@sskaje

Blog

  • VyOS Set up Port Forwarding for PPPoE to LAN

    Set up PPPoE(WAN) :8022 to LAN host 1921.68.1.119:22

    WAN and LAN are firewall zones.

    Step 1, DNAT

    set nat destination rule 11000 destination port '8022'
set nat destination rule 11000 inbound-interface name 'pppoe0'
set nat destination rule 11000 log
set nat destination rule 11000 protocol 'tcp'
set nat destination rule 11000 translation address '192.168.1.119'
set nat destination rule 11000 translation port '22'

    Step 2, Firewall

    show firewall zone-policy to get firewall policy from WAN to LAN, in my case WAN_IN.

    
set firewall ipv4 name WAN_IN rule 100 action 'accept'
set firewall ipv4 name WAN_IN rule 100 destination address '192.168.1.119'
set firewall ipv4 name WAN_IN rule 100 destination port '22'
set firewall ipv4 name WAN_IN rule 100 protocol 'tcp'

    No need to set WAN_LOCAL

  • VyOS-1x build script on VyOS

    Put vyos/vyos-1x code to /config/build/vyos-1x

    Script as /config/build/build.sh

    #!/bin/sh


cat << 'EOF' > /etc/apt/sources.list.d/debian.sources
Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian
Suites: bookworm bookworm-updates
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb deb-src
URIs: https://mirrors.tuna.tsinghua.edu.cn/debian-security
Suites: bookworm-security
Components: main contrib non-free non-free-firmware
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF


podman pull docker.io/vyos/vyos-build:current

mkdir -p /config/build
cd /config/build

rm -f /config/build/vyos-1x-* /config/build/vyos-1x_*

chown -R vyos: /config/build
chmod 777 /config/build

podman run --rm -it --privileged --network host -v /config/build:/vyos -w /vyos/vyos-1x vyos/vyos-build:current dpkg-buildpackage -uc -us -tc -b


dpkg -i vyos-1x_1.5dev0-*_amd64.deb

systemctl restart vyos-configd

chown -R vyos: /config/build
chmod 777 /config/build

  • VyOS Debug PBR & NAT

    As ROOT.

    Keyword: nftrace

    Edit VyOS generated NFT files: /run/nftables*.

    Enable nftrace on full chain 

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        meta nftrace set 1
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }
}

    Make sure nftrace is enabled before other rules!

    Enable nftrace on SINGLE RULE.

    table ip vyos_mangle {
    chain VYOS_PBR_PREROUTING {
        type filter hook prerouting priority -150; policy accept;
        iifname { eth2,eth0 } counter jump VYOS_PBR_UD_MY_PBR_RULES
    }

    chain VYOS_PBR_UD_MY_PBR_RULES {
        ip saddr  @A_SRC_HIJACK_MITMPROXY counter meta mark set 2147483628 meta nftrace set 1 return comment "ipv4-route-ROUTE_CLASH_TUN-50"
    }
}

    Test & Apply

    # Test
nft --check --file /run/nftables_policy.conf
# Apply
nft --file /run/nftables_policy.conf

    Monitor

    nft monitor trace

    Example Result

    trace id 0abb78f9 ip vyos_mangle VYOS_PBR_PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_nat PREROUTING packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 192.168.27.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_conntrack PREROUTING_HELPER packet: iif "eth2" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip raw VYOS_TCP_MSS packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 inet mangle FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip protocol udp ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_FORWARD_filter packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_filter VYOS_ZONE_FORWARD packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_mangle VYOS_PBR_POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip nat VYOS_PRE_SNAT_HOOK packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001
trace id 0abb78f9 ip vyos_static_nat POSTROUTING packet: iif "eth2" oif "pppoe0" ether saddr bc:24:11:27:72:1b ether daddr bc:24:11:35:1c:c5 ip saddr 192.168.27.100 ip daddr 10.0.0.53 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 64190 ip length 68 udp sport 58012 udp dport 53 udp length 48 @th,64,96 0x990701200001000000000001

  • Protected: VyOS MiTMPROXY Using WireGuard

    This content is password protected. To view it please enter your password below:

  • 海康威视 R1 安全迁移 Docker Root

    桌面App 直接迁移,会提示数据要重新下载和配置。

    systemctl stop containerd
mv /drives/raid_a1/.docker /drives/nvme_e1/

# 
cd /tmp/nand_config
cp docker.json docker.json.bak
# 修改 docker.json
# 看后边说明 


# 修改 /etc/docker/daemon.json,配置不能持久化
# 直接修改路径,可以不重启生效,但是务必按说明修改持久化配置
systemctl start containerd

    桌面客户端可以改配置(Docker设置 / 装载目录),建议顺手先改掉。

    固件里 /tmp/nand_config/docker.json 是自动生成的,里边定义了 disk_pathdisk_uuid,前者的值是类似 /drives/raid_a1,后者是用 disk_get_uuid_byfilepath 的函数生成的,有重建逻辑,删掉即可。

  • VyOS 实现LAN 流量劫持

    以前 EdgeRouter 时代,使用的是 DNAT + redsocks + charles/mitmproxy 实现的流量劫持和分析,比较麻烦的点是,redsocks的配置文件需要维护,服务需要重启,每次系统升级(虽然好多年没升级了)都需要重装 redsock,所以当时搞了一套初始化脚本,脱离config tree自动安装deb,自动加载配置,自动symlink配置文件。

    换到 VyOS 之后,本来也想搞这一套,被研发打回来了,他们不接受过分灵活的config tree,让我用 container。

    新方案用 hev-socks5-tunnel,直接把流量转给另外一台主机上的mitmproxy。charles proxy也可以用同样的方法配置

    开 mitmweb,方便web看数据

    mitmweb --web-host 0.0.0.0 --mode socks5 --listen-port 8889

    下列命令创建container,配置PBR

    set container name tun2socks allow-host-networks
set container name tun2socks capability 'net-admin'
set container name tun2socks device dev-net-tun destination '/dev/net/tun'
set container name tun2socks device dev-net-tun source '/dev/net/tun'
set container name tun2socks environment CONFIG_ROUTES value '0'
set container name tun2socks environment IPV4 value '198.51.100.1'
set container name tun2socks environment LOG_LEVEL value 'debug'
set container name tun2socks environment MTU value '8500'
set container name tun2socks environment SOCKS5_ADDR value '192.168.11.19'
set container name tun2socks environment SOCKS5_PORT value '8889'
set container name tun2socks environment SOCKS5_UDP_MODE value 'udp'
set container name tun2socks environment TUN value 'tun9'
set container name tun2socks image 'ghcr.io/heiher/hev-socks5-tunnel:latest'


set protocols static table 19 description 'route to mitmproxy'
set protocols static table 19 route 0.0.0.0/0 interface tun9

set policy route PBR   interface 'eth2'
set policy route PBR rule 50 set table '19'
set policy route PBR rule 50 source group address-group 'SRC_HIJACK_MITMPROXY'


# firewall rules ...

    防火墙规则需要自己搞定,按需NAT。

    nftables 不支持 ipset 那样动态操作成员了,只能在config tree里维护。

    这个方法和以前一样,只能去分析 TCP 协议。如果有 UDP 的需求可以尝试 WireGuard 的方式。

  • VyOS Debug DHCP Server

    Add following to /usr/share/vyos/templates/dhcp-server/kea-dhcp4.conf.j2, node under .Dhcp4

        "loggers": [
      {
        "name": "kea-dhcp4",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.dhcpsrv",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-dhcpsrv.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp4.leases",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp4-leases.log",
            "maxver": 10
          }
        ]
      }
    ],

    Restart VyOS configd

    systemctl restart vyos-configd

    Update config in configure mode.

    View files under /var/log/kea

  • Protected: IDA Pro 9.0 macOS arm patch

    This content is password protected. To view it please enter your password below:

  • Proxmox VE + 海康威视 R1 共享 UPS

    买了个便宜的UPS,想把PVE主机和海康的R1都挂在下边,所以简单折腾一把。

    本来是担心有点麻烦,结果发现海康的UPS已经用了 NUT,那就简单粗暴来了。

    R1 上

    echo "LISTEN 0.0.0.0 3493" >> /etc/nut/upsd.conf
killall upsd

    过一会儿,upsd会自己重启

    cat /etc/nut/upsd.users 读账号密码

    PVE

    apt install nut-client

    执行

    root@pve6:~# upsc -l 192.168.11.111
Init SSL without certificate database
HikUPS
root@pve6:~# upsc HikUPS@192.168.11.111
Init SSL without certificate database
battery.charge: 100
battery.voltage: 13.50
battery.voltage.high: 13.00
battery.voltage.low: 10.40
battery.voltage.nominal: 12.0
device.type: ups
driver.name: nutdrv_qx
driver.parameter.bus: 001
driver.parameter.pollfreq: 30
driver.parameter.pollinterval: 2
driver.parameter.port: auto
driver.parameter.product: USB to Serial
driver.parameter.productid: 5161
driver.parameter.synchronous: auto
driver.parameter.vendor: INNO TECH
driver.parameter.vendorid: 0665
driver.version: 2.8.0
driver.version.data: Voltronic-QS 0.07
driver.version.internal: 0.32
driver.version.usb: libusb-1.0.26 (API: 0x1000109)
input.voltage: 224.4
input.voltage.fault: 224.4
output.current.nominal: 2.0
output.frequency: 50.1
output.frequency.nominal: 50
output.voltage: 224.4
output.voltage.nominal: 220
ups.beeper.status: disabled
ups.delay.shutdown: 30
ups.delay.start: 180
ups.firmware.aux: PM-V
ups.load: 0
ups.productid: 5161
ups.status: OL
ups.type: offline / line interactive
ups.vendorid: 0665

    修改配置 /etc/nut/upsmon.conf

    MONITOR HikUPS@192.168.11.111 1 hikups Aa123456 master

    密码是写死的

    /etc/nut/nut.conf

    MODE=netclient

    重启 

    systemctl restart nut-client

  • Protected: IDA Pro 9 Debug iOS Using Remote-iOS Debugger

    This content is password protected. To view it please enter your password below: