Multi-WAN traffic splitting on a router with iptables

I have been running a LEDE router for a while and needed to split traffic across two WAN links.

1. Configure the WAN interfaces and verify they work. The routing goals for this example are:
   1.1 192.168.2.0/24 goes out via wan2
   1.2 everything else goes out via wan1 by default
   1.3 destinations that hit the ipset "gfw" go out via vpn-ocs
2. Install the required packages (dnsmasq-full is needed for the ipset= directive used later):

opkg update
opkg install ipset iptables iptables-mod-conntrack-extra iptables-mod-u32 kmod-ipt-raw kmod-ipt-conntrack
opkg remove dnsmasq && opkg install dnsmasq-full
3. Create the ipset (netmask 24 stores each resolved address as its /24 network):

ipset create gfw hash:ip netmask 24
4. Create an ip rule so that packets carrying fwmark 88 are routed by table 88 (the rule is not persistent; on LEDE/OpenWrt add it to /etc/rc.local or a hotplug script so it survives a reboot):

/sbin/ip rule add fwmark 88 table 88
5. Populate routing table 88 automatically
   Create the file /etc/hotplug.d/iface/30-cus with the following content. It runs whenever one of the interfaces comes up; vpn-ocs is the VPN interface, eth1.3 is wan2 and eth1 is wan:

#!/bin/sh

# VPN interface up: LAN return route in table 88, 8.8.8.8 via the VPN, default route of table 88 via the VPN
[ "$ACTION" = ifup ] && [ "$INTERFACE" = ocs ] && {
	ip route replace 192.168.0.0/24 dev br-lan table 88
	ip route replace 8.8.8.8 dev vpn-ocs
	ip route replace default dev vpn-ocs table 88
	exit 0
}

# wan2 up: its subnet is reachable directly from table 88
[ "$ACTION" = ifup ] && [ "$INTERFACE" = wan2 ] && {
	ip route replace 192.168.2.0/24 dev eth1.3 table 88
	exit 0
}

# wan up: same for the wan subnet
[ "$ACTION" = ifup ] && [ "$INTERFACE" = wan ] && {
	ip route replace 192.168.1.0/24 dev eth1 table 88
	exit 0
}

Then make it executable:

chmod +x /etc/hotplug.d/iface/30-cus
6. Classify traffic with iptables (these rules are not persistent either; on LEDE/OpenWrt put them in /etc/firewall.user so they are reapplied on every firewall reload)

# first restore the mark of a connection that has already been classified
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# traffic whose destination is in ipset gfw (populated by dnsmasq)
iptables -t mangle -A PREROUTING -i br-lan -m set --match-set gfw dst -j MARK --set-mark 88

# Telegram traffic that goes to raw IPs (no DNS lookup, so the ipset never sees it)
iptables -t mangle -A PREROUTING -i br-lan -d 149.154.160.0/20 -j MARK --set-mark 88
iptables -t mangle -A PREROUTING -i br-lan -d 91.108.0.0/21 -j MARK --set-mark 88
iptables -t mangle -A PREROUTING -i br-lan -d 91.108.56.0/22 -j MARK --set-mark 88

# Resilio traffic that goes to raw IPs
iptables -t mangle -A PREROUTING -i br-lan -d 173.244.192.0/19 -j MARK --set-mark 88
iptables -t mangle -A PREROUTING -i br-lan -d 209.95.32.0/19 -j MARK --set-mark 88

# store the mark on the connection so later packets inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

# the router's own traffic whose destination is in ipset gfw
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m set --match-set gfw dst -j MARK --set-mark 88
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
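The mangle rules above only work as intended when CONNMARK --restore-mark is the first rule of each chain (so later packets of an already classified connection inherit mark 88 without being re-matched) and CONNMARK --save-mark is the last (so the decision is stored on the conntrack entry). A rule inserted with -I later on, or a missing --save-mark, silently breaks that. The script below is an added example, not code from the original post: check_connmark_order reads an iptables-save dump and verifies that ordering for one chain, and sample_mangle_dump writes a constructed dump that mirrors the post's rules for PREROUTING but deliberately omits the --save-mark in OUTPUT, so the check passes for the first chain and fails for the second. The function names and the sample are assumptions; on the router you would feed it the output of iptables-save -t mangle.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables-save output
# format (MARK is rendered as --set-xmark, masks are appended to CONNMARK)
# and a BusyBox-compatible awk.

# check_connmark_order DUMPFILE CHAIN
# returns 0 when, in table mangle, CHAIN's first rule is CONNMARK
# --restore-mark, its last rule is CONNMARK --save-mark and at least one
# MARK rule sits between them; returns 1 otherwise (including when the
# chain has no rules in the mangle table at all).
check_connmark_order() {
    awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }          # "*mangle", "*nat", ...
        table == "mangle" && $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ /-j CONNMARK --restore-mark/) restore = n
            else if ($0 ~ /-j CONNMARK --save-mark/) save = n
            else if ($0 ~ /-j MARK --set-/) marks++
        }
        END { exit !(n >= 3 && restore == 1 && save == n && marks > 0) }
    ' "$1"
}

# sample_mangle_dump: constructed iptables-save fragment (only the lines
# relevant to the check). PREROUTING is ordered correctly; OUTPUT lacks
# the final --save-mark on purpose.
sample_mangle_dump() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -i br-lan -m set --match-set gfw dst -j MARK --set-xmark 0x58/0xffffffff
-A PREROUTING -i br-lan -d 149.154.160.0/20 -j MARK --set-xmark 0x58/0xffffffff
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -m set --match-set gfw dst -j MARK --set-xmark 0x58/0xffffffff
COMMIT
EOF
}
```

On a live router: `iptables-save -t mangle > /tmp/mangle.dump; check_connmark_order /tmp/mangle.dump PREROUTING && echo ok`. A non-zero exit is the cue to look at the chain with `iptables -t mangle -L PREROUTING -n --line-numbers` before assuming the ipset or the routing table is at fault.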
7. dnsmasq configuration
   7.1 Edit /etc/dnsmasq.conf:
   create the directory /etc/dnsmasq.d and append the line conf-dir=/etc/dnsmasq.d at the end of the file.

7.2 Create the file /etc/dns.sh (the domain list it reads is the /etc/gfw.lst from step 7.3):

#!/bin/sh
# deduplicate the domain list
sort -u /etc/gfw.lst >/tmp/gfw.tmp
# forward queries for each listed domain to 8.8.8.8 ...
sed '/./{s/^/server=\//;s/$/\/8.8.8.8/}' /tmp/gfw.tmp >/etc/dnsmasq.d/gfw.conf
# ... and add every address resolved for them to ipset gfw
sed '/./{s/^/ipset=\//;s/$/\/gfw/}' /tmp/gfw.tmp >/etc/dnsmasq.d/gfwset.conf
rm /tmp/gfw.tmp
/etc/init.d/dnsmasq restart

7.3 Create the file /etc/gfw.lst, one domain per line:

in-addr.arpa
91porn.com
ablwang.com
aboluowang.com
appspot.com
areyoucereal.com
bannedbook.org
bbc.co.uk
bbc.com
bbc.in
bit.ly
blogger.com
blogspot.com
boxun.com
ccache.org
cdninstagram.com
creaders.net
dlvr.it
doub.io
dropbox.com
dropboxstatic.com
dropboxusercontent.com
dwnews.com
facebook.com
fastpic.ru
fb.com
fb.me
fbcdn.net
freeimage.us
fungames-forfree.com
gameloft.com
gfw.press
ggpht.com
github.com
githubusercontent.com
g.co
gmail.com
goo.gl
google.ca
google.com
google.com.au
google.com.hk
googleadservices.com
googleapis.com
googleusercontent.com
googlevideo.com
gstatic.com
gvt1.com
gvt2.com
gvt3.com
heyzo.com
huaglad.com
ift.tt
imgdream.net
instagram.com
ipoock.com
letscorp.net
lvv2.com
m-team.cc
medium.com
mingjingnews.com
mingjingtimes.com
mobile01.com
ntdtv.com
nyti.ms
nytimes.com
pincong.rocks
resilio.com
rfa.org
rfi.fr
seatguru.com
secretchina.com
shadowsocks.org
soundofhope.org
steamcommunity.com
t.co
t.me
t66y.com
telegram.me
telegram.org
telegra.ph
textnow.com
textnow.me
tfgapps.com
theinitium.com
trello.com
tumblr.com
twimg.com
twitter.com
wenxuecity.com
wikipedia.org
wordpress.com
worldjournal.com
wsj.com
wsj.net
xteko.com
xvideos.com
youtu.be
youtube.com
ytimg.com
voachinese.com

Worth pointing out is the in-addr.arpa entry: sending reverse (PTR) lookups the same way prevents the browsing history from leaking through DNS reverse lookups of the addresses just visited.

7.4 Run dns.sh to generate gfw.conf and gfwset.conf under /etc/dnsmasq.d/ and restart dnsmasq.
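The dns.sh in step 7.2 takes the list as-is: a comment, a stray space or a mistyped entry such as one with an underscore ends up as a malformed server= line, and dnsmasq reads the fragment while it is still being written. The script below is an added example, not the original post's dns.sh: gen_dnsmasq_conf reads the same one-domain-per-line list, drops comments, blank lines and names that are not valid hostnames, lowercases and deduplicates, and writes both fragments to temporary files before renaming them into place so a half-written file is never picked up. It also refuses to touch the output directory when the list yields nothing usable, which protects the existing configuration from an empty or corrupted list. The function name, its arguments and the constructed inputs are assumptions; restarting dnsmasq is left to the caller.

```shell
#!/bin/sh
# Added example, not the post's dns.sh. Assumes BusyBox-compatible
# sh/sed/sort/grep/tr and that the caller restarts dnsmasq afterwards.

# gen_dnsmasq_conf LIST OUTDIR UPSTREAM SETNAME
#   LIST     file with one domain per line (blank lines and # comments ignored)
#   OUTDIR   directory that dnsmasq reads via conf-dir=
#   UPSTREAM resolver to forward the listed domains to, e.g. 8.8.8.8
#   SETNAME  ipset that resolved addresses are added to, e.g. gfw
# Writes OUTDIR/<SETNAME>.conf (server= lines) and OUTDIR/<SETNAME>set.conf
# (ipset= lines) and returns 0; returns 1 without touching OUTDIR when the
# list contains no usable domain.
gen_dnsmasq_conf() {
    list=$1; outdir=$2; upstream=$3; setname=$4
    tmp=$(mktemp) || return 1

    # normalise: strip comments and surrounding whitespace, lowercase, keep
    # only plausible hostnames (labels of [a-z0-9-], at least one dot), dedupe
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list" \
      | tr 'A-Z' 'a-z' \
      | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' \
      | sort -u > "$tmp"

    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    mkdir -p "$outdir"
    # write to hidden temporary files, then rename: dnsmasq never sees a
    # partially written fragment
    sed "s|^|server=/|; s|\$|/$upstream|" "$tmp" > "$outdir/.$setname.conf.new"
    sed "s|^|ipset=/|; s|\$|/$setname|" "$tmp" > "$outdir/.${setname}set.conf.new"
    mv "$outdir/.$setname.conf.new" "$outdir/$setname.conf"
    mv "$outdir/.${setname}set.conf.new" "$outdir/${setname}set.conf"
    rm -f "$tmp"
    return 0
}
```

Usage on the router would be `gen_dnsmasq_conf /etc/gfw.lst /etc/dnsmasq.d 8.8.8.8 gfw && /etc/init.d/dnsmasq restart`, so dnsmasq is only restarted when the fragments were actually regenerated.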
