Questions tagged [openwrt] (server)

Evan Carroll
Asked: 2024-05-29 08:03:33 +0800 CST

Connecting to AT&T, I get OpenSSL: pending error: error:0A00018E:SSL routines::ca md too weak

  • 4

When I try to connect to AT&T using the WPA supplicant running on OpenWRT, I get:

10g-2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
10g-2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
10g-2: CTRL-EVENT-EAP-STARTED EAP authentication started
10g-2: CTRL-EVENT-EAP-FAILURE EAP authentication failed
10g-2: CTRL-EVENT-EAP-STARTED EAP authentication started
10g-2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: pending error: error:0A00018E:SSL routines::ca md too weak
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
10g-2: CTRL-REQ-PASSPHRASE-0:Private key passphrase needed for SSID
10g-2: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

How do I resolve this error?

openwrt
  • 1 answer
  • 17 Views
Leon
Asked: 2021-11-15 23:01:43 +0800 CST

How do I add a routing rule that matches only on "dport"?

  • 0

On my OpenWrt box I want to route only one specific protocol/port (tcp:1888) from a single PC (192.168.28.2) to the tun interface, so I do the following:

ip rule add from 192.168.28.2 dport 1888 lookup 123

ip route add default via 10.8.0.2 dev tun0 table 123

But it does not work!

When I check the rule list with ip rule, I get:

0:      from all lookup local
32765:  from 192.168.28.2 lookup 123
32766:  from all lookup main
32767:  from all lookup default

I guess the dport selector did not take effect.

What should I do?

Thanks!!!

Solution: with help from Nikita Kipriyanov I got it working, but the FORWARD chain of the mangle table did not work; I used PREROUTING instead.

Can anyone explain why I should use PREROUTING rather than FORWARD in the mangle table?

iptables ip-routing openwrt iproute2 rules
  • 1 answer
  • 122 Views
KevinM
Asked: 2021-10-08 05:50:10 +0800 CST

How do I stop devices connected to a specific wireless interface from accessing the internet?

  • 2

I have configured two wireless interfaces on my OpenWRT WiFi router: wlan0 and wlan0-1. My WAN ethernet interface is eth0.2.

How can I prevent devices connected to wlan0-1 from accessing the internet, e.g. using iptables?

My situation is that I have some devices (air purifiers) reachable over WiFi to support monitoring and control, but they also upload data to a cloud server, which I want to block.

br-lan    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd76:9521:f357::1/60 Scope:Global
          inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:380362 errors:0 dropped:9 overruns:0 frame:0
          TX packets:1678139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:128540610 (122.5 MiB)  TX bytes:1235755098 (1.1 GiB)

br-wan    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AF
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
          inet6 addr: fe80::724f:57ff:fe00:51af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1684381 errors:0 dropped:10354 overruns:0 frame:0
          TX packets:369066 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1209960142 (1.1 GiB)  TX bytes:132041857 (125.9 MiB)

eth0      Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
          inet6 addr: fe80::724f:57ff:fe00:51ae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1809158 errors:0 dropped:16 overruns:0 frame:0
          TX packets:1611603 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1276777715 (1.1 GiB)  TX bytes:1193854987 (1.1 GiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AE
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1218251 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33390921 (31.8 MiB)  TX bytes:1054045465 (1005.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr 70:4F:57:00:51:AF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1689922 errors:0 dropped:349 overruns:0 frame:0
          TX packets:393339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1210230806 (1.1 GiB)  TX bytes:133360867 (127.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:642 errors:0 dropped:0 overruns:0 frame:0
          TX packets:642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56074 (54.7 KiB)  TX bytes:56074 (54.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 70:4F:57:00:51:AC
          inet6 addr: fe80::724f:57ff:fe00:51ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:293895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:383702 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99486914 (94.8 MiB)  TX bytes:194289752 (185.2 MiB)

wlan0-1   Link encap:Ethernet  HWaddr 72:4F:57:00:51:AC
          inet6 addr: fe80::704f:57ff:fe00:51ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12335 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1962975 (1.8 MiB)  TX bytes:2056310 (1.9 MiB)

So far I have only been able to block traffic from a single IP address, but that is clumsy:

$ iptables -A forwarding_rule --source 192.168.1.110  --jump reject

Using the input and output interfaces, br-wan or eth0.2, does not work either:

$ iptables -A forwarding_rule -i wlan0-1 -o br-wan --jump reject

Edit: adding the output of iptables-save

# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*nat
:PREROUTING ACCEPT [29740:1906622]
:INPUT ACCEPT [1917:191180]
:OUTPUT ACCEPT [9468:913173]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct  7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*mangle
:PREROUTING ACCEPT [408155:279582022]
:INPUT ACCEPT [31411:6614761]
:FORWARD ACCEPT [376252:272911158]
:OUTPUT ACCEPT [51318:6113468]
:POSTROUTING ACCEPT [402428:277911525]
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct  7 21:18:59 2021
# Generated by iptables-save v1.8.3 on Thu Oct  7 21:18:59 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A forwarding_rule -s 192.168.1.110/32 -j reject
-A forwarding_rule -s 192.168.1.111/32 -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Oct  7 21:18:59 2021

Edit: adding the output of uci export firewall

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'wan wan6 wwan1 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'
        option src 'wan'

Edit: adding the output of ip link:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 70:4f:57:00:51:ae brd ff:ff:ff:ff:ff:ff
7: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wan state UP qlen 1000
    link/ether 70:4f:57:00:51:af brd ff:ff:ff:ff:ff:ff
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 70:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 72:4f:57:00:51:ac brd ff:ff:ff:ff:ff:ff

Edit: adding the output of brctl show:

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.704f570051ae       no              eth0.1
                                                        wlan0
                                                        wlan0-1
br-wan          7fff.704f570051af       no              eth0.2
firewall linux iptables openwrt
  • 1 answer
  • 378 Views
tom654321
Asked: 2021-07-16 23:46:01 +0800 CST

Is it possible to force a DHCP server to assign a different IP address on every address renewal?

  • 0

I need to detect IP address renewals in my C++ Linux application and check whether the new address differs from the old one. I have access to a router running OpenWrt. I can change the lease time, but I cannot find a way to force the address to change on every renewal. Is this even possible? Or perhaps, once an IP address is assigned it never changes on renewal, and the only way is to obtain an address after the lease time has passed without renewing and hope my old address gets assigned to another client?

Thanks in advance for any suggestions.

linux dhcp ip openwrt dhcp-server
  • 1 answer
  • 1705 Views
Jack_Hu
Asked: 2021-02-10 16:39:37 +0800 CST

OpenWRT - how do I redirect all subdomains of a hostname to the same host so it can be reverse proxied?

  • 2

I have an OpenWRT router set up at 192.168.1.1 with the search domain local (as opposed to the default, lan).

I have a server set up at 192.168.1.200 with the hostname server.local.

I have a workstation, 192.168.1.10, with the hostname workstation.local.

server.local also runs an NGINX reverse proxy to serve subdomains such as sub.server.local.

If my workstation tries to reach server.local, it correctly resolves to 192.168.1.200.

However, if my workstation tries to reach sub.server.local, it fails to resolve to 192.168.1.200.

If my workstation has 192.168.1.200 sub.server.local added to its hosts file, it resolves correctly and the server's reverse proxy routes the incoming connection to the correct port.

How can I fix this so that all subdomains of server.local resolve to 192.168.1.200? Having to add a host record on every workstation for every subdomain on the server is obviously unsustainable.

I assume I need to change some DNS records on my OpenWRT router, but looking at the settings in LuCI (the web interface), nothing seems able to achieve this.

Any ideas?

routing domain-name-system subdomain reverse-proxy openwrt
  • 2 answers
  • 3483 Views
KreonZZ
Asked: 2021-01-17 05:47:27 +0800 CST

Capture IEEE802.11.x authentication and capability data with tcpdump?

  • 0

I am troubleshooting some issues with my wireless network (OpenWrt 19.x and mobile devices) and came across this: https://dot11.exposed/2017/09/20/violation-of-802-11-standard-intel-wireless-cards-send-40mhz-intolerant-bit-on-5ghz/

Most notably, this particular capture screenshot: [image from the linked article]

This is exactly what I am looking for, but I don't know how to capture that information.

    ssh root@myRouter tcpdump -i wlan1 -U -e -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

only gives me the basic post-handshake information (the four IEEE802.11x messages) and then jumps straight to DHCP. But I need the full information about the capabilities the router and the device send each other, to see what is going on.

wifi tcpdump wpa2 openwrt
  • 1 answer
  • 266 Views
FlexMcMurphy
Asked: 2021-01-03 21:49:02 +0800 CST

Does Dropbear know what a ~/.ssh/config file is?

  • 2

I want to SSH from one host (OpenWrt running Dropbear) to another host on the same LAN that runs the OpenSSH server and client.

I converted the other host's private OpenSSH key to Dropbear format and saved it to ~/.ssh/ncp_key_dropbear on the OpenWrt host.

Now I can SSH from OpenWrt to the other host like this:

# ssh -i ncp_key_dropbear root@192.168.1.124 -p 22

I also created a ~/.ssh/config file on the OpenWrt host, like this:

Host ncp
        User root
        Port 22
        IdentityFile ~/.ssh/ncp_key_dropbear
        HostName 192.168.1.124

But when I now try to SSH with this command:

# ssh ncp

I get this error...

root@OpenWrt:~/.ssh# ssh ncp

ssh: Connection to root@ncp:22 exited: Connect failed: Error resolving 'ncp' port '22'. Name does not resolve

In fact, even if I change the port to 1022, and even though sshd on the remote host is listening on that port, I get the same error.

I set up a ~/.ssh/config file on the other host as described above, except that I use an OpenSSH client on that host, and I can SSH from it to OpenWrt like this:

# ssh openwrt

So why doesn't my config file work on OpenWrt? Does Dropbear know nothing about the ~/.ssh/config file? Here is an article from 2009 that seems to suggest so, but has that changed since?

Cheers,

Flex

ssh openwrt linux-networking dropbear
  • 1 answer
  • 1088 Views
Will Nilges
Asked: 2020-05-29 06:09:57 +0800 CST

StrongSwan: manually expire security associations

  • 0

I am automating some software tests involving IPSec and StrongSwan. The tests basically apply a swanctl.conf file to two gateway machines and then bring up a tunnel between them. They then check that the tunnel is encrypted and report performance. However, they don't clean up very well. The result is that my test boxes end up with a bunch of unused security associations showing in ipsec statusall, and I can't figure out how to get rid of them. I don't want to wait for them to expire, but I don't know of a way to manually expire/delete them. Does such a method exist?

bash ipsec openwrt strongswan
  • 2 answers
  • 136 Views
Andrey Fedorov
Asked: 2017-03-14 07:35:54 +0800 CST

Is SSLsplit the right tool for intercepting and re-encrypting HTTPS traffic on a wifi router?

  • 7

I want to do vulnerability research on a product that runs on various devices by intercepting its HTTPS traffic, but I don't want to modify those devices beyond installing a custom certificate.

SSLsplit seems to do what I want, since it allows "transparent interception of connections via a network address translation engine and redirection to SSLsplit". As I understand it, these NAT rules don't have to be defined on the device running the MITM-ed application; I could customize iptables to redirect the router's traffic through SSLsplit on a device running Fruity Wifi or OpenWRT.

Is SSLsplit together with modified iptables rules a sufficient and sensible way to approach this, or do I also have to modify other parts of the Linux networking stack?

Note: the system I'm trying to build requires devices to install the certificate into their trusted root store in order to "opt in" to this interception. I am not trying to build a system that intercepts arbitrary traffic from unwilling devices.

https openwrt mitmproxy
  • 3 answers
  • 8852 Views
Hadogenes
Asked: 2016-11-09 05:09:17 +0800 CST

OpenWRT: don't forward private network IPs

  • 1

How do I stop any packet whose destination IP is in a private network (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from being forwarded to the WAN?

When I forget to connect the work VPN, I don't want these packets forwarded to the WAN; the router should reject them so that I know immediately (without having to wait for a timeout).

firewall route openwrt linux-networking
  • 1 answer
  • 270 Views