iStoreOS 24.10 多线运营商分流+负载均衡,兼容IPv6
本帖最后由 Outsider 于 2025-12-22 00:00 编辑
以下仅供参考,请按需修改成自身实际的接口信息
众所周知,目前 mwan3 对于 nftables 的支持还遥遥无期,所以针对个人现状手撸了一份规则应急
目前的网络拓扑分别有三个WAN口:
[*]wanct:对应IPv6 网口为 wanct_6
[*]wancu:对应IPv6 网口为 wancu_6
[*]wancm:对应IPv6 网口为 wancm_6
在/etc/iproute2/rt_tables追加如下内容:
101 wan_ct
102 wan_cu
103 wan_cm
在/etc/config/firewall追加以下内容,以便自动更新ipset给nft规则用于分流使用,这部分也可以通过控制台来操作:网络 - 防火墙 - IP集
需要注意的是,首次使用前需要先把相应的文件下载到对应的目录(即下面 loadfile 所指向的 /etc/multiwan/resource/manual_nftset/),文件下载地址:https://ispip.clang.cn/
# IPv4 set of special-purpose prefixes that are not ordinary Internet
# destinations: this-network, private (RFC 1918), CGNAT, loopback, link-local,
# IETF protocol assignments, documentation, AS112, AMT, 6to4 relay anycast,
# benchmarking, multicast and reserved space.
# NOTE(review): presumably referenced from multiwan_base.nft so that these
# destinations are not steered to a particular WAN; that ruleset is an
# attachment and is not shown on this page, so confirm against it.
config ipset
option name 'local_addr_v4'
option comment 'Local_IPv4_List'
option family 'ipv4'
# Keep counters on this set.
option counters '1'
# Entries are network prefixes (CIDR), not single hosts.
list match 'net'
list entry '0.0.0.0/8'
list entry '10.0.0.0/8'
list entry '100.64.0.0/10'
list entry '127.0.0.0/8'
list entry '169.254.0.0/16'
list entry '172.16.0.0/12'
list entry '192.0.0.0/24'
list entry '192.0.2.0/24'
list entry '192.31.196.0/24'
list entry '192.52.193.0/24'
list entry '192.88.99.0/24'
list entry '192.168.0.0/16'
list entry '192.175.48.0/24'
list entry '198.18.0.0/15'
list entry '198.51.100.0/24'
list entry '203.0.113.0/24'
list entry '224.0.0.0/4'
list entry '240.0.0.0/4'
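# IPv6 counterpart of local_addr_v4: special-purpose prefixes that are not
# ordinary Internet destinations (unspecified, loopback, IPv4-mapped,
# discard-only, NAT64 well-known prefix, Teredo, ORCHID/ORCHIDv2,
# documentation, 6to4, ULA, link-local, multicast).
# NOTE(review): presumably referenced from multiwan_base.nft; that ruleset is
# an attachment and is not shown on this page, so confirm against it.
config ipset
option name 'local_addr_v6'
option comment 'Local_IPv6_List'
option family 'ipv6'
# Keep counters on this set.
option counters '1'
# Entries are network prefixes (CIDR), not single hosts.
list match 'net'
list entry '::/128'
list entry '::1/128'
list entry '::ffff:0:0/96'
list entry '100::/64'
list entry '64:ff9b::/96'
list entry '2001::/32'
list entry '2001:10::/28'
list entry '2001:20::/28'
# The documentation prefix is 2001:db8::/32 (RFC 3849). The original entry
# used /28, which has host bits set and widens to 2001:db0:: - 2001:dbf:...,
# i.e. it would classify globally routable address space as "local".
list entry '2001:db8::/32'
list entry '2002::/16'
list entry 'fc00::/7'
list entry 'fe80::/10'
list entry 'ff00::/8'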
# File-backed sets: one IPv4 and one IPv6 set each for "all CN", China Telecom
# (ct), China Unicom (cu) and China Mobile (cm). Each set is filled from the
# file named by 'loadfile'; the post notes that these files must already exist
# under /etc/multiwan/resource/manual_nftset/ or the firewall cannot build the
# sets.
# NOTE(review): the files are downloaded from a third-party site and decide
# which WAN traffic leaves through. Keep the directory and files writable by
# root only, and have the updater verify that a download is non-empty and
# contains only CIDR lines before it replaces the file in use.

# All mainland-China IPv4 prefixes.
config ipset
option name 'cn_ipv4'
option comment 'CN_IPv4_Address_List'
option family 'ipv4'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/all_cn.txt'
list match 'net'
# All mainland-China IPv6 prefixes.
config ipset
option name 'cn_ipv6'
option comment 'CN_IPv6_Address_List'
option family 'ipv6'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/all_cn_ipv6.txt'
list match 'net'
# China Telecom IPv4 prefixes.
config ipset
option name 'ct_ipv4'
option comment 'CT_IPv4_Address_List'
option family 'ipv4'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/chinatelecom.txt'
list match 'net'
# China Telecom IPv6 prefixes.
config ipset
option name 'ct_ipv6'
option comment 'CT_IPv6_Address_List'
option family 'ipv6'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/chinatelecom_ipv6.txt'
list match 'net'
# China Unicom IPv4 prefixes.
config ipset
option name 'cu_ipv4'
option comment 'CU_IPv4_Address_List'
option family 'ipv4'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/unicom_cnc.txt'
list match 'net'
# China Unicom IPv6 prefixes.
config ipset
option name 'cu_ipv6'
option comment 'CU_IPv6_Address_List'
option family 'ipv6'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/unicom_cnc_ipv6.txt'
list match 'net'
# China Mobile IPv4 prefixes.
config ipset
option name 'cm_ipv4'
option comment 'CM_IPv4_Address_List'
option family 'ipv4'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/cmcc.txt'
list match 'net'
# China Mobile IPv6 prefixes.
config ipset
option name 'cm_ipv6'
option comment 'CM_IPv6_Address_List'
option family 'ipv6'
option counters '1'
option loadfile '/etc/multiwan/resource/manual_nftset/cmcc_ipv6.txt'
list match 'net'
# Pull two hand-maintained nftables files into the firewall ruleset at the
# 'table-post' position. The post describes multiwan_base.nft as the main
# traffic-splitting policy and multiwan_snat.nft as a placeholder that
# multiwan_gen_snat.sh later rewrites with the IPv6 prefix-SNAT table.
# NOTE(review): both files are loaded on every firewall reload, and one of
# them is regenerated by a script. Keep the files and their directory owned by
# root and not writable by anyone else, and check the generated file with
# `nft -c -f <file>` before reloading so a bad render does not break the reload.
config include 'multiwan'
option type 'nftables'
option path '/etc/multiwan/resource/nftables/multiwan_base.nft'
option position 'table-post'
config include 'multiwan_snat'
option type 'nftables'
option path '/etc/multiwan/resource/nftables/multiwan_snat.nft'
option position 'table-post'
在/etc/config/network后面追加如下内容,主要是添加路由表规则、以及静态路由,这部分也可以通过控制台来操作:网络 - 路由
把 32-bit mark 分段使用:
[*]高 8 bit(mask = 0xff000000):只表示出口 WAN。CT:0x01000000,CU:0x02000000,CM:0x03000000
[*]低 24 bit(mask = 0x00ffffff):留给其它系统共存(比如 nikki 的 0x80/0x81 等)
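# IPv4 policy-routing rules, two per WAN:
#   priority 110x - packets whose fwmark has the top byte 0x01/0x02/0x03
#                   (mask 0xff000000) look up table wan_ct / wan_cu / wan_cm;
#   priority 111x - packets leaving through the WAN's own interface look up
#                   that WAN's table.
# NOTE(review): the marks are presumably set by multiwan_base.nft, which is an
# attachment and not shown on this page. Only the top 8 bits are compared, so
# whatever sets the mark must leave the low 24 bits to other users of fwmark.
config rule
option priority '1101'
option lookup 'wan_ct'
option mark '0x01000000/0xff000000'
config rule
option priority '1111'
option lookup 'wan_ct'
option out 'wanct'
config rule
option priority '1102'
option lookup 'wan_cu'
option mark '0x02000000/0xff000000'
config rule
option priority '1112'
option lookup 'wan_cu'
option out 'wancu'
config rule
option priority '1103'
option lookup 'wan_cm'
option mark '0x03000000/0xff000000'
config rule
option priority '1113'
option lookup 'wan_cm'
# Was 'wancm_6', the IPv6 interface. This is an IPv4 rule, and the CT/CU rules
# above use the IPv4 interface names, so the IPv4 interface 'wancm' belongs here.
option out 'wancm'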
# IPv6 policy-routing rules, mirroring the IPv4 ones with the same priorities,
# table names and fwmark values:
#   priority 110x - fwmark top byte 0x01/0x02/0x03 selects wan_ct/wan_cu/wan_cm;
#   priority 111x - traffic leaving through wanct_6/wancu_6/wancm_6 looks up
#                   the matching table.
config rule6
option priority '1101'
option lookup 'wan_ct'
option mark '0x01000000/0xff000000'
config rule6
option priority '1111'
option lookup 'wan_ct'
option out 'wanct_6'
config rule6
option priority '1102'
option lookup 'wan_cu'
option mark '0x02000000/0xff000000'
config rule6
option priority '1112'
option lookup 'wan_cu'
option out 'wancu_6'
config rule6
option priority '1103'
option lookup 'wan_cm'
option mark '0x03000000/0xff000000'
config rule6
option priority '1113'
option lookup 'wan_cm'
option out 'wancm_6'
# One IPv4 default route per WAN, each installed into that WAN's own routing
# table (wan_ct / wan_cu / wan_cm) rather than the main table. The table names
# are the ones the post adds to /etc/iproute2/rt_tables.
config route
option interface 'wanct'
option target '0.0.0.0/0'
option table 'wan_ct'
config route
option interface 'wancu'
option target '0.0.0.0/0'
option table 'wan_cu'
config route
option interface 'wancm'
option target '0.0.0.0/0'
option table 'wan_cm'
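# One IPv6 default route per WAN, each installed into that WAN's own routing
# table (wan_ct / wan_cu / wan_cm), using the *_6 interfaces.
config route6
option interface 'wanct_6'
option target '::/0'
option table 'wan_ct'
config route6
option interface 'wancu_6'
option target '::/0'
option table 'wan_cu'
config route6
option interface 'wancm_6'
option target '::/0'
# A forum image path was fused onto the end of this line in the page text and
# would have made the option value invalid if pasted as-is; it is removed here.
option table 'wan_cm'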
把热插拔脚本附件放入目录:/etc/hotplug.d/iface/(该目录下的脚本会在接口状态变化时以 root 身份执行,放入前请先通读脚本内容)
新建目录
mkdir -p /etc/multiwan/resource/nftables/
mkdir -p /etc/multiwan/tools/
nftables 文件放入 /etc/multiwan/resource/nftables/
[*]multiwan_base 是分流主策略,按实际情况修改,pppoe对应接口通过ip link 命令即可查询
[*]multiwan_snat 是 ipv6 snat表占位,避免防火墙重新加载异常,后续会被脚本接管,主要用于IPv6出口进行 prefix snat
脚本文件放入/etc/multiwan/tools/
[*]multiwan_gen_snat.sh 用于动态生成 IPv6 PrefixSNAT 表,并注入multiwan_snat.nft
[*]multiwan_ipset_update.sh 用于自动更新大陆地区、电信、联通、移动这些 IP CIDR 文件,可自行按需修改,建议生成之后先手动执行一次,避免因文件不存在导致防火墙无法生成 ipset。这些列表来自第三方站点且直接决定出口选路,更新时最好先下载到临时文件,确认非空且每行都是合法 CIDR 后再覆盖旧文件。
感谢分享{:jie:}