双网口飞牛 NAS 设置二级路由

手里闲置了一台工控机（装了飞牛 NAS），双网口，就想着能不能利用一下搞个旁路由给电脑，第二个网口当交换机，电脑连接第二个网口，初步方案是将两个网口都通过 docker 的 macvlan 映射给 openwrt，但是尝试后发现无论怎么修改电脑最多可以获取 DHCP 下发的 IP，但是无法上网。折腾一番后放弃第二个网口当交换机，直接第二网口接我电脑，当我电脑的主路由，并配置 DMZ 模式，全部请求都转发到我电脑

https://zhwebsite.com/2024/01/28/%E5%9F%BA%E4%BA%8Edebian-12%EF%BC%8C%E5%88%A9%E7%94%A8docker%E7%9A%84openwrt%E6%90%AD%E5%BB%BA/

网络配置

查看当前 IP ip a

gwj@nas:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e8:4c:69:1b:44 brd ff:ff:ff:ff:ff:ff
    inet 10.20.0.60/16 brd 10.20.255.255 scope global dynamic noprefixroute enp1s0
       valid_lft 83427sec preferred_lft 83427sec
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e8:4c:69:1b:45 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::af03:82d3:bd66:1c89/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 100.64.0.6/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::601:e449/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::267f:ca1c:f8d5:975b/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:69:a6:f4:57 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

开启网卡混杂模式

给这俩网口开启网卡混杂模式

1 2	ip link set enp1s0 promisc on ip link set enp2s0 promisc on

docker 配置

这里 openwrt 使用的是 zzsrv/openwrt 这个镜像，功能较为精简，且仍在更新基于 ImmortalWrt OpenWrt-24.10 (每日更新)

openwrt docker-compose.yml 配置如下

services:
  openwrt:
    image: zzsrv/openwrt:latest
    container_name: openwrt
    privileged: true
    networks:
      macwan:
        ipv4_address: 10.20.0.120
      maclan:
        ipv4_address: 10.30.0.124
    #volumes:
    #  - ./etc:/etc
    entrypoint: /sbin/init
    restart: always

networks:
  macwan:
    driver: macvlan
    driver_opts:
      parent: enp1s0
    ipam:
      config:
        - subnet: 10.20.0.0/16
          gateway: 10.20.0.1

  maclan:
    driver: macvlan
    driver_opts:
      parent: enp2s0
    ipam:
      config:
        - subnet: 10.30.0.0/16

这里可以使用飞牛自带的 UI 启动 docker compose，也可以使用如下命令启动 (启动过程中断网为正常现象)

1	docker compose up -d --build --remove-orphans

网上很多教程都是使用 docker run 运行，网卡也是使用 docker network create 方式去创建，不如使用 docker compose，所有配置均在配置文件中，方便日后调整维护

以上配置中 enp1s0 是我接上级路由的网卡记为 macwan，enp2s0 是我接电脑的网卡记为 maclan, 这两个的网段及 IP 随便配置，不影响后边 openwrt 使用

配置网络接口

进入 docker 修改静态 IP

1 2	docker exec -it openwrt bash vim /etc/config/network


config interface 'loopback'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'
 option device 'lo'

config globals 'globals'
 option packet_steering '1'

config interface 'lan'
 option proto 'dhcp'
 option device 'eth1'
 option peerdns '0'
 option delegate '0'
 list dns '192.168.100.1'

config interface 'lan1'
 option proto 'static'
 option device 'eth0'
 option ipaddr '192.168.22.1'
 option netmask '255.255.255.0'

这里配置了两个 lan，lan 连接上级路由，通过 DHCP 获取上级 IP，我给 lan 设置防火墙区域为 wan（对于当前 openwrt，此接口等同于连接上级的 wan），lan1 开启 DHCP 给笔记本，ip 段为 192.168.22.0/24，防火墙区域设置为 lan（对于当前 openwrt，此接口等同于 lan）

上面 eth0、eth1 可能会因环境的不同而改变，建议先使用 ip a 查看 10.20.0.120(上面 docker compose 配置的地址) 绑定的是哪个网口，这个就是 lan

重启网络

1	/etc/init.d/network restart

电脑插到工控机的空闲网口上，查看是否已经获取到 IP，访问 192.168.22.1 访问后台，调整其他配置（openclash 等）

固化配置

为了防止每次新建 docker 都会导致配置丢失，在第一次配置成功后需要拷贝配置文件到 docker 外，并修改 docker-compose.yml

docker ps

1
2
3

gwj@nas:~$ docker ps
CONTAINER ID   IMAGE                  COMMAND        CREATED        STATUS             PORTS     NAMES
9a0e40b4bb44   zzsrv/openwrt:latest   "/sbin/init"   45 hours ago   Up About an hour             openwrt

打开 docker-compose.yml 所在目录，复制 /etc 到当前目录

1 2	# 使用上边命令的docker id docker cp 9a0e40b4bb44:/etc .

取消上面 docker-compose.yml 的注释部分

1 2	volumes: - ./etc:/etc

修改后需要重新构建 docker

开启端口转发（DMZ）

网络 — 防火墙 — 端口转发

启动后自动开启网卡混杂

由于每次启动系统后网卡混杂模式都会失效，设置启动后自动开启混杂模式
参考 Debian 12 解决 /etc/rc.local 开机启动问题

由于某些软件并没有增加开启启动的服务，很多时候需要手工添加，一般我们都是推荐使用 systemd 写个系统服务，但是对于一些简单的脚本或者懒人来说，添加命令到 /etc/rc.local 文件更方便，但是自从 Debian 9 开始，Debian 默认不带 /etc/rc.local 文件，而 rc.local 服务却还是自带的：

gwj@nas:~$ cat /lib/systemd/system/rc-local.service
#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# This unit gets pulled automatically into multi-user.target by
# systemd-rc-local-generator if /etc/rc.local is executable.
[Unit]
Description=/etc/rc.local Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable=/etc/rc.local
After=network.target

[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
RemainAfterExit=yes
GuessMainPID=no

并且默认情况下这个服务还是关闭的状态：

gwj@nas:~$ systemctl status rc-local
● rc-local.service - /etc/rc.local Compatibility
     Loaded: loaded (/lib/systemd/system/rc-local.service; static)
    Drop-In: /usr/lib/systemd/system/rc-local.service.d
             └─debian.conf
     Active: inactive (dead)
       Docs: man:systemd-rc-local-generator(8)

为了解决这个问题，我们需要手工添加一个 /etc/rc.local 文件：

cat <<EOF >/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

ip link set enp1s0 promisc on
ip link set enp2s0 promisc on

exit 0
EOF

然后赋予权限：

1	chmod +x /etc/rc.local

接着启动 rc-local 服务：

1	systemctl enable --now rc-local

此时可能会弹出警告：

The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
 
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

无视警告，因为这个服务没有任何依赖的系统服务，只是开机启动 /etc/rc.local 脚本而已。

再次查看状态：

gwj@nas:~$ systemctl status rc-local.service 
● rc-local.service - /etc/rc.local Compatibility
     Loaded: loaded (/lib/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
    Drop-In: /usr/lib/systemd/system/rc-local.service.d
             └─debian.conf
     Active: active (exited) since Thu 2022-01-27 18:52:43 UTC; 10s ago
       Docs: man:systemd-rc-local-generator(8)
    Process: 541 ExecStart=/etc/rc.local start (code=exited, status=0/SUCCESS)
        CPU: 3ms

Jan 27 18:52:43 debian systemd[1]: Starting /etc/rc.local Compatibility...
Jan 27 18:52:43 debian systemd[1]: Started /etc/rc.local Compatibility.