在路由器上使用Tun模式做透明代理后,内网的服务器无法被外网访问到 #2549
Comments
zlm324
changed the title
|
与 #2167 应该是同一个问题。我也被这个问题困扰很久。 最近跟r1和o1整了半天,想手动打个补丁用起来但是无果。在公网和内网主机上抓包可以看到SYN和ACK记录,现象与你一致。目前能确定的是DNAT正常,即防火墙的端口转发规则实际还是生效的,内网服务器能收到从公网wan侧发来的请求,但返回的数据包似乎又重新进了tun,sing-box开debug级别没有内网主机做出响应返回的连接日志,发起请求的公网侧主机收不到响应不断重连直到超时失败。 另外还有个观察变量不唯一因此不一定对:1.10和早期的1.11-alpha版本IPv4受影响但IPv6正常,在公网侧WireGuard和luci都可以通过IPv6地址正常访问,直到目前1.11.1似乎IPv6也开始受影响了,上述两个场景不再可用。 |
对的,就是像你说的这样。内网服务器能收到请求,但返回的数据就没能到外网,有没有再次进入tun不是很清楚,毕竟debug日志中也没看到有内网机器的连接,这数据包去哪了呢?还有一个情况是,如果我把"route_exclude_address"这一句去掉,整个内网就访问不了外网了,这又是为啥? |
|
我也遇到了,但是v6路由器可以访问。 |
操作系统
Linux
系统版本
openwrt 23.05
安装类型
sing-box 原始命令行程序
如果您使用图形客户端程序,请提供该程序版本。
No response
版本
描述
网络是家里的内网,openwrt做软路由,在openwrt中做了端口转发:
protocol: any, source zone: wan, destination zone: lan, internal ip: 192.168.2.5
内网中有个服务器,ip地址是192.168.2.5,在此设置下,外网是可以访问到内网服务器的。
然后在openwrt中使用sing-box做透明代理,tun模式,运行后代理功能正常,但外网无法访问到内网服务器。
重现方式
配置文件如下:
{ "dns": { "servers": [ { "tag": "dns_direct", "type": "tls", "server": "223.5.5.5", "detour": "out_direct" }, { "tag": "dns_proxy", "type": "tls", "server": "8.8.8.8", "detour": "out_selector" } ] }, "inbounds": [ { "tag": "in_tun", "type": "tun", "address": ["172.19.0.1/30"], "route_exclude_address": ["192.168.2.0/16"], "auto_route": true, "auto_redirect": true, "strict_route": true, "stack": "mixed" } ], "outbounds": [ { "tag": "out_1", "type": "vless" }, { "tag": "out_2", "type": "vless" }, { "tag": "out_3", "type": "vless" }, { "type": "selector", "tag": "out_selector", "outbounds": ["out_urltest", "out_1", "out_2", "out_3"], "default": "out_urltest" }, { "type": "urltest", "tag": "out_urltest", "outbounds": ["out_1", "out_2", "out_3"], "url": "https://connectivitycheck.gstatic.com/generate_204", "interval": "5m", "tolerance": 150 }, { "tag": "out_direct", "type": "direct", "domain_resolver": "dns_direct" } ], "route": { "rule_set": [ { "tag": "geosite-geolocation-cn", "type": "remote", "format": "binary", "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs", "download_detour": "out_selector" }, { "tag": "geosite-cn", "type": "remote", "format": "binary", "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs", "download_detour": "out_selector" }, { "tag": "geoip-cn", "type": "remote", "format": "binary", "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs", "download_detour": "out_selector" }, { "tag": "ads", "type": "remote", "format": "binary", "url": "https://raw.githubusercontent.com/REIJI007/AdBlock_Rule_For_Sing-box/main/adblock_reject.srs", "download_detour": "out_selector" } ], "rules": [ { "action": "resolve", "strategy": "prefer_ipv4" }, { "action": "sniff", "timeout": "500ms" }, { "type": "logical", "mode": "or", "rules": [{"port": 53}, {"protocol": "dns"}], "action": "hijack-dns" }, { "type": "logical", "mode": "or", "rules": [{"protocol": "stun"}, {"protocol": "udp"}, {"protocol": "quic"}], "outbound": "out_direct" }, { "ip_is_private": true, "outbound": "out_direct" }, { "rule_set": ["ads"], "action": "reject" }, { "rule_set": ["geosite-geolocation-cn", "geosite-cn", "geoip-cn"], "outbound": "out_direct" } ], "default_domain_resolver": "dns_direct", "final": "out_selector", "auto_detect_interface": true }, "experimental": { "cache_file": {"enabled": true} } }使用以上配置文件,未对openwrt做其他设置,sing-box运行后代理功能正常,同时外网无法访问到192.168.2.5的内网服务器,停止sing-box后,外网恢复访问。
日志
支持我们
完整性要求
The text was updated successfully, but these errors were encountered: