For setups where the gateway is VyOS and mosdns is used to split realip and fakeip traffic, it can be configured like this:
(VyOS groups come in several types: address-group, network-group, and so on.)

Defining a group, IP address example:
set firewall group address-group Telegram-v4 address '157.148.47.204'
set firewall group address-group Telegram-v4 address '182.43.124.6'
...

Defining a group, IPv4 network example:
set firewall group network-group Telegram-v4 network '91.108.56.0/22'
set firewall group network-group Telegram-v4 network '91.108.4.0/22'
...

Defining the Telegram IPv4 group:
set firewall group network-group Telegram-v4 network '91.108.56.0/22'
set firewall group network-group Telegram-v4 network '91.108.4.0/22'
set firewall group network-group Telegram-v4 network '91.108.8.0/22'
set firewall group network-group Telegram-v4 network '91.108.16.0/22'
set firewall group network-group Telegram-v4 network '91.108.12.0/22'
set firewall group network-group Telegram-v4 network '149.154.160.0/20'
set firewall group network-group Telegram-v4 network '91.105.192.0/23'
set firewall group network-group Telegram-v4 network '91.108.20.0/22'
set firewall group network-group Telegram-v4 network '185.76.151.0/24'

Defining a group, IPv6 address example:
set firewall group ipv6-address-group Telegram-v6 address '2a00:1098:80:2::1004'
set firewall group ipv6-address-group Telegram-v6 address '2a00:1098:80:2::1001'
...

Defining a group, IPv6 network example:
set firewall group ipv6-network-group Telegram-v6 network '2001:b28:f23d::/48'
set firewall group ipv6-network-group Telegram-v6 network '2001:b28:f23f::/48'
...

Defining the Telegram IPv6 group:
set firewall group ipv6-network-group Telegram-v6 network '2001:b28:f23d::/48'
set firewall group ipv6-network-group Telegram-v6 network '2001:b28:f23f::/48'
set firewall group ipv6-network-group Telegram-v6 network '2001:67c:4e8::/48'
set firewall group ipv6-network-group Telegram-v6 network '2001:b28:f23c::/48'
set firewall group ipv6-network-group Telegram-v6 network '2a0a:f280::/32'

Defining the fakeip groups:
set firewall group network-group FAKEIP-v4 network '198.18.0.0/15' # fakeip
set firewall group ipv6-network-group FAKEIP-v6 network 'f2b0::/18' # fakeip6

Configuring policy routing (the equivalent of the mangle section in RouterOS):

IPv4
set policy route Route-to-SB interface 'eth0' # eth0 is the LAN interface
set policy route Route-to-SB rule 10 set table '100' # table 100 is the to-sb table
set policy route Route-to-SB rule 10 destination group network-group 'Telegram-v4'
set policy route Route-to-SB rule 20 set table '100' # table 100 is the to-sb table
set policy route Route-to-SB rule 20 destination group network-group 'FAKEIP-v4'

IPv6
set policy route6 FAKE6-to-SB interface 'eth0'
set policy route6 FAKE6-to-SB rule 10 set table '106' # table 106 is the to-sb table (v6)
set policy route6 FAKE6-to-SB rule 10 destination group network-group 'FAKEIP-v6'
set policy route6 FAKE6-to-SB rule 20 set table '106' # table 106 is the to-sb table (v6)
set policy route6 FAKE6-to-SB rule 20 destination group network-group 'Telegram-v6'

Configuring the routing tables:
set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.100.9 # sb's LAN IP
set protocols static table 106 route6 ::/0 next-hop fd88::9999 # sb's ULA

If VyOS itself needs to go out through the proxy (usually when pulling container images, downloading iOS updates and the like), configure it like this:
set system name-server '192.168.10.90' # 192.168.10.90 is sb's IP, or mosdns's IP, depending on your topology.
Note that only one name-server is needed here: the one that can tell fakeip apart.
set policy local-route rule 10 destination address '198.18.0.0/15'
set policy local-route rule 10 set table '100'
That's it, VyOS itself now goes out through the proxy. Test it:
curl www.google.com
If it comes back with garbled-looking output (the page HTML), it works. ping cannot reach the outside; use the curl above to check.
Whether to configure the IPv6 local-route depends on your needs; you can skip it, since VyOS's own needs are fairly simple.
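To sanity-check which table a given destination lands in under the rules above, here is an added Python model (not from the original post or from VyOS) that encodes the page's groups and rule order for both the LAN policy routes and the local-route rule. The "main" next-hop label is a placeholder; the local-route branch only contains the IPv4 fakeip rule the post configures, which is why VyOS's own traffic to a Telegram real IP stays on the main table.

```python
import ipaddress

# Groups copied from the VyOS config above (the page's own values).
TELEGRAM_V4 = [ipaddress.ip_network(n) for n in (
    "91.108.56.0/22", "91.108.4.0/22", "91.108.8.0/22", "91.108.16.0/22",
    "91.108.12.0/22", "149.154.160.0/20", "91.105.192.0/23", "91.108.20.0/22",
    "185.76.151.0/24")]
TELEGRAM_V6 = [ipaddress.ip_network(n) for n in (
    "2001:b28:f23d::/48", "2001:b28:f23f::/48", "2001:67c:4e8::/48",
    "2001:b28:f23c::/48", "2a0a:f280::/32")]
FAKEIP_V4 = [ipaddress.ip_network("198.18.0.0/15")]
FAKEIP_V6 = [ipaddress.ip_network("f2b0::/18")]

# Rule order as on the page: first match wins, like VyOS rule numbers.
LAN_POLICY_V4 = [("Telegram-v4", TELEGRAM_V4, 100), ("FAKEIP-v4", FAKEIP_V4, 100)]
LAN_POLICY_V6 = [("FAKEIP-v6", FAKEIP_V6, 106), ("Telegram-v6", TELEGRAM_V6, 106)]
# Only 'set policy local-route rule 10' exists on the page: fakeip v4 -> table 100.
LOCAL_POLICY_V4 = [("local-route-10", FAKEIP_V4, 100)]
# "default gateway" is a placeholder for whatever the main table uses.
NEXT_HOP = {100: "192.168.100.9", 106: "fd88::9999", "main": "default gateway"}

def in_group(addr, group):
    return any(addr in net for net in group)

def route_decision(dst, origin="lan"):
    """Return (matched group, table, next-hop) for a packet to dst.
    origin="lan":   transit traffic entering eth0 (policy route / route6).
    origin="local": traffic generated by VyOS itself (policy local-route)."""
    addr = ipaddress.ip_address(dst)
    if origin == "lan":
        policy = LAN_POLICY_V4 if addr.version == 4 else LAN_POLICY_V6
    else:
        policy = LOCAL_POLICY_V4 if addr.version == 4 else []  # no v6 local-route
    for name, group, table in policy:
        if in_group(addr, group):
            return (name, table, NEXT_HOP[table])
    return (None, "main", NEXT_HOP["main"])

if __name__ == "__main__":
    for dst, origin in (("198.18.1.1", "lan"), ("149.154.167.99", "lan"),
                        ("8.8.8.8", "lan"), ("f2b0::1", "lan"),
                        ("149.154.167.99", "local"), ("f2b0::1", "local")):
        print(origin, dst, "->", route_decision(dst, origin))
```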
done!
tips:
- In '#' (configure) mode you can use run show config to execute '$' (operational) mode commands
- Other commands I use often: 'monitor' (in '$'), to watch changes live; 'compare' (in '#'), to review the edited changes before commit