主页 / server / 问题

问题[ubiquiti-edgerouter](server)

Martin Hope
Nicolò
Asked: 2022-02-04 06:45:39 +0800 CST
  • 0

我已将我的 EdgeRouter-X 设置为 WireGuard 客户端(使用 IPv6),以便我的公共 IP 显示为 WireGuard 服务器的公共 IP。

这是因为我想使用 OVH 的 IP 和 Anti-DDoS 来托管家庭服务器,而不是我自己的不受保护的公共 ip。

我有 4 个公共 IP:

22.22.22.22

33.33.33.33

44.44.44.44

55.55.55.55

我的连接图是这样的:

OVH VPS Wireguard Server WG0 Tunnel (LOCAL Tunnel 10.0.0.1) [Port forwarding with IPTables] <-----> (LOCAL Tunnel 10.0.0.2) EdgeRouter X

EdgeRouter-X (LOCAL 192.168.1.1) [Port forwarding with EdgeRouter] <-----> (LOCAL 192.168.1.10) HOME-SERVER

我正在通过 wg0 隧道将 OVH 的 VPS (1-65535) 的所有端口与 IPTables 转发到我的 EdgeRouter,然后转发到我的家庭服务器,这样就可以了。

问题是当用户连接到 22.22.22.22:80 时,他成功显示了网页,但他到服务器的 IP 是 10.0.0.1 而不是用户公共 IP。

这是我的 WG 服务器配置:

[Interface]

Address = 10.0.0.1/30

ListenPort = 51821

PrivateKey = CENSORED




### Client vpn

[Peer]

PublicKey = CENSORED

PresharedKey = CENSORED

AllowedIPs = 10.0.0.2/30

这是我的 WG 服务器 IPTables 配置,用于通过 WG0 将端口转发到 EdgeRouter:

# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*filter
:INPUT ACCEPT [971:145912]
:FORWARD ACCEPT [920:137172]
:OUTPUT ACCEPT [637:108812]
:f2b-sshd - [0:0]
COMMIT
# Completed on Sun Jan  9 11:04:33 2022
# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*nat
:PREROUTING ACCEPT [133:6792]
:INPUT ACCEPT [61:2272]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [66:4011]
-A PREROUTING -i ens3 -p udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sun Jan  9 11:04:33 2022

这是我的 EdgeRouter-X 配置,带有 WG0 客户端和端口转发到家庭服务器:

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group MY_PUBLIC {
             address 22.22.22.22
             address 33.33.33.33
             address 44.44.44.44
             address 55.55.55.55
         }
     }
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify wireguard_route {
         rule 5 {
             action modify
             destination {
                 group {
                     address-group MY_PUBLIC
                 }
             }
             modify {
                 table main
             }
         }
         rule 10 {
             action modify
             description wireguard-vpn
             modify {
                 table 1
             }
             source {
                 address 192.168.1.0/24
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         dhcpv6-pd {
             pd 0 {
                 interface eth1 {
                     service dhcpv6-stateful
                 }
                 interface eth2 {
                     service dhcpv6-stateful
                 }
                 interface eth3 {
                     service dhcpv6-stateful
                 }
                 interface switch0 {
                     host-address ::1
                     service slaac
                 }
                 prefix-length /64
             }
             rapid-commit enable
         }
         duplex auto
         firewall {
             in {
                 ipv6-name WANv6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WANv6_LOCAL
                 name WAN_LOCAL
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         poe {
             output off
         }
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         address 192.168.1.1/24
         description Local
         firewall {
             in {
                 modify wireguard_route
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
     wireguard wg0 {
         address 10.0.0.2/30
         description Wireguard
         listen-port 51821
         mtu 1420
         peer CENSORED {
             allowed-ips 0.0.0.0/0
             endpoint [2001:41d0:52:400::6e3]:51821
             persistent-keepalive 25
             preshared-key /config/auth/wg-preshared.key
         }
         private-key /config/auth/wg.key
         route-allowed-ips false
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface switch0
     rule 1 {
         description "Allow ALL"
         forward-to {
             address 192.168.1.10
         }
         original-port 1-65535
         protocol tcp_udp
     }
     wan-interface wg0
 }
 protocols {
     static {
         table 1 {
             description "table to force wg0:aws"
             interface-route 0.0.0.0/0 {
                 next-hop-interface wg0 {
                 }
             }
             route 0.0.0.0/0 {
                 blackhole {
                     distance 255
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.38 {
                     stop 192.168.1.243
                 }
                 static-mapping Node2 {
                     ip-address 192.168.1.10
                     mac-address 90:b1:1c:44:f6:da
                 }
                 static-mapping iDRAC {
                     ip-address 192.168.1.120
                     mac-address E0:DB:55:06:2D:14
                 }
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5002 {
             description wireguard-nat
             log disable
             outbound-interface wg0
             protocol all
             source {
                 address 192.168.1.0/24
             }
             type masquerade
         }
         rule 5003 {
             description "masquerade for WAN"
             log disable
             outbound-interface eth0
             protocol all
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
     }
 }
 system {
     analytics-handler {
         send-analytics-report false
     }
     crash-handler {
         send-crash-report false
     }
     host-name EdgeRouter-X-5-Port
     login {
         user ubnt {
             authentication {
                 encrypted-password 
             }
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         hwnat enable
         ipsec enable
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }
vpn networking tunneling wireguard ubiquiti-edgerouter
Martin Hope
Andreas
Asked: 2021-04-17 03:03:52 +0800 CST
  • 0

我有一个 edgerouter x sfp 作为互联网的主路由器。到此路由器,服务器与运行称为 swag 的反向代理 docker 连接,例如。我用来从互联网访问 nextcloud 和几个 ngnix docker 的letsencrypt。

这几乎很好用。因此,导航这些站点和 nextcloud 可以工作,但是当我开始下载大文件时,问题就开始了。

当我通过网络浏览器从 nextcloud 下载 20GB 文件时,根据 chrome,它由于“网络故障”而失败。我可以重新启动下载,并且可以在多次重新启动后完成下载(从下载菜单中的 kontext 菜单)。当我从 nginx 站点下载相同的文件时也会发生同样的情况,因此它与 nextcloud 没有直接关系。

但是,当我通过 OpenVPN 连接到我的网络并通过内部 LAN IP 下载文件时,我可以成功下载文件。因此,通过 OpenVPN 使用服务器的直接 IP 不会导致 chrome 中出现“网络故障”消息。

所以有人可以帮我找出问题所在:

  1. 是不是edgerouter x sfp配置错了(我只是加了端口转发位)
  2. 反向代理是问题吗(这里我从 docker 本身获取了建议的代理配置)
  3. 或者是其他东西?

编辑 1:nginx 配置文件:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name shop.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Username and Password Required";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_grafana nginx;
        proxy_pass http://$upstream_grafana;
    }
}

nextcloud 配置文件:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;
    
    include /config/nginx/ssl.conf;
    
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
            

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        
        proxy_pass https://$upstream_nextcloud;         
    }
    
    
    location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
    }       
}
troubleshooting reverse-proxy ubiquiti-edgerouter
Martin Hope
Sherlock
Asked: 2020-04-15 07:21:31 +0800 CST
  • 1

我们有一个用于登录存储、主机等的 OOB/管理网络。我们使用 VLAN 将存储与主机、摄像机等分开。

我们想用以前的配置替换这个开关,但我们想知道 Xen 是否正在运行哪些进程(如果有的话)会利用 OOB 网络,例如池通信?

如果我们取出当前的 OOB 路由器来替换它,并且 Xen 主机在一段时间内(比如 5 分钟?)无法访问 OOB 网络,这会导致 Xen 出现问题吗?

xen networking citrix xenserver ubiquiti-edgerouter
Martin Hope
cyberquarks
Asked: 2020-02-21 12:11:38 +0800 CST
  • 2

所以我设法通过以下方式安装了带有 Ubiquiti Edge Router X 的 ZeroTier:

admin@edgerouter# sudo -i
root@edgerouter:~# curl -s https://install.zerotier.com | sudo bash

并通过 ZeroTier 全球 IP 访问 Edge OS (Edge Max) 接口,因此我可以在世界任何地方访问我的路由器,这很棒。

但是,如何访问连接到路由器的 LAN 设备?例如,我在路由器中有一台具有本地 IP 的设备,192.168.1.39

如何使用 ZeroTier 网络访问它?

router networking ubiquiti ubiquiti-edgerouter