Route | @sskaje

EdgeRouter + SoftEther Policy-based Routing Error

By @sskaje
Link: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

I have protocol config like

protocols {
  static {
    table 4 {
      route 0.0.0.0/0 {
        next-hop 192.168.10.1 {
        }
      }
    }
  }
}

protocols {

static {

table 4 {

route 0.0.0.0/0 {

next-hop 192.168.10.1 {

}

SoftEther TAP device name is tap_se, local ip is 192.168.10.2, remote ip 192.168.10.1.

Internet is connected via pppoe0.

Policy-based routing modified to table 4 route traffic to pppoe0 rather than tap_se.

Check current route table:

root@ubnt:/home/ubnt# show ip route table 4
default via 192.168.10.1 dev pppoe0

1 2	root@ubnt:/home/ubnt# show ip route table 4 default via 192.168.10.1 dev pppoe0

In my previous post, I added a softether start-up script in /config/scripts/post-config.d/.
I guess vpnserver is launched after policy-based routing rules been applied, that causes policy-based routing find no device/connected routes for 192.168.10.1, then pppoe0 is picked.

I don’t have any good idea (add custom config template is a good choice, but i’m lazy zzZZ..), just disable and re-enable that route table after router is booted.

configure
set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit
delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable
commit

configure

set protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

delete protocols static table 4 route 0.0.0.0/0 next-hop 192.168.10.1 disable

commit

EdgeRouter + SoftEther Policy-based Routing Error by @sskaje: https://sskaje.me/2017/06/edgerouter-softether-policy-based-routing-error/

Incoming search terms:

SNIProxy 绑定设备后连接超时

By @sskaje
Link: https://sskaje.me/2017/02/sniproxy-bind-device-connection-timeout/

edgerouter lite

我之前是tun模式的openvpn site-to-site，网络拓扑很简单，local tun <-> remote tun，简单配个ip就行，edgerouter上直接使用interface-route 跳转到local tun就行了。

后来换用了softether，tap模式，于是需要自己配置IP和路由表。我简单地把firewall modify的地址组切到新的设备上，但是之前的 google dns 和 sniproxy 都保留在openvpn侧。但是最近openvpn被查的厉害，ssh也是被盯上了，所以不得不切换设备到 softether 的 tap 上。

listen 192.168.12.2:3543 {
    proto tls
    table https_hosts
    device tap_vbr
}

listen 192.168.12.2:3543 {

proto tls

table https_hosts

device tap_vbr

}

测试，发现连接超时。测试使用的域名是 download.oracle.com，解析的ip是 106.187.61.57。

路由上tcpdump

tcpdump -n -i tap_vbr

1	tcpdump -n -i tap_vbr

看到的请求却是：

14:22:04.471223 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
14:22:05.471221 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
14:22:06.475322 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28
...

14:22:04.471223 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

14:22:05.471221 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

14:22:06.475322 ARP, Request who-has 106.187.61.57 tell 192.168.99.50, length 28

...

所以。。。加路由吧。

因为公司是固定IP，所以之前配的是 system gateway-address。
这个时候直接配静态路由会报错：

root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100
Error: can not combine system gateway and static default route

1 2	root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100 Error: can not combine system gateway and static default route

先删后加

root@ubnt# delete system gateway-address 
[edit]
root@ubnt# commit
[edit]
root@ubnt# set protocols static route 0.0.0.0/0 next-hop my.static.gateway.address distance 10
[edit]
root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100
[edit]
root@uebnt# commit
[edit]
root@ubnt# save 
Saving configuration to '/config/config.boot'...
Done

root@ubnt# delete system gateway-address

[edit]

root@ubnt# commit

[edit]

root@ubnt# set protocols static route 0.0.0.0/0 next-hop my.static.gateway.address distance 10

[edit]

root@ubnt# set protocols static route 0.0.0.0/0 next-hop 192.168.99.1 distance 100

[edit]

root@uebnt# commit

[edit]

root@ubnt# save

Saving configuration to '/config/config.boot'...

Done

注意一下，delete执行完后需要先commit，否则还会报错。

验证一下

root@ubnt# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         my.st.gw.addr   0.0.0.0         UG        0 0          0 eth1
0.0.0.0         192.168.99.1    0.0.0.0         UG        0 0          0 tap_vbr

root@ubnt# netstat -nr

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

0.0.0.0 my.st.gw.addr 0.0.0.0 UG 0 0 0 eth1

0.0.0.0 192.168.99.1 0.0.0.0 UG 0 0 0 tap_vbr

如果执行命令前会纠结是否生效，简单 route add 测试一下即可。无比保证vpn的metric比默认网关的大。

另，interface-route + route 的混合模式没测试。

SNIProxy 绑定设备后连接超时 by @sskaje: https://sskaje.me/2017/02/sniproxy-bind-device-connection-timeout/

EdgeRouter Lite: Source Based Routing

By @sskaje
Link: https://sskaje.me/2016/03/edgerouter-lite-source-based-routing/

I have 192.168.1.1/24 on my eth0 as LAN, VPN set up.
For some cases, I want to visit some web site via VPN, I set up a socks 5 proxy.
But socks 5 is not an option for iPhone & Android by default.

So I added 192.168.10.1/24 to eth0 at the same time, traffic from 192.168.10.0/24 are all forwarded to VPN interface.

set interfaces ethernet eth0 address 192.168.10.1/24

set firewall group network-group VPN_SRC_ZONE description 'network for full vpn route'
set firewall group network-group VPN_SRC_ZONE network 192.168.10.0/24

set firewall modify AUTO_VPN rule 700 action modify
set firewall modify AUTO_VPN rule 700 description 'src based routing'
set firewall modify AUTO_VPN rule 700 modify table 2
set firewall modify AUTO_VPN rule 700 source group network-group VPN_SRC_ZONE

set interfaces ethernet eth0 address 192.168.10.1/24

set firewall group network-group VPN_SRC_ZONE description 'network for full vpn route'

set firewall group network-group VPN_SRC_ZONE network 192.168.10.0/24

set firewall modify AUTO_VPN rule 700 action modify

set firewall modify AUTO_VPN rule 700 description 'src based routing'

set firewall modify AUTO_VPN rule 700 modify table 2

set firewall modify AUTO_VPN rule 700 source group network-group VPN_SRC_ZONE

If I want my iPhone traffic fully routed to VPN, I just need to change my iPhone WiFi addresses.

EdgeRouter Lite: Source Based Routing by @sskaje: https://sskaje.me/2016/03/edgerouter-lite-source-based-routing/