Edgerouter | @sskaje

北京联通EdgeRouter开启IPv6

By @sskaje
Link: https://sskaje.me/2018/12/china-unicom-beijing-edgerouter-enable-ipv6-pppoe/

看到说北京联通的pppoe也开始启用ipv6了，在EdgeRouter Lite上开了一下设置。

联通给了个 /56 的prefix。

我的eth1接了上行，pppoe拨号，eth0是lan。

set interfaces ethernet eth1 pppoe 0 ipv6 address autoconf
set interfaces ethernet eth1 pppoe 0 ipv6 enable
set interfaces ethernet eth1 pppoe 0 ipv6 dup-addr-detect-transmits 1 

set interfaces ethernet eth1 pppoe 0 dhcpv6-pd pd 0 interface eth0 service slaac
set interfaces ethernet eth1 pppoe 0 dhcpv6-pd pd 0 prefix-length /56

set interfaces ethernet eth1 pppoe 0 ipv6 address autoconf

set interfaces ethernet eth1 pppoe 0 ipv6 enable

set interfaces ethernet eth1 pppoe 0 ipv6 dup-addr-detect-transmits 1

set interfaces ethernet eth1 pppoe 0 dhcpv6-pd pd 0 interface eth0 service slaac

set interfaces ethernet eth1 pppoe 0 dhcpv6-pd pd 0 prefix-length /56

lan

interface {
  ethernet eth0 {
    ipv6 {
      router-advert {
          cur-hop-limit 64
          link-mtu 0
          managed-flag false
          max-interval 600
          other-config-flag false
          prefix ::/64 {
              autonomous-flag true
              on-link-flag true
              valid-lifetime 2592000
          }
          reachable-time 0
          retrans-timer 0
          send-advert false
      }
    }
  }
}

interface {

ethernet eth0 {

ipv6 {

router-advert {

cur-hop-limit 64

link-mtu 0

managed-flag false

max-interval 600

other-config-flag false

prefix ::/64 {

autonomous-flag true

on-link-flag true

valid-lifetime 2592000

}

reachable-time 0

retrans-timer 0

send-advert false

}

记住配置防火墙

北京联通EdgeRouter开启IPv6 by @sskaje: https://sskaje.me/2018/12/china-unicom-beijing-edgerouter-enable-ipv6-pppoe/

Incoming search terms:

EdgeRouter X 安装KMS服务

By @sskaje
Link: https://sskaje.me/2018/10/install-kms-on-edgerouter/

注意：以下内容仅供已购买 Microsoft Office Volume Licensing 的机构的网络管理员参考。个人用户请购买零售版或Office 365订阅。
由于非法使用KMS服务带来的法律风险请自担。

我看到很多地方都有人给了各种教程，安装KMS服务。但是，总违背了我的一个原则，不执行未知来源的可执行文件。

而且，可能大多数人都不知道用root跑这些程序意味着什么，尤其是在路由器上。

所以我找了一个python的版本，github地址在 https://github.com/SystemRage/py-kms 。

由于ERX的存储空间限制，大部分操作都没法直接在路由上执行。所以接下来的笔记分两部分，第一部分在本地电脑上，第二部分在路由器上。

环境

路由器 Ubnt EdgeRouter X，IP 192.168.1.1，SSH端口 2345
EdgeRouter X, 固件 1.10.5

假设网络里没有配置domain，临时设置成 beijing.local

Continue reading “EdgeRouter X 安装KMS服务” »

EdgeRouter X 安装KMS服务 by @sskaje: https://sskaje.me/2018/10/install-kms-on-edgerouter/

Incoming search terms:

EdgeRouter 部署 WireGuard

By @sskaje
Link: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

安装

从 https://github.com/Lochnair/vyatta-wireguard/releases 下载对应的包
ERL, ER等 mips架构的，下载 octeon 版本
ERX 下载 ralink版本。

可以选择上传到路由上，或者ssh登录路由，sudo su到root，执行类似如下的命令

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

或

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

下载完成后

dpkg -i xxx.deb

1	dpkg -i xxx.deb

配置

执行下列命令生成私钥、共享密钥，公钥

wg genkey > /config/auth/wg.private
wg genpsk > /config/auth/wg.psk
chmod 0600 /config/auth/wg.*
wg pubkey < /config/auth/wg.private

wg genkey > /config/auth/wg.private

wg genpsk > /config/auth/wg.psk

chmod 0600 /config/auth/wg.*

wg pubkey < /config/auth/wg.private

将最后一个命令的输出复制下来，配置到服务器端

获取服务器端的公钥，替换下文的“公钥”并执行命令

configure
set interfaces wireguard wg0 address 192.168.10.40/24
set interfaces wireguard wg0 listen-port 本地端口
set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'
set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk
set interfaces wireguard wg0 private-key /config/auth/wg.private
set interfaces wireguard wg0 route-allowed-ips false
commit
save

configure

set interfaces wireguard wg0 address 192.168.10.40/24

set interfaces wireguard wg0 listen-port 本地端口

set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0

set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'

set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk

set interfaces wireguard wg0 private-key /config/auth/wg.private

set interfaces wireguard wg0 route-allowed-ips false

commit

save

配置好设备后，配置nat服务

configure
set service nat rule 5032 outbound-interface wg0
set service nat rule 5032 type masquerade
commit 
save

configure

set service nat rule 5032 outbound-interface wg0

set service nat rule 5032 type masquerade

commit

save

剩下就是配置路由规则了，可以参考我的其他blog.

EdgeRouter 部署 WireGuard by @sskaje: https://sskaje.me/2017/06/deploy-wireguard-on-edgerouter/

Incoming search terms:

EdgeRouter 策略路由实现分析

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

最近家里的路由规则越来越复杂，而且越来越好用。正好昨天跟朋友讨论他的家用路由改造方案，所以研究了一下EdgeRouter的策略路由（Policy-based Routing，PBR）的实现。

我家里的路由是EdgeRouter Lite，固件1.9.1.1，这个实现跟固件关系不大。

首先，我们可以参考一下官方的文档：EdgeRouter – Policy-based routing (source address based)

Continue reading “EdgeRouter 策略路由实现分析” »

EdgeRouter 策略路由实现分析 by @sskaje: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

Incoming search terms:

EdgeRouter + SoftEther Policy-based Routing Error

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

I have protocol config like

protocols {
  static {
    table 4 {
      route 0.0.0.0/0 {
        next-hop 192.168.10.1 {
        }
      }
    }
  }
}

protocols {

static {

table 4 {

route 0.0.0.0/0 {

next-hop 192.168.10.1 {

}

SoftEther TAP device name is tap_se, local ip is 192.168.10.2, remote ip 192.168.10.1.

Internet is connected via pppoe0.

Policy-based routing modified to table 4 route traffic to pppoe0 rather than tap_se.

Check current route table:

root@ubnt:/home/ubnt# show ip route table 4
default via 192.168.10.1 dev pppoe0

1 2	root@ubnt:/home/ubnt# show ip route table 4 default via 192.168.10.1 dev pppoe0

In my previous post, I added a softether start-up script in /config/scripts/post-config.d/.
I guess vpnserver is launched after policy-based routing rules been applied, that causes policy-based routing find no device/connected routes for 192.168.10.1, then pppoe0 is picked.

I don’t have any good idea (add custom config template is a good choice, but i’m lazy zzZZ..), just disable and re-enable that route table after router is booted.

configure
set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit
delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit

configure

set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

EdgeRouter + SoftEther Policy-based Routing Error by @sskaje: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/