The correct way to set up a side (bypass) router
2022-07-01 21:56:00 【Full stack programmer webmaster】
Hello everyone, we meet again. I'm your friend, Quan Jun.
Recently I've been playing with a side router and stepped into a few pitfalls. I also learned some related knowledge along the way, so I've organized and recorded it here.
I. Configuring the side router
The figure above shows how a side router is connected. A side router generally has only one LAN port; think of it as an ordinary computer connected to the main router. Put the two in the same network segment: for example, the main router (the gateway) is 192.168.3.1 and the side router is configured as 192.168.3.2.
1. Main router configuration: in the DHCP settings, change the gateway and DNS to the side router's IP address, e.g. 192.168.3.2.
2. Side router configuration: turn off DHCP, set the gateway to the main router's address, e.g. 192.168.3.1, and turn off bridging mode. The other settings, such as the subnet mask and broadcast address, need no discussion.
Note: some people turn off DHCP on the main router and turn it on on the side router. Personally, I don't recommend this. DHCP is just an IP distributor and the only difference is who hands out the addresses, but the point of using a side router is to minimize the impact on the main router. With the configuration above, if the side router is removed or develops a problem, you only need to change the DHCP gateway on the main router and restart, which is very convenient.
After this configuration, network traffic flows as shown in the figure below:
"Scientific" (proxied) traffic is processed and NATed on the side router, so both its uplink and downlink pass through the side router for encryption and decryption.
Ordinary traffic is merely forwarded by the side router on the way up, and its IP does not change; on the way down, the main router sees that the IP packet is addressed to the computer and sends it there directly.
This is the ideal arrangement: the side router only encrypts and decrypts proxied traffic. With some main routers, however, this configuration leaves domestic sites unreachable while only foreign ones work, and you must add a firewall rule.
iptables -t nat -I POSTROUTING -j MASQUERADE
Why is that?
Main routers from Huawei, Xiaomi, 360 and the like usually have this problem (I found that they all share one feature: you cannot configure the DHCP gateway). The underlying reason is that these routers verify the correspondence between a packet's IP and MAC address. When the uplink of a domestic packet is forwarded to the main router through the side router, the main router finds that the IP of the packet sent by the side router is not the side router's own, the check fails, and so the ordinary-traffic path in the figure is blocked.
So why does adding the firewall rule fix it? The rule above performs SNAT: it changes the source IP of the packet to that of the current machine, that is, the side router's IP, and it does so dynamically (to cover the case where the side router's IP is dynamic?). Because the rule has no interface or source match, it applies to every connection that leaves the side router. After this configuration, the network traffic becomes as shown in the figure below:
In this way the side router is effectively a secondary router without the routing function. You will find that during a high-speed download, with Xunlei for example, the side router's CPU usage is abnormally high, all of it spent on NAT. That is not the original purpose of the side router, which is to encrypt and decrypt only the proxied traffic.
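The two packet paths described above, as an added Python sketch that is not from the original post. It assumes the main router's check is a simple comparison of the source IP against the MAC it leased that IP to; all addresses, MACs and function names are constructed for illustration.

```python
# Toy model of the upstream/downstream paths with and without MASQUERADE.
# All addresses and MACs below are constructed sample values.
from dataclasses import dataclass, replace

MAIN = ("192.168.3.1", "aa:aa:aa:aa:aa:01")   # main router
SIDE = ("192.168.3.2", "aa:aa:aa:aa:aa:02")   # side router
PC = ("192.168.3.50", "aa:aa:aa:aa:aa:50")    # LAN client

# IP -> MAC pairs a strict main router knows from its own DHCP leases.
BINDINGS = dict([MAIN, SIDE, PC])

@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str
    dst_ip: str

def side_router_forward(frame, masquerade):
    """Forwarding always puts the side router's MAC on the outgoing frame.
    With MASQUERADE the source IP is rewritten to the side router's too."""
    out = replace(frame, src_mac=SIDE[1])
    return replace(out, src_ip=SIDE[0]) if masquerade else out

def main_router_accepts(frame, strict):
    """Assumed check: a strict router drops IP/MAC pairs that match no lease."""
    return (not strict) or BINDINGS.get(frame.src_ip) == frame.src_mac

def reply_next_hop(upstream):
    """The reply is delivered to the LAN IP the request appeared to come from."""
    return "side router" if upstream.src_ip == SIDE[0] else "client directly"

def trace(masquerade, strict):
    """Follow one ordinary (non-proxied) request from the client and back."""
    sent = Frame(PC[0], PC[1], "203.0.113.10")  # documentation-range server
    up = side_router_forward(sent, masquerade)
    if not main_router_accepts(up, strict):
        return "dropped at main router"
    return reply_next_hop(up)

if __name__ == "__main__":
    for masq in (False, True):
        for strict in (False, True):
            print(f"masquerade={masq!s:5} strict={strict!s:5} -> {trace(masq, strict)}")
```

Without the rule, a permissive main router returns replies straight to the client, while a strict one drops the request; with the rule, the request always passes but every reply comes back through the side router.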
Another approach is not to add the firewall rule but to add a WAN port on the side router, sharing the single eth0 port. As I understand it, this is effectively single-arm routing (router on a stick)? In practice it is similar to the above.
It is easy to check whether the correct method has been set up:
1. Watch whether CPU usage is very high during a high-speed download, with Xunlei for example.
2. A more reliable check: look at the upstream and downstream traffic. If configured correctly, the uplink of the side router is greater than the downlink. If the two are the same and the data flow is large (this is obvious during a high-speed download), there is a problem with the configuration.
This is the download speed :
Uplink and downlink speeds and CPU usage when correctly configured:
Uplink and downlink speeds and CPU usage when misconfigured:
3. The most reliable check is to look at the connected-device information on the main router: you will find that the device's IP is the computer's, but the MAC address is the soft router's.
Of course, if the main router is a Huawei, Xiaomi, 360 or similar, there is no way around it. You can only add the firewall rule or a WAN port and use NAT to avoid its check (in that case it is better to simply set it up as a secondary router, which saves time and worry), or replace the main router.
Publisher: Full stack programmer stack length. When reprinting, please indicate the source: https://javaforall.cn/130484.html Link to the original text: https://javaforall.cn