I took the following steps for this setup:

1. Obtain and use a 44net IP allocation via 44net Connect
2. Set up a Raspberry Pi Zero 2 W as a WireGuard gateway router, including NAT and iptables firewall with fail2ban
3. Connect AREDN node (e.g., hAp2) via the 44Net tunnel
4. Write a script to configure the routing table on the AREDN node, in case it is not peristed on router reboot

Set up a 44net Allocation and Tunnel from 44net Connect

This step could be replaced with your existing 44net allocation, but, as I mentioned, I chose to work through the 44net Connect tunnel service and network allocation generously offered by their service. Although I have traditional 44net subnets allocated for fixed use, I felt that the tunneled approach would give me some versatility in the deployment behind a variety of WAN connections. Because I have an interest in computing and networking education, the ability to pack up and redeploy this setup in a mobile environment was advantageous for me.

Go to https://44net Connect and create an account

Request a routed subnet (e.g., 44.x.y.z/29) and a WireGuard tunnel

You’ll receive a:

• Tunnel endpoint (e.g., a.b.c.d:44000)
• Allocated IP (e.g., 44.i.j.k/32)
• Route for your subnet via that tunnel by editing the tunnel allocation and specifying static routing to the subnet

Configure a Raspberry Pi as a Gateway to 44net Connect for the AREDN Router

Although the router should generally support it, the AREDN firmware does not allow making a non-AREDN Wireguard connection such as the one I am using to connect to 44net Connect in order to route this network allocation (at least as far as I’m aware at the time of this writing!). Instead, I’ve set up a Raspberry Pi Zero 2W to serve this purpose. I’ll connect the pi to the AREDN router via its WiFI LAN Hotspot connection, and give the pi an IP address on the 44net subnet allocation alongside the router, and will set it up for IPv4 forwarding.

Configure the Wireguard Tunnel

Install WireGuard

Here, we create the Wireguard tunnel connection to 44net Connect from the Raspberry Pi, and configure the IP routes on the pi to send 44net traffic out via this Wireguard interface. In addition, we route our local 44net subnet out via our LAN connection, so that it goes directly to the AREDN router. In my case, I’m connected to the AREDN router via a wifi Part 15 connection, so I use wlan0 for this interface. If you plug the pi into the AREDN router via Ethernet, you might use eth0 here instead.

sudo apt update
sudo apt install wireguard netfilter-persistent iptables-persistent resolvconf sshpass

Create /etc/wireguard/wg0.conf, using your 44net subnet allocation for 44.x.y.z/29, your 44net Connect Wireguard tunnel keys, and substituting wlan0 for the LAN interface you’re using from the pi to the AREDN node, as well as 44.a.b.c for your wireguard tunnel client address and a.b.c.d:44000 for your tunnel endpoint:

[Interface]
PrivateKey = <local private key>
Address = 44.a.b.c
DNS = 1.1.1.1,1.0.0.1

PostUp = ip route add 44.x.y.z/29 dev wlan0
PostDown = ip route del 44.x.y.z/29 dev wlan0

[Peer]
PublicKey = <peer public key>
PresharedKey = <preshared key>
Endpoint = a.b.c.d:44000
AllowedIPs = 44.0.0.0/9, 44.128.0.0/10
PersistentKeepalive = 20

Enable and Start WireGuard

Create /etc/systemd/system/wg-44net-client.service:

[Unit]
Description=WireGuard Client to 44net (wg0)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/wg-quick up wg0
ExecStop=/usr/bin/wg-quick down wg0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable the Service for Automatic Startup

sudo systemctl enable wg-44net-client
sudo systemctl start wg-44net-client

Set Static IP, Enable IP Forwarding, and Disable RP Filtering

Set the AREDN router (hap2) to give a static IP to the pi. For example, if your 44net subnet is 44.a.b.32/29, then the AREDN router might take 44.a.b.33/29 and the pi could be assigned 44.a.b.34/29 as a DHCP reservation from the AREDN router.

To enable IPv4 forwarding, edit /etc/sysctl.conf and add or uncomment the following line:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

If you find that ip_forward is still 1 when you execute cat /proc/sys/net/ipv4/ip_forward on the AREDN node or on the Pi, update them by running: echo 1 > /proc/sys/net/ipv4/ip_forward.

On both the AREDN router, and on the Pi, ensure that IPv4 forwarding is enabled, and that RP filtering is disabled, by running:

cd /proc/sys/net/ipv4/conf
find . -iname 'rp_filter' -exec cat {} \;

If you find any that are set to 1 or 2, update them via: echo 0 > /proc/sys/net/ipv4/conf/<name>/rp_filter.

Set up NAT and Firewall on the Pi

Note that this is a minimal configuration of the firewall to enable the functionality, and should be hardened to filter traffic from the Internet. This firewall is configured to allow all traffic from AREDN (10.0.0.0/8) and 44net (44.0.0.0/9 and 44.128.0.0/10), as well as bidirectional AREDN Wireguard tunnels on UDP port 5525. We also allow ICMP ping packets, and any established connection packets. Finally, we masquerade traffic on the 44net Connect tunnel Wireguard interface wg0. I do not explicitly allow TCP port 22 SSH traffic from the Internet, but rather allow ssh connections via the AREDN and 44net subnets (this is also overly permissive, but is presented this way to demonstrate the functionality).

Edit /etc/iptables/rules.v4, substituting your 44net subnet allocation for 44.x.y.z/29:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

-A POSTROUTING -s 44.x.y.z/29 -o wg0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow established and related
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ALL traffic from 44.0.0.0/9
-A INPUT -s 44.0.0.0/9 -j ACCEPT

# Allow ALL traffic from 44.128.0.0/10
-A INPUT -s 44.128.0.0/10 -j ACCEPT

# Allow ALL traffic from 10.0.0.0/8
-A INPUT -s 10.0.0.0/8 -j ACCEPT

# Allow AREDN tunnels
-A INPUT -p udp --dport 5525 -j ACCEPT
-A INPUT -p udp --sport 5525 -j ACCEPT

# Optional: Allow ICMP for ping and diagnostics
-A INPUT -p icmp -j ACCEPT

# Forwarding rules: Send AREDN Wireguard traffic from 44net Connect to the AREDN router
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

Load and save these rules:

sudo iptables-restore < /etc/iptables/rules.v4
sudo netfilter-persistent save

Implement fail2ban on SSH

Install fail2ban:

sudo apt install fail2ban

Create /etc/fail2ban/jail.local:

[sshd]
enabled = true
backend = systemd
logpath = journal
port = ssh
maxretry = 5
findtime = 600
bantime = 86400

Start and Enable fail2ban:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure the AREDN Node Router

Configure the node as with a 44net allocation for its local LAN, and specify its IP address (for example, 44.x.y.33/29 for an allocation of 44.x.y.32/29). I used wan0 as a LAN hotspot so that my devices could connect to this router wirelessly over 2.4 ghz, and wlan1 as a WAN client to my home wireless internet connection.

I also created a tunnel server on my home AREDN router node, to which this new 44net AREDN node connects. Because my home AREDN node is exposed with a 44net IP address on a different subnet, the two are able to reach each other via the 44net Connect Wireguard tunnel via the Raspberry pi. So, I used the 44net address of my home AREDN router as the public IP from which this new node connects.

Finally, I allow WAN access to my LAN nodes (and provide a default route) through the network settings on the main page of the GUI.

Configure the Routing Table on the AREDN Router

Now, we will configure the AREDN router to route 44net traffic out via the Raspberry Pi, since the pi has a Wireguard connection to the 44net Connect tunnel.

Custom routes on the AREDN router are overwritten on reboot (as far as I can tell). In addition, the home directory is /tmp, so I was unable to use ssh key login to script the creation of these routes via ssh when the Raspberry pi boots up.

But, for good measure, I created the following startup script on the AREDN node after logging in via ssh root@localnode.local.mesh -p 2222 and creating a file /etc/init.d/customroutes (substitute 44.x.y.z/29 for your 44net subnet allocation, and 44.x.y.A for the reserved DHCP address of your Raspberry Pi that you assigned earlier from your AREDN node out of your 44net subnet allocation, in addition to a route for your tunnel endpoint 44.a.b.c in case it is within one of the routing blocks like 44.0.0.0/9 (so that it doesn’t go out over the same interface, but instead over your WAN default route gateway (which we will detect with the get_wlan1_gw function below) and wlan1 (use your WAN interface for wlan1 everywhere here):

#!/bin/sh /etc/rc.common

START=95
STOP=10

get_wlan1_gw() {
    # Output gateway for default route on wlan1, or empty string if not found
    set -- $(ip -4 route show default dev wlan1 2>/dev/null)
    [ "$1" = "default" ] && [ "$2" = "via" ] && echo "$3"
}

start() {
    logger -t customroutes "Adding custom IP routes"
    sleep 5
    ip rule add to 44.0.0.0/9 lookup main priority 5 
    ip rule add to 44.128.0.0/10 lookup main priority 6 
    ip route add 44.0.0.0/9 via 44.x.y.A
    ip route add 44.128.0.0/10 via 44.x.y.A
    ip route add 44.x.y.z/29 dev br-lan
    
    gw="$(get_wlan1_gw)"
    ip route add 44.a.b.c via "$gw" dev wlan1 
    
    logger -t customroutes "Custom IP routes added"
}

stop() {
    logger -t customroutes "Removing custom IP routes"
    ip rule del to 44.0.0.0/9 lookup main priority 5 
    ip rule del to 44.128.0.0/10 lookup main priority 6     
    ip route del 44.0.0.0/9 via 44.x.y.A
    ip route del 44.128.0.0/10 via 44.x.y.A
    ip route del 44.x.y.z/29 dev br-lan
    
    gw="$(get_wlan1_gw)"
    ip route del 44.a.b.c via "$gw" dev wlan1 
    
    logger -t customroutes "Custom IP routes removed"
}

Inside the start() function, add these lines as needed from the IP forwarding and RP filtering step above:

echo 0 > /proc/sys/net/ipv4/conf/<name>/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward 

Enable the service to run at startup on the AREDN node (although the node might not respect it):

chmod +x /etc/init.d/customroutes
/etc/init.d/customroutes enable

Scripting This from the Rasperry Pi

In case the AREDN router fails to execute this on startup, I also made a script on the Raspberry Pi to execute these ip route commands via ssh.

On the pi, create a file /usr/local/bin/setup-mesh-routes.sh with the same commands and addresses as above:

#!/bin/bash

# Define remote host and port
REMOTE_HOST="root@localnode.local.mesh"
REMOTE_PORT=2222

# Run the routing commands over SSH
ssh -p $REMOTE_PORT $REMOTE_HOST << 'EOF'
ip rule add to 44.0.0.0/9 lookup main priority 5 || true
ip rule add to 44.128.0.0/10 lookup main priority 6 || true
ip route add 44.0.0.0/9 via 44.x.y.A || true
ip route add 44.128.0.0/10 via 44.x.y.A || true
ip route add 44.x.y.z/29 dev br-lan || true

set -- $(ip -4 route show default dev wlan1)
gw="$3"
ip route add 44.a.b.c via "$gw" dev wlan1 || true
EOF

Similarly, add these lines as needed for the IP forwarding and RP filtering steps from earlier:

echo 0 > /proc/sys/net/ipv4/conf/<name>/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward 

Executing /usr/local/bin/setup-mesh-routes.sh from the raspberry pi will set up the routes. The || true clause at each line allows the script to continue and exit successfully even if the routes already exist on the router.

Automating the Script to Run at Startup

If the AREDN mesh could retain ssh keys for logging in, I could fully automate this by enabling an init.d service on the raspberry pi to execute this script whenever the wireless LAN becomes available. However, since this requires a password, I ssh into the pi and run this script myself. If you are willing to store your AREDN root password on your pi, you could pass it through the script to call ssh. The sshpass program does exactly this, and you can replace the line ssh -p $REMOTE_PORT $REMOTE_HOST << 'EOF' with:

sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no -p $REMOTE_PORT $REMOTE_HOST << 'EOF' 

Assuming you’ve set the PASSWORD environment variable in the script, from a file, or from the outside environment.

In that case, this can be established as a startup service on the pi:

Create the file /etc/system/system/aredn-routing.service:

[Unit]
Description=Configure IP routes for AREDN on boot
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/setup-mesh-routes.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Enable it to run at startup via:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable aredn-routing.service
sudo systemctl start aredn-routing.service

Configure 44net.cloud and 44net network

On the AMPR portal, request a subnet, and on 44net.cloud, request a tunnel.

Once you receive the tunnel, go back to the AMPR portal, and under Networks - My Gateways, click Create a Gateway. Fill in the 44net public IP address of your 44net.cloud tunnel as well as the DNS record for that IP address. You can use nslookup to determine if a DNS entry exists, or create your own with a third party service and use that domain name here.

Link this gateway to your 44net subnet allocation.

Configure AMPR Portal DNS Record for your Mikrotik gateway

On the AMPR portal, and under DNS - My Subdomains, select your subdomain (or create one if needed). Click Add a resource record and give a hostname like gw that points to an A record of your gateway IP address (the first usable address within your 44net subdomain; so 44.x.y.1 if your network is 44.x.y.0/29.

Configuring the Mikrotik

Log into your Mikrotik device.

Establishing Wireguard Connection to 44net.cloud

Execute the following commands in terminal mode to set up your Wireguard connection to 44net.cloud, assuming 44.X.Y.Z/32 is your 44net.cloud tunnel IP address:

# 1. Add the WireGuard interface - PUT YOUR WIREGUARD PRIVATE KEY BELOW
/interface/wireguard/add name=wg-44net listen-port=13231 private-key="YOUR PRIVATE KEY HERE"

# 2. Assign the IP address to the interface - PUT YOUR 44NET.CLOUD 44net IP ADDRESS BELOW
/ip/address/add address=44.X.Y.Z/32 interface=wg-44net

# 3. Set the DNS server (optional, for local resolver usage)
/ip/dns/set servers=1.1.1.1

# 4. Add the WireGuard peer - PUT YOUR 44NET.CLOUD PEER PUBLIC KEY, PRESHARED KEY, ENDPOINT ADDRESS, and PORT BELOW
/interface/wireguard/peers/add interface=wg-44net \
    public-key="YOUR PUBLIC KEY HERE" \
    preshared-key="YOUR PRESHARED KEY HERE" \
    endpoint-address=44.X.Y.Z \
    endpoint-port=YOUR 44NET.CLOUD PORT HERE \
    allowed-address=44.0.0.0/9,44.128.0.0/10,169.228.34.84 \
    persistent-keepalive=20

# 5. Configure traffic
/ip firewall filter add chain=input action=accept in-interface=wg-44net comment="Allow input from wg-44net" place-before=5

/ip route add dst-address=44.0.0.0/9 gateway=wg-44net comment="44Net outbound routing"
/ip route add dst-address=44.128.0.0/10 gateway=wg-44net comment="44Net outbound routing"

Here, we configure the wireguard connection to allow 44net traffic as well as traffic to the amprgw at UCSD.

Configure WAN Options

My hAp ac2 has two wireless radios on 2.4 and 5 ghz (wlan1 and wlan2, respectively). Optionally, you can configure your node as a WiFi client or hotspot to connect to the Internet or to create a hotspot. If you configure a WiFi client, be sure it (i.e., wlan2) is acting as a DHCP client in addition to the ether1 port.

Here, we will configure wlan1 as a client and put it on the bridge with our ethernet LAN ports, and then add ether1 as a DHCP client acting as the WAN port. I will also set wlan2 to act as a WiFi client so that I can connect to the internet.

First, we will set up the bridge to include the ethernet LAN ports:

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

Configure WiFi Hotspot

wlan1 can be configured as a wireless access point hotspot so that clients can connect to it and receive 44net IP addresses as if they were plugged into a LAN ethernet port. Set wlan1 to ap-bridge mode and associate it with an SSID name and security profile with your desired pre-shared keys. Then add it to the bridge:

/interface bridge port
add bridge=bridge comment=defconf interface=wlan1

Configure WiFi Client

wlan2 can be used as an WiFi client (station mode) for outbound connections from your clients to the Internet via an existing base station. I configured wlan2 as a client, and associated it with a security profile that included my pre-shared keys for the wireless network I was connecting to (similar to the WiFi hotspot I established on wlan1). I set wlan2 to be a wireless station, and set wlan2 as a DHCP client.

/interface wireless set [find name=wlan2] mode=station
/ip dhcp-client add interface=wlan2 add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes disabled=no
/interface list member
add interface=wlan2 list=WAN comment="Wi-Fi uplink is WAN too"

Configure DHCP

Set up your router’s DHCP server to use the 44net subnet you’ve been allocated by AMPR, filling in your subnet information (i.e., 44.x.y.0/29), gateway IP (i.e., 44.x.y.1), and usable IP addresses (i.e., 44.x.y.1-44.x.y.6) below. We will also set the ether1 WAN port as a DHCP client.

/ip pool
add name=dhcp ranges=44.x.y.1-44.x.y.6
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=44.x.y.0/29 gateway=44.x.y.1 dns-server=44.x.y.1
/ip dhcp-client
add interface=ether1 comment=defconf

Assigning IP addresses from your 44net Subnet and from 44net.cloud

Assign an IP address for the gateway to internal network bridge. We assume your gateway IP is 44.x.y.1 from your AMPR 44net subnet allocation.

/ip address
add address=44.x.y.1/29 interface=bridge comment=defconf

Create an IPIP Tunnel to the UCSD 44net Gateway

In order to receive IPIP packets to your gateway from UCSD, you will need an IPIP tunnel interface to UCSD (using the IP address associated with amprgw.ucsd.edu) and from your 44net.cloud IP tunnel address 44.X.Y.Z:

/interface ipip
add name=ipip-44net local-address=44.X.Y.Z remote-address=169.228.34.84 allow-fast-path=no
/ip address add address=44.X.Y.Z/32 interface=ipip-44net
/ip firewall mangle
add chain=forward tcp-flags=syn protocol=tcp out-interface=ipip-44net \
    action=change-mss new-mss=clamp-to-pmtu comment="Clamp MSS for IPIP-over-WG on egress"
add chain=forward action=change-mss protocol=tcp tcp-flags=syn in-interface=wg-44net \
    new-mss=clamp-to-pmtu comment="Clamp MSS when ingressing WG"    

Configuring the Basic Routing Table

To route traffic over the Wireguard interface and over the IPIP tunnel, add the following routing tables and routes. Here, we assume 44.x.y.z is your 44net.cloud tunnel IP address, and 44.0.0.0/29 is your AMPR 44net subnet allocation.

/routing table
add name=via-wg
add name=via-ipip
add fib name=via-wg
add fib name=via-ipip

/ip route
add dst-address=44.0.0.0/9 gateway=wg-44net comment="Send all AMPRNet traffic via WireGuard"
add dst-address=44.128.0.0/10 gateway=wg-44net comment="Send all AMPRNet traffic via WireGuard"
add dst-address=0.0.0.0/0 gateway=wg-44net routing-table=via-wg comment="Send all traffic that came in over Wireguard back out via Wireguard"
add dst-address=0.0.0.0/0 gateway=ipip-44net routing-table=via-ipip comment="Send all traffic that came in over the IPIP tunnel back out via the IPIP tunnel"
add dst-address=169.228.34.84/32 out-interface=wg-44net comment="UCSD IPIP transport via WG"
    
/routing rule
add src-address=44.x.y.z/32 interface=wg-44net action=lookup table=via-wg 
add src-address=44.x.y.z/32 interface=ipip-44net action=lookup table=via-ipip
add src-address=44.0.0.0/29 interface=wg-44net action=lookup table=via-wg
add src-address=44.0.0.0/29 interface=ipip-44net action=lookup table=via-ipip

Configuring Basic Firewall Rules

You’ll want to add additional rules to harden this installation! These simply make the tunnel connections functional, and these rules are not intended to secure the network from the outside. Here, we assume 44.x.y.0/29 is your 44net subnet allocation from AMPR, 44.x.y.1 is your gateway IP address and that 44.x.y.2-44.x.y.6 are your remaining routable IP addresses on your subnet.

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="Allow established"
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept protocol=icmp comment="Allow ICMP"
add chain=input action=accept in-interface=wg-44net comment="Allow input from wg-44net"
add chain=input action=accept dst-address=44.x.y.1 protocol=icmp comment="Allow ICMP to 44Net address"
add chain=input action=drop in-interface-list=!LAN comment="Drop non-LAN traffic"
add chain=input in-interface=wg-44net protocol=ipip action=accept comment="Allow inbound IPIP via WG"

add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="FastTrack"
add chain=forward action=accept dst-address=44.x.y.2-44.x.y.6 comment="Inbound to 44Net hosts"
add chain=forward action=accept dst-address=44.0.0.0/9 src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.128.0.0/10 src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.x.y.0/29 in-interface=wg-44net
add chain=forward action=accept out-interface=wg-44net src-address=44.x.y.0/29
add chain=forward action=accept dst-address=44.x.y.0/29 in-interface=ipip-44net
add chain=forward action=accept out-interface=ipip-44net src-address=44.x.y.0/29
add chain=forward out-interface=ipip-44net action=accept comment="Allow outbound to IPIP tunnel"

/ip/firewall/connection/tracking/set enabled=yes

Configuring DNS

Enable outside DNS lookups as follows (feel free to replace your favorite DNS servers for 1.1.1.1,8.8.8.8. We assume 44.x.y.1 is your gateway IP.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add name=router.lan address=44.x.y.1 type=A comment=defconf

Adding 44net Network Gateways to your Routing Table

You can route traffic over the IPIP tunnel directly to other 44net subnets. To do this, you need to be aware of their routing table. UCSD sends this routing table periodically to all nodes, but there is not an easy way to process them on Mikrotik routers once they’re received. Instead, we can create them manually, and flush/re-create the table on-demand to receive any updates.

This Python program can be run on your local computer, and it generates a Mikrotik script that you can upload and run on your router to populate these routing entries. They are all tagged with ampr-imported-route so that they can be flushed for re-creation without modifying the rest of your routing rules.

import requests
import ipaddress

# Upload output file to router and execute with /import file-name=ampr_routes.rsc

API_TOKEN = "YOUR AMPR PORTAL API TOKEN FROM YOUR AMPR PORTAL PROFILE PAGE"
OUTPUT_FILE = "ampr_routes.rsc"
GATEWAY = "ipip-44net" # or none to use their address, if routing over ipip already for these IP ranges
ROUTE_COMMENT = "ampr-imported-route"

# List of local subnets to skip (any CIDR you handle internally)
SKIP_PREFIXES = [
    "44.x.y.0/29",     # Your allocation
]
SKIP_NETWORKS = [ipaddress.ip_network(p) for p in SKIP_PREFIXES]

# Fetch route list from AMPRNet
response = requests.get(
    "https://portal.ampr.org/api/v2/encap/routes",
    headers={
        "Authorization": f"Bearer {API_TOKEN}",
        "Accept": "application/json"
    }
)

data = response.json()
routes = data.get("encap", [])

with open(OUTPUT_FILE, "w") as f:
    # First, remove all old AMPR routes by comment
    f.write(f"/ip route remove [find comment=\"{ROUTE_COMMENT}\"]\n")

    # Now add the updated routes
    for route in routes:
        prefix = f"{route['network']}/{route['cidr']}"
        leaseholder = route.get("leaseholder", "unknown")
        
        # Skip if the prefix overlaps any local subnet
        if any(ipaddress.ip_network(prefix).overlaps(local) for local in SKIP_NETWORKS):
            continue        
            
        if GATEWAY is None:
            gateway = route['gatewayIP']
        else:
            gateway = GATEWAY
        
        f.write(
            f"/ip route add dst-address={prefix} gateway={gateway} comment=\"{ROUTE_COMMENT}\"\n"
        )

Upload the ampr_routes.rsc file to your Mikrotik router under the Files tab, and back in the terminal, execute the following command to run the script and add the routes:

/import file-name=ampr_routes.rsc

Wrapping Up

Reboot the router and wait an hour for UCSD to start sending packets to your gateway.

Test by pinging your gateway (gw.<your call sign>.ampr.org or 44.x.y.1).

Be sure to set firewall rules to restrict traffic, especially inbound, to your router!

• allscan
• supermon
• allmon3
• skywarn plus
• dvswitch
• digital_link
• alltune

Step 1: Install ASL3

1. Prepare the Raspberry Pi:
   • Download and install the Raspberry Pi Imager.
   • Select Lite 64-bit OS and configure username, password, and enable SSH.
   • Flash the microSD card and boot the Raspberry Pi.
2. Install ASL3:

   sudo -s
   apt update && apt upgrade
   cd /tmp
   wget https://repo.allstarlink.org/public/asl-apt-repos.deb12_all.deb
   dpkg -i asl-apt-repos.deb12_all.deb
   apt update
   apt install git asl3
   

3. Configure ASL3:
   • Run the ASL configuration menu:

     asl-menu
     

   • Adjust node settings as needed and save.
   • For my setup, I set CTCSS From to usb instead of usbinvert

Access ASL3 at http://<your_ip_address>:9090.

Step 2: Configure ASL3 Components

SimpleUSB Configuration

Edit the simpleusb.conf file to set up your hardware interface:

nano /etc/asterisk/simpleusb.conf

Configure Audio Levels

Restart Asterisk and test the setup:

asterisk -r
rpt fun <your_node_number> *355553

Speak into the microphone and adjust the audio settings so that the meter just touches the 5kHz level. Disconnect when done with:

rpt fun <your_node_number> *155553

To set the audio transmit level, edit /etc/asterisk/simpleusb.conf and set the rxmixerset value. I went with a value around 650, such that running asterisk -rvvv (after restarting asterisk) and rpt debug level 7 decodes and displays DTMF codes being sent and audio levels “just about right” or at least just a bit low when testing on node 55553. I found that setting the audio level to the “just about right” setting caused the DTMF tones to be oversaturated and fail to decode, so I adjusted this to a slightly lower value.

Test AllStarLink Connection

Connect to Allstar Echo node: 40894 via the radio by entering *340894 to connect (and speak / echo), and *140894 to disconnect.

Allmon3 Setup

1. Install Allmon3:

   apt install allmon3
   

2. Configure Allmon3 settings in /etc/allmon3/allmon3.ini according to these instructions. Be sure to remove the allmon3 user account and add an admin password:

   Update passwords:

   allmon3-passwd --delete allmon3
   allmon3-passwd admin
   

   Uncomment / set account and manager.conf secret for node 1999.

3. Restart services:

   systemctl restart asterisk
   systemctl start allmon3
   

Access Allmon3 at http://<your_ip_address>/allmon3.

Echolink Setup

Edit the following files to configure Echolink: /etc/asterisk/echolink.conf and /etc/asterisk/modules.conf.

In /etc/asterisk/modules.conf, add or uncomment this line: load => chan_echolink.so. If there is a similar line with noload =>, comment that out.

In /etc/asterisk/echolink.conf, add your AllStarLink node number and set your personal EchoLink information.

Load the Echolink module and restart Asterisk:

systemctl restart asterisk

Test by connecting to *33009999 (EchoLink echo test 9999); then *13009999 to disconnect. To connect to an EchoLink node, dial *33 followed by a 6 digit EchoLink node number. If the node number is fewer than 6 digits long, prepend the node number with enough zeroes to make a 6 digit number. For example, EchoLink node 9999 is entered as 009999.

Step 3: Install and Configure DVSwitch

1. Install DVSwitch:

   wget http://dvswitch.org/bookworm
   chmod +x bookworm
   ./bookworm
   apt update
   apt install dvswitch-server
   apt install php-cgi libapache2-mod-php8.2
   

2. Configure DVSwitch:

   cd /usr/local/dvs
   ./dvs
   

   You can set modes from the dvs menu under Advanced - Configure Other Stanzas (Edit <mode>), Additional DMR Networks, and Configure Favorite TG. Additionally, you may be able to set up DV3000 USB as the vocoder here if available for D-Star support under the initial setup menu, in the Hardware Vocoder section (for example, if you have a USB ThumbDV AMBE vocoder device).

3. Edit configuration files as needed: In /opt/Analog_Bridge/Analog_Bridge.ini, under [USRP], set:

   txPort = 32001                          ; Transmit USRP frames on this port
   rxPort = 34001                          ; Listen for USRP frames on this port
   usrpAudio  AUDIO_USE_GAIN
   usrpGain = 3.00
   tlvAudio = AUDIO_USE_GAIN
   

   In /opt/MMDVM_Bridge/MMDVM_Bridge.ini, set Jitter=750 under [DMR Network], and set RX/TXFrequency to 433800000 under [Info]. You can also set your contact information in this file.

4. Set up private node 1999 in ASL3 to bridge to DVSwitch:

    sudo asl-menu
   

   Under Node Settings - AllStar Node Settings - Add Node with the following parameters: node number 1999, “None of the Above”, “Radio Interface USRP”, and “Duplex Type 0 / Half”.

   Test by connecting/disconnecting to node 1999 in allmon3. You must connect your ASL node to 1999 before using DVSwitch. You can dial *31999 to do this (and *11999 to disconnect).

5. Enable and start DVSwitch services:

   systemctl enable analog_bridge mmdvm_bridge md380-emu
   systemctl start analog_bridge mmdvm_bridge md380-emu
   

6. Test DVSwitch:

   /opt/MMDVM_Bridge/dvswitch.sh mode YSF
   /opt/MMDVM_Bridge/dvswitch.sh tune parrot.ysfreflector.de:42020
   

   In general, you can connect to any mode and endpoint via:

   /opt/MMDVM_Bridge/dvswitch.sh mode {DMR|NXDN|P25|YSF|DSTAR} # Set Analog_Bridge digital mode
   /opt/MMDVM_Bridge/dvswitch.sh tune <tg> # Tune to specific TG number/Reflector
   

   Don’t forget to connect to node 1999 either through DTMF tones, or through allmon3. You can change digital modes using the web interface at http://<your_ip_address>/dvswitch/index.php.

   Note that DVSwitch cannot parse the # private call character in a tune command using the /opt/MMDVM_Bridge/dvswitch.sh tune yourbrandmeisterpasswordhere@3102.repeater.net:62031!91 format (i.e., using !9990#). Instead, run these as two commands:

   /opt/MMDVM_Bridge/dvswitch.sh tune yourbrandmeisterpasswordhere@3102.repeater.net:62031
   /opt/MMDVM_Bridge/dvswitch.sh tune '9990#'
   

   The ! format seems to work when connecting to a non-private call talkgroup; however, it should be separated for any private calls requiring a # at the end (including the 4000# unlink command.

7. Enable DVSwitch Mode Switcher Frontend:

    sudo apt update && sudo apt upgrade && sudo apt install git nodejs
    git clone https://github.com/firealarmss/dvswitch_mode_switcher.git
    cd dvswitch_mode_switcher
   

   Follow the instructions in dvswitch_mode_switcher-README.md.txt within the above repository. I also set enabled: true under usrp in /opt/dvswitch_mode_switcher/configs/config.yml.

    cd /opt/dvswitch_mode_switcher
    cp debian/dvswitch_mode_switcher.service /etc/systemd/system/dvswitch_mode_switcher.service
    systemctl daemon-reload
    systemctl enable dvswitch_mode_switcher.service
    systemctl start dvswitch_mode_switcher.service
   

   Then, log onto the ASL3 Cockpit at http://<your_ip_address>:9090 to update the firewall to allow port 3000 access. After logging in, click Networking on the left, click Edit Rules and Zones in the firewall panel, click Custom Ports, and enable port 3000 over TCP. Alternatively, I logged in over ssh and restricted access to a particular IP block (instead of adding it through the web interface, which opens the port to all IP addresses), by running:

    cat <<EOF > /usr/local/bin/nft-allow-allstarlink.sh
    #!/bin/bash
    CHAIN_NAME="filter_IN_allstarlink_allow"
    TABLE_NAME="inet firewalld"
   
    # Wait up to 30 seconds for firewalld to create the required chain
    for i in {1..30}; do
        if /usr/sbin/nft list chain $TABLE_NAME $CHAIN_NAME >/dev/null 2>&1; then
            break
        fi
        /usr/bin/sleep 1
    done
   
    # If the chain still doesn't exist, fail
    if ! /usr/sbin/nft list chain $TABLE_NAME $CHAIN_NAME >/dev/null 2>&1; then
        echo "Error: firewalld chain $CHAIN_NAME not found after timeout"
        exit 1
    fi
   
    /usr/sbin/nft add rule inet firewalld filter_IN_allstarlink_allow ip saddr <your net address>/<your subnet i.e. 24> tcp dport 3000 accept
    EOF
   
    chmod +x /usr/local/bin/nft-allow-allstarlink.sh
   
    mkdir -p /etc/systemd/system/firewalld.service.d
   
    cat <<EOF > /etc/systemd/system/firewalld.service.d/99-add-allstarlink-rules.conf
    [Service]
    ExecStartPost=/usr/local/bin/nft-allow-allstarlink.sh
    EOF
   
    systemctl daemon-reexec
   

   Access the portal via http://<your_ip_address>:3000. Again, be sure to connect to node 1999 first! You can edit your favorite digital talkgroups by editing the /opt/dvswitch_mode_switcher/configs/tg_alias.yml file. For example:

    - tgid: "yourbrandmeisterpasswordhere@3102.repeater.net:62031!91"
      alias: Brandmeister Worldwide
   

   Again, be sure not to use the !TG suffix for private calls ending in #. Instead, configure and execute two commands to connect via a private call:

    - tgid: "yourbrandmeisterpasswordhere@3102.repeater.net:62031"
      alias: Brandmeister Master
    - tgid: "9990#"
      alias: Brandmeister Parrot Test (Connect to master first)
   

Step 4: Install and Configure Supermon

1. Install Supermon:

   cd /usr/local/sbin
   wget "http://2577.asnode.org:43856/supermonASL_fresh_install" -O supermonASL_fresh_install
   chmod +x supermonASL_fresh_install
   ./supermonASL_fresh_install
   

2. Configure Supermon:
   • Edit allmon.ini and global.inc in /var/www/html/supermon/.

   • Set up .htpasswd for authentication:

     htpasswd -cB /var/www/html/supermon/.htpasswd admin
     

3. Enable automatic database updates:

   systemctl enable asl3-update-astdb.service asl3-update-astdb.timer
   systemctl start asl3-update-astdb.timer
   

4. Access Supermon at http://<your_ip_address>/supermon.

5. Update supermon with /usr/local/sbin/supermonASL_latest_update

6. Edit /var/www/html/supermon/almon.ini to modify the top menu. For example, you can add links to all the URLs from the tools in this document for easy access.

Step 5: Configure Skywarn Plus

bash -c "$(curl -fsSL https://raw.githubusercontent.com/Mason10198/SkywarnPlus/main/swp-install)"

Configuration

1. Configure /usr/local/bin/SkywarnPlus/config.yaml file according to readme instructions.

2. Add these lines to enable weather alert tail messages at a certain interval of activity:

   tailmessagetime=60000
   tailsquashedtime=30000
   tailmessagelist=/tmp/SkywarnPlus/wx-tail
   

3. Add to root crontab:

   * * * * * /usr/bin/python3 /usr/local/bin/SkywarnPlus/ASL3_Supermon_Workaround.py
   * * * * * /usr/local/bin/SkywarnPlus/SkywarnPlus.py
   * * * * * chown -R asterisk:asterisk /tmp/SkywarnPlus 
   

4. Follow these instructions to add time and weather hourly announcements. Add or modify your root crontab as follows:

   00 00-23 * * * /usr/bin/perl /usr/local/sbin/saytime.pl 19320 62933 > /dev/null
   

Allscan

Follow these instructions.

sudo apt update; sudo apt install php unzip -y
cd ~
wget 'https://raw.githubusercontent.com/davidgsd/AllScan/main/AllScanInstallUpdate.php'
chmod 755 AllScanInstallUpdate.php
sudo ./AllScanInstallUpdate.php

Edit /etc/php/8.2/cli/php.ini and uncomment extension=pdo_sqlite and extension=sqlite3.

Test at http://<your-ip-address>/allscan (set up initial user). You can now use allscan to connect/disconnect instead of allmon3 or DTMF.

Edit favorite nodes at /var/www/html/supermon/favorites.ini:

label[] = "Label"
cmd[] = "rpt cmd %node% ilink 3 <node number>"
label[] = "Echolink Label"
cmd[] = "rpt cmd %node% ilink 3 3<0 prepadded 6 digit node number>"

Alltune

Follow the instructions at the download provided here. Extract the web files to /var/www/html/alltune and access at http://<your-ip-address>/alltune.

IAX Configuration

You can access your AllStarNode from an Android device or other IAX connection by adding the following stanza to /etc/asterisk/iax.conf:

[iaxclient]                      ; Connect from iax client (Zoiper...)
type = friend                    ; Notice type here is friend <--------------
context = iax-client             ; Context to jump to in extensions.conf
auth = md5
secret = your-secret-password-here
host = dynamic
disallow = all
allow = ulaw
allow = adpcm
allow = gsm
transfer = no
requirecalltoken=no ; to allow all connections
;calltokenoptional=0.0.0.0/0.0.0.0 ; to connect from a particular IP address

And add this in the /etc/asterisk/extensions.conf file:

[iax-client]                            ; for IAX VoIP clients.
exten => ${NODE},1,Ringing()
        same => n,Wait(10)
        same => n,Answer()
        same => n,Set(CALLSIGN=${CALLERID(name)})
        same => n,NoOp(Caller ID name is ${CALLSIGN})
        same => n,NoOp(Caller ID number is ${CALLERID(number)})
        same => n,GotoIf(${ISNULL(${CALLSIGN})}?hangit)
        same => n,Playback(rpt/connected-to&rpt/node)
        same => n,SayDigits(${NODE})
        same => n,rpt(${NODE}|P|${CALLSIGN}-P)
        same => n(hangit),NoOp(No Caller ID Name)
        same => n,Playback(connection-failed)
        same => n,Wait(1)
        same => n,Hangup

You can then configure DroidStar by adding the following in the Hosts section: IAX <your node number> <your node IP address> 4569 iaxclient your-secret-password-here, and choose your node under the IAX hosts section on the main tab. You might have to update your databases and hosts with the buttons under Settings prior to use. Once connected, you can issue DTMF codes to connect/disconnect, and use the PTT button to transmit.

Digital Link DTMF Tuning

To send DTMF tones to switch digital modes, servers/reflectors, and talkgroups, visit https://github.com/BillJr99/digital_link and follow the installation instructions there.

Enabling a ThumbDV AMBE Device

I have a USB vocoder, which I enabled by editing /opt/Analog_Bridge/Analog_Bridge.ini and setting:

[General]
decoderFallBack = true
userEmulator = false

[DV3000]
; address = 127.0.0.1
; rxPort = 2460
address = /dev/ttyUSB0
baud=460800
serial = true

References

• DVSwitch Installation Guide
• Supermon for ASL3
• DVSwitch Mode Changer
• ASL3 Installation Guide by Ham Radio and Networking
• ASL3 Installation Video by Ham Radio and Networking on Youtube
• Ham Radio Crusader Youtube Channel for Information on ASL3, DVSwitch, Supermon, SkywarnPlus, and more
• Installing Supermon on ASL3
• DVSwitch Installation
• Allmon3 and EchoLink on ASL3 by Ham Radio and Networking on Youtube
• DVSwitch and ClearNode on AllStar by Ham Radio and Networking on Youtube
• DVSwitch on AllStarLink 3 by Ham Radio and Networking on Youtube
• DVSwitch Server Part 1 and Part 2 by Ham Radio Crusader on Youtube
• ASL3 Cockpit Firewall
• SkywarnPlus on ASL3 by Ham Radio Crusader
• Supermon 7.4+ on ASL3 by Ham Radio Crusader
• Supermon for ASL3
• Time and Weather Announcements on SkywarnPlus by Ham Radio Crusader
• AllScan Setup Instructions
• Alltune

Step 1: Install Dependencies

1. Create and Activate a Virtual Environment:

   python3 -m venv venv
   source ./venv/bin/activate
   

2. Install Required Python Libraries:

   ./venv/bin/pip install dmr_utils3 dmr_utils twisted
   

3. Clone the HBLink Repository:

   git clone https://github.com/HBLink-org/hblink3 /opt/hblink/hblink3
   

4. Navigate to the Cloned Directory:

   cd /opt/hblink/hblink3
   

Step 2: Configure HBLink

Copy the _SAMPLE files and remove the _SAMPLE from the filename. Where stock configuration items are replicated by configuration text below, that stock configuration text can be commented out with the # character at the beginning of each line, or removed.

Main Configuration (hblink.cfg)

The hblink.cfg file defines your DMR systems and how they interact. For each system:

• Name: Must match across configurations.
• Port: Assign unique ports for each system.
• Talkgroup and Timeslot Settings:
  • TG9 for local traffic on Timeslot 1.
  • TG9999 for Parrot on Timeslot 2.

[GLOBAL]
PATH: ./
PING_TIME: 5
MAX_MISSED: 3
USE_ACL: True
REG_ACL: PERMIT:ALL
SUB_ACL: DENY:1
TGID_TS1_ACL: PERMIT:ALL
TGID_TS2_ACL: PERMIT:ALL

[REPORTS]
REPORT: True
REPORT_INTERVAL: 60
REPORT_PORT: 4321
REPORT_CLIENTS: 127.0.0.1

[LOGGER]
LOG_FILE: /var/log/hblink/hblink.log
LOG_HANDLERS: file-timed
LOG_LEVEL: DEBUG
LOG_NAME: HBlink

[ALIASES]
TRY_DOWNLOAD: True
PATH: ./
PEER_FILE: peer_ids.json
SUBSCRIBER_FILE: subscriber_ids.json
TGID_FILE: talkgroup_ids.json
PEER_URL: https://www.radioid.net/static/rptrs.json
SUBSCRIBER_URL: https://www.radioid.net/static/users.json
STALE_DAYS: 7

[MASTER-1]
MODE: MASTER
ENABLED: True
REPEAT: True
MAX_PEERS: 10
EXPORT_AMBE: False
IP: 
PORT: 62030
PASSPHRASE: xxx
GROUP_HANGTIME: 5
USE_ACL: True
REG_ACL: DENY:1
SUB_ACL: DENY:1
TGID_TS1_ACL: PERMIT:ALL
TGID_TS2_ACL: PERMIT:ALL

[PARROT]
MODE: PEER
ENABLED: True
LOOSE: False
EXPORT_AMBE: False
IP: 
PORT: 62031
MASTER_IP: 127.0.0.1
MASTER_PORT: 54100
PASSPHRASE: xxx
CALLSIGN: ECHO
RADIO_ID: 9999
RX_FREQ: 000000000
TX_FREQ: 000000000
TX_POWER: 1
COLORCODE: 1
SLOTS: 2
LATITUDE: 0
LONGITUDE: 0
HEIGHT: 0
LOCATION: Server Echo: TG 9999
DESCRIPTION: Echo server
URL: 
SOFTWARE_ID: DMRGateway-20190702
PACKAGE_ID: MMDVM_HBlink
GROUP_HANGTIME: 5
OPTIONS:
USE_ACL: False
SUB_ACL: DENY:1
TGID_TS1_ACL: PERMIT:ALL
TGID_TS2_ACL: PERMIT:ALL

Rules Configuration (rules.py)

The rules.py file specifies conference bridges and how systems interact. Here, I bridge TG9 over timeslots 1 and 2, so that connections can be made from either timeslot. To force a single timeslot, comment out the timeslot under PRIVATE_TG that you do not wish to connect to TG9, and/or comment out the entire bridge block PARROT_TS1 and/or PARROT_TS2 to eliminate that timeslot. In this example, the parrot bridges are each made on individual timeslots, so they won’t cross over. This increases the performance of the echo replies, but prevents echos being heard on the opposite timeslot from which they arrived (this is generally expected with parrot systems).

BRIDGES = {
    # Local/private: TG 9 on both slots. Traffic on either slot is forwarded to the other.
    'PRIVATE_TG': [
        {'SYSTEM': 'MASTER-1', 'TS': 1, 'TGID': 9, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9], 'OFF': []},
        {'SYSTEM': 'MASTER-1', 'TS': 2, 'TGID': 9, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9], 'OFF': []},
    ],

    # Parrot: TG 9999 on one or both slots individually.
    'PARROT_TS1': [
        {'SYSTEM': 'MASTER-1', 'TS': 1, 'TGID': 9999, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9999], 'OFF': []},
        {'SYSTEM': 'PARROT',   'TS': 1, 'TGID': 9999, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9999], 'OFF': []},
    ],    
    'PARROT_TS2': [
        {'SYSTEM': 'MASTER-1', 'TS': 2, 'TGID': 9999, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9999], 'OFF': []},
        {'SYSTEM': 'PARROT',   'TS': 2, 'TGID': 9999, 'ACTIVE': True, 'TIMEOUT': 2, 'TO_TYPE': 'NONE', 'ON': [9999], 'OFF': []},
    ]
}

UNIT = [] #['ONE', 'TWO']

Replace MASTER-1 and PARROT with the names of your systems as defined in hblink.cfg.

Playback Configuration (playback.cfg)

Configure the Parrot repeater as described in the GitHub HBLink3 Parrot Config.

• Talkgroup: 9999
• Timeslot: 2
• Color Code: 1

[GLOBAL]
PATH: ./
PING_TIME: 10
MAX_MISSED: 5
USE_ACL: True
REG_ACL: PERMIT:ALL
SUB_ACL: DENY:1
TGID_TS1_ACL: PERMIT:ALL
TGID_TS2_ACL: PERMIT:ALL

[REPORTS]
REPORT: False
REPORT_INTERVAL: 60
REPORT_PORT: 4322
REPORT_CLIENTS: 127.0.0.1

[LOGGER]
LOG_FILE: /var/log/hblink/parrot.log
LOG_HANDLERS: file-timed
LOG_LEVEL: INFO
LOG_NAME: Parrot

[ALIASES]
TRY_DOWNLOAD: False
PATH: ./
PEER_FILE: peer_ids.json
SUBSCRIBER_FILE: subscriber_ids.json
TGID_FILE: talkgroup_ids.json
PEER_URL: https://database.radioid.net/static/rptrs.json
SUBSCRIBER_URL: https://database.radioid.net/api/dmr/user/?country=United+States
STALE_DAYS: 7

[PARROT]
MODE: MASTER
ENABLED: True
REPEAT: True
MAX_PEERS: 10
EXPORT_AMBE: False
IP:  
PORT: 54100
PASSPHRASE: xxx
GROUP_HANGTIME: 5
USE_ACL: True
REG_ACL: DENY:1
SUB_ACL: DENY:1
TGID_TS1_ACL: PERMIT:9999
TGID_TS2_ACL: PERMIT:9999

Testing Configuration

To test the configuration, run the rules.py file:

mkdir /var/log/hblink
python3 rules.py

Step 3: Start Services

Set up /lib/systemd/system/hblink.service to run python bridge.py (in your relevant directories) and /lib/systemd/system/parrot.service files to run python playback.py playback.cfg (again, with the relevant directory paths). For example:

hblink.service

[Unit]
Description=Start HBlink
After=multi-user.target

[Service]
ExecStart=/home/w1clk/.venv/bin/python /home/w1clk/bin/hblink3/bridge.py

parrot.service

[Unit]
Description=HB bridge all Service
After=network-online.target syslog.target
Wants=network-online.target

[Service]
StandardOutput=null
WorkingDirectory=/home/w1clk/bin/hblink3
RestartSec=3
ExecStart=/home/w1clk/.venv/bin/python /home/w1clk/bin/hblink3/playback.py -c /home/w1clk/bin/hblink/playback.cfg
Restart=on-abort

[Install]
WantedBy=multi-user.target

systemctl enable parrot.service
systemctl enable hblink

systemctl start parrot.service
systemctl start hblink

1. Enable and Start HBLink:

   systemctl start hblink
   

2. Enable and Start Parrot:

   systemctl start parrot.service
   

Step 4: Set Up Your Radio

• Talkgroups:
  • TG9 for local communication.
  • TG9999 for Parrot playback.
• Timeslots:
  • TG9 on Timeslot 1.
  • TG9999 on Timeslot 2.
• Color Code: 1.
• Monitor Mode: Enable monitor mode or add the talkgroups to a receive group to hear responses.

Talkgroup Forawrding with a pi-star

If you are using a pi-star or wpsd device for DMR, you can configure an additional DMR master network with talkgroup forwarding, which will enable you to program unique talkgroup numbers into your radio for use with the pi-star, and the pi-star will forward those talkgroup numbers to the ones we configured on the HBlink server. Add a DMR network with the following settings, or add the following stanza to the DMR configuration file (using the passphrase you chose in the configuration files):

[DMR Network 4]
Enabled=1
Name=HBlink
Id=<your DMR ID here>
Address=<IP address of your HBlink server>
Port=62030
TGRewrite0=1,60009,1,9,1
TGRewrite1=1,69999,2,9999,1 
TGRewrite2=2,60009,1,9,1 
TGRewrite3=2,69999,2,9999,1
Password="xxx"
Location=0
Debug=0

Substitue “DMR Network #” for the appropriate network number - generally one higher than the other stanzas. This rewrites talkgroups 60009 to HBlink talkgroup 9, and 69999 to HBlink talkgroup 9999. You can adjust 60009 and 69999 to whatever you’d like to use on your radio, and adjust 9 and 9999 to the ones you configured when you set up the HBlink server configuration files above.

Notes

I set the password in this guide to xxx, but you can replace this with a password of your choosing. Be sure to replace it in all config files! In addition, the primary port for the HBlink server in this configuration is 62030, while the parrot repeater uses ports 62031 and 54001 behind the scenes. These can be adjusted in the configuration files as well.

References

• HBLink GitHub Repository
• DMR Configuration Guide
• HBlink self-contained forked repository and configuration details

Prerequisites

• A Raspberry Pi with a supported operating system.
• An AREDN node with MeshPhone support.
• A 44net allocation (optional).

Step 1: Install FreePBX

I installed FreePBX version 17.0.19.17 with Asterisk 21.5.0 using a script. You can also flash a prebuilt FreePBX Raspberry Pi image to your SD card.

Step 2: Configure FreePBX

Use the configuration instructions provided on this mesh page (AREDN mesh connection required to view): MeshPhone FreePBX Configuration

Configuration Steps

1. Create an Extension:
   • Note the secret, which will be provisioned on your phone.
   • Configure your phone with the server IP and port (default: 5060).
2. Firewall Configuration: If using 44net, set up your router and FreePBX node firewall.

Step 3: Router and Firewall Configuration

On the 44net Router:

If your AREDN router is behind a 44net router, forward traffic for SIP (port 5060) as follows:

/ip firewall filter add chain=input protocol=tcp port=5060 src-address=<your 44net cloud IP> action=accept comment="Allow TCP 5060 from specific IP"
/ip firewall filter add chain=input protocol=udp port=5060 src-address=<your 44net cloud IP> action=accept comment="Allow UDP 5060 from specific IP"

Move these rules above any default drop rules in WebFig.

On the AREDN Node:

Forward port 5060 (TCP/UDP) to the FreePBX server.

On the FreePBX Node:

If using 44net, add your allocation to SIP Settings as a local network:

• Under SIP Settings: Add your 44net allocation.

Add firewall rules via SSH to allow traffic:

sudo iptables -A INPUT -p udp --dport 5060 -s <your AMPR 44net allocation>/<subnet> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5060 -s <your AMPR 44net allocation>/<subnet> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5060 -s <your 44net cloud IP>/32 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5060 -s <your 44net cloud IP>/32 -j ACCEPT

Make these rules persistent:

sudo iptables-save > /etc/iptables/rules.v4

Step 4: Trunk Configuration

Modify the following files to set up trunking with MeshPhone. Retrieve example files from: MeshPhone FreePBX Configuration

File Modifications

iax_custom.conf

[<your peer's callsign here>]    ; must match username coming from far end
type=friend                      ; peer=outgoing; user=incoming; friend=both way
host=<your peer's PBX IP address here>  ; send calls to this host IP address at far end
username=<your callsign here>   ; username sent to far end
secret=<a shared password here> ; shared secret between both ends
auth=plaintext                   ; plaintext; rsa; md5
context=MeshPhone                ; destination context for incoming calls
disallow=all                     ; disallow all incoming codecs
allow=ulaw                       ; allow ulaw codec
allow=alaw                       ; allow alaw codec
allow=gsm                        ; allow gsm codec
qualify=yes                      ; constantly ping far end to determine trunk status
transfer=no                      ; do not directly connect endpoints
trunk=yes                        ; allow multiple simultaneous calls

globals_custom.conf

NEIGHBOR=<your peer's callsign here>
; [globals] line commented out (if necessary)

meshphone.conf

Add below the first local extension rule, if not already present. Replace XXXXXXX with the peer’s phone number range (e.g., 55512xx for numbers starting with 55512):

; NEIGHBOR=<your peer's callsign here>
exten => _XXXXXXX,1,Dial(IAX2/${NEIGHBOR}/${EXTEN})
exten => _XXXXXXX,n,GoTo(Utilities,Sorry,1)

extensions_custom.conf

Add below access codes to create 4-digit dialing rules. Replace XXXX with the dialing plan and YYY with the area code to prepend:

exten => _XXXX,1,GoTo(MeshPhone,YYY${EXTEN},1)

And to get the office code to echo by overriding the default error response, add this to the bottom of extensions_custom.conf:

[ext-local-custom]
exten => _X.,1,NoOp(Custom Bad-Number Handling)
exten => _X.,n,ResetCDR()
exten => _X.,n,Set(CDR_PROP(disable)=true)
exten => _X.,n,Progress()
exten => _X.,n,Wait(1)
exten => _X.,n,Goto(Utilities,Sorry,1) ; Redirect to custom "Sorry" message
exten => _X.,n,Hangup()

exten => i,1,NoOp(Custom Invalid Number Handling)
exten => i,n,ResetCDR()
exten => i,n,Set(CDR_PROP(disable)=true)
exten => i,n,Progress()
exten => i,n,Wait(1)
exten => i,n,Goto(Utilities,Sorry,1) ; Redirect to custom "Sorry" message
exten => i,n,Hangup()

Optional: Public Availability via 44net

To connect a phone via Groundwire using your 44net allocation:

1. Set up a WireGuard connection from your mobile phone to the 44net allocation.
2. Configure Groundwire to connect to your PBX over the 44net address (making sure to allow that 44net address through your 44net firewall, your PBX firewall, and port forwarding from the AREDN router).

Installing WireGuard

To install Wireguard (if needed to make a connection to 44net), run the following from your PBX:

sudo apt install wireguard -y
sudo modprobe wireguard resolvconf

Configure WireGuard

Then, save your public and private key to /etc/wireguard/publickey and /etc/wireguard/privatekey, respectively, and enter your Wireguard configuration and peer information into /etc/wireguard/wg0.conf. Set their permissions:

chmod 600 /etc/wireguard/privatekey
chmod 600 /etc/wireguard/wg0.conf

I removed the IPv6 address from my Wireguard configuration because my pbx does not support IPv6.

Starting the Wireguard Tunnel

Start the tunnel to test, and set it to start at startup, via:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Allow SIP Port(s) through the Wireguard Interface

Modify iptables as follows to allow port 5060 (and/or others) through the wg0 interface:

sudo iptables -A INPUT -i wg0 -p udp --dport 5060 -j ACCEPT
sudo iptables -A INPUT -i wg0 -p tcp --dport 5060 -j ACCEPT
sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
sudo iptables-save >/etc/iptables/rules.v4

Set the Outside IP Address and Local Networks on the FreePBX Configuration Portal

Log into the FreePBX webpage, and go to Settings - Asterisk SIP Settings. Set your external address to your tunnel address (or other outside address), and add the subnet of that address to your list of local networks.

Enabling Multiple Registrations Per line

To allow pjsip extension users to have multiple registrations (i.e., phones) on their line, you can go to Connectivity - Extensions - Advanced and set Max Connections to 5. You can also set Outbound Concurrency Limit to 3. Then, under Connectivity - Extensions - Find Me/Follow Me, enable this feature and set the rule to ringallv2-prim.

Optional: fail2ban

To auto-reject invalid registration attempts, you can install fail2ban via:

apt install fail2ban

Save and apply all changes to FreePBX and your network configurations.

So I propose that we acknowledge these as guidance systems, and provide some mentorship and coaching regarding the risks in using them, and ways to mitigate that risk. In particular, I see an opportunity to motivate and to teach software testing as even more critical as we rely more heavily on automatically generated code (or, for that matter, code that one finds from anonymous sources on the Internet!).

To try this out, I provided the following prompt to ChatGPT:

Write a python program that extracts N bits from an IPv4 address given a netmask N

And I got the following response:

def extract_bits(ip_address, netmask_bits):
    # Convert IP address to a list of integers
    ip_list = [int(x) for x in ip_address.split(".")]

    # Create a binary string of the netmask
    netmask = "1" * netmask_bits + "0" * (32 - netmask_bits)

    # Convert the binary netmask to a list of integers
    netmask_list = [int(netmask[i:i+8], 2) for i in range(0, 32, 8)]

    # Apply the netmask to the IP address
    masked_ip = [ip_list[i] & netmask_list[i] for i in range(4)]

    # Convert the masked IP address to a binary string
    masked_ip_str = "".join(format(byte, "08b") for byte in masked_ip)

    # Extract the first N bits from the masked IP address
    extracted_bits = masked_ip_str[:netmask_bits]

    # Convert the extracted bits to an integer
    extracted_int = int(extracted_bits, 2)

    return extracted_int

It even provided me with an example on how to invoke this function:

# In this example, the function extracts the first 24 bits (corresponding to the first three octets) from the IP address "192.168.1.100" using a netmask of 24 bits. The resulting value is 192.

ip_address = "192.168.1.100"
netmask_bits = 24
extracted_bits = extract_bits(ip_address, netmask_bits)
print(extracted_bits)  # Output: 192

Pretty impressive, even if it is simply mining the Internet for text to synthesize as a response. The problem is that it is not clear that this program is generating the correct output. When I call this function according to the example it gave, I get 12625921 as the output. Incidentally, that’s 0b0b110000001010100000000001 in binary. That does correspond to the first 24 bits of the address. But the comment says to expect the output to be 192, which is not quite right. Even still, it would be nice to report the network address in the typical a.b.c.d format, or at least as a list of octets, such as [192, 168, 1, 0]. Perhaps this was the result of ambiguity in the question I posed to ChatGPT, but regardless, I’m curious as to whether we could continue to use ChatGPT prompts to finish this program.

I decided to ask ChatGPT to write another program to help me to do this, by converting a 32-bit integer (that the original function was returning to me) into a list of 4 octets, like a typical IPv4 network address:

Write a program to convert an integer containing 32 bits to a list of four 8-bit values in python

To which it wrote:

def int_to_bytes(n):
    # Convert integer to binary string
    binary_str = format(n, "032b")

    # Split binary string into four 8-bit chunks
    byte_strs = [binary_str[i:i+8] for i in range(0, 32, 8)]

    # Convert each 8-bit chunk to an integer
    bytes = [int(byte_str, 2) for byte_str in byte_strs]

    return bytes

It provided the following example invocation:

# In this example, the function converts the integer 4278190080 to a binary string ("11111111000000000000000011111111") and then splits it into four 8-bit chunks ("11111111", "00000000", "00000000", and "11111111"). Finally, it converts each 8-bit chunk to an integer ([255, 0, 0, 255]). The resulting value is a list of four 8-bit values that represent the number 4278190080 in binary.

n = 4278190080
bytes = int_to_bytes(n)
print(bytes)  # Output: [255, 0, 0, 255]

Interesting, it got the comment wrong in the example again. [255, 0, 0, 0] is the expected output for this example.

To combine these two programs, I called int_to_bytes from the original extract_bits function, right before the return statement. To do this, I had to shift the network address to the left, since the network address bits are the uppermost bits of an IPv4 address. Then, I called int_to_bytes with this resulting value. Although I did this manually, I think it would be an interesting assignment to ask students to continue to prompt ChatGPT until it came up with this solution, sort of like a coding version of the game “Taboo.” Here’s the solution, now ask the right question to get an AI to generate it. It’s a little more challenging that it sounds. For example, one wouldn’t know to ask the AI to shift the bits of the network address without an understanding of IP address formats.

    # PAD 0's ON THE LEAST SIGNIFICANT (COMPUTER ADDRESS) BITS
    extracted_int = extracted_int << (32 - netmask_bits)
        
    # CONVERT BACK TO OCTETS
    extracted_int = int_to_bytes(extracted_int)

Additionally, we should take care to validate this program. We always say this is a best practice, but students are usually pretty confident in their solutions. Perhaps they’d be more convinced that some arbitrary code shouldn’t be trusted, especially if the output does not make sense, and if it does not align with the generated comment. Another fun exercise is to generate unit tests for AI generated code, and to revise the prompts until the tests pass. Using pytest, here are a few brief tests for the code that my prompts generated here:

# pip install pytest
# run with: pytest

from to_octets import int_to_bytes 
from netmask2 import extract_bits 

def test_netmask():
    assert extract_bits("192.168.1.100", 24) == [192, 168, 1, 0]

def test_int_to_bytes():
    assert int_to_bytes(4278190080) == [255, 0, 0, 0]

Impressively, ChatGPT got this program nearly correct on the first prompt. However, it took a little massaging to get things quite right. This is arguably due to unclear wording in the question itself, but that’s the point: how would you know? Beyond this, the commenting of the code itself wasn’t quite right, which doesn’t inspire confidence! I think this leads to a fun game, of sorts, in which you propose a problem statement, ask an AI to generate a solution, test it, and refine the prompt. There’s a lot to learn about how these generative AI systems work, about how we can leverage them in healthy ways, and, perhaps most importantly, about the limitations of these systems and how the “human-in-the-loop” is expected to contribute to the solution.

If we have a VarIOT ThingsBoard gateway (which can be installed on a Raspberry Pi), we can connect it with a ThingsBoard server (one of which is hosted at Drexel Univesrity) to send telemetry data from IoT sensors that we can collect and evaluate using a micro:bit. For example, we could send environmental data like temperature or humidity, or biomedical data like one’s respiratory rate (or anything else you can imagine!).

Configuring a VarIOT Gateway

You can install VarIOT and the ThingsBoard software on a Raspberry Pi by following these instructions. These steps also describe how to connect a gateway to a ThingsBoard server.

Enabling Web Access to the Gateway

I edited the ~/thingsboard-gateway/thingsboard-gateway/thingsboard_gateway/config/tb-gateway.yaml configuration file on my Raspberry Pi and un-commented the code in the REST block to allow REST access from the micro:bit.

ThingsBoard provides an article describing how to configure the gateway and, specifically, how to configure RESTful access. You can add your own endpoints here following the template provided in the ~/thingsboard-gateway/thingsboard-gateway/thingsboard_gateway/config/rest.json file.

One thing that is required is to change the host name from 127.0.0.1 to 0.0.0.0 so that the endpoints are available from the outside world. I did not enable SSL, since I don’t have SSL built into the code of the HTTP extension driver. For this reason, I’m also not using a username or password, since these would be sent in clear text, but these are prototyping practices only (and not for production use!).

Connecting to a VPN

If needed, you can VPN to the ThingsBoard server by running: sudo openconnect -u <your user name> -b <vpn server name> on your Gateway Raspberry Pi. This will allow your gateway to connect to a server that is behind a VPN.

Testing the RESTful Configuration

In my rest.json file, I see that I have an endpoint called my_devices. This is not the most descriptive name, since it’s just a template, but rather than modify it, I’ll use it for this demo so that we have a proof of concept with minimal configuration effort. We can test this endpoint using a curl command from a terminal:

curl http://rpi4-variot:5000/my_devices -H "Content-Type: application/json" -X POST --data '{"temp": 25, "sensorName": "Mongan Gateway", "sensorType": "default", "sensorModel": "testmodel"}'

This endpoint is configured to map the temp parameter to the temperature telemetry value. For fun, I also send an attribute called model that is mapped to the sensorModel parameter in the configuration, and I will send the value testmodel. This can be left out. When I configured my Gateway, I called my gateway sensor Mongan Gateway, and so I will configure this as the sensorName as well.

Connecting the micro:bit to WiFi

Next, we will connect the micro:bit to WiFi so that we can connect to the Internet and send telemetry data to the gateway. The instructions and diagrams provided by these instructions for a ThingSpeak board are exactly what we need. I did not bother connecting an LED or the USB, so only the connections to the ESP8266 WiFi module was needed.

I used a breadboard, jumper wires, and an ESP8266 WiFi Module to do this, as well as a breadboard power supply. I also used a micro:bit breakout board so that I can connect jumper cables to the pins of the micro:bit from the breadboard, rather than needing to use the allegator clips to clamp to the metal pads. I’ll include links to the items I used.

• MB-102 Breadboard Power Supply
• MB-102 Breadboard
• Jumper Cables
• Microbit Breakout Board

I connected the Rx pin of the WiFi module to P0 of the micro:bit, the Tx pin to P1, VCC and CH_EN to the 3V pin for power, and ground to the ground pin, as shown in the diagrams of the wiring diagram and pinout (shown below; image credit Alan Krantas via the alankrantis/pxt-ESP8266_ThingSpeak GitHub repository under an MIT License):

Following these diagrams, I wired my WiFi module to the micro:bit as follows:

Writing the micro:bit Program

Finally, we can import this extension into a micro:bit project. To do this, create a micro:bit project at makecode.microbit.org and click the settings cog at the top right. Choose Extensions, and search for VarIOT. Alternatively, you can import this URL directly to import the extension from GitHub: https://github.com/BillJr99/pxt-ESP8266_VarIOT.

That’s it! You can now use VarIOT blocks to send data to the VarIOT gateway. There are three basic steps (and blocks) to do this:

1. on start: add an Initialize ESP8266 block. The RX and TX pins should be set to P0 and P1, respectively (this seems backwards from the pinout wiring we did earlier, and that’s OK, because the Rx of the WiFi is the Tx of the micro:bit, and vice-versa!). Set your WiFi SSID and password here.
2. Also on start, but after connecting to WiFi, add a Configure VarIOT gateway location block and set the IP address and port of the VarIOT gateway. For me, that is rpi4-variot and 5000, but this will depend on the IP address of the Raspberry Pi and the port used when configuring the gateway above.
3. Whenever you’d like, add an Upload data to VarIOT block and fill in the details. For me, I used the following settings from when I configured the gateway:
   • Endpoint: my_devices
   • Device Name: Mongan Gateway
   • Label: temp
   • Value: 55

That should do it! When you view your gateway dashboard on the server, you should see this value appear. Here is the code:

Programming the micro:bit Extension to Connect to VarIOT

You don’t have to do this step, but if you’re interested, this section describes how I created the micro:bit extension blocks for use in your micro:bit program (to connect to VarIOT).

To do this, I forked the alankrantas/pxt-ESP8266_ThingSpeak repository into my own extension, which I call BillJr99/pxt-ESP8266_VarIOT, under an MIT license.

All of the original repository’s WiFi connection and TCP connection code applies here, so I was able to re-use that. In effect, we will run our cURL command that we saw above to send telemetry data to the Gateway, but we’ll get these values from a micro:bit! I moved this code into a function called doHTTP, and created blocks that send an HTTP request to post data from the micro:bit as follows:

    /**
    * Connect to VarIOT and upload data. It would not upload anything if it failed to connect to Wifi or VarIOT.
    */
    //% block="Upload data to VarIOT|Endpoint = %endpoint|Label = %label|Value = %value"
    //% endpoint.defl=mongan
    //% label.defl=temp
    //% value.defl=45
    export function sendVarIOTTelemetry(endpoint: string, label: string, value: number) {
        let body: string = "{\"" + label + "\": " + value + "}"
        let str: string = "POST /" + endpoint + " HTTP/1.1\r\n" + "Content-Type: application/json" + "\r\n" + "Content-Length: " + body.length + "\r\n\r\n" + body + "\r\n\r\n"
        doHTTP(str)
    }

    /**
    * Connect to VarIOT and upload data given a device name. It would not upload anything if it failed to connect to Wifi or VarIOT.
    */
    //% block="Upload data to VarIOT|Endpoint = %endpoint|Device Name = %devicename|Label = %label|Value = %value"
    //% endpoint.defl=mongan
    //% devicename.defl="Mongan Gateway"
    //% label.defl=temp
    //% value.defl=45
    export function sendVarIOTTelemetryByDeviceName(endpoint: string, devicename: string, label: string, value: number) {
        let body: string = "{\"" + label + "\": " + value + ", \"sensorName\": \"" + devicename + "\"}"
        let str: string = "POST /" + endpoint + " HTTP/1.1\r\n" + "Content-Type: application/json" + "\r\n" + "Content-Length: " + body.length + "\r\n\r\n" + body + "\r\n\r\n"
        doHTTP(str)
    }

    /**
    * Configure VarIOT gateway location
    */
    //% block="Configure VarIOT gateway location|URL/IP = %ip|Port = %port"
    //% ip.defl=rpi4-variot
    //% port.defl=5000
    export function configureVarIOT(ip: string, port: string) {
        variot_configured = true
        variot_ip = ip
        variot_port = port
    }

We will sample some tools that have been developed and used in Southeastern Pennsylvania to enable students to explore computing concepts and discover solutions to authentic problems, with an aim toward building their confidence in creatively applying technology to workforce-relevant application domains. We will connect these tools to potential careers and career pathways, and conclude with a survey of industry-grade no-code (or ubiquitous-code) platforms for further exploration.

Sections

1. Bridging the Classroom and Workforce through Design Thinking
2. Platforms and Activities
   1. Lost-and-Found with the BBC Microbit
   2. R and SQL in the Browser
   3. Replit in the Classroom
   4. The Internet-of-Things (IoT): Analyzing Live Medical and Environmental Sensors with the VarIOT Platform at Drexel University
3. Authentic Problems between Industry and K-20 for Broad Careers and Skills

Bridging the Classroom and the Workforce through Design Thinking

Some problems are hard to approach because we lack the complete worldview required to solve them entirely. These are problems that are larger than any one of us, and require collaborative and often multidisciplinary teams. There is no “perfect” textbook solution, and so an iterative cycle of planning, trial, evaluation, and feedback is needed. These authentic problems provide opportunities to develop and apply design thinking skills.

Design Thinking seeks to understand the problem domain, which requires discussion with a variety of stakeholders [¹, ²]. We’re not likely to know all the right stakeholder groups until we “live and learn,” and so this is an iterative and perhaps never-ending process. One way to approach this is to experiment and prototype with potential solutions, and then “shop them” to your stakeholder groups for feedback. Learning a new concept, whether it is a lesson on the Federalist Papers, the Pythagorean Theorem, or computer programming, can be considered an opportunity to learn and explore in-context through the Design Thinking process. No-code platforms provide a mechanism to express those designs in an automated and collaborative environment. In essence, we are applying inquiry and discovery learning through the use of technology platforms that are accessible to students across any discipline (in other words, not just the computer class). By viewing problems through the lense of the stakeholder, we bring empathy into the problem space, incorporate a “backwards design” by approaching problems from an outcomes perspective, and facilitate creative innovation in the classroom setting through role playing activities.

This approach enables collaboration across different classroom environments - not just between the STEM students and the context disciplines, but between entire environments. For example, a rural school district familiar with regional challenges (for example, an agricultural or healthcare need) could engage with suburban and urban school districts with their own regional challenges (for example, traffic or environmental needs) to exchange broader perspectives and diversity of thought. Often, the technology and platforms required to approach these challenges is similar across these problem spaces, and exchanging common ideas creates new pathways to collaboration as well as a diversification of perspectives.

Platforms and Activities

Lost-and-Found with the BBC Microbit

If you’ve ever lost your backpack, glasses, or other items, you might be aware of tools designed to help find those items by playing a sound and letting you see how close you are to the missing item. By listening to the sound, you can track down where the missing item is. As you get closer to the source, the sound becomes louder. Sometimes, devices like these emit a radio signal - not an audible sound, but an invisible wave of light, that computers can sense with a radio antenna. As you get closer to the source of the signal, the intensity of the signal increases, just like the sound did. Using the BBC Microbit no-code platform, we will develop a system to communicate a radio signal between two devices to play a game of “hide and seek” where the goal is to locate the source of the invisible signal [³].

First, students should plan a solution together: what steps are required to play a game of Marco Polo? Without requiring a technical background, some insights can emerge: every so often, the “source” generates a signal that the players can hear (but can’t see); this sound has a direction and intensity that helps the players move closer to the source. As this repeats, if the sound becomes louder, we can infer that we are getting closer.

Let’s make a flow-chart of this idea and lay out the building blocks in the software environment.

We can build each of these steps in the Microbit Makecode environment [³]. We will build this from scratch, but you can import it by clicking the Import button and importing from this URL: https://github.com/billjr99/hide-and-seek. This environment includes a simulator that will run the project without physical hardware, but if you have the devices, they can be downloaded to a physical Microbit by clicking the three dots next to the Download button, and choosing “Connect to Device” from the menu that appears. You’ll need two divices for this project (one to “hide” and one to “seek”).

Getting Started: Sending a Signal

The project opens with two “functions” or slots that we can fill in with behaviors: “on start” and “forever.” The “on start” function will allow us to set up items that we’d like to keep track of during the program, while the “forever” function will dictate what happens over and over. From the flowchart, we can see that everything happens in this “over and over” loop - and is kicked off by sending a signal to our partner. Under the “Radio” section of blocks on the left, there is a “radio send number” behavior that we can drag into the “forever” function. We’re just measuring how loud the signal is: when playing “Marco Polo” the “signal” is to shout the word “Marco,” but in reality, it doesn’t matter what the word is! We’re really listening for the intensity of the sound. So, any number will do here.

In the “on start” section, use the “radio set group” to set what is called the “radio group” - this is like setting the channel on a walkie talkie so that each pair of radios can communicate in isolation. Choose any number here, as it will be the same for both devices.

Finally, if you’re using a real physical Microbit device, using the radio continuously in the “forever” function will drain your batteries very quickly. You can add a “pause” behavior in the “forever” loop to stop in between signals (imagine yelling “Marco” over and over continuously! It’s OK to put a little break in between). I put a 1000 millisecond pause into my loop, so it will send a signal every second. Feel free to adjust this as you like.

Getting Warmer or Colder?

Whenever we receive a signal, we want to ask ourselves whether that signal is “louder” or “softer” than the last time we received it. To do this, we will introduce the concept of “variables.” These are values that we can remember over time. We’re interested in remembering the intensity or “received signal strength indicator” (RSSI) of the last wireless radio signal we received, so we’ll create a variable called lastRSSI. In the “on start” function, add a “set variable” behavior and create this lastRSSI variable. You can give it any starting value that you like, since it will update over time.

We’ll compare this value to the new signal each time we receive one. We’ll set the variable value to the current signal strength as well, so that next time, we can compare that, too. This is like remembering in your mind how loud the “Marco” shout was the last time you heard it, and comparing it to what you’re hearing now. Next time, you’ll compare it to what you just heard, and so on.

You can drag other functions into the canvas; under the “Radio” section, there is a function called “on radio received.” This function will execute any time a new signal is received. It comes with its own variable (known as a “parameter”), called receivedNumber. This is the number that you sent during the “radio send number” behavior. We don’t really need it: it doesn’t matter what the signal was (“Marco” or “Hello” or anything else!), but rather how loud it was!

On our flowchart, we want to ask whether this signal is louder or softer than the last one. The current signal strength can be found in the “received packet: signal strength” behavior under the “Radio” section on the left. Since we’re asking a question about this value, we can use the “if - else” behavior found under the “Logic” section. In the if block, drag the “X > Y” behavior from the “Logic” section and place it inside the diamond shaped space of the if behavior. Inside that, you can place the “received packet: signal strength” value, and the lastRSSI variable.

If the current signal strength is greater than the last one, we’re getting closer! I used the “show arrow: North” behavior to show this on the LED display, and dragged that inside the if block. In the else block, we know that the signal is not stronger, so it is either weaker or the same. I used the “show arrow: South” behavior to show this, and dragged it into the else portion of the if behavior.

Finally, after the if block, I added a “set lastRSSI to” behavior. We want to set this variable to the current signal strength. We checked this value just a moment ago, and itw as called “received packet: signal strength.” Let’s set lastRSSI to the received packet signal strength.

And that’s it! If you run this, you should see arrows on the two devices showing if they are getting “warmer” or “colder.” With physical devices, you can walk around to see this in action. On the simulator, there is a square “wave” in the top right simulating the radio activity. You can click and drag left or right to increase or decrease the signal strength, and you should see the arrows update accordingly.

Optional: What if the Signal Strength Hasn’t Changed?

The if behavior has a cousin called the “if - else if - else” block. This allows us to ask multiple questions in the same if statement. Previously, we asked if the signal was stronger than the previous one, and showed a “North” arrow if it was, and a “South” arrow if it was not. But what if the signals are equal? This if statement can ask if the new signal strength is stronger, and otherwise (“else”) ask if the new signal strength is weaker. In the final “else,” we now know that the signal is neither stronger nor weaker, and must be the same. I displayed a heart icon on the LED display if this was the case, indicating that we’re not getting closer or farther from the target right now.

Optional: Seeing the Signal Strength

You may have seen the concept of RSSI when you choose a wireless network on your phone or computer. Often, you’ll see the classic “bars” of signal strength, which is really just a visualization of the signal strength number that we’ve been comparing in this program. To a computer, everything is a number, and sometimes, you might see the actual number on your computer or on your phone. It’s measured in decibels, and these radio signals are often pretty weak (likely a numeric value between -40 and -100). It’s still amazing to me that these faint invisible signals allow us to carry data over the internet, send music to our radios, and even communicate wirelessly around the world. Even right now, there could be dozens or hundreds (or more!) waves of invisible light energy bouncing around you carrying wireless data by radio signal.

Let’s add a variable to store this value each time we receive a signal. Based on what we’ve done already, where should we create this variable, and when should we update it?

Once you’ve added this variable to the “on start” function and set its value each time the “on radio received” function executes, you can drag another function to the canvas called “on button pressed” that we will use to show the current signal strength value whenever the A button is pressed. Its behavior is just a single step: show the currentRSSI variable value.

Optional: Setting Multiple Radio Groups

Finally, if you’d like a whole class to use this at once, it is helpful to put each pair of radios into a unique radio group, so that two people can play together without “hearing” and displaying the signals from everyone else’s device. To do this, you can change the number in the “radio set group” behavior to a unique value for each pair of devices. Although that change alone is sufficient, I created a variable called radioNumber to do this, just for fun. I had my radio send the radio group number in the “forever” loop, and added an if statement in the “on radio received” function to check that the receivedNumber parameter was equal to the radioNumber variable before checking the signal strength - almost like a little passcode to help ensure that the radio is hearing the correct partner.

The Finished Project

Here’s my finished product:

Extension: How Far Away?

The signal strength will vary based on the distance between the two devices, although walls and other items in the room will also cause the signal strength to change. Roughly speaking, though, the signal strength can be thought of as a proxy to the distance, just like the number of “bars” of signal strength is a rough estimate of how far you are from the cell phone tower or wireless access point (although other artifacts, such as being indoors, will also lower the signal strength and make it appear that you are even farther away).

Older or more experienced students could display the RSSI at a few known distances from their partner, and fit a linear function to those points to get a rough estimate of how changes in the signal strength correspond to distance. Admittedly, the relationship is not truly linear and there are other variables involved, but it is a reasonable estimate using things we can measure.

Add a variable to the “on radio received” function that calculates the distance using the linear equation on the signal strength. Change the “on button pressed” function to display this value instead!

R and SQL in the Browser

During the pandemic, my colleague Chris Tralie developed a Javascript system that allows students to write code in their web browser, which is transpiled to JavaScript from their language of choice (for example, Java and Python) or compiles to WebAssembly and executes in the browser (for example, C++). We connected these modules to our Learning Management System to assign class warmup exercises that are autograded, and that provide “hints” through automated feedback about incorrect answers.

Using Dr. Tralie’s framework, I added support for the R statistical processing language [⁴] and the SQL database language.

The addition of R and SQL allows students to experiment with database management and data analysis without requiring software installations on their local computer. We will explore the classic Iris flower dataset from R.A. Fisher in 1936 using R [⁵].

Classifying Data from Features

Imagine holding some coins in your hand. Can you tell what they are without looking at them? How can you tell? You might look for some common “features” like the thickness or the diameter of the coin, or the weight, or even the ridges along the outside of the coin. If the coin is in rough shape, there might be some variance in the data that causes you to guess incorrectly from time to time, but the idea is that we can predict a classification of data by evaluating some known features against examples we’ve seen in the past.

We will use the Iris flower dataset to predict the species of a flower using a few features such as the length and width of the petal. To try this out, navigate to this flower classifier page which is embedded below[⁶]:

Fill in some numbers for the petal length, petal width, and sepal length for some imaginary flowers. You can select the species for each flower click “Add” each time to plot the flowers by species on the 3D plot (which you can click to rotate and zoom). Take a look at the plot: do your flowers group in a way that makes sense? If the species data points are far away from each other when the species is different, but close together with those of the same species, there’s a good chance you can classify a “mystery flower” between these species choices. Enter numbers for a “mystery flower,” select the species that you think it is, and click “Guess” to see if you can correctly predict them! If not, try refreshing the page, and adding new example flowers whose measurements “group together” by species a bit more closely. Do you have an easier time classifying between them now?

Exploring the Iris Dataset Using R in the Browser

R.A. Fisher’s Iris flower data is built into the R platform, and we have embedded an R webassembly compiler [⁷] into a webpage [⁴] for exploration in our courses that use the R language (embedded below).

We will begin by viewing the the Iris dataset for analysis, which is described in detail in this article [⁵]. To do this, you can type this command into the R console: head(iris), which displays the first few rows of the dataset. It contains columns for the sepal length and width, and the petal length and width, as well as the species of that flower. There are 50 Setosa flowers, 50 Versicolor flowers, and 50 Virginica flowers in the example dataset.

The species column is not numeric, so we can’t plot that. However, we will use the species later to color code our plots. For now, let’s extract the first four columns (the numeric features) into a “dataframe” variable, by typing: df <- iris[, 1:4].

You can graph the columns of this dataset against each other. We’ll use two features at a time so we can more easily view the data on a 2D plot. You can do this by typing: plot(iris$Petal.Length, iris$Petal.Width, col=iris$Species), which plots the petal length against the petal width, and color codes them by species. To see which color represents which species, you can add a legend to the plot by typing: legend("topleft", levels(iris$Species), fill=1:3). How well do you think the Petal Length and Petal Width can help you predict the species of a flower, and why?

Run these commands to see 2D plots of all of the columns against each other (this is called a “pairs plot”). Type this command to generate it: pairs(df, col = rainbow(3)[speciesID], labels=c("PetalLength", "PetalWidth", "SepalLength", "SepalWidth")). Which features do the best job separating the flowers by species?

Replit in the Classroom

Another free platform that I have come to like for web-based pair programming in a variety of languages is replit. I wrote an article describing some helpful tools built into replit, including external library support, unit testing, version control, basic graphics, and a data store [⁸].

The Internet-of-Things (IoT): Analyzing Live Medical and Environmental Sensors with the VarIOT Platform at Drexel University

I work with a broadly multidisciplinary team on developing textile-based wearable computing systems. Imagine if the “radio” you experimented with earlier using the Microbit could be embedded into your shirt, or into a baby’s onesie, and it was so small that you didn’t know you were wearing it! These ubiquitous computing systems are generally known as the “Internet of Things” (IoT), and are interconnected smart devices that we can use to measure physiological functions like heart or respiratory rate, environmental measurements like air quality, or highway sensors for traffic management. Here, computer scientists team up with physicians, sociologists, designers, engineers, and more, to create solutions that no one group could do on their own. My colleagues at Drexel University run a program using the Vertically Integrated Projects model to provide opportunities for students across majors to blend their classroom experience with authentic problem solving and research skills. In my faculty role at Ursinus College, my students and Drexel’s students collaborate virtually, develop solutions, conduct experiments, and present results, by bringing their own unique classroom and major experiences to the team.

The National Science Foundation (NSF) Science Nation series featured Drexel’s smart fabric Bellyband and the team. The video can be found by clicking below:

Authentic Problems between Industry and K-20 for Broad Careers and Skills

By approaching computing education from a Design Thinking perspective, we can reinforce the “human in the loop” and promote empathetic design choices early in the educational journey. However, this approach also enables viewing problems through a broader lens in which technology is a means rather than an end. Authentic problems can be shared from industry partners, who can participate in a low-committment way by serving as project stakeholders, providing user perspectives to students who can work in multidisciplinary teams to develop solutions.

Another benefit to this approach is that it celebrates the variety of skills inherent in computing; we often think of “programming” as the fundamental skill of computing. And although computer programming is a ubiquitious tool that should be universally understood to facilitate communication about how the computer solves problems, it is not necessary to write code as part of a computing career. One could imagine software design as a core aspect of problem solving with technology, by designing user-centric workflows and determining the basic steps and modules required within a software system, or user experience (UX) design, which centers on interfacing with humans to develop systems that are optimally usable within the constraints of our physiology and psychology, or quality assurance and software testing which plans how to validate that software works correctly, and identifies deficiencies in the software. Information Technology (IT) specialists and systems administrators (and database administrators) ensure that the operational aspects of managing and maintaining the development environment, and front end developers create graphical user interfaces and web-based designs that allow one to engage with the software. Project Managers coordinate the team and ensure that these groups are collaborating efficiently. On top of this, each of these experts must also coordinate with domain experts who understand the target applications of computing systems. All of these people work together to solve problems collaboratively, and each brings a unique and essential skillset to the team. Just as the Vertically Integrated Projects model allows for the integration of and collaboration among a diverse set of technological and domain skillsets, computing and design thinking allow and encourage people to consider problems that are “bigger than themselves.”

You can find out more about these career paths and more here!

References

Using External Libraries

Using Replit, you can add external library support with many languages. For example, if you import a package, Replit will automatically download and import the corresponding library when you compile or run the project. However, if you have your own custom library that you’d like to import, you can do this as well.

If you are using a Java project, you can upload a jar file to your project (in my example, I uploaded a file called rsamath.jar to a directory called lib). You will have to tell Replit how to compile your project with this library in your CLASSPATH, and we can do this by creating a configuration file within the project called .replit. Add the following text to this file [¹]:

run = "export CLASSPATH=\".:lib/rsamath.jar\"; javac -d . Main.java; java Main"

This adds the jar to your classpath along with the current project directory, so that your Main.java can compile (in the main project directory) while also loading the library from the rsamath.jar file. The remaining javac and java commands are the standard compilation and execution commands that replit would use by default.

Here is an example project [²] that computes a value and its modular inverse from prime number inputs:

Database Access

While we’re at it, Replit provides a key/value data store to each project that we can use to store those generated keys, in case you’d like some values to persist in between runs of a student’s project. Replit provides a few web API endpoints via an environment variable that it maintains for your project, including:

• GET $REPL_DB_URL: Insert a key and value into the datastore. The data passed with the body of this HTTP request is key=value.
• GET $REPL_DB_URL/key: Retrieve the value associated with the key.
• DELETE $REPL_DB_URL/key: Delete the key from the datastore.

I have encapsulated these web calls [³] into a class called ReplDb that are provided in the following example project:

Version Control

Replit maintains a history of the revisions made to each project, but integrating with git provides an opportunity to teach the fundamentals and mechanics of version control. Under the Version Control left menu of the Replit project page, you can create a git repository as follows:

When the repository is created, you will see something like this:

As you revise the project, you’ll have an opportunity to click to create a new revision, including a log message, that you can use to revert your project to any commit that you’ve made.

Finally, you can connect this repository to your GitHub account. This may not be appropriate for homework assignments so that they aren’t inadvertantly made public (more on this below!), but is a nice way to create a public portfolio of independent study projects and final course projects.

Using Graphics

Replit supports graphical displays through the browser! You can download Robert Sedgewick’s algs4.jar library [⁴] and add it to your project as we described above. Running the project will display the output window as a frame within your web browser.

Here is an example project demonstrating this [⁵].

Animations

You can use animations with this library as well! It’s a little slow through the browser, but you can clear the screen and draw lines iteratively to create fun animations. Here’s an example:

Unit Testing

We will see later that you can add your own unit tests and input/output tests in order to autograde a Replit project, but you can encourage students to create their own unit tests, too.

Click the checkmark on the left menu, and click the setup button to initialize your tests. It will prompt you to add these imports:

import org.junit.Before;
import org.junit.After;
import org.junit.Test;
import static org.junit.Assert.*;

Then, click “Add Test” under the same checkmark menu. Add your test code, for example:

We will create the following test:

Main tester = new Main();
int result = tester.squareIt(-2);
assertEquals(4, result);

Finally, click Run Tests under the checkmark menu for a report. I have not found a way to export these tests for submission, but you could ask students to copy their test code snippets and a screenshot of their report for a low-tech solution.

Here is a quick example project demonstrating how to create and run a unit test:

If you are using a custom .replit file with external libraries, you can add this jar to your CLASSPATH in your .replit project: /run_dir/junit-4.12.jar.

Code Formatting

My students often miss the “auto-format” button on their Replit projects. This is a nice way to clean up things like indentation, and to demonstrate best practices. The button is located on the top right of the code window for the project.

Pair Programming

Another often overlooked feature is project sharing functionality. Click the “Share” button on the top left of the Replit project to invite other users to pair program with you simultaneously. Note that this button might disappear if an ad-blocker plugin is used on the browser.

Embedding Replit into POGIL Style Activities

In my classes, I use a POGIL style method to facilitate class discussion. Instead of lecture notes, each class features some guiding questions, as well as some examples or materials to spark some curiosity and discussion. As you have seen in this article, I also embed Replit project examples that students can view, fork, modify, and share with me from within the activity page. You can do this by embedding an iframe in your web pages with a src tag indicating your Replit project URL (with ?lite=true at the end of the URL), as follows:

<iframe height="600px" width="100%" src="https://repl.it/@BillJr99/MiniCrypto?lite=true" scrolling="no" frameborder="no" allowtransparency="true" allowfullscreen="true" sandbox="allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-modals"></iframe> 

There is a button at the top right of the frame to open the example in a new browser tab. Here is an example lesson.

Integrating Replit with GitHub Classroom

In addition to creating a version control repository, you can configure your assignments to automatically create repositories linked to your students’ Replit projects that are shared with you for grading and auto-grading. One nice feature of GitHub Classroom integration is that you can configure these repositories to be private (although making the underlying Replit projects private may require a paid subscription). I created a short video demonstrating how to set this up in a prior article.