Did you buy a C7 v4 somewhere? Give me a link, because sellers can't be bothered to check the version.
From x-kom:
https://www.x-kom.pl/p/173726-router-tp … lband.html
If you really need a link on Allegro, I'll send it to you tomorrow by PM.
The C7 is v2 or v4. v1 has an unsupported radio.
Cezary, where am I going wrong? In your search tool I don't see an image for v4, and unfortunately those are the only ones on Allegro right now.
https://eko.one.pl/?p=openwrt-archerc57 <- it also says here that it is unsupported
Hm, indeed, it works from a remote host. From the local one it doesn't.
I'll look around and see.
Still, Cezary, is there an alternative repo?
I can't connect from my device right now - if my operator has blocked me I won't get around that for now anyway, and I need to install something extra on the router.
As before, downloads.openwrt.org has gone down.
Downloading http://downloads.openwrt.org/chaos_calm … ckages.gz.
wget: can't connect to remote host (78.24.191.177): Connection timed out
An alternative - can packages be downloaded from another repo?
Hi,
Is there any alternative to
OpenWrt Chaos Calmer 15.05.1 r49474 / LuCI for-15.05 branch (git-16.313.39362-9047456) ?
openwrt.org isn't working right now either.
I tried using it, but it seems to be a failure. One of the latest posts I read confirms this.
Can you elaborate? For about 3 weeks I've been using pyLoad on a Raspberry Pi (raspbmc + pyLoad), and... I can't fault it. Previously I used jDownloader a lot and the software seems similar to me. The only problem I ran into is unpacking .part01.rar files (or something like that). pyLoad can't handle it, but that may be a Raspbian problem, because even "unrar x" from the console has problems.
Hello
I wanted to replace the firmware on a WRT160NL. At the moment I'm using the latest Backfire release but I have some problems with it. The question is: if I disconnect the external storage and upgrade the router to Attitude Adjustment and, say, I run out of time for the configuration (vpn, ebtables, nagios etc.), can I boot normally from the external storage? If I understand correctly, extroot de facto "overlays" the original firmware, but do these versions have to match? Can I have one version or build of OpenWrt on the router and a different one on the external storage?
Hello
Has anyone managed to install Nagios v3.x on OpenWrt? Unfortunately opkg installs version 2.10, which has at least one serious (for me) bug.
Has anyone built an ipk package, or can anyone offer some advice?
As for the firewall, I only ran the commands you gave in post #21; the rest is practically default, apart from the ports for ssh, luci etc. Below I'm pasting the results you asked for. Keep in mind, though, that when I was trying to solve the problem myself I may have badly messed up the firewall, and some things may be unnecessary. I'll be cleaning this up soon, and then I can post a new, "clean" configuration.
Stróża:
root@Stroza:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.6 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 10.0.1.6 255.255.255.0 UG 0 0 0 tun0
192.168.138.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.138.1 0.0.0.0 UG 0 0 0 eth1
root@Stroza:~$ iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 71 packets, 6371 bytes)
pkts bytes target prot opt in out source destination
71 6371 prerouting_rule all -- any any anywhere anywhere
0 0 zone_lan_prerouting all -- br-lan any anywhere anywhere
68 6183 zone_wan_prerouting all -- eth1 any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 25 packets, 3008 bytes)
pkts bytes target prot opt in out source destination
205 16042 postrouting_rule all -- any any anywhere anywhere
9 2048 zone_lan_nat all -- any br-lan anywhere anywhere
180 13034 zone_wan_nat all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 190 packets, 15442 bytes)
pkts bytes target prot opt in out source destination
Chain nat_reflection_in (1 references)
pkts bytes target prot opt in out source destination
Chain nat_reflection_out (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
205 16042 nat_reflection_out all -- any any anywhere anywhere
Chain prerouting_lan (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
71 6371 nat_reflection_in all -- any any anywhere anywhere
Chain prerouting_wan (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_nat (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_lan all -- any any anywhere anywhere
Chain zone_wan_nat (1 references)
pkts bytes target prot opt in out source destination
180 13034 MASQUERADE all -- any any anywhere anywhere
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
68 6183 prerouting_wan all -- any any anywhere anywhere
root@Stroza:~$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
68 5770 ACCEPT all -- tun+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
619 56042 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
16 960 ACCEPT all -- lo any anywhere anywhere
17 828 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
121 14586 input_rule all -- any any anywhere anywhere
121 14586 input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- any tun+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 forwarding_rule all -- any any anywhere anywhere
0 0 forward all -- any any anywhere anywhere
0 0 reject all -- any any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
53 11530 ACCEPT all -- any tun+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
454 47408 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
16 960 ACCEPT all -- any lo anywhere anywhere
224 21162 output_rule all -- any any anywhere anywhere
224 21162 output all -- any any anywhere anywhere
Chain forward (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_lan_forward all -- br-lan any anywhere anywhere
0 0 zone_wan_forward all -- eth1 any anywhere anywhere
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 nat_reflection_fwd all -- any any anywhere anywhere
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
Chain input (1 references)
pkts bytes target prot opt in out source destination
52 8298 zone_lan all -- br-lan any anywhere anywhere
69 6288 zone_wan all -- eth1 any anywhere anywhere
Chain input_lan (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
Chain nat_reflection_fwd (1 references)
pkts bytes target prot opt in out source destination
Chain output (1 references)
pkts bytes target prot opt in out source destination
224 21162 zone_lan_ACCEPT all -- any any anywhere anywhere
172 12864 zone_wan_ACCEPT all -- any any anywhere anywhere
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
15 732 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
52 5460 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
17 828 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
0 0 DROP all -- any any anywhere anywhere
Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
52 8298 input_lan all -- any any anywhere anywhere
52 8298 zone_lan_ACCEPT all -- any any anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
52 8298 ACCEPT all -- any br-lan anywhere anywhere
52 8298 ACCEPT all -- br-lan any anywhere anywhere
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any br-lan anywhere anywhere
0 0 DROP all -- br-lan any anywhere anywhere
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any br-lan anywhere anywhere
0 0 reject all -- br-lan any anywhere anywhere
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_wan_ACCEPT all -- any any anywhere anywhere
0 0 forwarding_lan all -- any any anywhere anywhere
0 0 zone_lan_REJECT all -- any any anywhere anywhere
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
2 96 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:21
67 6192 input_wan all -- any any anywhere anywhere
67 6192 zone_wan_REJECT all -- any any anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
172 12864 ACCEPT all -- any eth1 anywhere anywhere
0 0 ACCEPT all -- eth1 any anywhere anywhere
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any eth1 anywhere anywhere
0 0 DROP all -- eth1 any anywhere anywhere
Chain zone_wan_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any eth1 anywhere anywhere
67 6192 reject all -- eth1 any anywhere anywhere
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan all -- any any anywhere anywhere
0 0 zone_wan_REJECT all -- any any anywhere anywhere
Serafin:
root@Serafin:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.12.1 0.0.0.0 UG 0 0 0 eth1
root@Serafin:~$ iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 1662 packets, 178K bytes)
pkts bytes target prot opt in out source destination
1662 178K prerouting_rule all -- any any anywhere anywhere
78 10530 zone_lan_prerouting all -- br-lan any anywhere anywhere
1584 168K zone_wan_prerouting all -- eth1 any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 30 packets, 3777 bytes)
pkts bytes target prot opt in out source destination
193 15733 postrouting_rule all -- any any anywhere anywhere
11 2629 zone_lan_nat all -- any br-lan anywhere anywhere
163 11956 zone_wan_nat all -- any eth1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 183 packets, 15333 bytes)
pkts bytes target prot opt in out source destination
Chain nat_reflection_in (1 references)
pkts bytes target prot opt in out source destination
Chain nat_reflection_out (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
193 15733 nat_reflection_out all -- any any anywhere anywhere
Chain prerouting_lan (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
1662 178K nat_reflection_in all -- any any anywhere anywhere
Chain prerouting_wan (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_nat (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
78 10530 prerouting_lan all -- any any anywhere anywhere
Chain zone_wan_nat (1 references)
pkts bytes target prot opt in out source destination
163 11956 MASQUERADE all -- any any anywhere anywhere
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
1584 168K prerouting_wan all -- any any anywhere anywhere
root@Serafin:~$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
399 54842 ACCEPT all -- tun+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
1990 217K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
16 960 ACCEPT all -- lo any anywhere anywhere
14 708 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
1696 490K input_rule all -- any any anywhere anywhere
1696 490K input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- any tun+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7 1665 forwarding_rule all -- any any anywhere anywhere
7 1665 forward all -- any any anywhere anywhere
1 336 reject all -- any any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
505 40266 ACCEPT all -- any tun+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
2032 221K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
16 960 ACCEPT all -- any lo anywhere anywhere
210 21083 output_rule all -- any any anywhere anywhere
210 21083 output all -- any any anywhere anywhere
Chain forward (1 references)
pkts bytes target prot opt in out source destination
6 1329 zone_lan_forward all -- br-lan any anywhere anywhere
0 0 zone_wan_forward all -- eth1 any anywhere anywhere
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
5 1155 nat_reflection_fwd all -- any any anywhere anywhere
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
Chain input (1 references)
pkts bytes target prot opt in out source destination
56 9475 zone_lan all -- br-lan any anywhere anywhere
1639 480K zone_wan all -- eth1 any anywhere anywhere
Chain input_lan (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
Chain nat_reflection_fwd (1 references)
pkts bytes target prot opt in out source destination
Chain output (1 references)
pkts bytes target prot opt in out source destination
210 21083 zone_lan_ACCEPT all -- any any anywhere anywhere
154 11624 zone_wan_ACCEPT all -- any any anywhere anywhere
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
10 492 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
1620 478K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
14 708 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
0 0 DROP all -- any any anywhere anywhere
Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
56 9475 input_lan all -- any any anywhere anywhere
56 9475 zone_lan_ACCEPT all -- any any anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
56 9459 ACCEPT all -- any br-lan anywhere anywhere
56 9475 ACCEPT all -- br-lan any anywhere anywhere
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any br-lan anywhere anywhere
0 0 DROP all -- br-lan any anywhere anywhere
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
6 1329 reject all -- any br-lan anywhere anywhere
0 0 reject all -- br-lan any anywhere anywhere
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
6 1329 zone_wan_ACCEPT all -- any any anywhere anywhere
6 1329 forwarding_lan all -- any any anywhere anywhere
6 1329 zone_lan_REJECT all -- any any anywhere anywhere
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
8 2624 ACCEPT udp -- any any anywhere anywhere udp dpt:bootpc
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
4 216 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
4 168 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:21
1623 477K input_wan all -- any any anywhere anywhere
1623 477K zone_wan_REJECT all -- any any anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
154 11624 ACCEPT all -- any eth1 anywhere anywhere
0 0 ACCEPT all -- eth1 any anywhere anywhere
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any eth1 anywhere anywhere
0 0 DROP all -- eth1 any anywhere anywhere
Chain zone_wan_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any eth1 anywhere anywhere
1623 477K reject all -- eth1 any anywhere anywhere
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan all -- any any anywhere anywhere
0 0 zone_wan_REJECT all -- any any anywhere anywhere
Only now was I able to properly check how the network works after the changes.
Instead of
client-config-dir ccd
I had to use:
client-config-dir /etc/openvpn/ccd
otherwise it couldn't find the configuration.
Apart from that, everything started working. Hosts in the Serafin.lan and Stróża.lan networks ping each other, and pings also go through to every interface of the routers.
All that's left is to say thanks!
I sent it by PM.
I changed verb to 10 in openvpn and the logs showed something like this:
Mon Mar 26 17:37:25 2012 us=806422 stroza.localhost/91.X.Y.Z:1194 UDPv4 write returned 77
Mon Mar 26 17:37:27 2012 us=855732 event_wait returned 0
Mon Mar 26 17:37:28 2012 us=464339 event_wait returned 1
Mon Mar 26 17:37:28 2012 us=464635 UDPv4 read returned 85
Mon Mar 26 17:37:28 2012 us=465515 stroza.localhost/91.X.Y.Z:1194 UDPv4 READ [85] from 91.X.Y.Z:1194: P_DATA_V1 kid=0 DATA 8c592396 a5762364 cbfb211f 68852e0a c8246d8d 5517df35 f803afa2 e058d35[more...]
Mon Mar 26 17:37:28 2012 us=465810 stroza.localhost/91.X.Y.Z:1194 MULTI: bad source address from client [192.168.2.243], packet dropped
192.168.2.243 is a printer in the Stroza.lan network.
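The `MULTI: bad source address from client [...]` line is what an OpenVPN server logs when a packet arrives through a client's tunnel from a source address that no `iroute` assigns to that client; those `iroute` lines live in the per-client files under `client-config-dir`. The following Python script is an added example, not part of the original posts: it reads log lines in the format quoted above plus per-client ccd contents, lists the dropped source addresses that no `iroute` covers, and flags a relative `client-config-dir`. The log lines marked as constructed, the client name `third.localhost`, the ccd contents and all function names are assumptions made for illustration.

```python
"""Added example: explain OpenVPN 'bad source address' drops from log + ccd files."""
import ipaddress
import re

# Log prefix is "<common name>/<peer address>:<port>". The peer address is
# matched loosely because the thread redacts it as 91.X.Y.Z.
DROP_RE = re.compile(
    r"(?P<cn>[^\s/]+)/\S+ MULTI: bad source address from client "
    r"\[(?P<src>[0-9.]+)\], packet dropped"
)

# First two lines are taken from the thread; the last two are constructed.
SAMPLE_LOG = """\
Mon Mar 26 17:37:28 2012 us=464635 UDPv4 read returned 85
Mon Mar 26 17:37:28 2012 us=465810 stroza.localhost/91.X.Y.Z:1194 MULTI: bad source address from client [192.168.2.243], packet dropped
Mon Mar 26 17:37:29 2012 us=101010 stroza.localhost/91.X.Y.Z:1194 MULTI: bad source address from client [192.168.2.10], packet dropped
Mon Mar 26 17:37:30 2012 us=202020 third.localhost/203.0.113.9:1194 MULTI: bad source address from client [192.168.3.7], packet dropped
"""

# Constructed ccd contents, keyed by client common name (the ccd file name).
CCD_MISSING = {}  # what the server sees when it cannot find the ccd directory
CCD_PRESENT = {"stroza.localhost": "iroute 192.168.2.0 255.255.255.0  # Stroza LAN\n"}


def strip_comment(line):
    """Remove OpenVPN comments (# or ;) and surrounding whitespace."""
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def parse_iroutes(ccd_text):
    """Return the networks declared with 'iroute <network> [netmask]'."""
    nets = []
    for raw in ccd_text.splitlines():
        parts = strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "iroute":
            # Without a netmask, iroute describes a single host.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return nets


def relative_ccd_dir(server_conf):
    """Return the client-config-dir value if it is a relative path, else None.

    A relative path is resolved against the daemon's working directory,
    so the ccd files may silently not be found.
    """
    for raw in server_conf.splitlines():
        parts = strip_comment(raw).split()
        if len(parts) >= 2 and parts[0] == "client-config-dir":
            return None if parts[1].startswith("/") else parts[1]
    return None


def uncovered_sources(log_text, ccd_files):
    """Map each client CN to dropped source IPs that none of its iroutes cover."""
    result = {}
    for m in DROP_RE.finditer(log_text):
        cn, src = m["cn"], ipaddress.ip_address(m["src"])
        nets = parse_iroutes(ccd_files.get(cn, ""))
        if not any(src in net for net in nets):
            result.setdefault(cn, set()).add(str(src))
    return {cn: sorted(ips) for cn, ips in result.items()}


if __name__ == "__main__":
    for label, ccd in (("ccd not found", CCD_MISSING), ("ccd loaded", CCD_PRESENT)):
        print(label)
        for cn, ips in uncovered_sources(SAMPLE_LOG, ccd).items():
            print(f"  {cn}: no iroute covers {', '.join(ips)}")
    print("relative ccd path:", relative_ccd_dir("client-config-dir ccd"))
```

A matching `route 192.168.2.0 255.255.255.0` in the server configuration is still needed so that the server's kernel sends that subnet into the tunnel; `iroute` only tells OpenVPN which client owns it.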
remove two lines
push "route 10.0.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
does openvpn come up?
show logread
logread shows nothing about openvpn, but openvpn does come up and connections are established between Serafin and Stróża; however, without routing there is no ping from Stróża to Serafin.lan
I reverted the changes.
In principle Serafin has an external address, so I can always reach it; in the future I'll have to add a third OpenWRT.
A question comes to mind. Basically we're looking for a problem in the routing, but it was (I think) set up correctly from the very beginning (my scripts in init.d). What puzzles me is this: in the current configuration, since Stróża pings the whole 192.168.1.0 network, why don't the hosts in Stroza.lan do so? I think it works like this: if the router has the appropriate routes and a host pushes packets to the default gw, then the router should know how to forward them.
Additionally, when I listen with tcpdump on Stroza.tun on Stróża and send a ping from Serafin, tcpdump shows me nothing. Maybe the problem is in the openvpn configuration? I do use the "client-to-client" switch, but unfortunately I have little experience with openvpn and may have made a mistake there.
I don't quite understand
also show the route from Serafin
My scripts were in fact adding the routing manually, however:
root@Serafin:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.2.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
10.0.1.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.12.1 0.0.0.0 UG 0 0 0 eth1
And it doesn't work. I'm not able to ping from Serafin to Stróża.lan
I fixed it.
root@Stroza:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.5 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 10.0.1.5 255.255.255.0 UG 0 0 0 tun0
192.168.138.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.138.1 0.0.0.0 UG 0 0 0 eth1
Pings go from Stróża to Serafin.tun, Serafin.lan and the hosts in the Serafin.lan network. So we're back at the starting point, except that we've tidied up a bit.
do as I wrote: remove the routing and enter on both routers
iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br-lan -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I did as you advised; unfortunately it didn't help.
Did you swap the gateway on purpose, or is it a typo? Shouldn't Serafin have gw 10.0.1.1 and Stróża 10.0.1.6?
root@Serafin:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.12.1 0.0.0.0 UG 0 0 0 eth1
root@Stroza:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.5 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.138.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.138.1 0.0.0.0 UG 0 0 0 eth1
So the routing did not get set up. That's why I used scripts with a timeout, because I wondered what would happen if the router issued the route add command before the vpn connection had been established?
After manually adding the routes:
Serafin:
root@Serafin:~$ route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.1.6
route: SIOCADDRT: No such process
root@Serafin:~$ route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.1.1
root@Serafin:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.2.0 10.0.1.1 255.255.255.0 UG 0 0 0 tun0
10.0.1.0 10.0.1.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.12.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.12.1 0.0.0.0 UG 0 0 0 eth1
Stróża:
root@Stroza:~$ route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.1.1
route: SIOCADDRT: No such process
root@Stroza:~$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.6
root@Stroza:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.1.0 10.0.1.5 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 10.0.1.6 255.255.255.0 UG 0 0 0 tun0
192.168.138.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.138.1 0.0.0.0 UG 0 0 0 eth1
it still doesn't work
From the Serafin router:
root@Serafin:~$ ping 10.0.1.6
PING 10.0.1.6 (10.0.1.6): 56 data bytes
64 bytes from 10.0.1.6: seq=0 ttl=64 time=9.562 ms
64 bytes from 10.0.1.6: seq=1 ttl=64 time=15.048 ms
^C
--- 10.0.1.6 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.562/12.305/15.048 ms
root@Serafin:~$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@Serafin:~$ cat /etc/config/network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'ifname' 'eth0'
config 'interface' 'wan'
option 'ifname' 'eth1'
option '_orig_ifname' 'eth1'
option '_orig_bridge' 'false'
option 'proto' 'static'
option 'ipaddr' '192.168.12.185'
option 'netmask' '255.255.255.0'
option 'gateway' '192.168.12.1'
option 'dns' '8.8.8.8 91.222.116.2'
config 'switch'
option 'name' 'eth0'
option 'reset' '1'
option 'enable_vlan' '1'
config 'switch_vlan'
option 'device' 'eth0'
option 'vlan' '1'
option 'ports' '0 1 2 3 4 5'
From the Stroza router:
root@Stroza:~$ ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: seq=0 ttl=64 time=8.904 ms
64 bytes from 10.0.1.1: seq=1 ttl=64 time=9.112 ms
^C
--- 10.0.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8.904/9.008/9.112 ms
root@Stroza:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=9.745 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=9.794 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.745/9.769/9.794 ms
root@Stroza:~$ cat /etc/config/network
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'ifname' 'eth0'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.2.1'
option 'netmask' '255.255.255.0'
config 'interface' 'wan'
option 'ifname' 'eth1'
option '_orig_ifname' 'eth1'
option '_orig_bridge' 'false'
option 'proto' 'static'
option 'ipaddr' '192.168.138.2'
option 'netmask' '255.255.255.0'
option 'gateway' '192.168.138.1'
option 'dns' '8.8.8.8 192.168.12.1'
config 'switch'
option 'name' 'eth0'
option 'reset' '1'
option 'enable_vlan' '1'
config 'switch_vlan'
option 'device' 'eth0'
option 'vlan' '1'
option 'ports' '0 1 2 3 4 5'
Serafin pings Stróża only at the Stróża.vpn address, while Stróża pings Serafin at the Serafin.lan and Serafin.vpn addresses. Hosts in the Serafin.lan and Stróża.lan networks do not ping each other. In the diagram I used arrows to show the ping direction.
Hello
I need to set up a VPN between two WRT160NL routers; so far I have configured:
WRT160NL server, hostname Serafin:
root@Serafin:~$ ifconfig
br-lan inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
eth1 inet addr:192.168.12.185 Bcast:192.168.12.255 Mask:255.255.255.0
tun0 inet addr:10.0.1.1 P-t-P:10.0.1.2 Mask:255.255.255.255
root@Serafin:~$ cat /etc/openvpn/openvpn.conf
dev tun
port 1194
proto udp
keepalive 10 120
persist-key
persist-tun
mode server
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
verb 3
tls-server
push "route 10.0.1.0 255.255.255.0"
client-to-client
#logging
log-append /tmp/log/openvpn.log
status /tmp/log/openvpn.status
#certificates
dh /etc/ssl/dh1024.pem
ca /etc/ssl/cacert.pem
cert /etc/ssl/servercert.pem
key /etc/ssl/private/serverkey.pem_wp
root@Serafin:~$ cat /etc/config/firewall
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'drop_invalid' '1'
config 'zone'
option 'name' 'lan'
option 'network' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'network' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
config 'rule'
option 'name' 'Allow-DHCP-Renew'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
option 'family' 'ipv4'
config 'rule'
option 'name' 'Allow-Ping'
option 'src' 'wan'
option 'proto' 'icmp'
option 'icmp_type' 'echo-request'
option 'family' 'ipv4'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-DHCPv6'
option 'src' 'wan'
option 'proto' 'udp'
option 'src_ip' 'fe80::/10'
option 'src_port' '547'
option 'dest_ip' 'fe80::/10'
option 'dest_port' '546'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Input'
option 'src' 'wan'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
list 'icmp_type' 'router-solicitation'
list 'icmp_type' 'neighbour-solicitation'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Forward'
option 'src' 'wan'
option 'dest' '*'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'include'
option 'path' '/etc/firewall.user'
config 'rule'
option '_name' 'ssh'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '22'
config 'rule'
option '_name' 'www_luci'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '80'
config 'rule'
option '_name' 'openvpn'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '1194'
config 'rule'
option '_name' 'ftp'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '21'
config 'rule'
option '_name' 'openvpn_lan'
option 'src' 'lan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '1194'
root@Serafin:~$ cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
root@Serafin:~$ cat /etc/init.d/routing
#!/bin/sh /etc/rc.common
# routing needed for communication between hosts in the VPN
START=99
start() {
sleep 100
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.1.2
}
WRT160NL, hostname Stroza:
root@Stroza:~$ ifconfig
br-lan inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
eth1 inet addr:192.168.138.2 Bcast:192.168.138.255 Mask:255.255.255.0
tun0 inet addr:10.0.1.6 P-t-P:10.0.1.5 Mask:255.255.255.255
root@Stroza:~$ cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote 91.X.Y.Z 1194
persist-key
persist-tun
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/strozacert.pem
key /etc/openvpn/strozakey.pem_wp
#logging
log-append /tmp/log/openvpn.log
status /tmp/log/openvpn.status
verb 3
root@Stroza:~$ cat /etc/config/firewall
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'drop_invalid' '1'
config 'zone'
option 'name' 'lan'
option 'network' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'network' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
config 'rule'
option 'name' 'Allow-DHCP-Renew'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
option 'family' 'ipv4'
config 'rule'
option 'name' 'Allow-Ping'
option 'src' 'wan'
option 'proto' 'icmp'
option 'icmp_type' 'echo-request'
option 'family' 'ipv4'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-DHCPv6'
option 'src' 'wan'
option 'proto' 'udp'
option 'src_ip' 'fe80::/10'
option 'src_port' '547'
option 'dest_ip' 'fe80::/10'
option 'dest_port' '546'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Input'
option 'src' 'wan'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
list 'icmp_type' 'router-solicitation'
list 'icmp_type' 'neighbour-solicitation'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'rule'
option 'name' 'Allow-ICMPv6-Forward'
option 'src' 'wan'
option 'dest' '*'
option 'proto' 'icmp'
list 'icmp_type' 'echo-request'
list 'icmp_type' 'destination-unreachable'
list 'icmp_type' 'packet-too-big'
list 'icmp_type' 'time-exceeded'
list 'icmp_type' 'bad-header'
list 'icmp_type' 'unknown-header-type'
option 'limit' '1000/sec'
option 'family' 'ipv6'
option 'target' 'ACCEPT'
config 'include'
option 'path' '/etc/firewall.user'
config 'rule'
option '_name' 'ssh'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '22'
config 'rule'
option '_name' 'www_luci'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '80'
config 'rule'
option '_name' 'openvpn'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '1194'
config 'rule'
option '_name' 'ftp'
option 'src' 'wan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '21'
config 'rule'
option '_name' 'openvpn_lan'
option 'src' 'lan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '1194'
root@Stroza:~$ cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
root@Stroza:~$ cat /etc/init.d/routing
#!/bin/sh /etc/rc.common
# routing needed for communication between hosts in the VPN
START=99
start() {
sleep 150
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.1.5
}
The result is as shown in the diagram:

I need to get connectivity from every host in the 192.168.1.0 network to 192.168.2.0 and vice versa.
I think something is wrong with the routing, but unfortunately I can't figure out why it doesn't work. I tried taking the firewall down on both devices; unfortunately the result was the same.
If anything about the diagram is unclear, please ask.
I would really appreciate a "fresh look at the problem".