-
转载自:http://www.2cto.com/net/201306/223534.html
-
OpenWrt的两种模式:桥接模式与路由模式1、桥接模式(Bridged AP Mode ):通过OpenWrt 设备做桥,连接到OpenWrt的无线设备是由此网段192.168.1.0网段中的路由来分配IP地址的,所以此网段中的所有设备都是互通互连的!OpenWrt设备的桥接配置方式:[plain]root@OpenWrt:~# cat /etc/config/networkconfig interface 'loopback'option ifname 'lo'option proto 'static'option ipaddr '127.0.0.1'option netmask '255.0.0.0'config interface 'lan'option ifname 'eth0'option type 'bridge'option proto 'static'option ipaddr '192.168.1.129'option netmask '255.255.255.0'option gateway '192.168.1.1'option dns '202.101.172.46'root@OpenWrt:~# cat /etc/config/wirelessconfig wifi-device radio0option type mac80211option channel 11option hwmode 11ngoption path 'platform/ar933x_wmac'option htmode HT20list ht_capab SHORT-GI-20list ht_capab SHORT-GI-40list ht_capab RX-STBC1list ht_capab DSSS_CCK-40# REMOVE THIS LINE TO ENABLE WIFI:# option disabled 1config wifi-ifaceoption device radio0option network lanoption mode apoption ssid OpenWrtoption encryption noneroot@OpenWrt:~# cat /etc/config/firewallconfig defaultsoption syn_flood 1option input ACCEPToption output ACCEPToption forward REJECT# Uncomment this line to disable ipv6 rules# option disable_ipv6 1config zoneoption name lanoption network 'lan'option input ACCEPToption output ACCEPToption forward REJECTconfig zoneoption name wanoption network 'wan'option input REJECToption output ACCEPToption forward REJECToption masq 1option mtu_fix 1config forwardingoption src lanoption dest wan# We need to accept udp packets on port 68,# see https://dev.openwrt.org/ticket/4108config ruleoption name Allow-DHCP-Renewoption src wanoption proto udpoption dest_port 68option target ACCEPToption family ipv4# Allow IPv4 pingconfig ruleoption name Allow-Pingoption src wanoption proto icmpoption icmp_type echo-requestoption family ipv4option target ACCEPT# Allow DHCPv6 replies# see https://dev.openwrt.org/ticket/10381config ruleoption name Allow-DHCPv6option src wanoption proto udpoption src_ip fe80::/10option src_port 547option dest_ip fe80::/10option dest_port 546option family ipv6option target ACCEPT# Allow essential incoming IPv6 ICMP trafficconfig ruleoption name Allow-ICMPv6-Inputoption src wanoption proto icmplist icmp_type echo-requestlist icmp_type echo-replylist icmp_type destination-unreachablelist icmp_type packet-too-biglist icmp_type time-exceededlist icmp_type bad-headerlist icmp_type unknown-header-typelist icmp_type router-solicitationlist icmp_type neighbour-solicitationlist icmp_type router-advertisementlist icmp_type neighbour-advertisementoption limit 1000/secoption family ipv6option target ACCEPT# Allow essential forwarded IPv6 ICMP trafficconfig ruleoption name Allow-ICMPv6-Forwardoption src wanoption dest *option proto icmplist icmp_type echo-requestlist icmp_type echo-replylist icmp_type destination-unreachablelist icmp_type packet-too-biglist icmp_type time-exceededlist icmp_type bad-headerlist icmp_type unknown-header-typeoption limit 1000/secoption family ipv6option target ACCEPT# Block ULA-traffic from leaking outconfig ruleoption name Enforce-ULA-Border-Srcoption src *option dest wanoption proto alloption src_ip fc00::/7option family ipv6option target REJECTconfig ruleoption name Enforce-ULA-Border-Destoption src *option dest wanoption proto alloption dest_ip fc00::/7option family ipv6option target REJECT# include a file with users custom iptables rulesconfig includeoption path /etc/firewall.user### EXAMPLE CONFIG SECTIONS# do not allow a specific ip to access wan#config rule# option src lan# option src_ip 192.168.45.2# option dest wan# option proto tcp# option target REJECT# block a specific mac on wan#config rule# option dest wan# option src_mac 00:11:22:33:44:66# option target REJECT# block incoming ICMP traffic on a zone#config rule# option src lan# option proto ICMP# option target DROP# port redirect port coming in on wan to lan#config redirect# option src wan# option src_dport 80# option dest lan# option dest_ip 192.168.16.235# option dest_port 80# option proto tcp# port redirect of remapped ssh port (22001) on wan#config redirect# option src wan# option src_dport 22001# option dest lan# option dest_port 22# option proto tcp# allow IPsec/ESP and ISAKMP passthrough#config rule# option src wan# option dest lan# option protocol esp# option target ACCEPT#config rule# option src wan# option dest lan# option src_port 500# option dest_port 500# option proto udp# option target ACCEPT### FULL CONFIG SECTIONS#config rule# option src lan# option src_ip 192.168.45.2# option src_mac 00:11:22:33:44:55# option src_port 80# option dest wan# option dest_ip 194.25.2.129# option dest_port 120# option proto tcp# option target REJECT#config redirect# option src lan# option src_ip 192.168.45.2# option src_mac 00:11:22:33:44:55# option src_port 1024# option src_dport 80# option dest_ip 194.25.2.129# option dest_port 120# option proto tcp2、路由模式(Routed AP Mode):OpenWrt 设备做路由时,连接到OpenWrt的无线设备是由OpenWrt路由设备本身来分配IP地址的,所以通过无线连接到OpenWrt网段中的所有设备都与原来的192.168.1.0网段的设备不通(OpenWrt设备本身除外)!OpenWrt设备的路由配置方式:[plain]root@OpenWrt:/# vi /etc/config/networkconfig interface 'loopback'option ifname 'lo'option proto 'static'option ipaddr '127.0.0.1'option netmask '255.0.0.0'config interface 'wan'option ifname 'eth0'option proto 'static'option ipaddr '192.168.1.129'option netmask '255.255.255.0'option gateway '192.168.1.1'option dns '202.101.172.46'config 'interface' 'wifi'option 'proto' 'static'option 'ipaddr' '192.168.2.1'option 'netmask' '255.255.255.0'root@OpenWrt:/# vi /etc/config/wirelessconfig wifi-device radio0option type mac80211option channel 11option hwmode 11ngoption path 'platform/ar933x_wmac'option htmode HT20list ht_capab SHORT-GI-20list ht_capab SHORT-GI-40list ht_capab RX-STBC1list ht_capab DSSS_CCK-40# REMOVE THIS LINE TO ENABLE WIFI:config wifi-ifaceoption device radio0option network wifioption mode apoption ssid OpenWrtoption encryption noneroot@OpenWrt:/# vi /etc/config/dhcpconfig dnsmasqoption domainneeded 1option boguspriv 1option filterwin2k 0 # enable for dial on demandoption localise_queries 1option rebind_protection 1 # disable if upstream must serve RFC1918 addressesoption rebind_localhost 1 # enable for RBL checking and similar services#list rebind_domain example.lan # whitelist RFC1918 responses for domainsoption local '/lan/'option domain 'lan'option expandhosts 1option nonegcache 0option authoritative 1option readethers 1option leasefile '/tmp/dhcp.leases'option resolvfile '/tmp/resolv.conf.auto'#list server '/mycompany.local/1.2.3.4'#option nonwildcard 1#list interface br-lan#list notinterface lo#list bogusnxdomain '64.94.110.11'config dhcp lanoption interface lanoption start 100option limit 150option leasetime 12hconfig dhcp wanoption interface wanoption ignore 1config dhcp wifioption interface wifioption start 100option limit 150option leasetime 12hroot@OpenWrt:/# vi /etc/config/firewallconfig defaultsoption syn_flood '1'option input 'ACCEPT'option output 'ACCEPT'option forward 'REJECT'config zoneoption name 'wifi'option input 'ACCEPT'option output 'ACCEPT'option forward 'ACCEPT'config zoneoption name 'lan'option network 'lan'option input 'ACCEPT'option output 'ACCEPT'option forward 'ACCEPT'config zoneoption name 'wan'option network 'wan'option output 'ACCEPT'option masq '1'option mtu_fix '1'option input 'REJECT'option forward 'REJECT'config forwardingoption src 'lan'option dest 'wan'config forwardingoption src 'wifi'option dest 'wan'config forwardingoption src 'lan'option dest 'wifi'config forwardingoption src 'wifi'option dest 'lan'config ruleoption name 'Allow-DHCP-Renew'option src 'wan'option proto 'udp'option dest_port '68'option target 'ACCEPT'option family 'ipv4'config ruleoption name 'Allow-Ping'option src 'wan'option proto 'icmp'option icmp_type 'echo-request'option family 'ipv4'option target 'ACCEPT'config ruleoption name 'Allow-DHCPv6'option src 'wan'option proto 'udp'option src_ip 'fe80::/10'option src_port '547'option dest_ip 'fe80::/10'option dest_port '546'option family 'ipv6'option target 'ACCEPT'config ruleoption name 'Allow-ICMPv6-Input'option src 'wan'option proto 'icmp'list icmp_type 'echo-request'list icmp_type 'echo-reply'list icmp_type 'destination-unreachable'list icmp_type 'packet-too-big'list icmp_type 'time-exceeded'list icmp_type 'bad-header'list icmp_type 'unknown-header-type'list icmp_type 'router-solicitation'list icmp_type 'neighbour-solicitation'list icmp_type 'router-advertisement'list icmp_type 'neighbour-advertisement'option limit '1000/sec'option family 'ipv6'option target 'ACCEPT'config ruleoption name 'Allow-ICMPv6-Forward'option src 'wan'option dest '*'option proto 'icmp'list icmp_type 'echo-request'list icmp_type 'echo-reply'list icmp_type 'destination-unreachable'list icmp_type 'packet-too-big'list icmp_type 'time-exceeded'list icmp_type 'bad-header'list icmp_type 'unknown-header-type'option limit '1000/sec'option family 'ipv6'option target 'ACCEPT'config ruleoption name 'Enforce-ULA-Border-Src'option src '*'option dest 'wan'option proto 'all'option src_ip 'fc00::/7'option family 'ipv6'option target 'REJECT'config ruleoption name 'Enforce-ULA-Border-Dest'option src '*'option dest 'wan'option proto 'all'option dest_ip 'fc00::/7'option family 'ipv6'option target 'REJECT'config includeoption path '/etc/firewall.user'重启相应配置:[ html]root@OpenWrt:/# /etc/init.d/network restartConfiguration file: /var/run/hostapd-phy0.confUsing interface wlan0 with hwaddr ec:17:2f:9e:12:f2 and ssid "OpenWrt"root@OpenWrt:/# /etc/init.d/dnsmasq restart
-
OpenWrt的两种模式:桥接模式与路由模式
最新推荐文章于 2024-07-25 17:54:04 发布