Posts posted by Михаил Лукьянов
-
Is there any chance this will ever be fixed? It's just that two years ago, when fwmark was rolled out for 2.08, it was presented as a temporary bug. And now it has hardened and turned into a "feature of how it works".
-
Firmware 2.14.C.0.0-4. When openvpn is enabled via the web interface, the script in /opt/etc/ndm/openvpn-up.d runs correctly; however, when openvpn is disabled via the web interface, the script located in /opt/etc/ndm/openvpn-down.d is not run.
-
Firmware 2.14.C.0.0-4. A rule of the form
iptables -t mangle -I PREROUTING -d 195.201.201.32/32 -j MARK --set-mark 9
does not mark all packets until fastnat is forcibly disabled. Details here: https://forum.keenetic.net/topic/5210-выборочный-роутинг-через-openvpn/?do=findComment&comment=68413 .
-
Errors have started showing up in the logs:
Ноя 17 14:23:26 ndm Acme::Client: retry after 62 s, retry 3.
Ноя 17 14:24:24 ndhcpc GigabitEthernet0/Vlan2: received ACK for 176.15.183.133 from 78.107.145.13.
Ноя 17 14:24:29 ndm Http::SslServer: security level changed to public.
Ноя 17 14:24:29 ndm Http::Manager: security level changed to public.
Ноя 17 14:24:29 ndm Acme::Client: obtaining certificate for domain "23d13ce43b32a3933a9eb296.keenetic.io" is started.
Ноя 17 14:24:31 ndm Acme::Runner: perform HTTP sanity checks for domain "23d13ce43b32a3933a9eb296.keenetic.io".
Ноя 17 14:24:31 ndm Io::TcpSocket: connected to 23.105.235.71:80.
Ноя 17 14:24:31 ndm Acme::Runner: obtaining registration from ACMEv2 server...
Ноя 17 14:24:31 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/directory"...
Ноя 17 14:24:32 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/new-nonce"...
Ноя 17 14:24:33 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/new-acct"...
Ноя 17 14:24:34 ndm Acme::V2: already registered.
Ноя 17 14:24:34 ndm Acme::Runner: generating domain RSA key (2048 bits) ...
Ноя 17 14:24:41 ndm Acme::Runner: generating domain RSA key completed.
Ноя 17 14:24:42 ndm Acme::Runner: pushing new certificate order...
Ноя 17 14:24:42 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/directory"...
Ноя 17 14:24:42 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/new-nonce"...
Ноя 17 14:24:44 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/new-order"...
Ноя 17 14:24:44 ndm Acme::Runner: obtaining challenges...
Ноя 17 14:24:44 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:24:45 ndm Acme::Runner: challenges obtained.
Ноя 17 14:24:45 ndm Acme::Runner: triggering checks from ACME server...
Ноя 17 14:24:45 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/directory"...
Ноя 17 14:24:45 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/new-nonce"...
Ноя 17 14:24:46 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/challenge/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II/9376060834"...
Ноя 17 14:24:48 ndm Acme::V2: attempt #1...
Ноя 17 14:24:48 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:24:49 ndm Acme::V2: result is not ready, retry after 5 s.
Ноя 17 14:24:54 ndm Acme::V2: attempt #2...
Ноя 17 14:24:54 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:24:54 ndm Acme::V2: result is not ready, retry after 5 s.
Ноя 17 14:24:59 ndm Acme::V2: attempt #3...
Ноя 17 14:24:59 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:25:00 ndm Acme::V2: result is not ready, retry after 5 s.
Ноя 17 14:25:05 ndm Acme::V2: attempt #4...
Ноя 17 14:25:05 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:25:05 ndm Acme::V2: result is not ready, retry after 5 s.
Ноя 17 14:25:10 ndm Acme::V2: attempt #5...
Ноя 17 14:25:10 ndm Acme::Tools: requesting "https://acme-v02.api.letsencrypt.org/acme/authz/1PLf48q40UW6EiVNRnCKY2Xp0G6_rmUpmPmW3Ahv1II"...
Ноя 17 14:25:11 ndm Acme::V2: result is not ready, retry after 5 s.
Ноя 17 14:25:16 ndm Acme::V2: system failed [0xcffd014a], no more tries, timed out.
Ноя 17 14:25:16 ndm Http::SslServer: security level changed to private.
Ноя 17 14:25:16 ndm Http::Manager: security level changed to private.
Ноя 17 14:25:16 ndm Acme::Client: retry after 126 s, retry 4.
Ноя 17 14:27:22 ndm Http::SslServer: security level changed to public.
Ноя 17 14:27:22 ndm Http::Manager: security level changed to public.
And so on in a loop. As I understand it, it is trying to validate the certificate of the service domain (the one the update comes from). Firmware 2.13.C.0.0-4
P.S. In the end it all finished like this, but this is probably not what was intended:
Ноя 17 14:32:47 ndm Acme::Tools: [378] "response body": "{ "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 }".
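The retry cycle in the log above can be measured with a small parser; this is an added example, not part of the original post and not Keenetic code. It assumes all entries fall on the same day and that the "public" security level on Http::Manager is the window in which the web server answers outside requests; `max_retries` is a hypothetical alert budget, not a value from the page.

```python
import re
from datetime import datetime

# Entries copied from the log quoted above, one per line.
SAMPLE = """\
Ноя 17 14:23:26 ndm Acme::Client: retry after 62 s, retry 3.
Ноя 17 14:24:29 ndm Http::SslServer: security level changed to public.
Ноя 17 14:24:29 ndm Http::Manager: security level changed to public.
Ноя 17 14:25:16 ndm Acme::V2: system failed [0xcffd014a], no more tries, timed out.
Ноя 17 14:25:16 ndm Http::SslServer: security level changed to private.
Ноя 17 14:25:16 ndm Http::Manager: security level changed to private.
Ноя 17 14:25:16 ndm Acme::Client: retry after 126 s, retry 4.
Ноя 17 14:27:22 ndm Http::SslServer: security level changed to public.
Ноя 17 14:27:22 ndm Http::Manager: security level changed to public.
"""

# Fields: month, day, HH:MM:SS, process, source, message.
LINE = re.compile(r"^\S+\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\S+?):\s+(.*)$")
RETRY = re.compile(r"retry after (\d+) s, retry (\d+)")

def summarize(text, max_retries=5):
    """Count failed ACME runs, time spent 'public', and the retry backoff."""
    failures, retries, public_s, opened = 0, [], 0, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a log entry
        ts = datetime.strptime(m.group(1), "%H:%M:%S")  # same-day assumption
        source, msg = m.group(2), m.group(3)
        if source == "Http::Manager" and "security level changed to" in msg:
            if msg.endswith("public.") and opened is None:
                opened = ts                      # window opens
            elif msg.endswith("private.") and opened is not None:
                public_s += int((ts - opened).total_seconds())
                opened = None                    # window closes
        elif source == "Acme::V2" and "system failed" in msg:
            failures += 1
        elif source == "Acme::Client" and (r := RETRY.search(msg)):
            retries.append((int(r.group(2)), int(r.group(1))))  # (retry no, delay s)
    highest = max((n for n, _ in retries), default=0)
    return {"failed_runs": failures, "public_seconds": public_s,
            "still_public": opened is not None, "retries": retries,
            "over_budget": highest >= max_retries}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over a full log export, a `retries` list that keeps growing while `failed_runs` climbs is the pattern that precedes the `rateLimited` response shown in the P.S.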
Policy based routing for IPv6
in 3.1
PBR for IPv6 does not work, although it was only tested on 6to4. What I want:
What I get:
Output of ip -6 a, ip -6 ru, ip -6 ro sh ta all:
~ # ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 2000
inet6 fe80::52ff:20ff:fe11:6dfb/64 scope link
valid_lft forever preferred_lft forever
9: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 2000
inet6 fe80::52ff:20ff:fe11:6dfc/64 scope link
valid_lft forever preferred_lft forever
11: rai0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::52ff:20ff:fe11:6dfd/64 scope link
valid_lft forever preferred_lft forever
20: eth2.1@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
inet6 fe80::52ff:20ff:fe11:6dfb/64 scope link
valid_lft forever preferred_lft forever
21: eth2.3@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
inet6 fe80::52ff:20ff:fe11:6dfb/64 scope link
valid_lft forever preferred_lft forever
22: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
inet6 2002:6dab:11aa:0:52ff:20ff:fe11:6dfb/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::52ff:20ff:fe11:6dfb/64 scope link
valid_lft forever preferred_lft forever
23: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
inet6 fe80::52ff:20ff:fe11:6dfb/64 scope link
valid_lft forever preferred_lft forever
24: tun6to4_1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1
inet6 2002:6dab:11aa::6dab:11aa/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a01:1e01/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:101/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::4e2f:7db4/64 scope link
valid_lft forever preferred_lft forever
~ # ip -6 ru
~ # ip -6 ro sh ta al
Error: argument "al" is wrong: table id value is invalid
~ # ip -6 ro sh ta all
local ::1 dev lo proto none metric 0 pref medium
local 2002:6dab:11aa::6dab:11aa dev lo proto none metric 0 pref medium
2002:6dab:11aa::6dab:11aa dev tun6to4_1 proto kernel metric 256 pref medium
local 2002:6dab:11aa:0:52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
2002:6dab:11aa:0:52ff:20ff:fe11:6dfb dev br0 proto kernel metric 256 pref medium
2002:6dab:11aa::/64 dev br0 metric 1024 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80::a01:1e01 dev lo proto none metric 0 pref medium
local fe80::4e2f:7db4 dev lo proto none metric 0 pref medium
local fe80::c0a8:101 dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfb dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfc dev lo proto none metric 0 pref medium
local fe80::52ff:20ff:fe11:6dfd dev lo proto none metric 0 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
fe80::/64 dev eth2.1 proto kernel metric 256 pref medium
fe80::/64 dev eth2.3 proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev br1 proto kernel metric 256 pref medium
fe80::/64 dev tun6to4_1 proto kernel metric 256 pref medium
fe80::/64 dev rai0 proto kernel metric 256 pref medium
ff00::/8 dev eth2 metric 256 pref medium
ff00::/8 dev eth2.1 metric 256 pref medium
ff00::/8 dev eth2.3 metric 256 pref medium
ff00::/8 dev eth3 metric 256 pref medium
ff00::/8 dev br0 metric 256 pref medium
ff00::/8 dev br1 metric 256 pref medium
ff00::/8 dev tun6to4_1 metric 256 pref medium
ff00::/8 dev rai0 metric 256 pref medium
default dev tun6to4_1 metric 1024 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -128 pref medium
Details here: https://forum.keenetic.net/topic/3078-обход-блокировок-на-роутере/?do=findComment&comment=75555