Configure your gateway to NAT your LAN as AMPRNet


The AMPRNet, as we all know, is a tunneled network using IP protocol 4 (IPEncap). Most of us have our LANs configured using RFC-1918 space (i.e. non-globally routable IPs such as or 10.x.x.x). In some of the recent packet reporting by amprgw, some hosts show up trying to reach other 44-net systems while sourced as their RFC-1918 IPs. There is a fix, provided you do NOT use BPQ or xNOS software. They simply lack the required resources to do this properly.

What's the secret?

Since most of us are using Linux, whether as a 44-net "router" or to inject routes into an external device, what you want to do is configure a NAT rule for your devices (such as a smartphone on your LAN). This ensures that when you go out from your device, non-AMPR desktop, etc., you'll source yourself as your gateway's 44-net IP. You'll get routing back through the IPEncap mesh, and it may even be a bit quicker since your own gateway acts as your encap encoder/decoder while sourcing you as a 44-net IP. This should keep everything happy.

Configure a route in your main router for 44/8

In your router, set a route for 44/8 that points to your gateway's internal LAN IP. This tells your devices to push all frames for 44/8 to your gateway for IP encapsulation, as seen here... I use Linksys devices:

Easy as 3 lines!

All it takes is 3 lines added to your iptables rules to achieve this. You need to know what your internal LAN schema is; usually it's a 192.168.x.x/24 configuration, but everyone's is different. Once you figure that out you can configure your amprNAT rules accordingly. I have a main router and also a wifi extender. The main router is while the wifi extender is This combined gives me a subnet of

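# AmprNAT setup
# Rewrite the source of LAN traffic bound for 44/8 to the gateway's 44-net IP.
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1/22 -o tunl0 -j MASQUERADE -d 44/8
# Allow LAN-to-44/8 forwarding (eth0 = LAN side, tunl0 = IPEncap tunnel).
# Replies arrive tunl0 -> eth0 and are not matched here; a FORWARD policy of DROP needs its own ACCEPT rule for them.
/sbin/iptables -A FORWARD -s 192.168.1/22 -i eth0 -o tunl0 -m state --state RELATED,ESTABLISHED -j ACCEPT -d 44/8
/sbin/iptables -A FORWARD -s 192.168.1/22 -i eth0 -o tunl0 -j ACCEPT -d 44/8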

I suggest you don't write this into your iptables config file(s) until you have entered it as root on a command line and tested it. It should test fine. Once you have tested and confirmed that traffic from your RFC-1918 space is now sourced as your gateway's IP, you can write the 3 lines into your files so they'll load the next time you have to reboot.


One simple way to test is to telnet from your client device (PC, phone, etc.) to any system you know that accepts your login, such as a JNOS or URONode system, or if you know a website on the AMPRNet that will display your IP such as: here you can verify what your sourced IP is. If it's the 44-net IP of your gateway, you're GOLDEN! If not, then double-check your iptables configuration. Here are two tests that were positive, one from my website and the other from Lynwood's website:
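
A gateway-side check to go with the client test above, as an added example that is not part of the original page: it reads tcpdump -n output captured on tunl0 and lists any packet still heading to 44/8 with an RFC 1918 source. The capture lines and addresses are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag packets leaving tunl0 toward 44/8 that still carry an
# RFC 1918 source, i.e. traffic the MASQUERADE rule did not rewrite.

# find_leaks: read "tcpdump -n" lines on stdin; print "src dst" per leak.
find_leaks() {
    awk '
    # Drop a trailing ":" and an optional ".port", leaving a.b.c.d.
    function addr(s,   n, p) {
        sub(/:$/, "", s)
        n = split(s, p, /\./)
        if (n < 4) return ""
        return p[1] "." p[2] "." p[3] "." p[4]
    }
    function is_rfc1918(ip,   o) {
        split(ip, o, /\./)
        return (o[1] == 10) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    function is_ampr(ip,   o) { split(ip, o, /\./); return o[1] == 44 }
    $2 == "IP" && $4 == ">" {
        src = addr($3); dst = addr($5)
        if (src != "" && is_rfc1918(src) && is_ampr(dst)) print src, dst
    }'
}

# count_leaks: number of leaking packets on stdin; 0 means the NAT is working.
count_leaks() { find_leaks | wc -l | tr -d ' '; }

# Constructed sample capture (made-up addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.23.51514 > 44.0.0.1.23: Flags [S], seq 1, length 0
12:00:02.000002 IP 44.0.0.2.40112 > 44.0.0.1.80: Flags [S], seq 2, length 0
12:00:03.000003 IP 10.1.2.3 > 44.0.0.9: ICMP echo request, id 7, seq 1, length 64
12:00:04.000004 IP 172.32.0.5.5000 > 44.0.0.9.53: UDP, length 30
EOF
}

# Live use on the gateway (needs root):
#   tcpdump -nli tunl0 -c 200 ip 2>/dev/null | count_leaks
if [ "${1:-}" = "--demo" ]; then sample_capture | find_leaks; fi
```

Because tcpdump sees outgoing packets after POSTROUTING, a count of 0 on tunl0 while a LAN client is talking to a 44-net host means the source is being rewritten.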

Documentation by Brian N1URO.