I am trying to configure an mt300a router as an LTE hotspot for a laptop and a tablet (both connected to the device's wifi/lan bridge interface br-lan). For some reason nftables does not honour the instruction to NAT-masquerade outgoing packets on the interface wwan0 (the LTE stick's interface). I have exhausted all troubleshooting options.

Why does nft not NAT-masquerade the packets coming from the LAN side, but instead pass them on as packets from the local 172.16.0.0/20 segment?
Reproducing the LTE modem routing bug on the MT300A.
Manually set the IP address to 192.168.1.2 and flash LEDE version 17.01.4.
Set the router's username and password (do not connect the LTE dongle yet).
Configure it with the following commands:
uci set dhcp.@dnsmasq[0].domain='gopher.io'
uci set system.@system[0].hostname='gopher'
uci set network.lan.ipaddr='172.16.0.1'
uci set network.lan.netmask='255.255.240.0'
uci set wireless.radio0=wifi-device
uci set wireless.radio0.channel='8'
uci set wireless.radio0.disabled='0'
uci set wireless.default_radio0.ssid='gopherwifi'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='iamthegopher'
uci commit
reboot now
Reboot and connect the WAN Ethernet port to the upstream gateway (the network configurations should no longer conflict). Install the QMI support packages.
opkg update
opkg install \
usb-modeswitch \
kmod-mii kmod-usb-net kmod-usb-wdm kmod-usb-net-qmi-wwan \
kmod-usb-serial-option kmod-usb-serial kmod-usb-serial-wwan \
uqmi luci-proto-qmi \
libustream-openssl ca-certificates
Stop the modem from trying to auto-connect, then check that the modem can connect to the target APN (replace it with your SIM card's APN settings) and that the setting persists across reboots.
uqmi -d /dev/cdc-wdm0 --stop-network 4294967295 --autoconnect
uqmi -d /dev/cdc-wdm0 --start-network simple --autoconnect
Add a Linux interface wwan backed by the supported interface wwan0.
uci set network.wwan=interface
uci set network.wwan.ifname='wwan0'
uci set network.wwan.proto='dhcp'
Turn off OpenWrt's firewall.
/etc/init.d/firewall stop
/etc/init.d/firewall disable
Install the support packages for nftables-based routing.
opkg update
opkg install nftables tcpdump
rmmod iptable_nat
Restore nftables to its original state.
nft flush ruleset
Configure nft to perform NAT routing.
# firewall
table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "br-lan" accept
        iifname "wwan0" drop
    }
    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "br-lan" oifname "wwan0" accept
        iifname "wwan0" oifname "br-lan" ct state established accept
        iifname "wwan0" oifname "br-lan" ct state related accept
        iifname "wwan0" oifname "br-lan" drop
    }
}
# NAT
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain input {
        type nat hook input priority 0; policy accept;
        counter comment "count accepted packets"
    }
    chain output {
        type nat hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wwan0" masquerade
    }
}
Configure nftables logging.
nft add rule filter output log
nft add rule filter input log
nft add rule filter forward log
nft add rule nat prerouting log
nft add rule nat postrouting log
At this point the router itself keeps its internet connection through the LTE modem, but incoming packets from the br-lan interface are not masqueraded correctly, and the LAN side of the router cannot reach the internet, because every packet from the LAN side still carries its LAN source IP address and therefore cannot be routed back from outside.
ping www.google.com
PING www.google.com (172.217.9.4): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Syslog output
kern.warn kernel: [ 685.079875] IN= OUT=wwan0 SRC=172.16.0.237 DST=172.217.9.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45659 PROTO=ICMP TYPE=8 CODE=0 ID=24842 SEQ=0
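Added here as a worked example (it is not part of the original question and is not OpenWrt/LEDE or nftables project code): a small POSIX shell script that turns the log rules from the question into a check. It reads netfilter log lines (on the router, from `logread`; here from a constructed sample whose first line is the syslog line quoted above) and reports every packet that left the WAN interface after routing while still carrying an RFC 1918 source address, which is the exact symptom described. The function names `nf_field`, `is_rfc1918`, `private_egress`, `count_private_egress` and `sample_log` are mine; the WAN interface name `wwan0` is taken from the question.

```shell
#!/bin/sh
# Added example (not part of the original question): scan netfilter log lines for packets
# that left the WAN interface still carrying an RFC 1918 source address, i.e. packets that
# the nat postrouting masquerade rule never rewrote. Assumes the WAN interface is "wwan0"
# and that the "nft add rule ... log" output is read from the kernel log.
#
# Usage on the router:   logread | private_egress wwan0
# The stand-alone run at the bottom uses a constructed sample instead.

# nf_field LINE KEY: print the value of "KEY=" from a netfilter log line, "" when the key
# is present but empty (as "IN=" is for packets logged at the output/postrouting hooks).
nf_field() {
    nf_key=" $2="
    nf_val=${1#*"$nf_key"}               # drop everything up to and including " KEY="
    if [ "$nf_val" = "$1" ]; then        # pattern did not match: key absent on this line
        printf ''
    else
        printf '%s' "${nf_val%% *}"      # value runs up to the next space
    fi
}

# is_rfc1918 ADDR: succeed when ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            rf_oct=${1#172.}
            rf_oct=${rf_oct%%.*}
            case "$rf_oct" in
                *[!0-9]*|'') return 1 ;;     # second octet is not a plain number
            esac
            [ "$rf_oct" -ge 16 ] && [ "$rf_oct" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# private_egress WAN_IF: read log lines on stdin and print the ones that show a private
# source address leaving WAN_IF after routing (IN= empty, OUT=WAN_IF). Lines logged from
# the forward hook (IN= set) are skipped: they are taken before source NAT and still show
# the LAN address even when masquerade is working.
private_egress() {
    while IFS= read -r pe_line; do
        [ "$(nf_field "$pe_line" OUT)" = "$1" ] || continue
        [ -z "$(nf_field "$pe_line" IN)" ] || continue
        is_rfc1918 "$(nf_field "$pe_line" SRC)" || continue
        printf '%s\n' "$pe_line"
    done
}

# count_private_egress WAN_IF: same filter, prints only the number of offending lines.
count_private_egress() {
    private_egress "$1" | wc -l | tr -d ' '
}

# Constructed sample: line 1 is the syslog line from the question; lines 2-4 are made up
# for contrast (forward-hook view, a CGNAT 100.64/10 source, and a reply into the LAN).
sample_log() {
    cat <<'EOF'
kern.warn kernel: [  685.079875] IN= OUT=wwan0 SRC=172.16.0.237 DST=172.217.9.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45659 PROTO=ICMP TYPE=8 CODE=0 ID=24842 SEQ=0
kern.warn kernel: [  685.200000] IN=br-lan OUT=wwan0 SRC=172.16.0.237 DST=172.217.9.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45660 PROTO=ICMP TYPE=8 CODE=0 ID=24842 SEQ=1
kern.warn kernel: [  685.300000] IN= OUT=wwan0 SRC=100.70.12.9 DST=172.217.9.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=45661 PROTO=ICMP TYPE=8 CODE=0 ID=24842 SEQ=2
kern.warn kernel: [  685.400000] IN=wwan0 OUT=br-lan SRC=172.217.9.4 DST=172.16.0.237 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=12 PROTO=ICMP TYPE=0 CODE=0 ID=24842 SEQ=2
EOF
}

# Stand-alone run: exactly one line (the question's own) should be reported.
sample_log | private_egress "${1:-wwan0}"
```

The IN= test is what makes the check meaningful: a log rule in the filter forward chain always shows the pre-NAT LAN address, so only lines taken at the postrouting (or output) hook, where IN= is empty, say anything about whether masquerade ran. A non-zero count from `logread | count_private_egress wwan0` after a LAN client pings out confirms the leak without needing tcpdump on the modem side.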