EdgeRouter Policy Based Routing Using DNSMASQ IPSET

Previously I used SNIProxy to split traffic by domain, which was really cumbersome, especially after later finding that the routing table would go wrong for no obvious reason.

EdgeRouter's Policy Based Routing (PBR) uses the firewall modify feature of its own configuration syntax.
There are two official tutorials:
EdgeRouter – Policy-based routing for destination port
EdgeRouter – Policy-based routing (source address based)

The second article mentions network-group in passing. I had used network-group before when setting up a VPN, and had also compared firewall modify + network-group against configuring a pile of interface-routes.

The network-group here is implemented with netfilter's ipset. See the ipset man pages; the ipset command itself also ships on the EdgeRouter.

dnsmasq supports the '--ipset' option, which stores the IPs resolved for the configured domains into the specified ipset. See the dnsmasq documentation for details.

The dnsmasq configuration syntax is simple.

The domain part follows the syntax of address. For example:

Once all the domains you need are configured, restart dnsmasq.

ipset itself supports timeout, but EdgeOS's network-group does not, so it is best to create a new network-group before configuring dnsmasq, so that dnsmasq fills a set EdgeOS owns rather than creating its own.

Assuming the newly created ipset is named MY_SET, the main relevant EdgeRouter configuration is as follows:

Other parts, such as configuring the static table and the interface firewall, are covered in the documents linked at the top.
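The following script is an added example, not code from the original post. It ties the pieces above together: it builds the dnsmasq `ipset=` directive, emits the EdgeOS commands that create the network-group, the modify rule and the routing table, and checks that every set named in a dnsmasq config file exists as an EdgeOS network-group, since dnsmasq cannot populate a set that EdgeOS never created. Assumed names (not from the post): LAN interface eth1, routing table 1, modify rule set PBR, and the placeholder next-hop 203.0.113.1; the sample domains and the config files it checks are constructed inline. Commands are applied through the EdgeOS config wrapper only when it is present; elsewhere they are just printed.

```shell
#!/bin/sh
# Added example (not the original post's code): domain-based PBR glue for EdgeOS.
# 1. dnsmasq_ipset_line builds "ipset=/dom1/dom2/SET" (syntax from the dnsmasq man page).
# 2. pbr_commands emits the EdgeOS commands: empty network-group (filled by dnsmasq),
#    a modify rule that sends matches to a separate table, that table, and the LAN hook.
# 3. missing_sets reports sets that dnsmasq references but EdgeOS never defines.
# Assumed values: LAN interface eth1, table 1, rule set PBR, next-hop 203.0.113.1
# (placeholder). Applied only when the EdgeOS wrapper exists; otherwise printed.
SET_NAME=MY_SET
LAN_IF=eth1
TABLE=1
NEXT_HOP=203.0.113.1
DOMAINS="example.com example.org"      # constructed sample domains

# One dnsmasq directive: ipset=/<domain>/<domain>/<set name>
dnsmasq_ipset_line() {
    name=$1; shift
    out="ipset="
    for d in "$@"; do out="$out/$d"; done
    printf '%s/%s\n' "$out" "$name"
}

# EdgeOS commands for the PBR side; the network-group stays empty in config
# because dnsmasq fills the underlying ipset at resolve time.
pbr_commands() {
    cat <<EOF
set firewall group network-group $SET_NAME description "populated by dnsmasq"
set firewall modify PBR rule 10 description "route dnsmasq-learned hosts via table $TABLE"
set firewall modify PBR rule 10 action modify
set firewall modify PBR rule 10 destination group network-group $SET_NAME
set firewall modify PBR rule 10 modify table $TABLE
set protocols static table $TABLE route 0.0.0.0/0 next-hop $NEXT_HOP
set interfaces ethernet $LAN_IF firewall in modify PBR
EOF
}

# Set names referenced by ipset= lines in a dnsmasq config file (comma lists split).
dnsmasq_set_names() {
    sed -n 's#^ipset=.*/\([^/]*\)$#\1#p' "$1" | tr ',' '\n' | sort -u
}

# network-group names in 'show configuration commands' style output.
edgeos_group_names() {
    sed -n 's#^set firewall group network-group \([^ ]*\).*#\1#p' "$1" | sort -u
}

# Print each set dnsmasq uses that EdgeOS does not define; exit status 1 if any.
missing_sets() {
    dnsmasq_set_names "$1" | while read -r s; do
        edgeos_group_names "$2" | grep -qx "$s" || echo "$s"
    done | grep . && return 1
    return 0
}

# Constructed sample inputs so the check runs offline: the second ipset line
# names a set that the EdgeOS commands above never create.
WORK=${TMPDIR:-/tmp}/pbr_check.$$
mkdir -p "$WORK"
dnsmasq_ipset_line "$SET_NAME" $DOMAINS  > "$WORK/ipset.conf"
dnsmasq_ipset_line ORPHAN_SET example.net >> "$WORK/ipset.conf"
pbr_commands > "$WORK/edgeos.cmds"

WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
if [ -x "$WRAPPER" ]; then
    $WRAPPER begin
    pbr_commands | while read -r cmd; do eval "$WRAPPER $cmd"; done
    $WRAPPER commit && $WRAPPER save
    $WRAPPER end
    # The post keeps dnsmasq files under /config/etc and symlinks them into /etc.
    dnsmasq_ipset_line "$SET_NAME" $DOMAINS > /etc/dnsmasq.d/pbr-ipset.conf
    /etc/init.d/dnsmasq restart
else
    pbr_commands
    missing_sets "$WORK/ipset.conf" "$WORK/edgeos.cmds" \
        || echo "the sets above have no matching network-group" >&2
fi
```

The consistency check is the part worth keeping around: a typo between the `ipset=` line and the network-group name fails silently as far as routing is concerned, because the modify rule simply never matches anything.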

EdgeRouter Policy Based Routing Using DNSMASQ IPSET by @sskaje: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/


EdgeRouter PPTP/L2TP Firewall Modify

AUTO_VPN is the name of my rule set.
/config/scripts/post-config.d/auto_vpn_fw_modify needs execute permission.
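An added example of what a script at that path can look like; it is not the post's own auto_vpn_fw_modify. PPTP/L2TP client interfaces (ppp*) only exist while a client is connected, so they cannot be named under `interfaces ... firewall in modify` in the EdgeOS config; a post-config.d hook that adds one jump for the `ppp+` wildcard covers them all. The script assumes that EdgeOS materialises a modify rule set as a chain of the same name in the iptables mangle table; verify that on your router with `iptables -t mangle -S` before relying on it.

```shell
#!/bin/sh
# Added example, not the post's own script. Attaches the AUTO_VPN modify rule
# set to every ppp* interface by inserting one jump into the mangle PREROUTING
# chain. Assumption (verify with 'iptables -t mangle -S'): EdgeOS builds each
# modify rule set as a mangle chain with the same name.
# Install as /config/scripts/post-config.d/auto_vpn_fw_modify and chmod +x.
RULESET=AUTO_VPN
IFACE_GLOB='ppp+'

# The rule spec shared by the existence check and the insert.
jump_spec() { printf '%s %s %s %s' -i "$IFACE_GLOB" -j "$RULESET"; }

# Add the jump exactly once. Status: 0 in place, 1 no iptables, 2 chain missing.
ensure_ppp_jump() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -t mangle -nL "$RULESET" >/dev/null 2>&1 || return 2
    iptables -t mangle -S PREROUTING 2>/dev/null | grep -qF -- "$(jump_spec)" && return 0
    # shellcheck disable=SC2046   (word splitting of the spec is intended)
    iptables -t mangle -I PREROUTING $(jump_spec)
}

if ensure_ppp_jump; then
    echo "jump to $RULESET for $IFACE_GLOB is in place"
else
    case $? in
        1) echo "iptables not found; nothing done" >&2 ;;
        2) echo "mangle chain $RULESET missing; commit the modify rule set first" >&2 ;;
        *) echo "iptables insert failed" >&2 ;;
    esac
fi
```

Because the rule is inserted outside the EdgeOS config, `show firewall` will not list it; `iptables -t mangle -S PREROUTING` is where to look when checking whether VPN clients are actually being matched.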

EdgeRouter PPTP/L2TP Firewall Modify by @sskaje: https://sskaje.me/2017/02/edgerouter-pptpl2tp-firewall-modify/

SoftEther between VPS and UBNT EdgeRouter

This is a placeholder, and this article won't be public.


SoftEther between VPS and UBNT EdgeRouter by @sskaje: https://sskaje.me/2017/01/softether-vps-ubnt-edgerouter/

SoftEther Error 13 with HAProxy or SNIProxy

I set up an HAProxy (also tried SNIProxy) on my EdgeRouter, sharing port 443 for internal port forwarding and SoftEther Server on Router.

When I connect to port 443 from another SoftEther Server, I get a timeout error. The message was in Simplified Chinese on my Windows box; I googled and found other people hitting the same error. The English message reads:

Error (Error Code 13):
Time-out occurred during VPN session communication. It is possible the connection from the client to the VPN Server has been disconnected.

In my case, the external SE connects to RouterIP:443; HAProxy (SNIProxy) listens on 443 and forwards SE connections to localhost:24443, where SoftEther on the router listens.

Since HAProxy/SNIProxy does not handle UDP packets, I tried setting up port forwarding for UDP 443; that did not work either.

The only solution is to tick 'Disable UDP Acceleration / 禁用 UDP 加速功能 / UDP 高速化機能を無効にする' under:
Manage Virtual Hub -> Manage Cascade Connections -> Edit -> Advanced Settings -> Disable UDP Acceleration

SoftEther Error 13 with HAProxy or SNIProxy by @sskaje: https://sskaje.me/2017/01/softether-error-13-haproxy-sniproxy/

Setup WPAD on EdgeRouter

Previously, I wrote Setup WPAD on Asus Merlin.

The setup on EdgeRouter is similar.

1 Configure Domain name.

System

DHCP service

2 Prepare wpad.dat

I don't have wpad.dat deployed on my router, but on an internal Ubuntu server with nginx as the httpd, IP 192.168.36.20.
wpad.dat sits in the default server root; if you use a custom server block, make sure wpad.int.sskaje.name is in its server_name directive.

/etc/nginx/sites-enabled/default

3 Configure Domain

I've moved all my dnsmasq configuration out of EdgeRouter's configure mode, saved it under /config/etc and linked it into /etc.

I added the following line to a .conf file under /etc/dnsmasq.d/

and restarted dnsmasq.

4 Configure DHCP Options

And my dhcp-server configuration looks like:

DO NOT try use-dnsmasq if you have a subnet whose CIDR prefix length is not one of 8, 16 or 24.
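The four steps above, collected into one script as an added example (not the post's own configuration, which is not reproduced here). From the post it takes the nginx host 192.168.36.20 and the name wpad.int.sskaje.name; the shared-network name "LAN", the subnet 192.168.36.0/24 and the proxy address 192.168.36.20:3128 inside the PAC file are assumptions. It uses a dnsmasq `address=` line for the WPAD name, DHCP option 252 through the EdgeOS `subnet-parameters` mechanism (the `&quot;` form for embedding quotes there is an assumption about the EdgeOS CLI; check `show service dhcp-server` after committing), and it implements the caveat above as a guard that only enables use-dnsmasq for /8, /16 and /24 subnets.

```shell
#!/bin/sh
# Added example, not the post's own configuration: WPAD on EdgeRouter in one go.
# From the post: nginx host 192.168.36.20, name wpad.int.sskaje.name.
# Assumed: shared-network "LAN", subnet 192.168.36.0/24, placeholder proxy
# 192.168.36.20:3128 in the PAC file, and the &quot; quoting in subnet-parameters.
DOMAIN=int.sskaje.name
WPAD_HOST=wpad.$DOMAIN
WPAD_IP=192.168.36.20
SUBNET=192.168.36.0/24
SHARED=LAN
WPAD_URL="http://$WPAD_HOST/wpad.dat"
DNSMASQ_CONF=/etc/dnsmasq.d/wpad.conf   # the post keeps these under /config/etc, symlinked into /etc

# Step 3: the dnsmasq line that resolves wpad.<domain> to the nginx host.
wpad_dns_line() { printf 'address=/%s/%s\n' "$WPAD_HOST" "$WPAD_IP"; }

# The post's caveat: use-dnsmasq only works for /8, /16 and /24 subnets.
# Returns 0 when the prefix length is one of those, 1 otherwise.
use_dnsmasq_ok() {
    prefix=${1##*/}
    [ "$prefix" != "$1" ] || return 1      # no /len suffix at all
    case $prefix in 8|16|24) return 0 ;; *) return 1 ;; esac
}

# Steps 1 and 4: domain name for system and DHCP, then DHCP option 252.
dhcp_commands() {
    cat <<EOF
set system domain-name $DOMAIN
set service dhcp-server shared-network-name $SHARED subnet $SUBNET domain-name $DOMAIN
set service dhcp-server global-parameters "option wpad-url code 252 = text;"
set service dhcp-server shared-network-name $SHARED subnet $SUBNET subnet-parameters "option wpad-url &quot;$WPAD_URL&quot;;"
EOF
    if use_dnsmasq_ok "$SUBNET"; then
        echo "set service dhcp-server use-dnsmasq enable"
    else
        echo "# $SUBNET is not a /8, /16 or /24: use-dnsmasq left disabled" >&2
    fi
}

# Step 2: a minimal PAC file for the nginx document root. Internal names go
# direct; everything else through the placeholder proxy.
pac_file() {
    cat <<EOF
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".$DOMAIN"))
        return "DIRECT";
    return "PROXY 192.168.36.20:3128; DIRECT";
}
EOF
}

WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
if [ -x "$WRAPPER" ]; then
    wpad_dns_line > "$DNSMASQ_CONF"
    /etc/init.d/dnsmasq restart
    $WRAPPER begin
    dhcp_commands | while read -r cmd; do eval "$WRAPPER $cmd"; done
    $WRAPPER commit && $WRAPPER save
    $WRAPPER end
else
    # Not on an EdgeRouter: show what would be applied and the PAC to deploy.
    wpad_dns_line
    dhcp_commands
    pac_file
fi
```

The PAC file should be served as `application/x-ns-proxy-autoconfig`; nginx's default MIME table does not map `.dat` to that type, so add it in a `types` block of the server that carries wpad.int.sskaje.name.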

Setup WPAD on EdgeRouter by @sskaje: https://sskaje.me/2016/11/setup-wpad-edgerouter/
