给家里 R2S 重新做了一次路由。

刷机后,连网线下载一些软件

apt install pppoeconf dnsmasq nftables wide-dhcpv6-client proxychains4

配置接口

# Uplink: eth0 takes IPv4 via DHCP and IPv6 via RA/SLAAC from whatever is
# upstream (presumably the ONT while setting up; later ppp0 runs over it).
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

# LAN: the router's static gateway address; dnsmasq serves the
# 192.168.5.50-240 range on this interface.
auto lan0
allow-hotplug lan0
iface lan0 inet static
    address 192.168.5.1/24
    
# Dummy interface carrying the addresses used as SNAT sources for mesh_*
# traffic in the nft route table. The pre-up creates the device
# (`ip l a` is the abbreviated `ip link add`).
# NOTE(review): there is no `auto dummy` line, so `ifup -a` will not raise it
# at boot, and re-running pre-up on an existing device fails — confirm how it
# is brought up in practice.
iface dummy inet static
    address 172.22.183.111/32
    pre-up ip l a dummy type dummy

iface dummy inet6 static
    address fd93:b89c:b538:1::2/128

禁用 NetworkManager

systemctl disable --now NetworkManager

配置 dnsmasq,并加入自启

# Answer only on the LAN and loopback.
# NOTE(review): without bind-interfaces dnsmasq still binds the wildcard and
# filters by interface in userspace; the nft input chain drops UDP 0-10000
# from ppp0, which covers port 5353, so the uplink side is not exposed.
interface=lan0
interface=lo

# DHCP Scope
log-dhcp
dhcp-range=192.168.5.50,192.168.5.240,12h

# IPv6: announce the prefix that dhcp6c delegates to lan0 with router
# advertisements only (ra-only) and SLAAC; no stateful DHCPv6 leases.
enable-ra
dhcp-range=::,constructor:lan0,ra-only,slaac
# Options 3/6: gateway and DNS server handed to IPv4 clients.
# NOTE(review): clients will query 192.168.5.1 on port 53, while dnsmasq
# listens on 5353 (port= below); presumably clash's DNS serves :53 — confirm.
dhcp-option=3,192.168.5.1
dhcp-option=6,192.168.5.1


# DNS Scope
port=5353
# The dn42 zone goes to the dn42 resolver; everything else to the node below.
server=/dn42/172.23.0.53

server=172.22.183.98   # my dn42 DNS server (node in Japan), used for "post" lookups

其他配置见: dnsmasq-chinalist

配置 clash

useradd -M clash

service 如下

[Unit]
Description=clash service
# Ordered after network.target only (interfaces configured, not necessarily
# online); clash itself retries via Restart= below.
After=network.target

[Service]
Type=simple
# Runs as the unprivileged user created with `useradd -M clash`; the ambient
# capabilities are presumably what the transparent-proxy listeners
# (:7892 redirect, :7893 tproxy, mark 0x233 in the nft gfw table) need
# instead of root — confirm against the clash configuration.
User=clash
Group=clash
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
ExecStart=/opt/router/clash/clash -d /opt/router/clash
Restart=on-failure


# The leading "+" runs these hooks with full root privileges, bypassing
# User= and the capability sets above. NOTE(review): the scripts are not
# shown here; they should be root-owned and not writable by the clash user,
# otherwise the sandboxing above is moot — verify.
ExecStartPre=+/usr/bin/bash /opt/router/clash/scripts/start.sh
ExecStopPost=+/usr/bin/bash /opt/router/clash/scripts/stop.sh

[Install]
WantedBy=multi-user.target

拔线,wan 直连光猫,lan 接 AP,ssh 登录后进行下一步

pppoeconf

根据提示配置开机自启等

接下来配置 nftables

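#!/usr/sbin/nft -f

# Router ruleset (R2S). Each table is declared, deleted and re-declared so
# the file can be re-applied without a global `flush ruleset`, which would
# also wipe tables owned by other services.
# flush ruleset

# Sets referenced below: $private_list / $private6_list and the CN route
# lists (define chnroute_list / chnroute6_list) produced by the awk snippet.
include "/opt/router/nft/private.nft"
include "/opt/router/nft/private6.nft"
include "/opt/router/nft/chnroute.nft"
include "/opt/router/nft/chnroute6.nft"

table inet filter
delete table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0;
        # Only ports 0-10000 on the PPPoE uplink are blocked; the default
        # policy is accept, so anything listening on a higher port is reachable.
        iifname ppp0 tcp dport { 0-10000 } drop;
        iifname ppp0 udp dport { 546, 547 } accept;  # IPv6 PD (DHCPv6 client on ppp0)
        iifname ppp0 udp dport { 0-10000 } drop;
    }
    chain forward {
        type filter hook forward priority 0;
        # Return traffic for flows opened from the LAN or the router itself.
        ct state established,related accept
        # ICMPv6 (path MTU, unreachable, ...) must still reach LAN hosts in
        # the delegated prefix.
        meta l4proto icmpv6 accept
        # Unsolicited connections from the uplink are dropped. The previous
        # empty chain forwarded everything from ppp0/eth0 under the accept
        # policy, so every host in the prefix delegated to lan0 was reachable
        # from the Internet (the IPv4 side was only shielded by NAT).
        iifname { eth0, ppp0 } drop
    }
    chain output {
        type filter hook output priority 0;
    }
}

table inet route
delete table inet route
table inet route {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Traffic into the dn42 mesh leaves with the dummy-interface
        # addresses as source.
        ip saddr 192.168.5.0/24 oifname "mesh_*" snat ip to 172.22.183.111
        ip6 saddr ::/0 oifname "mesh_*" snat ip6 to fd93:b89c:b538:1::2
        # Everything towards the uplink is masqueraded.
        oifname { eth0, ppp0 } masquerade
    }
}

table inet gfw
delete table inet gfw
table inet gfw {
    # Destinations that are never proxied. The CN route bypass is currently
    # disabled, so all non-local, non-private traffic goes to clash.
    chain skiplocal {
        fib daddr type local counter accept
        ip daddr $private_list accept
        ip6 daddr $private6_list accept
        # ip daddr $chnroute_list accept
        # ip6 daddr $chnroute6_list accept
    }

    # IPv4 TCP from the LAN -> clash redir listener on :7892.
    chain prenat {
        type nat hook prerouting priority dstnat; policy accept;
        jump skiplocal

        ip protocol tcp redirect to :7892
    }

    # Everything else (UDP, IPv6 TCP) -> clash tproxy listener on :7893.
    # Mark 0x233 presumably matches an ip rule/route set up by start.sh that
    # delivers marked packets locally — not shown here, confirm.
    chain pretp {
        type filter hook prerouting priority mangle; policy accept;
        jump skiplocal

        # NOTE(review): skuid is only known for locally generated packets, so
        # in a prerouting chain this rule is unlikely to ever match (watch the
        # counter); the commented output chain below is where it would apply.
        meta skuid clash counter return
        # UDP DNS is not tproxied.
        udp dport { 53, 5353 } counter return
        # IPv4 TCP is already handled by prenat/redirect.
        ip protocol tcp return
        meta l4proto { tcp, udp } meta mark set 0x233 tproxy to :7893 accept
    }

    chain output {
        # type route hook output priority filter; policy accept;
        # jump skiplocal

        # meta skuid clash counter return
        # meta l4proto { tcp, udp } meta mark set 0x233
    }

    # Packets that already belong to a transparent socket get the same mark
    # so they take the local delivery route too.
    chain divert {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto tcp socket transparent 1 meta mark set 0x233 accept
    }
}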

chnroute 可以用如下方式获取

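#!/usr/bin/env bash
# Build the nft "chnroute" include files from an RIR delegation list
# (file `raw`, one `registry|cc|type|start|value|...` record per line).
# The generated files define $chnroute_list / $chnroute6_list for the
# firewall ruleset.
set -u

#######################################
# Write the IPv4 and IPv6 CN prefix lists.
# Arguments:
#   $1 - delegation file to read (default: raw)
#   $2 - IPv4 output file (default: chnroute.nft)
#   $3 - IPv6 output file (default: chnroute6.nft)
# Outputs: nothing on stdout; diagnostics on stderr
# Returns: 0 on success, 1 if the input is unreadable or an output cannot be written
#######################################
gen_chnroute() {
  local raw=${1:-raw} v4_out=${2:-chnroute.nft} v6_out=${3:-chnroute6.nft}

  # Fail before touching the outputs so a missing input cannot leave
  # header-only (empty) lists behind that the ruleset would happily include.
  if [[ ! -r "$raw" ]]; then
    printf 'gen_chnroute: cannot read %s\n' "$raw" >&2
    return 1
  fi

  # Match the country and type fields exactly (plain `grep CN` also matched
  # any line containing "CN" anywhere) and require the start field to look
  # like an address: the output is `include`d verbatim into the nft ruleset,
  # so a malformed record must not be able to inject rule text.
  # IPv4: field 5 is a host count; derive the prefix length by repeated
  # halving rather than 32-log(n)/log(2), whose float result can land just
  # below an integer and be truncated by %d.
  {
    printf 'define chnroute_list = {\n'
    awk -F'|' '
      $2 == "CN" && $3 == "ipv4" && $4 ~ /^[0-9.]+$/ && $5 ~ /^[0-9]+$/ {
        n = 32; c = $5 + 0
        while (c > 1) { c /= 2; n-- }
        printf("%s/%d,\n", $4, n)
      }' "$raw"
    printf '}\n'
  } > "$v4_out" || return 1

  # IPv6: field 5 already is the prefix length.
  {
    printf 'define chnroute6_list = {\n'
    awk -F'|' '
      $2 == "CN" && $3 == "ipv6" && $4 ~ /^[0-9a-fA-F:]+$/ && $5 ~ /^[0-9]+$/ {
        printf("%s/%d,\n", $4, $5)
      }' "$raw"
    printf '}\n'
  } > "$v6_out" || return 1

  return 0
}

gen_chnroute "$@"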

配置 SLAAC,加入自启

# wide-dhcpv6-client: request a prefix delegation (IA_PD 0) on the PPPoE
# uplink; the input chain must accept UDP 546/547 on ppp0 for this to work.
interface ppp0 {
    send ia-pd 0;
};

# Assign a /64 out of the delegated prefix to lan0; dnsmasq's ra-only range
# then announces it to LAN clients.
id-assoc pd 0 {
    prefix-interface lan0 {
        sla-len 8;  # for a /56 delegation: 56 + 8 = /64 on lan0
        ifid 0;  # presumably the interface identifier for lan0's own address — confirm
    };
};

后记

IPv6 PD 使用 546 UDP 端口,记得放行,折腾老子 2h,真的是

Reference
