给家里 R2S 重新做了一次路由。
刷机后,连网线下载一些软件
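# Packages for the router: PPPoE dialer (pppoeconf), DHCP/DNS (dnsmasq), firewall (nftables),
# DHCPv6 prefix-delegation client (wide-dhcpv6-client) and proxychains.
# The dialer package is "pppoeconf" (the command run later is `pppoeconf`); "pppoconf" does not exist.
apt install pppoeconf dnsmasq nftables wide-dhcpv6-client proxychains4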
配置接口
# WAN side: eth0 is the link to the optical modem; the PPPoE session (ppp0) is
# set up on top of it later with pppoeconf.
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto
# LAN side; dnsmasq serves DHCP/RA on this interface.
auto lan0
allow-hotplug lan0
iface lan0 inet static
address 192.168.5.1/24
# Dummy interface holding the dn42 addresses that the nft "route" table uses as
# SNAT sources for traffic leaving over the mesh_* tunnels.
# NOTE(review): unlike eth0/lan0 there is no "auto dummy" line, so this stanza is
# only applied by an explicit "ifup dummy" — add "auto dummy" if it must exist at boot.
iface dummy inet static
address 172.22.183.111/32
# "ip link add" fails if the device already exists (e.g. ifup after an interrupted ifdown);
# "pre-up ip l a dummy type dummy || true" would make re-runs tolerant — confirm which is wanted.
pre-up ip l a dummy type dummy
iface dummy inet6 static
address fd93:b89c:b538:1::2/128
禁用 NetworkManager
# Interface management is done by ifupdown/dnsmasq here: stop NetworkManager now
# and keep it disabled across reboots.
systemctl disable --now NetworkManager.service
配置 dnsmasq,并加入自启
# Answer only on the LAN and loopback. Without bind-interfaces dnsmasq still binds
# the wildcard address and discards requests arriving on other interfaces.
interface=lan0
interface=lo
# DHCP Scope
log-dhcp
dhcp-range=192.168.5.50,192.168.5.240,12h
# IPv6 on the LAN: send router advertisements; hosts self-configure (SLAAC) from the
# prefix delegated to lan0, no stateful DHCPv6 leases.
enable-ra
dhcp-range=::,constructor:lan0,ra-only,slaac
# Default gateway (option 3) and DNS server (option 6) handed to clients: this box.
dhcp-option=3,192.168.5.1
dhcp-option=6,192.168.5.1
# DNS Scope
# NOTE(review): this instance listens on 5353, while option 6 above sends clients to
# 192.168.5.1 on port 53 — presumably another resolver (see the dnsmasq-chinalist
# setup / clash) answers on :53; confirm, otherwise client DNS fails.
port=5353
# Names under .dn42 go to the dn42 resolver; everything else to the upstream below.
server=/dn42/172.23.0.53
server=172.22.183.98 # my dn42 DNS server (node in Japan), used for post queries
其他配置见: dnsmasq-chinalist
配置 clash
# Unprivileged service account for clash (used by User=/Group= in the unit and by
# "meta skuid clash" in the nft rules); no home directory is created.
# NOTE(review): for a pure service account consider --system and --shell /usr/sbin/nologin.
useradd --no-create-home clash
service 如下
[Unit]
Description=clash service
After=network.target
[Service]
Type=simple
User=clash
Group=clash
# Runs as the unprivileged clash user; only these capabilities are kept (bounding set)
# and actually granted (ambient). CAP_NET_ADMIN is presumably needed for the transparent
# proxy sockets (IP_TRANSPARENT), CAP_NET_BIND_SERVICE for low ports, CAP_NET_RAW for raw sockets.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
ExecStart=/opt/router/clash/clash -d /opt/router/clash
Restart=on-failure
# The "+" prefix runs these hooks as root with full privileges, i.e. outside the
# User=/CapabilityBoundingSet= sandbox above. Keep both scripts and their directory
# root-owned and not writable by the clash user; a writable hook would hand root to the service account.
ExecStartPre=+/usr/bin/bash /opt/router/clash/scripts/start.sh
ExecStopPost=+/usr/bin/bash /opt/router/clash/scripts/stop.sh
# NOTE(review): no further sandboxing (NoNewPrivileges=, ProtectSystem=, ...). Whether
# these can be added depends on what clash writes under /opt/router/clash — verify first.
[Install]
WantedBy=multi-user.target
拔线,wan 直连光猫,lan 接 AP,ssh 登录后进行下一步
pppoeconf
根据提示配置开机自启等
接下来配置 nftables
#!/usr/sbin/nft -f
# "flush ruleset" is deliberately left disabled (it would remove every table in the
# kernel). Each table below is instead declared and deleted individually, so
# re-applying this file only touches the three tables it owns.
# flush ruleset
# Set definitions referenced as $private_list, $private6_list, $chnroute_list,
# $chnroute6_list. The chnroute files are generated by the script further down.
include "/opt/router/nft/private.nft"
include "/opt/router/nft/private6.nft"
include "/opt/router/nft/chnroute.nft"
include "/opt/router/nft/chnroute6.nft"
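# Declaring the table and then deleting it makes this file safe to re-apply
# without "flush ruleset".
table inet filter
delete table inet filter
table inet filter {
	chain input {
		# No policy is given, so the chain policy is accept: only the low port
		# range arriving on the PPPoE link is dropped. Ports above 10000 on ppp0
		# (presumably the dn42 tunnel endpoints) and everything arriving on
		# eth0 / lan0 / mesh_* stay reachable.
		type filter hook input priority 0;
		iifname ppp0 tcp dport { 0-10000 } drop;
		# DHCPv6 (client 546 / server 547) must stay open or prefix delegation breaks.
		iifname ppp0 udp dport { 546, 547 } accept; # IPv6 PD
		iifname ppp0 udp dport { 0-10000 } drop;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		# The chain used to have no rules, so anything arriving on ppp0 could be
		# forwarded into the LAN. For IPv4 that is mostly harmless (no DNAT), but
		# lan0 hosts get global IPv6 addresses from the delegated prefix and were
		# directly reachable from the Internet. Only reply traffic (and related
		# ICMP errors) is now forwarded in from ppp0; LAN-originated and mesh
		# traffic is unaffected.
		iifname ppp0 ct state { established, related } accept
		iifname ppp0 drop
	}
	chain output {
		type filter hook output priority 0;
	}
}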
table inet route
delete table inet route
table inet route {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# LAN traffic leaving over the dn42 mesh tunnels is source-NATed to the
		# addresses of the "dummy" interface from the interfaces config.
		ip saddr 192.168.5.0/24 oifname "mesh_*" snat ip to 172.22.183.111
		ip6 saddr ::/0 oifname "mesh_*" snat ip6 to fd93:b89c:b538:1::2
		# NOTE(review): in an inet table "masquerade" applies to IPv6 as well, so
		# lan0 hosts using the delegated prefix are also source-NATed on ppp0;
		# if that is not intended, prefix this rule with `meta nfproto ipv4`.
		oifname { eth0, ppp0 } masquerade
	}
}
# Transparent-proxy hand-off to clash: IPv4 TCP is redirected to :7892, other
# TCP/UDP is tproxy'd to :7893 with firewall mark 0x233. The mark is presumably
# matched by an ip rule created in /opt/router/clash/scripts/start.sh so that
# tproxy'd packets are delivered locally — confirm there.
table inet gfw
delete table inet gfw
table inet gfw {
	# Regular (non-base) chain: accepts, i.e. leaves unproxied, traffic that must
	# never go through clash.
	chain skiplocal {
		fib daddr type local counter accept
		ip daddr $private_list accept
		ip6 daddr $private6_list accept
		# China routes are currently NOT bypassed here; with these commented out the
		# domestic/foreign split is left to clash's own rules.
		# ip daddr $chnroute_list accept
		# ip6 daddr $chnroute6_list accept
	}
	# NOTE(review): neither prenat nor pretp is limited to iifname lan0, so packets
	# arriving on ppp0 or mesh_* for a destination that is neither local nor in the
	# private lists (e.g. a PD-addressed lan0 host) are also redirected/tproxy'd into
	# clash. An `iifname != lan0 return` at the top of both chains would scope this to
	# the LAN — confirm against the mesh routing before adding it.
	chain prenat {
		type nat hook prerouting priority dstnat; policy accept;
		jump skiplocal
		# "ip protocol" matches IPv4 only; IPv6 TCP is handled by the tproxy rule in pretp.
		ip protocol tcp redirect to :7892
	}
	chain pretp {
		# priority mangle (-150) runs before dstnat (-100), so this chain sees packets first.
		type filter hook prerouting priority mangle; policy accept;
		jump skiplocal
		# NOTE(review): a socket uid is normally only known for locally generated
		# packets, so in a prerouting chain this probably never matches — the
		# counter shows whether it does.
		meta skuid clash counter return
		# DNS (plain 53 and dnsmasq on 5353) stays out of the proxy.
		udp dport { 53, 5353 } counter return
		# IPv4 TCP falls through to prenat's redirect; everything else that is
		# TCP/UDP (IPv6 TCP, all remaining UDP) is tproxy'd here.
		ip protocol tcp return
		meta l4proto { tcp, udp } meta mark set 0x233 tproxy to :7893 accept
	}
	chain output {
		# Currently a rule-less regular chain: with the hook line commented out,
		# locally generated traffic is neither marked nor proxied.
		# type route hook output priority filter; policy accept;
		# jump skiplocal
		# meta skuid clash counter return
		# meta l4proto { tcp, udp } meta mark set 0x233
	}
	chain divert {
		type filter hook prerouting priority mangle; policy accept;
		# Packets that already belong to a transparent socket keep the mark so
		# they continue to be delivered locally.
		meta l4proto tcp socket transparent 1 meta mark set 0x233 accept
	}
}
chnroute 可以用如下方式获取
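#######################################
# Build the nftables "define" sets of CN address blocks from an RIR
# delegated-stats dump (pipe-separated: registry|cc|type|start|value|...).
# Arguments: $1 - input file (default: raw)
#            $2 - IPv4 output file (default: chnroute.nft)
#            $3 - IPv6 output file (default: chnroute6.nft)
# Outputs:   writes "define chnroute_list = { ... }" to $2 and
#            "define chnroute6_list = { ... }" to $3, one "addr/len," per line
# Returns:   0 on success, 1 if the input file cannot be read
#######################################
gen_chnroute() {
  local src=${1:-raw} out4=${2:-chnroute.nft} out6=${3:-chnroute6.nft}
  [[ -r "$src" ]] || { printf 'gen_chnroute: cannot read %s\n' "$src" >&2; return 1; }
  # IPv4: field 5 is an address COUNT, so the prefix length is 32 - log2(count).
  # Round explicitly instead of letting printf %d truncate: log(256)/log(2) may
  # evaluate to 8.0000000001, which truncation would turn into /23 instead of /24.
  {
    printf 'define chnroute_list = {\n'
    awk -F'|' '/ipv4/ && /CN/ { printf("%s/%d,\n", $4, int(32 - log($5)/log(2) + 0.5)) }' < "$src"
    printf '}\n'
  } > "$out4"
  # IPv6: field 5 already is the prefix length.
  {
    printf 'define chnroute6_list = {\n'
    awk -F'|' '/ipv6/ && /CN/ { printf("%s/%d,\n", $4, $5) }' < "$src"
    printf '}\n'
  } > "$out6"
}
gen_chnroute raw chnroute.nft chnroute6.nft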
配置 SLAAC,加入自启
# wide-dhcpv6-client: request a delegated prefix (IA_PD) over the PPPoE link and
# assign one /64 out of it to lan0, where dnsmasq announces it via RA/SLAAC.
# The DHCPv6 exchange on ppp0 uses UDP 546/547, which the nft input chain accepts.
interface ppp0 {
	send ia-pd 0;
};
id-assoc pd 0 {
	prefix-interface lan0 {
		sla-len 8; # for a /56 delegation: 56 + 8 = /64 on lan0
		# Interface identifier 0: the router should take <prefix>:: on lan0
		# (no sla-id is given, so the default subnet of the /56 is used).
		ifid 0;
	};
};
后记
IPv6 PD 使用 546 UDP 端口,记得放行,折腾老子 2h,真的是