路由、设备 |

WireGuard wg-quick PostUp的高级玩法

By
Link: https://sskaje.me/2017/06/wireguard-wg-quick-postup%e7%9a%84%e9%ab%98%e7%ba%a7%e7%8e%a9%e6%b3%95/

真的很高级。

wg-quick是WireGuard用来启动网络设备的**脚本**。

注意了，迄今为止，wg-quick是用bash写的一个脚本，不知道未来会不会变，至少目前shebang是

!#/bin/bash

1	!#/bin/bash

Continue reading “WireGuard wg-quick PostUp的高级玩法” »

WireGuard wg-quick PostUp的高级玩法 by : https://sskaje.me/2017/06/wireguard-wg-quick-postup%e7%9a%84%e9%ab%98%e7%ba%a7%e7%8e%a9%e6%b3%95/

Incoming search terms:

EdgeRouter 策略路由实现分析

By
Link: https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

最近家里的路由规则越来越复杂，而且越来越好用。正好昨天跟朋友讨论他的家用路由改造方案，所以研究了一下EdgeRouter的策略路由（Policy-based Routing，PBR）的实现。

我家里的路由是EdgeRouter Lite，固件1.9.1.1，这个实现跟固件关系不大。

首先，我们可以参考一下官方的文档：EdgeRouter – Policy-based routing (source address based)

Continue reading “EdgeRouter 策略路由实现分析” »

EdgeRouter 策略路由实现分析 by : https://sskaje.me/2017/06/edgerouter-policy-based-routing-analysis/

Incoming search terms:

EdgeRouter + SoftEther Policy-based Routing Error

By
Link: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

I have protocol config like

protocols {
  static {
    table 4 {
      route 0.0.0.0/0 {
        next-hop 192.168.10.1 {
        }
      }
    }
  }
}

protocols {

static {

table 4 {

route 0.0.0.0/0 {

next-hop 192.168.10.1 {

}

SoftEther TAP device name is tap_se, local ip is 192.168.10.2, remote ip 192.168.10.1.

Internet is connected via pppoe0.

Policy-based routing modified to table 4 route traffic to pppoe0 rather than tap_se.

Check current route table:

root@ubnt:/home/ubnt# show ip route table 4
default via 192.168.10.1 dev pppoe0

1 2	root@ubnt:/home/ubnt# show ip route table 4 default via 192.168.10.1 dev pppoe0

In my previous post, I added a softether start-up script in /config/scripts/post-config.d/.
I guess vpnserver is launched after policy-based routing rules been applied, that causes policy-based routing find no device/connected routes for 192.168.10.1, then pppoe0 is picked.

I don’t have any good idea (add custom config template is a good choice, but i’m lazy zzZZ..), just disable and re-enable that route table after router is booted.

configure
set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit
delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit

configure

set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

EdgeRouter + SoftEther Policy-based Routing Error by : https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

EdgeRouter Policy Based Routing Using DNSMASQ IPSET

By
Link: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/

之前用SNIProxy按域名区分流量，着实麻烦。尤其是后期发现路由表莫名其妙出问题。

EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。
官方有两篇教程：
EdgeRouter – Policy-based routing for destination port
EdgeRouter – Policy-based routing (source address based)

第二篇文章顺带提了network-group。之前在配置VPN时，使用过network-group，还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。

而，这里的network-group的实现，使用了netfilter的ipset。Man pages可以看这里，命令在edgerouter上也附带了。

dnsmasq支持 ‘–ipset‘ 参数，把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档。

dnsmasq配置的语法比较简单。

--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

1	--ipset=/<domain>/[domain/]<ipset>[,<ipset>]

domain 部分参考 address 的语法。例如：

ipset=/.sskaje.me/MY_SET
ipset=/test.com/MY_SET

1 2	ipset=/.sskaje.me/MY_SET ipset=/test.com/MY_SET

配置好所有自己需要的域名，重启dnsmasq即可。

ipset本身支持timeout，但是edge os的network-group不支持，所以在配置dnsmasq之前，最好创建一个新的network-group。

假定新建的ipset名叫 MY_SET，edge router的主要相关配置如下：

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify
set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET
set firewall modify AUTO_VPN rule 20 modify table 4
set firewall modify AUTO_VPN rule 20 protocol all

set firewall group network-group MY_SET

set firewall modify AUTO_VPN rule 20 action modify

set firewall modify AUTO_VPN rule 20 destination group network-group MY_SET

set firewall modify AUTO_VPN rule 20 modify table 4

set firewall modify AUTO_VPN rule 20 protocol all

其他诸如配置 static table, interface firewall 可以参考最前边的文档。

EdgeRouter Policy Based Routing Using DNSMASQ IPSET by : https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/

Incoming search terms:

SNIProxy 绑定设备后连接超时

By
Link: https://sskaje.me/2017/02/sniproxy-bind-device-connection-timeout/

edgerouter lite

我之前是tun模式的openvpn site-to-site，网络拓扑很简单，local tun <-> remote tun，简单配个ip就行，edgerouter上直接使用interface-route 跳转到local tun就行了。

后来换用了softether，tap模式，于是需要自己配置IP和路由表。我简单地把firewall modify的地址组切到新的设备上，但是之前的 google dns 和 sniproxy 都保留在openvpn侧。但是最近openvpn被查的厉害，ssh也是被盯上了，所以不得不切换设备到 softether 的 tap 上。

listen 192.168.12.2:3543 {
    proto tls
    table https_hosts
    device tap_vbr
}

listen 192.168.12.2:3543 {

proto tls

table https_hosts

device tap_vbr

}

测试，发现连接超时。测试使用的域名是 download.oracle.com，解析的ip是 106.187.61.57。

路由上tcpdump

tcpdump -n -i tap_vbr

1	tcpdump -n -i tap_vbr

看到的请求却是：

14:22:04.471223 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
14:22:05.471221 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
14:22:06.475322 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
...

14:22:04.471223 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

14:22:05.471221 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

14:22:06.475322 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

...

所以。。。加路由吧。

因为公司是固定IP，所以之前配的是 system gateway-address。
这个时候直接配静态路由会报错：

root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100
Error: can not combine system gateway and static default route

1 2	root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100 Error: can not combine system gateway and static default route

先删后加

root@ubnt# delete system gateway-address 
[edit]
root@ubnt# commit
[edit]
root@ubnt# set protocols static route 0.0.0.0/0 next-hop my.static.gateway.address distance 10
[edit]
root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100
[edit]
root@uebnt# commit
[edit]
root@ubnt# save 
Saving configuration to '/config/config.boot'...
Done

root@ubnt# delete system gateway-address

[edit]

root@ubnt# commit

[edit]

root@ubnt# set protocols static route 0.0.0.0/0 next-hop my.static.gateway.address distance 10

[edit]

root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100

[edit]

root@uebnt# commit

[edit]

root@ubnt# save

Saving configuration to '/config/config.boot'...

Done

注意一下，delete执行完后需要先commit，否则还会报错。

验证一下

root@ubnt# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         my.st.gw.addr   0.0.0.0         UG        0 0          0 eth1
0.0.0.0         192.168.99.1    0.0.0.0         UG        0 0          0 tap_vbr

root@ubnt# netstat -nr

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

0.0.0.0 my.st.gw.addr 0.0.0.0 UG 0 0 0 eth1

0.0.0.0 192.168.99.1 0.0.0.0 UG 0 0 0 tap_vbr

如果执行命令前会纠结是否生效，简单 route add 测试一下即可。无比保证vpn的metric比默认网关的大。

另，interface-route + route 的混合模式没测试。

SNIProxy 绑定设备后连接超时 by : https://sskaje.me/2017/02/sniproxy-bind-device-connection-timeout/