打造属于自己的定制化路由器
- 网络配置全部通过 systemd-networkd 和 iproute2 实现
- DHCP/DNS 服务器通过 dnsmasq 实现
连接 WAN 侧
先让路由器本身接入上游网络
# /etc/systemd/network/dhcp.network
# WAN-side uplink: obtain an address via DHCP on any interface whose name
# starts with "e".
[Match]
# NOTE(review): this glob also matches the LAN ports (eth2/eth3). networkd
# applies only the lexically first .network file that matches a device, so
# the file that binds those ports to the bridge must sort before this one —
# confirm the file names keep that order.
Name=e*

[Network]
DHCP=yes
[选] 修改网卡名称
例子:将 MAC 为 00:e2:69:27:da:a3 的网卡改名为 eth0
# /etc/systemd/network/00-eth0.link
# Give the interface with this MAC address a fixed name (applied by udev).
[Match]
MACAddress=00:e2:69:27:da:a3

[Link]
# NOTE(review): renaming to a kernel-style name such as eth0 can race with the
# kernel assigning the same name to another device; a name the kernel never
# picks (e.g. wan0) avoids that — verify against systemd.link(5).
Name=eth0
创建 LAN 侧
创建网桥
所有 LAN 侧端口都会接入到网桥上
# /etc/systemd/network/br-lan.netdev
# Defines the LAN bridge; every LAN port is attached to it.
[NetDev]
Name = br-lan
Kind = bridge
# Fixed MAC so the bridge address does not change with the attached ports.
MACAddress = 00:16:3e:27:da:a7

[Bridge]
# Spanning Tree guards against loops if two LAN ports get cabled together.
STP = yes
配置网桥
设置 IP 以及启动策略
# /etc/systemd/network/br-lan.network
# Address and activation policy for the LAN bridge.
[Match]
Name = br-lan

[Link]
# The LAN side must not block the "online" state of the router.
RequiredForOnline = no
# Keep the bridge administratively up even when no port is attached.
ActivationPolicy = always-up

[Network]
# Router's LAN address; the gateway/DNS address handed out by DHCP must match it.
Address = 10.1.0.1/16
# Assign the address even when no carrier is present on any bridge port.
ConfigureWithoutCarrier = yes

[Bridge]
UseBPDU = yes
绑定端口至网桥
将 eth2、eth3 绑定到 br-lan
# /etc/systemd/network/br-lan-bind.network
# Attach the LAN ports to the bridge.
[Match]
# NOTE(review): Name= is documented as a whitespace-separated list, so the
# single-line form `Name = eth2 eth3` is the unambiguous spelling; confirm the
# two-line form below is merged rather than overridden.
Name = eth2
Name = eth3

[Network]
Bridge = br-lan
以上更改建议重启使其生效
DHCP/DNS 服务
安装 dnsmasq
# Install dnsmasq. NOTE(review): on Arch, `pacman -Sy <pkg>` refreshes the
# package database without upgrading the system, which can leave a partial
# upgrade; `pacman -S dnsmasq` (or `-Syu`) is the usual form — confirm.
sudo pacman -Sy dnsmasq
配置 dnsmasq 服务
# /etc/dnsmasq.conf
# Listen on the standard DNS port.
port=53
# Upstream resolvers. With all-servers below, each query is sent to all of
# them and the first answer wins.
server=1.2.4.8
server=119.29.29.29
server=223.5.5.5
# Names under .lan are answered locally and never forwarded upstream.
local=/lan/
# Do not forward reverse lookups for private address ranges upstream.
bogus-priv
# Ignore /etc/resolv.conf; only the server= lines above are used.
no-resolv
all-servers
cache-size=4096
# Bind only to the listed interface, so the resolver is not reachable on
# WAN-side addresses.
bind-interfaces

interface=br-lan
# DHCP pool and lease time
dhcp-range=10.1.1.1,10.1.255.254,2h
# Default gateway handed to clients
dhcp-option=option:router,10.1.0.1
# DNS server handed to clients
dhcp-option=option:dns-server,10.1.0.1
# Option 15 is the DNS domain name (not WINS, which is option 44)
dhcp-option=15,lan
# Maximum number of concurrent leases
dhcp-lease-max=65535
dhcp-leasefile=/var/lib/misc/dnsmasq.leases

# SRV record
srv-host=_vlmcs._tcp.lan,kms.lan,1688,0,0
address=/kms.lan/10.1.0.1 # A record

# Static lease bound to a MAC address
dhcp-host=00:16:3e:03:d2:5d,10.1.0.20,infinite
启动 dnsmasq
# Enable dnsmasq at boot and start it immediately.
sudo systemctl enable --now dnsmasq
启用网络转发
开启转发
# /etc/sysctl.d/10-net_forward.conf
# Route packets between interfaces (router mode).
net.ipv4.ip_forward = 1
# IPv6 forwarding: once enabled, LAN hosts holding global IPv6 addresses are
# reachable from the WAN unless the firewall filters the forward hook —
# input-hook rules alone do not cover forwarded traffic.
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
[选] 开启 BBR 和 TCP fast open
# /etc/modules-load.d/tcp_bbr.conf
# Load the BBR congestion-control module at boot.
tcp_bbr

# /etc/sysctl.d/10-net_bbr.conf
# 3 = enable TCP Fast Open for both outgoing (client) and incoming (server) connections.
net.ipv4.tcp_fastopen = 3
# NOTE(review): cake requires the sch_cake module to be available — verify it loads.
net.core.default_qdisc = cake
net.ipv4.tcp_congestion_control = bbr
[选] 修改最大连接数
# /etc/sysctl.d/10-net_conntrack.conf
# Upper bound on tracked connections; every NATed flow consumes one entry.
# NOTE(review): this key only exists once nf_conntrack is loaded, so sysctl
# may report it as missing early in boot — verify it is applied.
net.netfilter.nf_conntrack_max = 65535
开启 NAT 功能以及防火墙功能
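# NAT
# Source-NAT LAN traffic leaving through the WAN interface.
# "ppp*" assumes a PPPoE uplink; if the WAN is the DHCP ethernet interface
# instead, use that interface name here and in the filter rules below.
nft add table ip nat
nft add chain ip nat postrouting "{ type nat hook postrouting priority srcnat; }"
nft add rule ip nat postrouting oifname "ppp*" masquerade fully-random
# Firewall
# Each chain keeps the default "accept" policy, so only WAN-originated
# traffic is restricted: replies to established flows pass, everything
# else arriving on the WAN interface is dropped.
nft add table inet filter
# input: traffic addressed to the router itself
nft add chain inet filter input "{ type filter hook input priority filter; }"
nft add rule inet filter input iifname "ppp*" ct state related,established accept
nft add rule inet filter input iifname "ppp*" ct state invalid drop
nft add rule inet filter input iifname "ppp*" drop
# forward: traffic routed through the router (LAN <-> WAN). Without this
# chain, forwarding enabled via sysctl lets WAN-initiated connections reach
# LAN hosts — notably over IPv6, where there is no NAT in the way.
nft add chain inet filter forward "{ type filter hook forward priority filter; }"
nft add rule inet filter forward iifname "ppp*" ct state related,established accept
nft add rule inet filter forward iifname "ppp*" ct state invalid drop
nft add rule inet filter forward iifname "ppp*" drop
# Note: "nft add rule" appends on every run, so re-executing this listing
# duplicates rules; the /etc/nftables.conf form is the reproducible one.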
如需持久化,将配置写入 /etc/nftables.conf 并启用 nftables.service
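# /etc/nftables.conf — loaded by nftables.service.
# "ppp*" assumes a PPPoE uplink; if the WAN is the DHCP ethernet interface,
# substitute that interface name throughout.
# NOTE(review): consider starting the file with `flush ruleset` so reloading
# replaces the ruleset instead of appending duplicate rules — confirm nothing
# else on the host manages nftables rules first.
table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Source-NAT everything leaving through the WAN interface.
    oifname "ppp*" masquerade fully-random
  }
}
table inet filter {
  # Traffic addressed to the router itself.
  chain input {
    type filter hook input priority filter; policy accept;
    iifname "ppp*" ct state established,related accept
    iifname "ppp*" ct state invalid drop
    iifname "ppp*" drop
  }
  # Traffic routed through the router (LAN <-> WAN). Without this chain,
  # forwarding enabled via sysctl lets WAN-initiated connections reach LAN
  # hosts — notably over IPv6, where no NAT stands in the way.
  chain forward {
    type filter hook forward priority filter; policy accept;
    iifname "ppp*" ct state established,related accept
    iifname "ppp*" ct state invalid drop
    iifname "ppp*" drop
  }
}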