OpenWrt的两种模式:桥接模式与路由模式

admin管理员组

文章数量:1534217

2024年6月26日发(作者：)

OpenWrt的两种模式：桥接模式与路由模式

1、桥接模式（Bridged AP Mode ）：

通过OpenWrt 设备做桥，连接到OpenWrt的无线设备是由此网段192.168.1.0网段中的路

由来分配IP地址的，所以此网段中的所有设备都是互通互连的！

OpenWrt设备的桥接配置方式：

[plain]

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'

option ifname 'lo'

option proto 'static'

option ipaddr '127.0.0.1'

option netmask '255.0.0.0'

config interface 'lan'

option ifname 'eth0'

option type 'bridge'

option proto 'static'

option ipaddr '192.168.1.129'

option netmask '255.255.255.0'

option gateway '192.168.1.1'

option dns '202.101.172.46'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device radio0

option type mac80211

option channel 11

option hwmode 11ng

option path 'platform/ar933x_wmac'

option htmode HT20

list ht_capab SHORT-GI-20

list ht_capab SHORT-GI-40

list ht_capab RX-STBC1

list ht_capab DSSS_CCK-40

# REMOVE THIS LINE TO ENABLE WIFI:

# option disabled 1

config wifi-iface

option device radio0

option network lan

option mode ap

option ssid OpenWrt

option encryption none

root@OpenWrt:~# cat /etc/config/firewall

config defaults

option syn_flood 1

option input ACCEPT

option output ACCEPT

option forward REJECT

# Uncomment this line to disable ipv6 rules

# option disable_ipv6 1

config zone

option name lan

option network 'lan'

option input ACCEPT

option output ACCEPT

option forward REJECT

config zone

option name wan

option network 'wan'

option input REJECT

option output ACCEPT

option forward REJECT

option masq 1

option mtu_fix 1

config forwarding

option src lan

option dest wan

# We need to accept udp packets on port 68,

# see /ticket/4108

config rule

option name Allow-DHCP-Renew

option src wan

option proto udp

option dest_port 68

option target ACCEPT

option family ipv4

# Allow IPv4 ping

config rule

option name Allow-Ping

option src wan

option proto icmp

option icmp_type echo-request

option family ipv4

option target ACCEPT

# Allow DHCPv6 replies

# see /ticket/10381

config rule

option name Allow-DHCPv6

option src wan

option proto udp

option src_ip fe80::/10

option src_port 547

option dest_ip fe80::/10

option dest_port 546

option family ipv6

option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic

config rule

option name Allow-ICMPv6-Input

option src wan

option proto icmp

list icmp_type echo-request

list icmp_type echo-reply

list icmp_type destination-unreachable

list icmp_type packet-too-big

list icmp_type time-exceeded

list icmp_type bad-header

list icmp_type unknown-header-type

list icmp_type router-solicitation

list icmp_type neighbour-solicitation

list icmp_type router-advertisement

list icmp_type neighbour-advertisement

option limit 1000/sec

option family ipv6

option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic

config rule

option name Allow-ICMPv6-Forward

option src wan

option dest *

option proto icmp

list icmp_type echo-request

list icmp_type echo-reply

list icmp_type destination-unreachable

list icmp_type packet-too-big

list icmp_type time-exceeded

list icmp_type bad-header

list icmp_type unknown-header-type

option limit 1000/sec

option family ipv6

option target ACCEPT

# Block ULA-traffic from leaking out

config rule

option name Enforce-ULA-Border-Src

option src *

option dest wan

option proto all

option src_ip fc00::/7

option family ipv6

option target REJECT

config rule

option name Enforce-ULA-Border-Dest

option src *

option dest wan

option proto all

option dest_ip fc00::/7

option family ipv6

option target REJECT

# include a file with users custom iptables rules

config include

option path /etc/

### EXAMPLE CONFIG SECTIONS

# do not allow a specific ip to access wan

#config rule

# option src lan

# option src_ip 192.168.45.2

# option dest wan

# option proto tcp

# option target REJECT

# block a specific mac on wan

#config rule

# option dest wan

# option src_mac 00:11:22:33:44:66

# option target REJECT

# block incoming ICMP traffic on a zone

#config rule

# option src lan

# option proto ICMP

# option target DROP

# port redirect port coming in on wan to lan

#config redirect

# option src wan

# option src_dport 80

# option dest lan

# option dest_ip 192.168.16.235

# option dest_port 80

# option proto tcp

# port redirect of remapped ssh port (22001) on wan

#config redirect

# option src wan

# option src_dport 22001

# option dest lan

# option dest_port 22

# option proto tcp

# allow IPsec/ESP and ISAKMP passthrough

#config rule

# option src wan

# option dest lan

# option protocol esp

# option target ACCEPT

#config rule

# option src wan

# option dest lan

# option src_port 500

# option dest_port 500

# option proto udp

# option target ACCEPT

### FULL CONFIG SECTIONS

#config rule

# option src lan

# option src_ip 192.168.45.2

# option src_mac 00:11:22:33:44:55

# option src_port 80

# option dest wan

# option dest_ip 194.25.2.129

# option dest_port 120

# option proto tcp

# option target REJECT

#config redirect

# option src lan

# option src_ip 192.168.45.2

# option src_mac 00:11:22:33:44:55

# option src_port 1024

# option src_dport 80

# option dest_ip 194.25.2.129

# option dest_port 120

# option proto tcp

2、路由模式（Routed AP Mode）：

OpenWrt 设备做路由时，连接到OpenWrt的无线设备是由OpenWrt路由设备本身来分配IP

地址的，所以通过无线连接到OpenWrt网段中的所有设备都与原来的192.168.1.0网段的

设备不通（OpenWrt设备本身除外）！

OpenWrt设备的路由配置方式：

[plain]

root@OpenWrt:/# vi /etc/config/network

config interface 'loopback'

option ifname 'lo'

option proto 'static'

option ipaddr '127.0.0.1'

option netmask '255.0.0.0'

config interface 'wan'

option ifname 'eth0'

option proto 'static'

option ipaddr '192.168.1.129'

option netmask '255.255.255.0'

option gateway '192.168.1.1'

option dns '202.101.172.46'

config 'interface' 'wifi'

option 'proto' 'static'

option 'ipaddr' '192.168.2.1'

option 'netmask' '255.255.255.0'

root@OpenWrt:/# vi /etc/config/wireless

config wifi-device radio0

option type mac80211

option channel 11

option hwmode 11ng

option path 'platform/ar933x_wmac'

option htmode HT20

list ht_capab SHORT-GI-20

list ht_capab SHORT-GI-40

list ht_capab RX-STBC1

list ht_capab DSSS_CCK-40

# REMOVE THIS LINE TO ENABLE WIFI:

config wifi-iface

option device radio0

option network wifi

option mode ap

option ssid OpenWrt

option encryption none

root@OpenWrt:/# vi /etc/config/dhcp

config dnsmasq

option domainneeded 1

option boguspriv 1

option filterwin2k 0 # enable for dial on demand

option localise_queries 1

option rebind_protection 1 # disable if upstream must serve

RFC1918 addresses

option rebind_localhost 1 # enable for RBL checking and similar

services

#list rebind_domain # whitelist RFC1918 responses for

domains

option local '/lan/'

option domain 'lan'

option expandhosts 1

option nonegcache 0

option authoritative 1

option readethers 1

option leasefile '/tmp/'

option resolvfile '/tmp/'

#list server '//1.2.3.4'

#option nonwildcard 1

#list interface br-lan

#list notinterface lo

#list bogusnxdomain '64.94.110.11'

config dhcp lan

option interface lan

option start 100

option limit 150

option leasetime 12h

config dhcp wan

option interface wan

option ignore 1

config dhcp wifi

option interface wifi

option start 100

option limit 150

option leasetime 12h

root@OpenWrt:/# vi /etc/config/firewall

config defaults

option syn_flood '1'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'REJECT'

config zone

option name 'wifi'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'ACCEPT'

config zone

option name 'lan'

option network 'lan'

option input 'ACCEPT'

option output 'ACCEPT'

option forward 'ACCEPT'

config zone

option name 'wan'

option network 'wan'

option output 'ACCEPT'

option masq '1'

option mtu_fix '1'

option input 'REJECT'

option forward 'REJECT'

config forwarding

option src 'lan'

option dest 'wan'

config forwarding

option src 'wifi'

option dest 'wan'

config forwarding

option src 'lan'

option dest 'wifi'

config forwarding

option src 'wifi'

option dest 'lan'

config rule

option name 'Allow-DHCP-Renew'

option src 'wan'

option proto 'udp'

option dest_port '68'

option target 'ACCEPT'

option family 'ipv4'

config rule

option name 'Allow-Ping'

option src 'wan'

option proto 'icmp'

option icmp_type 'echo-request'

option family 'ipv4'

option target 'ACCEPT'

config rule

option name 'Allow-DHCPv6'

option src 'wan'

option proto 'udp'

option src_ip 'fe80::/10'

option src_port '547'

option dest_ip 'fe80::/10'

option dest_port '546'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Input'

option src 'wan'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

list icmp_type 'router-solicitation'

list icmp_type 'neighbour-solicitation'

list icmp_type 'router-advertisement'

list icmp_type 'neighbour-advertisement'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Allow-ICMPv6-Forward'

option src 'wan'

option dest '*'

option proto 'icmp'

list icmp_type 'echo-request'

list icmp_type 'echo-reply'

list icmp_type 'destination-unreachable'

list icmp_type 'packet-too-big'

list icmp_type 'time-exceeded'

list icmp_type 'bad-header'

list icmp_type 'unknown-header-type'

option limit '1000/sec'

option family 'ipv6'

option target 'ACCEPT'

config rule

option name 'Enforce-ULA-Border-Src'

option src '*'

option dest 'wan'

option proto 'all'

option src_ip 'fc00::/7'

option family 'ipv6'

option target 'REJECT'

config rule

option name 'Enforce-ULA-Border-Dest'

option src '*'

option dest 'wan'

option proto 'all'

option dest_ip 'fc00::/7'

option family 'ipv6'

option target 'REJECT'

config include

option path '/etc/'

重启相应配置：

[html]

root@OpenWrt:/# /etc/init.d/network restart

Configuration file: /var/run/

Using interface wlan0 with hwaddr ec:17:2f:9e:12:f2 and ssid "OpenWrt"

root@OpenWrt:/# /etc/init.d/dnsmasq restart

/net/201306/

本文标签： 设备模式路由桥接配置