateway instead

 root@YO2LOJ-ER3:~# cd /etc
 root@YO2LOJ-ER3:/etc# vi ampr.sh
 <press insert to start editing>
 [...]
 ampr-ripd -s -t 44 -i tun44 -m 90 -g pppoe0 -a 44.0.0.1/32,44.128.1.0/24,44.128.2.0/24,your.gw.com (adapt this list to your needs - commna separated, no spaces)
 ~
 ~
 ~
 <press esc>:wq (to save and exit - yes, vi is strange)

e. Now run the startup script:

 root@YO2LOJ-ER3:/etc# ./ampr.sh

(On router restart, this will happen automatically)


NOTE: THE SETUP SCRIPT DOES NOT SECURE YOUR ROUTER. YOU NEED TO SET UP FIREWALL RULES YOURSELF.

Adding basic security

Now your 44 subnet is still wide open for access, both from other users (let's assume we can trust those), and from the internet.

We need to add 2 rulesets in Firewall/NAT to get some kind of minimal protection:

Create an ruleset called TUNNEL_FORWARD (or something suggestive) with a default drop policy.

Set interface for the ruleset to 'tun44' and direction to 'in'.

This will hold 3 rules (take care, order is important):

1. Allow access from ampr hosts to your subnet:

- Description: Allow access to hosts from AMPR
- Action: Accept
- Protocol: All protocols
- Source: 44.0.0.0/9
- Destination: <your subnet>

2. Second rule to allow access from ampr hosts to your subnet:

- Description: Allow access to hosts from AMPR
- Action: Accept
- Protocol: All protocols
- Source: 44.128.0.0/10
- Destination: <your subnet>

3. Rule to allow all establihed and related traffic:

- Description: Allow Established/Related
- Action: Accept
- Protocol: All protocols
- State: Established, Related

Also we need to protect router access itself, so we need another ruleset, say TUNNEL_LOCAL, also with a default drop policy.

Set interface for the ruleset to 'tun44' and direction to 'local'.

If you want to allow access to the router itself, the rules should be the same as above.

If router access should not be permitted, then only add rule 3 from above.

Finishing touches

It is a good idea to disable ubnt discovery protocol on our tunnels.

In this case, the easiest way is to disable it completely:

- go to Config Tree -> service -> ubnt-discover
- click the '+' sign after 'disable'

This will completely disable ubnt neighbor discovery.

Adding a Local AMPR subnet

To use a local AMPR subnet, just assign the router's AMPR IP with the proper subnet mask to a local network interface, using the regular EdgeRouter management interface. Remember to also set up the proper firewall rules to allow or disallow access to your hosts.

Status Wizard

Optionally you can install a status page in the wizard section.

Download here: http://www.yo2loj.ro/hamprojects/Ampr_Status_Wizard.tar and add it in your configuration wizard tab.

On firmware update, there is no need to reinstall the wizard.