zhangguanzhang's Blog

Proxmox x86 soft router notes

2020/05/13

Background

There is a desktop in the office and I don't want to carry the N1 to and from work every day, so I set up an x86 soft router. ESXi performs better than PVE, but PVE is Linux after all, which makes compatibility and integration with many scenarios easier, so here I create a VM on PVE and install OpenWrt in it. PVE is already installed, and the desktop's network port is connected to a LAN port of the main router.

Importing the img

VM preparation

First download a firmware image from the x86 section of the Enshan forum.
Create a VM on PVE:

  • General - Advanced: tick "Start at boot"; if necessary set the VM ID manually, it is needed later
  • OS: do not use any media
  • System: keep the defaults, next
  • Hard disk: anything, it will be deleted later
  • CPU as needed; I gave it 2 cores and 2 GB of memory
  • Network: model Intel E1000, untick Firewall
  • Finish
  • Select the VM, Hardware - select the hard disk, click Detach, then Remove

Importing the img

Upload the firmware to the PVE host. It is usually a .gz; decompress it to an .img, then convert it to a qcow2 file with:

qemu-img convert -f raw  -O qcow2 openwrt-x86-64-generic-squashfs-combined-efi.img op.qcow2

Check it; the output should be No errors:

qemu-img check op.qcow2

Import it as a disk. The VM id here is the vmid set earlier; if you did not set one, look up the OpenWrt VM's vmid in the web console:

qm importdisk 200 op.qcow2 local-lvm
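The three commands above as one script, added here as an example (it is not from the original post). It also attaches the imported disk and sets it as the boot disk, which the post does not show. Assumptions: the firmware archive is a .gz of a raw .img as in the post, the disk is attached as scsi0, and importdisk names it vm-<VMID>-disk-0 because the VM's original disk was detached and removed earlier; the storage name and the op.qcow2 file name are the post's.

```shell
#!/bin/sh
# Added example (not the post's own script): convert, check, import and attach
# an OpenWrt x86 image on a PVE host. Run as root on the PVE host.
# Assumptions: raw .img inside a .gz, disk attached as scsi0, and the imported
# volume is named vm-<VMID>-disk-0 (the VM's original disk was removed).
set -eu

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# import_openwrt_img VMID FIRMWARE.img.gz [STORAGE]
import_openwrt_img() {
    vmid="$1"; img_gz="$2"; storage="${3:-local-lvm}"
    img="${img_gz%.gz}"
    qcow="op.qcow2"

    # 1. unpack the raw image (gunzip -k keeps the archive; GNU gzip as on Debian/PVE)
    [ -f "$img" ] || run gunzip -k "$img_gz"
    # 2. raw -> qcow2, exactly as in the post
    run qemu-img convert -f raw -O qcow2 "$img" "$qcow"
    # 3. integrity check: qemu-img exits non-zero if the image has errors,
    #    so 'set -e' stops here before a damaged image is imported
    run qemu-img check "$qcow"
    # 4. import into the VM's storage; the disk then shows up as "unused"
    run qm importdisk "$vmid" "$qcow" "$storage"
    # 5. attach the unused disk and make it the boot disk (assumed scsi0;
    #    newer PVE versions spell the second step "--boot order=scsi0")
    run qm set "$vmid" --scsi0 "$storage:vm-$vmid-disk-0"
    run qm set "$vmid" --bootdisk scsi0
}

# Usage: ./import-openwrt.sh 200 openwrt-x86-64-generic-squashfs-combined-efi.img.gz
[ $# -eq 0 ] || import_openwrt_img "$@"
```

Run it with DRY_RUN=1 first to see the exact qemu-img and qm commands it would execute for your vmid and storage.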

Side router configuration

Static IP configuration

Here the main router, 192.168.2.1/24, is a second-level router on the port connected to the office network and also provides WiFi. The OpenWrt VM is a side router (bypass router) planned at 192.168.2.3. DHCP is disabled on the main router and enabled on the side router (some routers cannot set the gateway IP handed out by DHCP, so the side router is the DHCP server here).

After booting, wait about 36 seconds and press Enter to get a terminal. Edit the side router's network config file:

cp /etc/config/network /etc/config/network.bak
vi /etc/config/network

Change 192.168.1.1 to the intended settings; if there is no gateway line, add one with the main router's IP:

config interface 'eth0'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.3'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

Restart networking:

/etc/init.d/network restart

Then press Enter and ping 114 to test:

ping 114.114.114.114

Then open 192.168.2.3 in a browser; try the default credentials such as admin / password.

Web configuration

DHCP

My firmware has only one LAN interface; I am not sure whether others are the same (read everything from here to the end once before following along).
Network - Interfaces, edit LAN. Under DHCP Server at the bottom, enable it. Then in Advanced Settings tick Dynamic DHCP and Force, fill in the netmask, and add the two DHCP options below:

3,192.168.2.3                    # DHCP gateway option, pointing at the side router itself
6,192.168.2.3                    # DNS handed out by DHCP; the side router's own IP once it is stable

In IPv6 Settings, set the first three services to disabled.
Save & Apply.

DNS

Network - DHCP and DNS - General Settings: configure DNS forwarding if needed, and block some activation-code request domains and the like. I unticked "Rebind protection" (discard RFC1918 upstream responses); otherwise, in my case, some domains served by certain upstream DNS servers could not be reached.
At the very bottom, the Hostnames list can pin a public IP for a domain, for example to download JetBrains plugins and software while bypassing the blocking configured above.

Network - DHCP and DNS - Advanced Settings - DNS server port: set it to 0 so dnsmasq's DNS function is not used, because dnsmasq often hangs when configuration is added and its resolution is unstable. Back in the web UI, Save & Apply.
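The changes made by hand above (the static IP in /etc/config/network, the DHCP server with options 3 and 6, the three IPv6 services disabled, rebind protection off, and dnsmasq's DNS port set to 0) expressed as one uci batch, added here as an example; it is not from the original post. Writing them this way makes the side-router configuration reproducible and lets the batch be reviewed before it is applied. Assumption: the LAN interface section is called 'lan' in UCI (the post's network file shows the section named 'eth0'; pass that name as the fourth argument if your firmware does the same).

```shell
#!/bin/sh
# Added example (not the post's own script): the post's side-router settings
# as a uci batch. Assumes the LAN section is 'lan' unless given as 4th argument,
# and the standard OpenWrt dhcp/network option names.
set -eu

# gen_uci_batch IP NETMASK GATEWAY [SECTION]: print the batch, apply nothing.
gen_uci_batch() {
    ip="$1"; mask="$2"; gw="$3"; lan="${4:-lan}"
    cat <<EOF
set network.$lan.proto='static'
set network.$lan.ipaddr='$ip'
set network.$lan.netmask='$mask'
set network.$lan.gateway='$gw'
set dhcp.$lan.ignore='0'
set dhcp.$lan.dynamicdhcp='1'
set dhcp.$lan.force='1'
set dhcp.$lan.netmask='$mask'
add_list dhcp.$lan.dhcp_option='3,$ip'
add_list dhcp.$lan.dhcp_option='6,$ip'
set dhcp.$lan.ra='disabled'
set dhcp.$lan.dhcpv6='disabled'
set dhcp.$lan.ndp='disabled'
set dhcp.@dnsmasq[0].rebind_protection='0'
set dhcp.@dnsmasq[0].port='0'
EOF
}

# apply_uci_batch IP NETMASK GATEWAY [SECTION]: run as root on the OpenWrt VM.
apply_uci_batch() {
    lan="${4:-lan}"
    # keep backups, as the post does for /etc/config/network
    cp /etc/config/network /etc/config/network.bak
    cp /etc/config/dhcp /etc/config/dhcp.bak
    # start from an empty option list so repeated runs do not duplicate 3,/6,
    uci -q delete "dhcp.$lan.dhcp_option" || true
    gen_uci_batch "$@" | uci batch
    uci commit network
    uci commit dhcp
    /etc/init.d/network restart
    /etc/init.d/dnsmasq restart
}

# Usage: ./side-router.sh 192.168.2.3 255.255.255.0 192.168.2.1
[ $# -eq 0 ] || apply_uci_batch "$@"
```

Because port 0 turns dnsmasq's resolver off, option 6 must point at a DNS server that really listens on port 53 of that address; in the post that is AdGuardHome on the side router itself.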

Since dnsmasq's DNS resolution is now disabled, we use AdGuardHome as the router's DNS service. Download the AdGuardHome binary on your own PC and upload it via web - System - File Transfer. On the download page, remember to pick the linux-amd64 build.

mkdir -p /usr/bin/AdGuardHome       # directory the AdGuard Home service page expects the binary in
cd /usr/bin/AdGuardHome
cp -a /tmp/upload/AdGuardHome .     # /tmp/upload is where the web file transfer puts the upload
chmod 755 AdGuardHome

Services - AdGuard Home - manual setup. Below is the config file I use; the web login password is root.

bind_host: 0.0.0.0
bind_port: 3000
users:
- name: root
  password: $2y$05$8h.LpbIR7U50.qbV7ynCtOvS9szcqu2lFk6J86Oabnz1J5BtLpVni
http_proxy: ""
language: ""
rlimit_nofile: 0
debug_pprof: false
web_session_ttl: 720
dns:
  bind_host: 0.0.0.0
  port: 53
  statistics_interval: 1
  querylog_enabled: false
  querylog_interval: 1
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: nxdomain
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 0
  ratelimit_whitelist: []
  refuse_any: false
  upstream_dns:
  - sdns://AwAAAAAAAAAAAAANdGxzOi8vOC44LjguOA
  - sdns://AAAAAAAAAAAACTc3Ljg4LjguOA
  - sdns://AAAAAAAAAAAACjc3Ljg4LjguODg
  - sdns://AQMAAAAAAAAAFDE4NS4yMjguMTY4LjE2ODo4NDQzILysMvrVQ2kXHwgy1gdQJ8MgjO7w6OmflBjcd2Bl1I8pEWNsZWFuYnJvd3Npbmcub3Jn
  - sdns://AgcAAAAAAAAABzEuMC4wLjGgENk8mGSlIfMGXMOlIlCcKvq7AVgcrZxtjon911-ep0cg63Ul-I8NlFj4GplQGb_TTLiczclX57DvMV8Q-JdjgRgSZG5zLmNsb3VkZmxhcmUuY29tCi9kbnMtcXVlcnk
  - sdns://AwAAAAAAAAAAAAANdGxzOi8vOS45LjkuOQ
  # - https://dns10.quad9.net/dns-query
  - tcp://223.5.5.5
  - sdns://AgUAAAAAAAAAACAe9iTP_15r07rd8_3b_epWVGfjdymdx-5mdRZvMAzBuQ5kbnMuZ29vZ2xlLmNvbQ0vZXhwZXJpbWVudGFs
  - sdns://AQQAAAAAAAAAEDc3Ljg4LjguNzg6MTUzNTMg04TAccn3RmKvKszVe13MlxTUB7atNgHhrtwG1W1JYyciMi5kbnNjcnlwdC1jZXJ0LmJyb3dzZXIueWFuZGV4Lm5ldA
  # - https://1.1.1.1/dns-query
  - sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
  - sdns://AAAAAAAAAAAADTEzMC41OS4zMS4yNDg
  bootstrap_dns:
  - 223.5.5.5
  - 223.6.6.6
  - 1.1.1.1
  - 8.8.4.4
  - 9.9.9.10
  - 114.114.114.114
  - 149.112.112.10
  all_servers: true
  fastest_addr: false
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts: []
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  bogus_nxdomain: []
  aaaa_disabled: true
  enable_dnssec: false
  edns_client_subnet: false
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites:
  - domain: plugins.jetbrains.com
    answer: 13.32.53.109
  - domain: mini.ffnews.cn
    answer: 127.0.0.1
  - domain: tongji.flash.cn
    answer: 127.0.0.1
  - domain: mini.flash.2144.com
    answer: 127.0.0.1
  - domain: download.jetbrains.com
    answer: 52.30.174.243
  - domain: harbor.zhangguanzhang.com
    answer: 192.168.2.111
  - domain: www.jetbrains.com
    answer: 127.0.0.1
  - domain: jetbrains.com
    answer: 0.0.0.0
  - domain: harbor-local.unicloudsrv.com
    answer: 10.0.6.181
  - domain: www.atlium.com
    answer: 0.0.0.0
  - domain: atlium.com
    answer: 0.0.0.0
  blocked_services: []
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard Simplified Domain Names filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway
  id: 2
- enabled: false
  url: https://hosts-file.net/ad_servers.txt
  name: hpHosts - Ad and Tracking servers only
  id: 3
- enabled: true
  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
  name: MalwareDomainList.com Hosts List
  id: 4
- enabled: false
  url: https://raw.githubusercontent.com/vokins/yhosts/master/data/tvbox.txt
  name: tvbox
  id: 1575018007
- enabled: true
  url: https://hosts.nfz.moe/full/hosts
  name: neoHosts full
  id: 1575618240
- enabled: false
  url: https://hosts.nfz.moe/basic/hosts
  name: neoHosts basic
  id: 1575618241
- enabled: false
  url: http://sbc.io/hosts/hosts
  name: StevenBlack host basic
  id: 1575618242
- enabled: false
  url: http://sbc.io/hosts/alternates/fakenews-gambling-porn-social/hosts
  name: StevenBlack host+fakenews + gambling + porn + social
  id: 1575618243
- enabled: false
  url: https://cdn.jsdelivr.net/gh/privacy-protection-tools/anti-AD/anti-ad-easylist.txt
  name: anti-AD(Adblock+neohosts+yhosts+cjxlist+adhlist)
  id: 1577113202
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  gateway_ip: ""
  subnet_mask: ""
  range_start: ""
  range_end: ""
  lease_duration: 86400
  icmp_timeout_msec: 1000
clients: []
log_file: ""
verbose: false
schema_version: 6

After Save & Apply, open web:3000 and you will see it; the default login is root/root.
In Settings - General settings, do not set the retention to something like 30 or 90 days, especially with many devices connected: the query log could fill up the router's storage. 24 hours is enough.
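A small audit of the security-relevant keys in a config like the one above, added here as an example (not from the original post). It reads three things a reviewer of that file would check: the bcrypt cost in the web password hash (the $2y$NN$ prefix; the hash above uses cost 05, while AdGuardHome's documentation generates hashes with cost 10), plaintext upstreams such as the tcp://223.5.5.5 entry, which with all_servers: true receive every query in parallel with the encrypted ones, and querylog_interval, the retention the paragraph above says to keep at one day. It assumes a normally indented AdGuardHome.yaml (top-level keys at column 0, keys of the dns: section indented two spaces) with the schema_version 6 key names; the embedded sample is a constructed excerpt of the post's file.

```shell
#!/bin/sh
# Added example (not the post's own script): audit a few security-relevant
# keys of an AdGuardHome.yaml. Assumes top-level keys at column 0 and the
# dns: section's keys indented two spaces (schema_version 6 key names).
set -eu

# Value of a key inside the dns: section (two-space indent), first match only.
yaml_dns_value() { sed -n "s/^  $2: *//p" "$1" | head -n 1; }

# Plaintext entries of the upstream_dns list (tcp://, udp://, bare IPv4), one per line.
plaintext_upstreams() {
    awk '/^  upstream_dns:/ { in_up = 1; next }
         /^  [a-z_]+:/      { in_up = 0 }
         in_up && /^  - (tcp|udp):\/\//        { print $2 }
         in_up && /^  - [0-9]+(\.[0-9]+){3}$/   { print $2 }' "$1"
}

# audit_agh_config FILE: prints one finding per line; exit status 0 means no findings.
audit_agh_config() {
    f="$1"; findings=0

    # bcrypt cost from the $2y$NN$ prefix of the first user's password hash
    cost=$(sed -n 's/^  password: \$2[aby]\$\([0-9][0-9]\)\$.*/\1/p' "$f" | head -n 1)
    if [ -n "$cost" ] && [ "$cost" -lt 10 ]; then
        echo "password hash uses bcrypt cost $cost (below 10); regenerate it, e.g. htpasswd -B -C 10 -n -b root NEWPASSWORD"
        findings=1
    fi

    # unencrypted upstreams beside the DoT/DNSCrypt ones
    for u in $(plaintext_upstreams "$f"); do
        echo "plaintext upstream $u: with all_servers: true every query is also sent here unencrypted"
        findings=1
    done

    # query log retention in days; a router has little flash to spare
    ql=$(yaml_dns_value "$f" querylog_interval)
    if [ -n "$ql" ] && [ "$ql" -gt 1 ]; then
        echo "querylog_interval is $ql days; keep it at 1 so the log cannot fill the router's storage"
        findings=1
    fi
    return $findings
}

# Constructed excerpt of the post's file, trimmed to the keys the audit reads,
# so the audit can be exercised without the real /etc/AdGuardHome.yaml.
sample_agh_config() {
    cat <<'EOF'
bind_host: 0.0.0.0
bind_port: 3000
users:
- name: root
  password: $2y$05$8h.LpbIR7U50.qbV7ynCtOvS9szcqu2lFk6J86Oabnz1J5BtLpVni
dns:
  bind_host: 0.0.0.0
  port: 53
  querylog_enabled: false
  querylog_interval: 1
  upstream_dns:
  - sdns://AwAAAAAAAAAAAAANdGxzOi8vOC44LjguOA
  # - https://dns10.quad9.net/dns-query
  - tcp://223.5.5.5
  bootstrap_dns:
  - 223.5.5.5
  all_servers: true
schema_version: 6
EOF
}

# Usage: ./audit-agh.sh /etc/AdGuardHome.yaml   (no argument: audit the sample)
if [ $# -gt 0 ]; then
    audit_agh_config "$1"
else
    tmp=$(mktemp); sample_agh_config > "$tmp"
    audit_agh_config "$tmp" || true
    rm -f "$tmp"
fi
```

On the sample it reports the cost-05 hash and the tcp://223.5.5.5 upstream and nothing about retention, which matches what a reader sees in the file above; bootstrap_dns entries are bare IPs by design and are not reported.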

Allowing forwarding

Devices connected to the WiFi could not reach the internet. They could reach the side router, and the side router itself could ping public addresses, so I guessed iptables was missing an accept rule. Network - Firewall - Custom Rules, add the following; write the CIDR for your own setup:

iptables -I forwarding_rule --src 192.168.2.0/24 -j ACCEPT

Installing tcpdump

https://archive.openwrt.org/releases/packages-18.06/aarch64_generic/base/

References
