Post generalnie nawiązuje do tego tematu http://eko.one.pl/forum/viewtopic.php?id=8727
Zmieniła się adresacja sieci, ale koncepcja jest ta sama.
Moja obecna konfiguracja :
network
# /etc/config/network — three separate L3 segments (lan, lan2, guest) plus wan,
# carried over one switch with 802.1Q VLANs 1/2/3 tagged towards the CPU (port 0t).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# lan: bridge on VLAN 1 (switch ports 3, 4, 5), 10.1.1.0/24
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.255.255.0'
# lan2: bridge on VLAN 3 (switch port 2), 10.1.2.0/24
config interface 'lan2'
option ifname 'eth0.3'
option type 'bridge'
option proto 'static'
option ipaddr '10.1.2.1'
option netmask '255.255.255.0'
# guest: no wired ifname, so only a wireless interface whose 'network' option
# names 'guest' attaches here (presumably the guest AP — confirm), 10.1.3.0/24
config interface 'guest'
option proto 'static'
option ipaddr '10.1.3.1'
option netmask '255.255.255.0'
# wan: VLAN 2 (switch port 1). peerdns '0' discards the ISP's DNS servers and the
# two OpenDNS resolvers below are used instead; macaddr overrides the port's
# hardware address as seen by the ISP
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
option dns '208.67.222.222 208.67.220.220'
option macaddr '1c:6f:65:a4:07:1e'
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
# VLAN 1 -> lan (ports 3 4 5), VLAN 2 -> wan (port 1), VLAN 3 -> lan2 (port 2);
# '0t' is the tagged trunk to the CPU in every VLAN
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 3 4 5'
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
config switch_vlan
option device 'eth0'
option vlan '3'
option ports '0t 2'
dhcp
# /etc/config/dhcp — dnsmasq settings, one DHCP pool per segment, static leases
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# rebind_protection / rebind_localhost: upstream answers that point at private or
# loopback addresses are discarded (DNS-rebinding defence for LAN clients)
option rebind_protection '1'
option rebind_localhost '1'
# NOTE(review): 'local' only marks '.lan' as never-forwarded, while 'domain' appends
# 'mojadomena.pl' to local host names (expandhosts '1'). A query for a name under
# mojadomena.pl that dnsmasq does not know locally is therefore sent upstream and
# comes back with the public address — which is what the ping/wget from lan2 later
# in this post shows.
option local '/lan/'
option domain 'mojadomena.pl'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# noresolv '1': /etc/resolv.conf is ignored; only the 'server' entries below are used
option noresolv '1'
option logqueries '0'
# Upstream is a resolver on the router itself at port 2053 (presumably a local
# DNS proxy — confirm). pool.ntp.org is sent straight to 208.67.222.222, presumably
# so time sync works even when that local resolver is not yet running.
list server '127.0.0.1#2053'
list server '/pool.ntp.org/208.67.222.222'
# lan pool: 10.1.1.150 – 10.1.1.200 (start 150, 51 addresses)
config dhcp 'lan'
option interface 'lan'
option start '150'
option limit '51'
option leasetime '12h'
# lan2 pool: 10.1.2.150 – 10.1.2.200
config dhcp 'lan2'
option interface 'lan2'
option start '150'
option limit '51'
option leasetime '12h'
# guest pool: 10.1.3.10 – 10.1.3.20, short 1h leases
config dhcp 'guest'
option interface 'guest'
option start '10'
option limit '11'
option leasetime '1h'
# no DHCP server on the WAN side
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# Static leases; the NAS addresses (10.1.1.60, 10.1.2.60) are the ones referenced
# by the firewall rules and port forwards in this post
# LAN
...
config host
option name 'NAS'
option mac '00:11:32:0f:a1:26'
option ip '10.1.1.60'
...
# LAN2
...
config host
option name 'NAS2'
option mac '00:11:32:13:d9:d5'
option ip '10.1.2.60'
config host
option name 'Linbox'
option mac '00:09:34:3b:25:ef'
option ip '10.1.2.101'
...
firewall
# /etc/config/firewall — zones and forwardings. Every zone has forward REJECT and
# the only forwardings are <zone> -> wan, so lan, lan2 and guest cannot talk to
# each other unless a later 'rule' section opens a specific path.
config defaults
option syn_flood '1'
# global input ACCEPT is overridden per zone below (lan2, guest, wan use REJECT)
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan: trusted segment, router management reachable (input ACCEPT)
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan2: the router itself answers only what the LAN2 DNS/DHCP rules allow
config zone
option name 'lan2'
option network 'lan2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# guest: same treatment as lan2
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# wan: input REJECT except the Allow-* rules; masq = NAT, mtu_fix = TCP MSS clamping
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Internet access for all three segments; no forwarding between them
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan2'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
# Stock OpenWrt WAN-side rules (DHCP renew, ping, DHCPv6, ICMPv6), followed by the
# per-segment allowances for the router's own DNS/DHCP — needed because the lan2
# and guest zones have input REJECT.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# the router answers echo-request from the Internet
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types required for IPv6 to function, rate-limited
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# lan2 -> router: DNS (53 tcp/udp) and DHCP (67-68 udp) only; everything else
# falls through to the zone's input REJECT
config rule
option name 'LAN2 DNS'
option src 'lan2'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'LAN2 DHCP'
option src 'lan2'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# guest -> router: same two services
config rule
option name 'Guest DNS'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Guest DHCP'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# Whatever is in /etc/firewall.user is applied as well and is not part of this listing
config include
option path '/etc/firewall.user'
# NAS2 (lan2) -> NAS (lan): one host to one host, any TCP/UDP port
config rule
option name 'NAS2->NAS'
option src 'lan2'
option src_ip '10.1.2.60'
option proto 'tcpudp'
option dest 'lan'
option dest_ip '10.1.1.60'
option target 'ACCEPT'
option family 'ipv4'
# NAS (lan) -> the whole lan2 zone: wider than the rule above (no dest_ip), the NAS
# can reach every lan2 host on any TCP/UDP port
config rule
option name 'NAS->LAN2'
option src 'lan'
option src_ip '10.1.1.60'
option proto 'tcpudp'
option dest 'lan2'
option target 'ACCEPT'
option family 'ipv4'
# Port forwards from the Internet to the NAS: 80, 443 and 25 are reachable by anyone
# on the WAN side, so the NAS's web and mail services carry that exposure.
# NOTE(review): these redirects match 'src wan' only. A lan2 host that resolves
# mojadomena.pl to the WAN address does not hit them; its packet is addressed to the
# router itself and goes through zone lan2's input chain (policy REJECT -> TCP reset),
# which is the "Connection refused" shown further down in this post. NAT reflection
# for that zone (fw3: list reflection_zone 'lan2' on each redirect) or a local DNS
# entry mapping the name to 10.1.1.60 are the usual remedies — confirm against the
# firewall version in use.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_port '80'
option dest_ip '10.1.1.60'
option name 'Syno HTTP'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '10.1.1.60'
option dest_port '443'
option name 'Syno HTTPs'
# SMTP exposed to the Internet: the NAS's mail server must not act as an open relay
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '25'
option dest_ip '10.1.1.60'
option dest_port '25'
option name 'Syno SMTP'
Sieci są odseparowane, pozwoliłem na ruch pomiędzy NAS-ami w LAN i LAN2
W LAN stoi NAS z przekierowanymi portami 25,80,443
Teraz zauważyłem problem i nie wiem jak sobie poradzić.
W LAN2 mam np. tuner SAT, który ściąga paczki z repo opkg znajdującego się na NAS-ie
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=39.5 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=39.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=39.3 ms
/tmp > ping mojadomena.pl
PING mojadomena.pl (xx.xx.xx.244): 56 data bytes
--- mojadomena.pl ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss
/tmp > wget http://mojadomena.pl/e2/mipsel/Packages.gz
Connecting to mojadomena.pl[xx.xx.xx.244]:80
wget: Unable to connect to remote host (xx.xx.xx.244): Connection refused
Zrób co kazał @Cezary
touch /etc/mc/sfs.ini
mkdir -p /usr/lib/mc/extfs.d
Ja mam krzaki w mc, jak w PuTTY przy łączeniu w "Translation" mam ustawione UTF-8.
Zmieniam na ISO-8859-2 i nie ma problemu.
pijak6666 napisał/a: Właśnie jest podłączony internet do portu WAN ..... z modemu netii
Podłączyłeś, a skonfigurowałeś połączenie PPPoE dla WAN?
http://eko.one.pl/?p=openwrt-trybypracy
http://wiki.openwrt.org/doc/uci/network
To więcej to aktualizacja pakietów doinstalowanych na extroot przez opkg upgrade ?
Dziękuję @Cezary
Jestem właśnie w tej samej sytuacji.
Od ostatniego wydania AA niewiele się zmieniło, tak że wydaje mi się, że mogę zrobić sysupgrade bez "-n".
Rozumiem, że po tym wystarczy usunąć z pena
Po restarcie router wystartuje z flasha i teraz wystarczy :
/etc/init.d/fstab overlay_enable
reboot
Nie przepraszaj, tylko pisz dokładniej następnym razem.
W cronie nie ma co kolidować, on po prostu wykonuje coś w zadanym czasie.
W twoim przypadku będzie archiwizował logi co 2 godziny, o to ci chodziło ?
Zrób porządek z tym co napisałem, bo skrypt start/stop ci nie działa !
# init-script stop action as originally written; on this OpenWrt build pkill is
# not available ("/etc/rc.common: line 85: pkill: not found" in this thread),
# so the service is never stopped and the log rotation cannot work.
stop() {
pkill urlsnarf
}
zmień na
# Replacement using BusyBox killall. -9 (SIGKILL) cannot be caught, so urlsnarf
# gets no chance to flush buffered output; a plain `killall urlsnarf` (SIGTERM)
# first would be gentler if the last log lines matter.
stop() {
killall -9 urlsnarf
}
lub doinstaluj jak masz miejsce
opkg update && opkg install procps --force-overwrite
Wiesz co, piszesz, że nie wiadomo, o co ci chodzi.
W twoim wcześniejszym skrypcie nie ma śladu "arch" ?
Forumowa szklana kula jest w serwisie, więc pisz dokładniej.
Po drugie, w moim skrypcie nie ma ":", więc jakim cudem miałeś błąd?
Po trzecie podstawy angielskiego :
/etc/rc.common: line 85: pkill: not found
Inaczej zabijaj urlsnarf albo doinstaluj
opkg update && opkg install procps --force-overwrite
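#!/bin/sh
# Rotate the web-access log written by the log_www service (presumably the
# urlsnarf start/stop script discussed in this thread): stop the service,
# gzip the current log into a timestamped archive next to it, remove the
# plain-text original, then start the service again.
NOW=`date +%Y.%m.%d_%H.%M.%S`
WDIR='/tmp/usb_mount/dev_sda1/logwww'
FILE='log_www.txt'
/etc/init.d/log_www stop
# ${FILE} must be braced: "$FILE_$NOW" reads the (unset) variable FILE_ and the
# archive ends up named only "<timestamp>.gz", dropping the log name.
# The original is removed only after gzip has succeeded, so a failed
# compression (e.g. a full USB stick) does not discard the log.
if gzip -c "$WDIR/$FILE" > "$WDIR/${FILE}_$NOW.gz"; then
    rm -f "$WDIR/$FILE"
fi
/etc/init.d/log_www start
exit 0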
Zobacz czy działa
Do tego musisz jeszcze wymusić działanie LuCI na porcie 8080
Edytuj /etc/config/uhttpd - dodaj lub zamień linijkę
# 0.0.0.0 binds on every interface, including WAN; whether port 8080 is actually
# reachable from the Internet is then decided solely by the firewall's wan input policy
list listen_http 0.0.0.0:8080
i w konsoli
/etc/init.d/uhttpd restart
Zastanów się czy na pewno chcesz otworzyć ten port.
Bezpieczniej zarządzać przez SSH lub, jak już bardzo chcesz przez LuCI, to po HTTPS.
Dokładnie o to mi chodzi.
Zmieniłem sprawdzanie IP z zewnętrznych serwisów na :
# ip_source 'network': the current address is read locally from the 'wan' interface
# instead of being asked from an external "what is my IP" service
option ip_source 'network'
option ip_network 'wan'
Skrypt łączy się z changeip.com i wysyła to, co podałem w logu poniżej.
Ja to rozumiem jako interwał między sprawdzeniem czy zmieniło się IP w OpenWrt.
Widocznie źle zrozumiałem mechanizm działania tego skryptu.
Z ciekawości zerknąłem sobie w logi na changeip.com
Konfigurację mam następującą :
# /etc/config/ddns — dynamic DNS update for changeip.com
config service 'CHANGEIP'
option interface 'wan'
# address is checked every 10 minutes; an update should normally be sent only when
# it changed, or unconditionally every 72 hours (force_interval)
option check_interval '10'
option check_unit 'minutes'
option force_interval '72'
option force_unit 'hours'
option retry_interval '60'
option retry_unit 'seconds'
option service_name 'changeip.com'
# credentials are stored in clear text in this file; anyone with a shell on the
# router can read them (values masked here by the author)
option domain 'xxx'
option username 'xxx'
option password 'xxx'
# current address taken from the wan interface, not from an external lookup service
option ip_source 'network'
option ip_network 'wan'
# HTTPS with an explicit CA bundle: the update request (which carries the
# password) is encrypted and the server certificate is verified — keep both
option use_https '1'
option cacert '/etc/ssl/certs/cacert.pem'
option enabled '1'
# NOTE(review): the provider log in this post shows an update every 10 minutes with
# the same ip= each time, i.e. every check triggers an update although nothing
# changed. With these settings only force_interval should do that, so the script's
# lookup of the currently registered address is probably failing rather than
# detecting a change — confirm with the installed ddns-scripts version.
Czy to normalne, że skrypt łączy się z dostawcą usługi co 10 minut?
Powinien chyba tylko w momencie zmiany IP ?
06/10/2014 7:26:38 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
06/10/2014 7:16:36 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
06/10/2014 7:06:34 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
06/10/2014 6:56:32 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
06/10/2014 6:46:29 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
06/10/2014 6:36:27 UTC D:0 R:0 S:1 200 /nic/update?u=xxx&p=***&cmd=update&hostname=xxx&ip=xx.xx.xx.244 xx.xx.xx.244 1 curl/7.29.0
Na 150m to nie będzie przerost formy nad treścią ?
Ja też mam linka na około 150m i przy locoM5 skręcenie mocy na minimum to i tak za dużo.
Jako most polecam, działa u mnie już prawie rok bez żadnych problemów.
Uptime kilka miesięcy praktycznie do padu zasilania.
Przez LuCI nie dasz rady.
Zobacz /etc/sysctl.conf
...
net.netfilter.nf_conntrack_max=16384
...
Dziękuję @Cezary za zainteresowanie tematem i pomoc.
lan z adresacją 10.0.0.1 będzie u mnie
lan2 z adresacją 10.0.1.1 u matki.
Generalnie lan2 ma mieć internet i tylko kilka urządzeń będzie miało dostęp do lan.
Natomiast z lan chcę mieć dostęp do lan2 w razie jakby trzeba było się połączyć np. z NAS-em i coś skonfigurować.
@Cezary sądzisz, że bezpieczniej będzie zrobić to regułką analogiczną jak udało mi się przepuścić ruch z lan2 do lan ?
# lan -> lan2 for a single lan host (10.0.0.XX is the author's placeholder), all
# protocols, whole lan2 zone as destination. Source-pinned like this it stays much
# narrower than changing the lan zone's forward policy to ACCEPT, which would let
# every lan host reach every other zone.
config rule
option name 'LAN->LAN2'
option target 'ACCEPT'
option src 'lan'
option src_ip '10.0.0.XX'
option dest 'lan2'
option proto 'all'
option family 'ipv4'
Dobra działa, źle się zabrałem do testowania.
Przemęczenie robi swoje, do problemu trzeba podejść na świeżo 
Postawiłem na laptopie w LAN serwer SSH i udało mi się z nim połączyć z LAN2 regułką, którą stosowałem wcześniej.
# lan2 -> lan for the NAS in lan2 only (static lease 10.0.1.60), all protocols and
# ports towards the whole lan zone. The iptables dump in this thread shows this
# rule matching (zone_lan_dest_ACCEPT with NAS_NETBOOK.lan as source).
config rule
option name 'NAS2->LAN'
option target 'ACCEPT'
option src 'lan2'
option src_ip '10.0.1.60'
option dest 'lan'
option proto 'all'
option family 'ipv4'
Teraz mam jeszcze pytanie: jeżeli chcę mieć dostęp z LAN do LAN2, wystarczy, że zmienię?:
# The author asks whether flipping this zone's forward policy is enough.
# NOTE(review): per the dump in this thread, zone_lan_forward ends with
# zone_lan_src_REJECT; with forward 'ACCEPT' that final rule becomes an accept for
# everything forwarded from br-lan, i.e. lan would reach lan2, guest and wan
# without any further rule. It works, but it is far broader than the per-host
# rule with src_ip and dest 'lan2' used elsewhere in this thread.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT' -> 'ACCEPT' ?
Testowałem i działa, ale jak to się ma do bezpieczeństwa?
Domyślnie forward jest 'reject'.
Zmiana proto nie przyniosła efektu.
Sprawdzałem już wcześniej.
Nie jestem pewien czy o to ci chodziło @Cezary
Ja nic z tego nie potrafię wywnioskować 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1792 134K delegate_input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1359 599K delegate_forward all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1615 450K delegate_output all -- any any anywhere anywhere
Chain delegate_forward (1 references)
pkts bytes target prot opt in out source destination
1359 599K forwarding_rule all -- any any anywhere anywhere /* user chain for forwarding */
1302 596K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 zone_lan_forward all -- br-lan any anywhere anywhere
57 3212 zone_lan2_forward all -- br-lan2 any anywhere anywhere
0 0 zone_guest_forward all -- wlan0-1 any anywhere anywhere
0 0 zone_wan_forward all -- eth0.2 any anywhere anywhere
0 0 reject all -- any any anywhere anywhere
Chain delegate_input (1 references)
pkts bytes target prot opt in out source destination
150 12274 ACCEPT all -- lo any anywhere anywhere
1642 121K input_rule all -- any any anywhere anywhere /* user chain for input */
1200 80001 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
6 360 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 zone_lan_input all -- br-lan any anywhere anywhere
334 28614 zone_lan2_input all -- br-lan2 any anywhere anywhere
0 0 zone_guest_input all -- wlan0-1 any anywhere anywhere
108 12713 zone_wan_input all -- eth0.2 any anywhere anywhere
Chain delegate_output (1 references)
pkts bytes target prot opt in out source destination
150 12274 ACCEPT all -- any lo anywhere anywhere
1465 438K output_rule all -- any any anywhere anywhere /* user chain for output */
1405 429K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 zone_lan_output all -- any br-lan anywhere anywhere
0 0 zone_lan2_output all -- any br-lan2 anywhere anywhere
0 0 zone_guest_output all -- any wlan0-1 anywhere anywhere
60 8796 zone_wan_output all -- any eth0.2 anywhere anywhere
Chain forwarding_guest_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan2_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_guest_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan2_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_guest_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan2_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
412 39383 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
6 360 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
0 0 DROP all -- any any anywhere anywhere
Chain zone_guest_dest_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any wlan0-1 anywhere anywhere
Chain zone_guest_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_guest_rule all -- any any anywhere anywhere /* user chain for forwarding */
0 0 zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* forwarding guest -> wan */
0 0 zone_guest_src_REJECT all -- any any anywhere anywhere
Chain zone_guest_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_guest_rule all -- any any anywhere anywhere /* user chain for input */
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain /* Guest_DNS */
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain /* Guest_DNS */
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc /* Guest_DHCP */
0 0 zone_guest_src_REJECT all -- any any anywhere anywhere
Chain zone_guest_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_guest_rule all -- any any anywhere anywhere /* user chain for output */
0 0 zone_guest_dest_ACCEPT all -- any any anywhere anywhere
Chain zone_guest_src_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- wlan0-1 any anywhere anywhere
Chain zone_lan2_dest_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any br-lan2 anywhere anywhere
Chain zone_lan2_forward (1 references)
pkts bytes target prot opt in out source destination
57 3212 forwarding_lan2_rule all -- any any anywhere anywhere /* user chain for forwarding */
57 3212 zone_lan_dest_ACCEPT all -- any any NAS_NETBOOK.lan anywhere /* @rule[11] */
57 3212 zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* forwarding lan2 -> wan */
0 0 zone_lan2_src_REJECT all -- any any anywhere anywhere
Chain zone_lan2_input (1 references)
pkts bytes target prot opt in out source destination
334 28614 input_lan2_rule all -- any any anywhere anywhere /* user chain for input */
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain /* LAN2_DNS */
24 1584 ACCEPT udp -- any any anywhere anywhere udp dpt:domain /* LAN2_DNS */
0 0 ACCEPT udp -- any any anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc /* LAN2_DHCP */
310 27030 zone_lan2_src_REJECT all -- any any anywhere anywhere
Chain zone_lan2_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_lan2_rule all -- any any anywhere anywhere /* user chain for output */
0 0 zone_lan2_dest_ACCEPT all -- any any anywhere anywhere
Chain zone_lan2_src_REJECT (2 references)
pkts bytes target prot opt in out source destination
310 27030 reject all -- br-lan2 any anywhere anywhere
Chain zone_lan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any br-lan anywhere anywhere
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_lan_rule all -- any any anywhere anywhere /* user chain for forwarding */
0 0 zone_wan_dest_ACCEPT all -- any any anywhere anywhere /* forwarding lan -> wan */
0 0 zone_lan_src_REJECT all -- any any anywhere anywhere
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_lan_rule all -- any any anywhere anywhere /* user chain for input */
0 0 zone_lan_src_ACCEPT all -- any any anywhere anywhere
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_lan_rule all -- any any anywhere anywhere /* user chain for output */
0 0 zone_lan_dest_ACCEPT all -- any any anywhere anywhere
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br-lan any anywhere anywhere
Chain zone_lan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- br-lan any anywhere anywhere
Chain zone_wan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
117 12008 ACCEPT all -- any eth0.2 anywhere anywhere
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- any any anywhere anywhere /* user chain for forwarding */
0 0 zone_wan_src_REJECT all -- any any anywhere anywhere
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
108 12713 input_wan_rule all -- any any anywhere anywhere /* user chain for input */
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* Allow-Ping */
6 360 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www /* LuCI */
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* SSH */
102 12353 zone_wan_src_REJECT all -- any any anywhere anywhere
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
60 8796 output_wan_rule all -- any any anywhere anywhere /* user chain for output */
60 8796 zone_wan_dest_ACCEPT all -- any any anywhere anywhere
Chain zone_wan_src_REJECT (2 references)
pkts bytes target prot opt in out source destination
102 12353 reject all -- eth0.2 any anywhere anywhere
Zdecydowałem się na OpenWrt od @Cezary, doinstalowałem LuCI i inne pakiety, których potrzebowałem.
Wziąłem się za konfigurację, wcześniej nie miałem do czynienia z VLAN.
Tak jak pisałem rozdzieliłem sieci, zrobiłem u siebie sieć gościnną WiFi.
NETWORK
# /etc/config/network — lan (10.0.0.0/24), lan2 (10.0.1.0/24) and guest (10.0.2.0/24)
# as separate L3 segments over VLANs 1/2/3 of the built-in switch, plus wan
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# lan: bridge on VLAN 1 (switch ports 3, 4, 5)
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
# lan2: bridge on VLAN 3 (switch port 2)
config interface 'lan2'
option ifname 'eth0.3'
option type 'bridge'
option proto 'static'
option ipaddr '10.0.1.1'
option netmask '255.255.255.0'
# guest: no wired ifname; the guest wifi-iface (network 'guest') attaches here
config interface 'guest'
option proto 'static'
option ipaddr '10.0.2.1'
option netmask '255.255.255.0'
# wan: VLAN 2 (switch port 1); ISP DNS ignored (peerdns '0'), OpenDNS used instead
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
option dns '208.67.222.222 208.67.220.220'
config switch
option name 'eth0'
option reset '1'
option enable_vlan '1'
# VLAN 1 -> lan, VLAN 2 -> wan, VLAN 3 -> lan2; '0t' is the tagged CPU port
config switch_vlan
option device 'eth0'
option vlan '1'
option ports '0t 3 4 5'
config switch_vlan
option device 'eth0'
option vlan '2'
option ports '0t 1'
config switch_vlan
option device 'eth0'
option vlan '3'
option ports '0t 2'
DHCP
# /etc/config/dhcp — dnsmasq plus one pool per segment
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# discard upstream answers pointing at private/loopback addresses (DNS rebinding)
option rebind_protection '1'
option rebind_localhost '1'
# 'local' and 'domain' agree here ('.lan'), so local names are never forwarded upstream
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# only the 'server' entries below are used as upstreams (noresolv '1'): a local
# resolver on port 2053 (presumably a DNS proxy — confirm) and a direct
# OpenDNS route for pool.ntp.org
option noresolv '1'
list server '127.0.0.1#2053'
list server '/pool.ntp.org/208.67.222.222'
# lan pool: 10.0.0.10 – 10.0.0.209
config dhcp 'lan'
option interface 'lan'
option start '10'
option limit '200'
option leasetime '12h'
# lan2 pool: 10.0.1.10 – 10.0.1.209
config dhcp 'lan2'
option interface 'lan2'
option limit '200'
option leasetime '12h'
option start '10'
# guest pool: 10.0.2.10 – 10.0.2.19, short 1h leases
config dhcp 'guest'
option interface 'guest'
option start '10'
option limit '10'
option leasetime '1h'
# no DHCP server on the WAN side
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# static lease for the lan2 NAS; the firewall rule allowing lan2 -> lan keys on this address
config host
option name 'NAS_NETBOOK'
option mac '80:c1:6e:3c:86:f6'
option ip '10.0.1.60'
WIRELESS
...
# Guest AP bound to the 'guest' network (10.0.2.0/24, firewall zone 'guest'),
# WPA2-PSK with CCMP only; the passphrase is masked by the author
config wifi-iface
option device 'radio0'
option network 'guest'
option mode 'ap'
option ssid 'xxx_guest'
option encryption 'psk2+ccmp'
option key 'xxx'
...
FIREWALL
# /etc/config/firewall — zones and forwardings. All zones forward REJECT and the
# only forwardings are <zone> -> wan, so lan, lan2 and guest are isolated from
# each other until a 'rule' section opens a specific path.
config defaults
option syn_flood '1'
# global input ACCEPT is overridden per zone below (lan2, guest, wan: REJECT)
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan: trusted segment, router management reachable
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan2: the router answers only what the LAN2_DNS / LAN2_DHCP rules allow
config zone
option name 'lan2'
option network 'lan2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# guest: same treatment as lan2
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
# wan: input REJECT except the Allow-* rules; masq = NAT, mtu_fix = MSS clamping.
# NOTE(review): the iptables dump posted in this thread shows zone_wan_input also
# accepting tcp/www ("LuCI") and tcp/ssh ("SSH") from the Internet; neither rule is
# in this listing, so they come from somewhere else (another revision of the
# config, LuCI, or /etc/firewall.user). Management reachable from the WAN side
# should be a deliberate choice — another reply here recommends SSH, or LuCI over
# HTTPS only.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Internet access for all three segments; nothing between them
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan2'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
# Stock OpenWrt WAN-side rules, then the per-segment allowances for the router's own
# DNS/DHCP that the lan2 and guest zones need because their input policy is REJECT
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# the router answers echo-request from the Internet
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types required for IPv6 to function, rate-limited
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# lan2 -> router: DNS (53 tcp/udp) and DHCP (67-68 udp) only. The dump in this
# thread shows the UDP DNS rule matching and the rest landing in zone_lan2_src_REJECT.
config rule
option name 'LAN2_DNS'
option src 'lan2'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'LAN2_DHCP'
option src 'lan2'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# guest -> router: same two services
config rule
option name 'Guest_DNS'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Guest_DHCP'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# Whatever is in /etc/firewall.user is applied as well and is not shown here
config include
option path '/etc/firewall.user'
# lan2 -> lan for the NAS at 10.0.1.60 only, all protocols and ports towards the
# whole lan zone. It has no 'name' option, so it appears as "@rule[11]" in the
# iptables dump in this thread; naming it makes the ruleset easier to audit.
config rule
option target 'ACCEPT'
option src 'lan2'
option src_ip '10.0.1.60'
option dest 'lan'
option proto 'all'
option family 'ipv4'
Na razie testuję całość "na sucho".
Generalnie osiągnąłem co chciałem.
Moja sieć 10.0.0.1 z WiFi i gościnną 10.0.2.1 odizolowaną od lan - tylko internet.
Druga sieć 10.0.1.1 na pierwszym porcie switcha odizolowana, tylko internet.
Problem w tym, że chcę dać dostęp kilku urządzeniom z lan2 do lan1.
Próbowałem ale niestety bez skutku.
# Intended opening from lan2 to lan for one host (10.0.1.60). The section itself is
# well-formed; later in this thread the author confirms it works and that the test
# method was at fault, and the iptables dump shows it matching (zone_lan_dest_ACCEPT).
config rule
option target 'ACCEPT'
option src 'lan2'
option src_ip '10.0.1.60'
option dest 'lan'
option proto 'all'
option family 'ipv4'
Czy konfiguracja jest poprawna?
Co robię źle?
HD ci tnie bo sieciówka w NBOX-ie jest do d... ekhm pupy 
Większą prędkość osiągniesz na karcie WiFi po USB.
Wejdź w ustawienia pluginu WebIf

Włącz uwierzytelnianie, ustaw w tunerze jakieś skomplikowane hasło.
Przekieruj na routerze port 8001 do streamingu i 443 do połączenia z WebIf.
Najlepiej 443 przekieruj na jakiś inny, znany tylko tobie, żeby ograniczyć próby włamań.
Zmienne IP to przecież nie problem, załóż domenę w jakimś darmowym serwisie np. changeip.com
Ustaw w LuCI i będzie działać, ogranicza cię tylko twój UPLOAD na łączu.