Наконец-то я попытался заставить OpenWRT работать на роутере; к сожалению, похоже, что это больше хлопот, чем того стоит.
Я установил OpenWRT на TP-LINK 1043ND v1.
Версия OpenWRT: OpenWrt 18.06.1, r7258-5eb055306f
Всё выглядит нормально, за исключением того, что брандмауэр/NAT не работает (с конфигурацией OpenWRT по умолчанию такого не было).
Правила iptables на роутере:
root@OpenWrt:~# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
930 106K ACCEPT all -- lo any anywhere anywhere /* !fw3 */
8761 1438K input_rule all -- any any anywhere anywhere /* !fw3: Custom input rule chain */
3077 877K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
344 33307 zone_lan_input all -- br-lan any anywhere anywhere /* !fw3 */
5340 528K zone_wan_input all -- eth0.2 any anywhere anywhere /* !fw3 */
Chain FORWARD (policy ACCEPT 713 packets, 38793 bytes)
pkts bytes target prot opt in out source destination
3466 377K forwarding_rule all -- any any anywhere anywhere /* !fw3: Custom forwarding rule chain */
2753 338K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
713 38793 zone_lan_forward all -- br-lan any anywhere anywhere /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 any anywhere anywhere /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
930 106K ACCEPT all -- any lo anywhere anywhere /* !fw3 */
5884 1665K output_rule all -- any any anywhere anywhere /* !fw3: Custom output rule chain */
5627 1646K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
12 3236 zone_lan_output all -- any br-lan anywhere anywhere /* !fw3 */
245 16234 zone_wan_output all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (2 references)
pkts bytes target prot opt in out source destination
137 5675 REJECT tcp -- any any anywhere anywhere /* !fw3 */ reject-with tcp-reset
5164 521K REJECT all -- any any anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
Chain zone_lan_dest_ACCEPT (5 references)
pkts bytes target prot opt in out source destination
12 3236 ACCEPT all -- any br-lan anywhere anywhere /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
713 38793 forwarding_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
713 38793 zone_lan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
344 33307 input_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
344 33307 zone_lan_src_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
12 3236 output_lan_rule all -- any any anywhere anywhere /* !fw3: Custom lan output rule chain */
12 3236 zone_lan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
344 33307 ACCEPT all -- br-lan any anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
8 320 DROP all -- any eth0.2 anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
237 15914 ACCEPT all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any eth0.2 anywhere anywhere /* !fw3 */
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- any any anywhere anywhere /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
0 0 zone_lan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3: Zone wan to lan forwarding policy */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
5340 528K input_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
1 30 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
38 1064 ACCEPT igmp -- any any anywhere anywhere /* !fw3: Allow-IGMP */
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
5301 527K zone_wan_src_REJECT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
245 16234 output_wan_rule all -- any any anywhere anywhere /* !fw3: Custom wan output rule chain */
245 16234 zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
5301 527K reject all -- eth0.2 any anywhere anywhere /* !fw3 */
Вот также конфиг fw3:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option output 'ACCEPT'
option forward 'ACCEPT'
option input 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'lan'
option src 'wan'
Из локальной сети я вообще не могу подключиться к внешнему Интернету (даже все пинги завершаются по тайм-ауту), однако сам маршрутизатор, похоже, прекрасно подключён к Интернету (получает списки пакетов OpenWRT и т. п.).
На случай вопросов об XY-проблеме: да, маршрутизатор имеет корректный IP-адрес в локальной сети. Да, компьютер получает корректный IP, поэтому я могу открыть LuCI. Да, у WAN правильный IP, соединение с провайдером в порядке (поэтому OpenWRT может загружать списки пакетов).
DHCPv6 у провайдера недоступен. IPv6 в локальной сети у меня наполовину отключён. Я потратил слишком много времени на поиск неисправности и понятия не имею, что может быть не так. Может быть, кто-нибудь сможет помочь?
Кстати, правила iptables, создаваемые fw3, выглядят ужасно запутанными.