Search Results for ubnt edge os

UBNT EdgeOS 配置设备路由(interface-route)的方法

之前 EdgeOS PPTP VPN客户端配置里，配置VPN后，需要按需配置路由。由于自用的路由下一跳IP不确定，所以用了 interface-route。配置命令如下：

set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

1	set protocols static interface-route 10.1.1.0/24 next-hop-interface pptpc0

按这种方式配置路由的麻烦在于，每次输入都需要把目标网段后边配上一个interface，万一哪天需要改这个interface，要不一个一个改，要不重新导入配置文件。另外一个方法是用路由表＋防火墙路由表如下：

root@ubnt# show protocols static table 
 table 1 {
     description "route table via eth1: default internet access"
     interface-route 0.0.0.0/0 {
         next-hop-interface eth1 {
         }
     }
 }
 table 2 {
     description "route table via vtun0: openvpn  access"
     interface-route 0.0.0.0/0 {
         next-hop-interface vtun0 {
         }
     }
 }
[edit]

root@ubnt# show protocols static table

table 1 {

description "route table via eth1: default internet access"

interface-route 0.0.0.0/0 {

next-hop-interface eth1 {

}

table 2 {

description "route table via vtun0: openvpn access"

interface-route 0.0.0.0/0 {

next-hop-interface vtun0 {

}

[edit]

防火墙里配置一个地址组，并配好modify规则

firewall {
     group {
         network-group FORBIDDEN_ZONE {
             network 8.8.0.0/16
             network 8.25.0.0/16
         }
     }

     modify AUTO_VPN {
         description "Auto route to vpn based on destination"
         enable-default-log
         rule 1 {
             action modify
             description "route to table 2"
             destination {
                 group {
                     network-group FORBIDDEN_ZONE
                 }
             }
             log enable
             modify {
                 table 2
             }
         }
         rule 2 {
             action modify
             description "default route to table 1 "
             disable
             log enable
             modify {
                 table 1
             }
         }
     }
 }

firewall {

group {

network-group FORBIDDEN_ZONE {

network 8.8.0.0/16

network 8.25.0.0/16

}

modify AUTO_VPN {

description "Auto route to vpn based on destination"

enable-default-log

rule 1 {

action modify

description "route to table 2"

destination {

group {

network-group FORBIDDEN_ZONE

}

log enable

modify {

table 2

}

rule 2 {

action modify

description "default route to table 1 "

disable

log enable

modify {

table 1

}

再把内外网口的防火墙规则改一下

set interfaces ethernet eth0 firewall in modify AUTO_VPN

1	set interfaces ethernet eth0 firewall in modify AUTO_VPN

就行了。这里我的eth1连的外网，eth0是LAN。不过这里有个case我没试过，直接配置interface-route的方法，如果目标网段的interface掉了，会回落到默认的出口上，不知道modify的效果如何。 EdgeOS 1.8b3下firewall的log记录在 /var/log/messages 里，可以看到请求命中了哪个规则。 Incoming search terms:EDGEOSset firewall on ubntset interfaces ethernet eth0 firewall in modify balanceubnt edgeos su rootubnt 防火墙禁pingLink to this post!

EdgeRouter 部署 WireGuard

安装从 https://github.com/Lochnair/vyatta-wireguard/releases 下载对应的包 ERL, ER等 mips架构的，下载 octeon 版本 ERX 下载 ralink版本。可以选择上传到路由上，或者ssh登录路由，sudo su到root，执行类似如下的命令

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-octeon-0.0.20170612-2.deb -o wireguard-octeon-0.0.20170612-2.deb

或

curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

1	curl https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20170612-2/wireguard-ralink-0.0.20170612-2.deb -o wireguard-ralink-0.0.20170612-2.deb

下载完成后

dpkg -i xxx.deb

1	dpkg -i xxx.deb

配置执行下列命令生成私钥、共享密钥，公钥

wg genkey > /config/auth/wg.private
wg genpsk > /config/auth/wg.psk
chmod 0600 /config/auth/wg.*
wg pubkey < /config/auth/wg.private

wg genkey > /config/auth/wg.private

wg genpsk > /config/auth/wg.psk

chmod 0600 /config/auth/wg.*

wg pubkey < /config/auth/wg.private

将最后一个命令的输出复制下来，配置到服务器端获取服务器端的公钥，替换下文的“公钥”并执行命令

configure
set interfaces wireguard wg0 address 192.168.10.40/24
set interfaces wireguard wg0 listen-port 本地端口
set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'
set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk
set interfaces wireguard wg0 private-key /config/auth/wg.private
set interfaces wireguard wg0 route-allowed-ips false
commit
save

configure

set interfaces wireguard wg0 address 192.168.10.40/24

set interfaces wireguard wg0 listen-port 本地端口

set interfaces wireguard wg0 peer 公钥 allowed-ips 0.0.0.0/0

set interfaces wireguard wg0 peer 公钥 endpoint '服务器IP:端口'

set interfaces wireguard wg0 peer 公钥 preshared-key /config/auth/wg-eos.psk

set interfaces wireguard wg0 private-key /config/auth/wg.private

set interfaces wireguard wg0 route-allowed-ips false

commit

save

配置好设备后，配置nat服务

configure
set service nat rule 5032 outbound-interface wg0
set service nat rule 5032 type masquerade
commit 
save

configure

set service nat rule 5032 outbound-interface wg0

set service nat rule 5032 type masquerade

commit

save

剩下就是配置路由规则了，可以参考我的其他blog. Incoming search terms:wg genkey > /config/auth/wg private wg genpsk > /config/auth/wg psk chmod 0600 /config/auth/wg * wg pubkey < /config/auth/wg privatewireguardwireguard address 192 168 10 40/24 set … Continue reading “EdgeRouter 部署 WireGuard”

WireGuard wg-quick PostUp的高级玩法

真的很高级。 wg-quick是WireGuard用来启动网络设备的**脚本**。注意了，迄今为止，wg-quick是用bash写的一个脚本，不知道未来会不会变，至少目前shebang是

!#/bin/bash

1	!#/bin/bash

Link to this post!

EdgeRouter 策略路由实现分析

最近家里的路由规则越来越复杂，而且越来越好用。正好昨天跟朋友讨论他的家用路由改造方案，所以研究了一下EdgeRouter的策略路由（Policy-based Routing，PBR）的实现。我家里的路由是EdgeRouter Lite，固件1.9.1.1，这个实现跟固件关系不大。首先，我们可以参考一下官方的文档：EdgeRouter – Policy-based routing (source address based) Link to this post!

EdgeRouter + SoftEther Policy-based Routing Error

I have protocol config like

protocols {
  static {
    table 4 {
      route 0.0.0.0/0 {
        next-hop 192.168.10.1 {
        }
      }
    }
  }
}

protocols {

static {

table 4 {

route 0.0.0.0/0 {

next-hop 192.168.10.1 {

}

SoftEther TAP device name is tap_se, local ip is 192.168.10.2, remote ip 192.168.10.1. Internet is connected via pppoe0. Policy-based routing modified to table 4 route traffic to pppoe0 rather than tap_se. Check current route table:

root@ubnt:/home/ubnt# show ip route table 4
default via 192.168.10.1 dev pppoe0

1 2	root@ubnt:/home/ubnt# show ip route table 4 default via 192.168.10.1 dev pppoe0

In my previous post, I added a softether start-up script in /config/scripts/post-config.d/. I … Continue reading “EdgeRouter + SoftEther Policy-based Routing Error”