10

proxmox x86软路由笔记

 3 years ago
source link: https://zhangguanzhang.github.io/2020/05/13/x86-router-flash/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

proxmox x86软路由笔记



字数统计: 2.2k阅读时长: 10 min
 2020/05/13  278  Share

办公室有台式机,不想整天带着N1上下班,整下x86的软路由,exsi性能会比pve好,但是pve毕竟Linux,兼容性和对接很多场景方便,这里我使用pve开机器安装openwrt。

pve已经安装好系统(如果你还没安装且打算安装,安装完后可以看看我这个文章安装完proxmox的一些设置),并且台式机的口子接主路由的lan口。主路由是我的路由器,它wan口接办公室的网口,台式机只有一个口子,所以软路由作为旁路由使用。

先去恩山论坛x86版块下一个固件,如果你有办公室—> ecs <— 个人家里组网的要求的话,推荐你去找个带wireguard的固件
pve上开台机器

  • 一般-高级-开机自启动勾上,有必要的话手动设置下vmID,后面有用
  • 操作系统不适用任何介质
  • 系统默认,下一步
  • 硬盘随便设置,后面会删除
  • cpu按照实际,我给2核,内存我给的2g
  • 网络,模型选intel E1000防火墙的勾去掉
  • 选中虚机,硬件-选中硬盘,点击分离,删除

导入img

把固件上传到pve的机器上,一般是gz,解压成img后用命令转成qcow2文件

1
qemu-img convert -f raw  -O qcow2 openwrt-x86-64-generic-squashfs-combined-efi.img op.qcow2

检查下,应该输出No errors

1
qemu-img check op.qcow2

导入成硬盘,这里vm的id是对应前面的vmid,前面没设置的话web控制台上看下openwrt的虚机的vmid

1
qm importdisk 200 op.qcow2 local-lvm

导入后在界面上,选中创建机器带的硬盘,点击上面的分离,然后点击这个硬盘,点击删除。双击我们导入的硬盘,点击右下角的添加

旁路由的配置

路由静态ip配置

这里我是主路由192.168.2.1/24作为二级路由接办公网的口子上的,还提供wifi,openwrt的虚机作为旁路由,ip规划为192.168.2.3,主路由不开DHCP,旁路由开DHCP(有的路由器不支持dhcp设置网关的ip,所以我这里旁路由作为DHCP server)

开机后大概36秒后按回车进入终端。更改旁路由的网络配置文件

1
2
cp /etc/config/network /etc/config/network.bak
vi /etc/config/network

192.168.1.1改为预期的配置,没网关的话就也加上预期的主路由的ip

1
2
3
4
5
6
config interface 'eth0'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.3'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
1
/etc/init.d/network restart

然后按下回车,ping下114测下

1
ping 114.114.114.114

然后浏览器进192.168.2.3,默认密码admin password啥的试试

web配置

我的固件只有一个LAN接口,不确定其他的是不是这样(推荐此处到最后都先看一遍完后再跟着操作)
网络-接口,进入LAN修改,下面的DHCP,开启动了。然后高级设置,动态DHCP+强制,写上掩码,下面的DHCP选项两行

1
2
3,192.168.2.3                    # 配置dhcp的网关,指向旁路由自己
6,192.168.2.3    # 配置dhcp获取到的dns,如果稳定则旁路由自己的IP

IPv6设置里前三个全部选禁用
保存应用

这里分为使用dnsmasqadguard home,我个人是使用adguard home的,我遇到过了dnsmasq经常在加配置的时候卡死,而且解析不稳定

dnsmasq作为dns server

网络-DHCP/DNS-常规设置,有必要的话配置下DNS转发,屏蔽一些激活码请求域名啥的,丢弃 RFC1918 上行响应数据这个取消了,我这儿是不然某些上游dns的域名无法访问到
最下面的写hosts列表,例如单独的指定公网ip下载jetbrains家的插件和软件,绕过前面配置的屏蔽

adguard home 作为dns server

如果固件没有的话去下载ipk文件 https://github.com/rufengsuixing/luci-app-adguardhome/releases 下载后在 web-系统-文件传输传上去, 然后ssh执行命令

1
opkg install /tmp/upload/luci-app-adguardhome_*

如果你当前的网络是已经连在这个旁路由上,那这步的关闭先别做,因为关闭了dnsmasq的dns就会无法解析域名导致无法下载后面的adguard home二进制文件,如果不是则先关闭dnsmasq的dns server功能,网络-DHCP/DNS-高级设置-DNS 服务器端口写0,不使用dnsmasq的dns功能,回到web上保存应用

大多数固件都不会自带adgurad home的二进制文件的,我们需要在自己pc上下载adguardhome的二进制文件在web-系统-文件传输传上去。下载网页,记得下载linux-amd64的

1
2
3
# 压缩包带了目录,所以直接解压到/usr/bin
tar zxf /tmp/upload/AdGuardHome_linux_amd64.tar.gz -C /usr/bin/
rm -f /tmp/upload/AdGuardHome_linux_amd64.tar.gz

服务-AdGuard Home-手动设置,下面是我用的配置文件,web登录的密码是root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
bind_host: 0.0.0.0
bind_port: 3000
users:
- name: root
  password: $2y$05$8h.LpbIR7U50.qbV7ynCtOvS9szcqu2lFk6J86Oabnz1J5BtLpVni
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_host: 0.0.0.0
  port: 53
  statistics_interval: 1
  querylog_enabled: false
  querylog_file_enabled: true
  querylog_interval: 1
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: nxdomain
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 0
  ratelimit_whitelist: []
  refuse_any: false
  upstream_dns:
  - sdns://AwAAAAAAAAAAAAANdGxzOi8vOC44LjguOA
  - https://dns.google/dns-query
  - sdns://AAAAAAAAAAAACTc3Ljg4LjguOA
  - https://dns.adguard.com/dns-query
  - https://dns-family.adguard.com/dns-query
  - sdns://AAAAAAAAAAAACjc3Ljg4LjguODg
  - sdns://AQMAAAAAAAAAFDE4NS4yMjguMTY4LjE2ODo4NDQzILysMvrVQ2kXHwgy1gdQJ8MgjO7w6OmflBjcd2Bl1I8pEWNsZWFuYnJvd3Npbmcub3Jn
  - sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk
  - sdns://AwAAAAAAAAAAAAANdGxzOi8vOS45LjkuOQ
  - tcp://223.5.5.5
  - sdns://AgUAAAAAAAAAACAe9iTP_15r07rd8_3b_epWVGfjdymdx-5mdRZvMAzBuQ5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs
  - sdns://AQQAAAAAAAAAEDc3Ljg4LjguNzg6MTUzNTMg04TAccn3RmKvKszVe13MlxTUB7atNgHhrtwG1W1JYyciMi5kbnNjcnlwdC1jZXJ0LmJyb3dzZXIueWFuZGV4Lm5ldA
  - sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
  - sdns://AAAAAAAAAAAADTEzMC41OS4zMS4yNDg
  bootstrap_dns:
  - 223.5.5.5
  - 223.6.6.6
  - 1.1.1.1
  - 8.8.4.4
  - 9.9.9.10
  - 114.114.114.114
  - 149.112.112.10
  all_servers: true
  fastest_addr: false
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts: []
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: true
  enable_dnssec: false
  edns_client_subnet: false
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites:
  - domain: plugins.jetbrains.com
    answer: 13.32.53.109
  - domain: mini.ffnews.cn
    answer: 127.0.0.1
  - domain: tongji.flash.cn
    answer: 127.0.0.1
  - domain: mini.flash.2144.com
    answer: 127.0.0.1
  - domain: download.jetbrains.com
    answer: 52.30.174.243
  - domain: harbor.zhangguanzhang.com
    answer: 192.168.2.111
  - domain: www.jetbrains.com
    answer: 127.0.0.1
  - domain: jetbrains.com
    answer: 0.0.0.0
  - domain: www.atlium.com
    answer: 0.0.0.0
  - domain: atlium.com
    answer: 0.0.0.0
  blocked_services: []
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
- enabled: false
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard Simplified Domain Names filter
  id: 1
- enabled: false
  url: https://adaway.org/hosts.txt
  name: AdAway
  id: 2
- enabled: false
  url: https://hosts-file.net/ad_servers.txt
  name: hpHosts - Ad and Tracking servers only
  id: 3
- enabled: false
  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
  name: MalwareDomainList.com Hosts List
  id: 4
- enabled: false
  url: https://raw.githubusercontent.com/vokins/yhosts/master/data/tvbox.txt
  name: tvbox
  id: 1575018007
- enabled: false
  url: https://hosts.nfz.moe/full/hosts
  name: neoHosts full
  id: 1575618240
- enabled: false
  url: https://hosts.nfz.moe/basic/hosts
  name: neoHosts basic
  id: 1575618241
- enabled: false
  url: http://sbc.io/hosts/hosts
  name: StevenBlack host basic
  id: 1575618242
- enabled: false
  url: http://sbc.io/hosts/alternates/fakenews-gambling-porn-social/hosts
  name: StevenBlack host+fakenews + gambling + porn + social
  id: 1575618243
- enabled: false
  url: https://cdn.jsdelivr.net/gh/privacy-protection-tools/anti-AD/anti-ad-easylist.txt
  name: anti-AD(Adblock+neohosts+yhosts+cjxlist+adhlist)
  id: 1577113202
whitelist_filters:
- enabled: true
  url: https://zhangguanzhang.github.io/adguard/whitelist.txt
  name: white
  id: 1599614146
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  gateway_ip: ""
  subnet_mask: ""
  range_start: ""
  range_end: ""
  lease_duration: 86400
  icmp_timeout_msec: 1000
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
schema_version: 6

确保关闭了dnsamsq的dns server功能,保存应用后打开web:3000就可以看到了,默认root/root
设置-常规设置里保留时间之类的不要设置成30天90天之类的,特别是你接入设备多,日志记录了可能把路由器容量撑满,配置成24小时就够了

设备连上wifi后无法访问外网,看了下到旁路由上能通,旁路由上也能ping公网,猜测iptables缺少放行,网络-防火墙-自定义规则,添加下面内容,cidr根据自己实际情况写

1
iptables -I forwarding_rule --src 192.168.2.0/24 -j ACCEPT

我笔记本经常宿舍到公司,经常遇到到了公司后连不上局域网下面其他机器,抓包发现arp无响应,查看arp表项错误,cmd管理员arp -d删除,例如192.168.2.111不通

1
arp -d 192.168.2.111

web上系统-软件包-配置里, 发行版软件源全部注释了,最下面追加

1
2
3
4
5
6
src/gz openwrt_core http://mirrors.ustc.edu.cn/lede/releases/19.07.4/targets/x86/64/packages
src/gz openwrt_base http://mirrors.ustc.edu.cn/lede/releases/19.07.4/packages/x86_64/base
src/gz openwrt_luci http://mirrors.ustc.edu.cn/lede/releases/19.07.4/packages/x86_64/luci
src/gz openwrt_packages http://mirrors.ustc.edu.cn/lede/releases/19.07.4/packages/x86_64/packages
src/gz openwrt_routing http://mirrors.ustc.edu.cn/lede/releases/19.07.4/packages/x86_64/routing
src/gz openwrt_telephony http://mirrors.ustc.edu.cn/lede/releases/19.07.4/packages/x86_64/telephony

安装tcpdump

1
https://archive.openwrt.org/releases/packages-18.06/aarch64_generic/base/

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK