DD-WRT Link Aggregation Tutorial

Part 1: Check whether your router supports link aggregation

STEP 1: Install DD-WRT V23 or later. To find out whether your router is supported by DD-WRT, go to /dd-wrtv3/dd-wrt/hardware.html and enter the vendor or router model. Flashing the router to V24 or later is recommended. I prefer V24 SP2, whose USB support is better than that of earlier versions. This tutorial uses DD-WRT v24-sp2 (02/18/09) mega (SVN revision 11650M NEWD Eko) as the example.

STEP 2: Log in to the router's web management page, go to the Setup (index) page and check whether you can find the VLAN configuration page. Alternatively, telnet to the router's CLI and run ifconfig to list the current interfaces. If you find several vlan interfaces, congratulations: your router supports link aggregation. My WRT350N is used as the example here; it can support up to 4 or even 5 WANs. The added WAN port uses DHCP for dual-WAN link aggregation. My WRT300N has a CPU without VLAN support, so it has to be put to some other use.

Part 2: Assign the VLANs

STEP 1: Perform a 30/30/30 hard reset to make sure the configuration is in its default state. Hard reset: with the router powered on, hold the Reset button for 30 seconds; keep holding it with the power disconnected for 30 seconds; keep holding it with the power reconnected for 30 seconds; then disconnect the power for 1 minute and power on again. Once the router has booted, redo the required settings, including enabling SSH remote management and JFFS support. Anyone who uses the router for offline downloading will be very familiar with these settings.

STEP 2: Connect to the router's CLI with telnet or SSH and run ifconfig to view the current VLAN state and find the highest VLAN ID in use. The highest VLAN ID + 1 is the VLAN we are going to use. After running ifconfig you will see output similar to the following:

    root@DD-WRT:~# ifconfig
    br0       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:54  Bcast:55  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2324944 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2631133 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:446767529 (426.0 MiB)  TX bytes:2311217676 (2.1 GiB)

    br0:0     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:  Bcast:55  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:2 dropped:0 overruns:0 frame:1341435
              TX packets:0 errors:83 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:6 Base address:0x4000

    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:13187390 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6709994 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1080756377 (1.0 GiB)  TX bytes:3148476041 (2.9 GiB)
              Interrupt:5 Memory:18010000-18020000

    lo        Link encap:Local Loopback
              inet addr:  Mask:
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:55265 errors:0 dropped:0 overruns:0 frame:0
              TX packets:55265 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:13093697 (12.4 MiB)  TX bytes:13093697 (12.4 MiB)

    vlan1     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2322311 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2631133 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:446478350 (425.7 MiB)  TX bytes:2311217676 (2.1 GiB)

    vlan2     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:  Bcast:55  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:10149390 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3328410 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:91675334 (87.4 MiB)  TX bytes:685472650 (653.7 MiB)

    wl0.1     Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Go back to the router's web GUI, open http://<your router IP>/vlan.asp, move LAN4 into vlan3 and save (as shown in the figure).

Back in the CLI, run nvram show|grep vlan|grep ports to view the current port assignment. WAN is 0, LAN1 is 1, and so on. The final 5 or 8 is the CPU port. On newer models such as the WRT310N and WRT350N the list ends in 8; on older models such as the WRT54G/GS/GL it ends in 5.

    root@DD-WRT:~# nvram show|grep vlan|grep ports
    size: 24358 bytes (8410 left)
    vlan2ports=0 8
    vlan1ports=1 2 3 4 8*

On some routers the port order is reversed; the first number in the list is LAN1, and so on. Use the following commands to move LAN4 into VLAN3:

    # Remove port 4 (LAN4) from the LAN VLAN, keeping the CPU port (8*)
    nvram set vlan1ports="1 2 3 8*"
    # Create vlan3 with port 4 and the CPU port
    nvram set vlan3ports="4 8"
    nvram set vlan3hwname=et0
    nvram commit
    reboot

STEP 3: When the router comes back up, use ifconfig and nvram show|grep vlan|grep ports to verify that the VLAN is active and that the ports are assigned correctly.

Part 3: Copy the scripts and debug them

STEP 1: Use WinSCP to upload the scripts to /jffs/scripts/ and set their permissions to 0755. Three scripts are needed: udhcpc-wan2.script, routes.firewall and firewall.firewall.

udhcpc-wan2.script sets up the IP configuration of WAN2.
routes.firewall sets up the IP routing rules.
firewall.firewall sets up the firewall rules.

Thanks to jbarbieri for providing these scripts. Their source follows.

Code of udhcpc-wan2.script:

    #!/bin/sh
    # udhcpc script edited by Tim Riker

    [ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1
    ifconfig $interface up

    RESOLV_CONF="/etc/resolv.conf"
    [ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
    [ -n "$subnet" ] && NETMASK="netmask $subnet"

    case "$1" in
        deconfig)
            /sbin/ifconfig $interface 0.0.0.0
            ;;

        renew|bound)
            # /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
            echo $ip $BROADCAST $NETMASK

            if [ -n "$router" ] ; then
                echo "deleting routers"
                # while route del default gw 0.0.0.0 dev $interface ; do
                #     :
                # done

                # for i in $router ; do
                #     route add default gw $i dev $interface
                # done
                echo $router
            fi

            # Rewrite resolv.conf with the DNS servers handed out on WAN2
            echo -n > $RESOLV_CONF
            [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF
            for i in $dns ; do
                echo adding dns $i
                echo nameserver $i >> $RESOLV_CONF
            done

            # Store the WAN2 lease in nvram for routes.firewall and firewall.firewall
            nvram set wan2_ifname=$interface
            nvram set wan2_gateway=$router
            nvram set wan2_ipaddr=$ip
            nvram set wan2_netmask=$subnet
            nvram set wan2_broadcast=$broadcast
            nvram commit
            ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) up
            ;;
    esac

    exit 0

Code of routes.firewall:

    #!/bin/sh

    echo "Flushing rules" >> /var/log/messages
    ip rule flush
    ip rule add lookup main prio 32766
    ip rule add lookup default prio 32767
    # Table 100 = WAN1, table 200 = WAN2; selected by source address or by fwmark
    ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
    ip rule add fwmark 0x100 table 100 prio 101
    ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
    ip rule add fwmark 0x200 table 200 prio 201
    ip route flush table 100
    ip route flush table 200
    # Copy the directly connected (link-scope) routes into both tables
    for TABLE in 100 200
    do
        ip route | grep link | while read ROUTE
        do
            ip route add table $TABLE to $ROUTE
        done
    done
    ip route add table 100 default via $(nvram get wan_gateway)
    ip route add table 200 default via $(nvram get wan2_gateway)
    ip route delete default
    echo "Adding in equalized route" >> /var/log/messages
    ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)
    echo "routes.firewall completed" >> /var/log/messages

Code of firewall.firewall:

    #!/bin/sh

    insmod ipt_CONNMARK
    insmod ipt_mark
    echo "$(date) Flushing and adding new firewall rules" >> /var/log/messages
    IPTABLES="/usr/sbin/iptables"

    # Replicate the single-port forwards (nvram forward_spec) on the WAN2 address
    for RULE in $(nvram get forward_spec)
    do
        FROM=$(echo $RULE | cut -d '>' -f 1)
        TO=$(echo $RULE | cut -d '>' -f 2)
        STATE=$(echo $FROM | cut -d ':' -f 2)
        PROTO=$(echo $FROM | cut -d ':' -f 3)
        SPORT=$(echo $FROM | cut -d ':' -f 4)
        DEST=$(echo $TO | cut -d ':' -f 1)
        DPORT=$(echo $TO | cut -d ':' -f 2)
        if [ "$STATE" = "on" ]; then
            if [ "$PROTO" = "both" ]; then
                iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to-destination $DEST:$DPORT
                iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to-destination $DEST:$DPORT
            else
                iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to-destination $DEST:$DPORT
            fi
        fi
    done

    # Replicate the port-range forwards (nvram forward_port) on the WAN2 address
    for RULE in $(nvram get forward_port)
    do
        FROM=$(echo $RULE | cut -d '>' -f 1)
        TO=$(echo $RULE | cut -d '>' -f 2)
        STATE=$(echo $FROM | cut -d ':' -f 2)
        PROTO=$(echo $FROM | cut -d ':' -f 3)
        SPORT=$(echo $FROM | cut -d ':' -f 4)
        EPORT=$(echo $FROM | cut -d ':' -f 5)
        if [ "$STATE" = "on" ]; then
            if [ "$PROTO" = "both" ]; then
                iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to-destination $TO
                iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to-destination $TO
            else
                iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to-destination $TO
            fi
        fi
    done

    iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to-destination $(nvram get lan_ipaddr)

    # If remote management is enabled, the web GUI also becomes reachable on WAN2
    if [ "$(nvram get remote_management)" = "1" ]; then
        iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to-destination $(nvram get lan_ipaddr):$(nvram get http_lanport)
    fi

    # If a DMZ host is enabled, everything else arriving on WAN2 is sent to it
    if [ "$(nvram get dmz_enable)" = "1" ]; then
        DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
        iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to-destination $DMZ_IP
    fi

    iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
    iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in

    $IPTABLES -t mangle -F PREROUTING
    $IPTABLES -t mangle -F OUTPUT
    $IPTABLES -F POSTROUTING -t nat

    # ETH1 / ETH2: mark the packet for WAN1 (0x100) or WAN2 (0x200) and save the mark on the connection
    $IPTABLES -t mangle -N ETH1
    $IPTABLES -t mangle -F ETH1
    $IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
    $IPTABLES -t mangle -A ETH1 -j CONNMARK --save-mark
    $IPTABLES -t mangle -N ETH2
    $IPTABLES -t mangle -F ETH2
    $IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
    $IPTABLES -t mangle -A ETH2 -j CONNMARK --save-mark

    # RANDOM: spread new connections across the two WANs
    $IPTABLES -t mangle -N RANDOM
    $IPTABLES -t mangle -F RANDOM
    $IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
    $IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2

    # Source NAT to the address of whichever WAN the packet leaves on
    $IPTABLES -t nat -N SPOOF_ETH1
    $IPTABLES -t nat -F SPOOF_ETH1
    $IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to-source $(nvram get wan_ipaddr)
    $IPTABLES -t nat -N SPOOF_ETH2
    $IPTABLES -t nat -F SPOOF_ETH2
    $IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to-source $(nvram get wan2_ipaddr)

    $IPTABLES -t filter -N keep_state
    $IPTABLES -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t filter -A keep_state -j RETURN
    $IPTABLES -t nat -N keep_state
    $IPTABLES -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -t nat -A keep_state -j RETURN
    $IPTABLES -t nat -I PREROUTING -j keep_state
    $IPTABLES -t nat -I OUTPUT -j keep_state
    $IPTABLES -t filter -I INPUT -j keep_state
    $IPTABLES -t filter -I FORWARD -j keep_state
    $IPTABLES -t filter -I OUTPUT -j keep_state
    $IPTABLES -t nat -I POSTROUTING -j keep_state
    $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
    $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2

    # vlan2 and vlan3 below are the VLAN interfaces of the two WAN ports
    $IPTABLES -t mangle -A FORWARD -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A FORWARD -i vlan2 -j ETH1
    $IPTABLES -t mangle -A FORWARD -i vlan3 -j ETH2
    $IPTABLES -t mangle -A PREROUTING -i br0 -p tcp -m state --state ESTABLISHED -j CONNMARK --restore-mark
    $IPTABLES -t mangle -A PREROUTING -i br0 -m state --state NEW -j RANDOM
    $IPTABLES -t mangle -A PREROUTING -m mark --mark 0x100 -j ACCEPT
    $IPTABLES -t mangle -A PREROUTING -m mark --mark 0x200 -j ACCEPT
    $IPTABLES -t mangle -A PREROUTING -i vlan2 -j ETH1
    $IPTABLES -t mangle -A PREROUTING -i vlan3 -j ETH2

    # Rate Limit
    $IPTABLES -N rate_limit
    $IPTABLES -F rate_limit
    $IPTABLES -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    $IPTABLES -A rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    $IPTABLES -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
    $IPTABLES -A rate_limit -p ! ICMP -j LOG --log-prefix "Connection dropped! "
    $IPTABLES -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A rate_limit -j DROP

    # Add Limits
    $IPTABLES -I INPUT -p ICMP --icmp-type echo-request -j rate_limit
    $IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit

    # Turn off reverse-path filtering on every interface
    RP_PATH=/proc/sys/net/ipv4/conf
    for IFACE in $(ls $RP_PATH); do
        echo 0 > $RP_PATH/$IFACE/rp_filter
    done

The values marked in red above are the VLAN IDs of the WAN ports; change them to match your own setup. The scripts can be downloaded from /dd-wrt/scripts/.

STEP 5: Connect the hardware and debug the scripts.

Hardware connection: one modem is connected to the router's WAN port as usual, and the other modem is plugged into the LAN port we have just reassigned. Back in the CLI, start the scripts with these commands:

    udhcpc -s /jffs/scripts/udhcpc-wan2.script -i vlan3
    /jffs/scripts/routes.firewall
    /jffs/scripts/firewall.firewall

In udhcpc -s /jffs/scripts/udhcpc-wan2.script -i vlan3, the trailing vlan3 is the VLAN of the WAN port you want to bring up. When udhcpc-wan2.script runs successfully it prints the IP address and the other network parameters it obtained. Use ip route, ip route show table 100, ip route show table 200 and ip rule to check that the routing tables and IP rules are correct.

Running ip rule returns output similar to the following:

    root@DD-WRT:~# ip rule
    0: from all lookup local
    100: from lookup 100
    101: from all fwmark 0x100 lookup 100
    200: from lookup 200
    201: from all fwmark 0x200 lookup 200
    32766: from all lookup main
    32767: from all lookup default

Running ip route returns output similar to the following:

    root@DD-WRT:~# ip route
    /24 dev vlan3 proto kernel scope link src
    /24 dev br0 proto kernel scope link src 54
    /19 dev vlan2 proto kernel scope link src
    /16 dev br0 proto kernel scope link src
    /8 dev lo scope link
    default equalize
        nexthop via dev vlan2 weight 1
        nexthop via dev vlan3 weight 1

Running ip route show table 100 returns output similar to the following:

    root@DD-WRT:~# ip route show table 100
    /24 dev vlan3 proto kernel scope link src
    /24 dev br0 proto kernel scope link src 54
    /19 dev vlan2 proto kernel scope link src
    /16 dev br0 proto kernel scope link src
    /8 dev lo scope link
    default via dev vlan2

Running ip route show table 200 returns output similar to the following:

    root@DD-WRT:~# ip route show table 200
    /24 dev vlan3 proto kernel scope link src
    /24 dev br0 proto kernel scope link src 54
    /19 dev vlan2 proto kernel scope link src
    /16 dev br0 proto kernel scope link src
    /8 dev lo scope link
    default via 54 dev vlan3

Next, test whether HTTP works normally; if it does, then of course test whether downloading
