
#1 2021-09-14 11:08:59

1ndeed
Member
Registered: 2018-09-28
Posts: 41

Router within Archlinux Running Clash within Router

What I want:

Internet
│
Modem(192.168.1.1)
│
Router 1(192.168.31.1)
│
Archlinux
    ├─(192.168.31.131) no proxy
    ├─(127.0.0.1:8007) Clash Transparent Proxy
    └─(192.168.21.1)   proxy
             │
             └───Router 2
                  ├─(192.168.21.100)
                  └─(192.168.2.1)
                         ├─...
                         ├─...
                         └─...

What I have:

# ip route                                   
default via 192.168.31.1 dev ens33 proto dhcp metric 100 
192.168.21.0/24 dev enp3s4 proto kernel scope link src 192.168.21.1 
192.168.31.0/24 dev ens33 proto kernel scope link src 192.168.31.131 metric 100
# systemctl status dhcpd4.service
     Active: active (running)
Sep 14 17:33:01 one systemd[1]: Started IPv4 DHCP server.
Sep 14 17:33:01 one dhcpd: Server starting service.
Sep 14 17:33:02 one dhcpd: DHCPDISCOVER from fc:7c:02:10:2e:b0 via enp3s4
Sep 14 17:33:03 one dhcpd: DHCPOFFER on 192.168.21.100 to fc:7c:02:10:2e:b0 via enp3s4
Sep 14 17:33:03 one dhcpd: DHCPREQUEST for 192.168.21.100 (192.168.21.1) from fc:7c:02:10:2e:b0 via enp3s4
Sep 14 17:33:03 one dhcpd: DHCPACK on 192.168.21.100 to fc:7c:02:10:2e:b0 via enp3s4
# iptables -t nat -vnL
Chain OUTPUT (policy ACCEPT 6 packets, 530 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   472 clash      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
Chain clash (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 5003
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/8           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
    0     0 RETURN     all  --  *      *       0.0.0.0/0            169.254.0.0/16      
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
    1   232 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16      
    0     0 RETURN     all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            240.0.0.0/4         
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            redir ports 8007
# systemctl status clash.service
     Active: active (running)
Sep 14 18:29:09 one clash: level=info msg="Start initial compatible provider"
Sep 14 18:29:09 one clash: level=info msg="Redirect proxy listening at: 127.0.0.1:8007"
# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

My Problem
When I connect to Router 2, there is no internet.

  • I can see the IP of Router 2, which is 192.168.21.100.

  • While connecting to Router 2, I can successfully ping 192.168.2.1, 192.168.21.1 and 192.168.31.131, but NOT 192.168.31.1.

What should I do?

Last edited by 1ndeed (2021-09-14 11:11:05)


#2 2021-09-14 11:51:50

solskog
Member
Registered: 2020-09-05
Posts: 416

Re: Router within Archlinux Running Clash within Router

While connecting to Router 2, I can successfully ping 192.168.2.1, 192.168.21.1 and 192.168.31.131, but NOT 192.168.31.1.

It means yet another NAT is required to forward packets between 192.168.21.0/24 and 192.168.31.0/24?
Mtr is a better tool than ping/tracepath

# pacman -S mtr
# mtr 8.8.8.8


#3 2021-09-14 12:47:16

1ndeed
Member
Registered: 2018-09-28
Posts: 41

Re: Router within Archlinux Running Clash within Router

solskog wrote:

While connecting to Router 2, I can successfully ping 192.168.2.1, 192.168.21.1 and 192.168.31.131, but NOT 192.168.31.1.

It means yet another NAT is required to forward packets between 192.168.21.0/24 and 192.168.31.0/24?
Mtr is a better tool than ping/tracepath

# pacman -S mtr
# mtr 8.8.8.8
# mtr -4n 192.168.31.1
 Host                     Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.2.1            0.0%    13    1.8  13.8   1.4  94.2  29.9
 2. 192.168.21.1           0.0%    13    1.4   4.5   1.4  31.0   8.1 
 3. (waiting for reply)

But how? Networking is not my thing... Can you show me the steps?


#4 2021-09-15 05:21:34

solskog
Member
Registered: 2020-09-05
Posts: 416

Re: Router within Archlinux Running Clash within Router

Let me try and understand your goal:
To use clash as an http/socks5 proxy server for your clients on the 192.168.2.0/24 network? In that case, what is the purpose of Router 2? The clash proxy is capable of serving multiple clients, isn't it?
If both Router 1 and Router 2 are required, what if you place your clash proxy server behind Router 2 instead?
Why can't Archlinux use a single NIC for ingress and egress? That is much more efficient than routing or NAT between two NICs. Something like the following is much simpler and easier to maintain.

Internet
│
Modem(192.168.1.1) NAT
│
Router 1(192.168.31.1) NAT
│
│--Archlinux
│    ├─(192.168.31.254:8007) Clash Proxy with static assigned address
│--PC1
│    ├─(192.168.31.100) firefox socks5 client
│--Mobile1
│      ├─(192.168.31.101) safari https proxy client
...

When a proxy is desired:
The proxy traffic from firefox/safari will go through clash. Since all clients are on the same subnet, no routing/NAT is required and the fast switching ASIC on the router is used.
When no proxy is desired:
E.g. pacman -Syu. The traffic will go directly through the router; no traffic will be generated on the clash server.

Last edited by solskog (2021-09-15 05:36:36)


#5 2021-09-15 05:50:23

1ndeed
Member
Registered: 2018-09-28
Posts: 41

Re: Router within Archlinux Running Clash within Router

solskog wrote:

Let me try and understand your goal:
To use clash as an http/socks5 proxy server for your clients on the 192.168.2.0/24 network? In that case, what is the purpose of Router 2? The clash proxy is capable of serving multiple clients, isn't it?
If both Router 1 and Router 2 are required, what if you place your clash proxy server behind Router 2 instead?
Why can't Archlinux use a single NIC for ingress and egress? That is much more efficient than routing or NAT between two NICs. Something like the following is much simpler and easier to maintain.

Internet
│
Modem(192.168.1.1) NAT
│
Router 1(192.168.31.1) NAT
│
Archlinux
    ├─(192.168.31.254:8007) Clash Proxy with static assigned address
PC1
  ├─(192.168.31.100) firefox socks5 client
Mobile1
      ├─(192.168.31.101) safari https proxy client
...

No, not http/socks5, but transparent proxy.

You see, I can do this to get all traffic on Archlinux transparently proxied without having to export https_proxy=....

# curl -4 ident.me
my_ip
# systemctl start clash

# sudo iptables -t nat -N clash
# sudo iptables -t nat -A clash -m owner --uid-owner 5003 -j RETURN
# sudo iptables -t nat -A clash -d 0.0.0.0/8 -j RETURN
# sudo iptables -t nat -A clash -d 127.0.0.0/8 -j RETURN
# sudo iptables -t nat -A clash -d 10.0.0.0/8 -j RETURN
# sudo iptables -t nat -A clash -d 169.254.0.0/16 -j RETURN
# sudo iptables -t nat -A clash -d 172.16.0.0/12 -j RETURN
# sudo iptables -t nat -A clash -d 192.168.0.0/16 -j RETURN
# sudo iptables -t nat -A clash -d 224.0.0.0/4 -j RETURN
# sudo iptables -t nat -A clash -d 240.0.0.0/4 -j RETURN
# sudo iptables -t nat -A clash -p tcp -j REDIRECT --to-ports 8007
# sudo iptables -t nat -A OUTPUT -p tcp -j clash

# curl -4 ident.me
proxied_ip

Before, I only had one network interface (192.168.31.1/24). Now I have another network interface (192.168.21.1/24).
So what I really want is to get all traffic on Archlinux proxied like I did before. So when I plug Router 2 into the second network interface, all clients of Router 2 will be proxied without them even knowing it. And all clients under Router 1 are not proxied.
When I want to use the proxy, I just connect to the Wi-Fi of Router 2. When I don't, I just switch to the Wi-Fi of Router 1.
Also, it would be better if the Archlinux machine only proxied Router 2 rather than all its traffic, so I can save bandwidth.

The reason I use Archlinux machine to run clash rather than the Router 2 or 1 is because they have poor performance.

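The symptoms in post #1 (clients behind Router 2 reach 192.168.21.1 and 192.168.31.131 but not 192.168.31.1; the mtr in post #3 goes quiet after hop 2) and the goal in post #5 (only Router 2's clients proxied, Router 1's clients and the Arch box itself left alone) have one cause: the nat OUTPUT chain only sees packets the Arch box generates itself. Packets forwarded from enp3s4 take PREROUTING, FORWARD and POSTROUTING instead, so nothing from 192.168.21.0/24 is ever redirected, and with no source NAT on ens33 they reach Router 1 with a 192.168.21.x source address that Router 1 has no route back to. The script below is an added example, not something posted in the thread. It generates the ruleset for that forwarded path, using the interface names, subnets and port from the posts, and makes two assumptions: that the clash redir listener is rebound from 127.0.0.1 to 192.168.21.1 or to all addresses (REDIRECT in PREROUTING rewrites the destination to the address of the interface the packet arrived on, so a listener on 127.0.0.1 never sees it; in clash's config.yaml this is the allow-lan / bind-address pair), and that nothing else already manipulates the nat and filter tables.

```sh
#!/bin/sh
# Added example (not posted in the thread): the iptables rules that post #1 is
# missing for traffic *forwarded* from Router 2, generated as text so they can
# be reviewed first.  Interface names, subnets and port come from the posts;
# override them through the environment if yours differ.
#   sh clash-router.sh          # print the rules
#   sh clash-router.sh apply    # install them (as root)

LAN_IF="${LAN_IF:-enp3s4}"             # towards Router 2 (192.168.21.1)
WAN_IF="${WAN_IF:-ens33}"              # towards Router 1 (192.168.31.131)
LAN_NET="${LAN_NET:-192.168.21.0/24}"
REDIR_PORT="${REDIR_PORT:-8007}"       # clash "Redirect proxy listening at" port

# Destinations never sent into the proxy: same list as the OUTPUT chain in
# post #5, so clients still reach 192.168.2.1 / 192.168.21.1 directly.
BYPASS_NETS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

clash_fwd_rules() {
    # 1. Redirect in PREROUTING.  The OUTPUT chain only sees packets the Arch
    #    box generates itself; packets arriving from Router 2 traverse
    #    PREROUTING -> FORWARD -> POSTROUTING and never touch OUTPUT.
    echo "iptables -t nat -N clash_fwd"
    for net in $BYPASS_NETS; do
        echo "iptables -t nat -A clash_fwd -d $net -j RETURN"
    done
    # REDIRECT rewrites the destination to the address of the incoming
    # interface (192.168.21.1:$REDIR_PORT), so clash must listen there or on
    # all addresses, not only on 127.0.0.1 as in post #1's log.
    echo "iptables -t nat -A clash_fwd -p tcp -j REDIRECT --to-ports $REDIR_PORT"
    # Hook only what enters on the Router 2 side: Router 1's clients and the
    # Arch box's own traffic (pacman -Syu ...) stay unproxied, as post #5 asks.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -j clash_fwd"

    # 2. Source NAT for everything that is not redirected (UDP, bypassed
    #    destinations).  Without it Router 1 sees packets from 192.168.21.x,
    #    has no route back to that subnet and the replies are lost: that is
    #    why 192.168.31.131 (directly attached) answers but 192.168.31.1 does
    #    not, and why mtr in post #3 goes quiet after hop 2.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"

    # 3. Permit forwarding between the two NICs in the filter table; a
    #    hardened host may have FORWARD policy DROP.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of generated rules that touch the nat OUTPUT chain.  Must be 0:
# the Arch box's own traffic is deliberately left alone.
output_chain_rules() {
    clash_fwd_rules | grep -c -- '-A OUTPUT' || true
}

case "${1:-print}" in
    apply) clash_fwd_rules | sh -e ;;
    *)     clash_fwd_rules ;;
esac
```

Run it without arguments to read the rules, then with apply as root to install them. Like the OUTPUT chain in post #5, only TCP is redirected: clients' UDP traffic, DNS lookups included, leaves through the MASQUERADE rule unproxied, which is worth knowing before relying on the Router 2 path for privacy.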

#6 2021-09-15 06:10:51

solskog
Member
Registered: 2020-09-05
Posts: 416

Re: Router within Archlinux Running Clash within Router

Before I only have one network interface(192.168.31.1/24). Now I have another network interface(192.168.21.1/24).

Your router is not capable of doing VLANs with a separate SSID? An investment in a better router will save your hair and headache later on :-).
Well, you can still accomplish your goal with your current equipment, but you may have to make the Archlinux box yet another router/NAT. In that case, every packet through the proxy has to go through NAT 4 or 5 times.

Last edited by solskog (2021-09-15 06:22:29)


#7 2021-09-15 06:51:33

1ndeed
Member
Registered: 2018-09-28
Posts: 41

Re: Router within Archlinux Running Clash within Router

solskog wrote:

Before I only have one network interface(192.168.31.1/24). Now I have another network interface(192.168.21.1/24).

Your router is not capable of doing VLANs with a separate SSID? An investment in a better router will save your hair and headache later on :-).
Well, you can still accomplish your goal with your current equipment, but you may have to make the Archlinux box yet another router/NAT. In that case, every packet through the proxy has to go through NAT 4 or 5 times.

I've heard of this kind of solution before. But right now I just want to reach the bottom of this rabbit hole because it's so interesting. Please tell me how to do it.

PS: Actually, there are issues with Router 1. Its internal storage somehow becomes very slow, and running clash on it sometimes becomes unusable. I can't manage to install a 3rd-party ROM on Router 2. That is A LOT of headache. I happen to have this Archlinux server at home. So why not?


#8 2021-09-15 07:40:29

solskog
Member
Registered: 2020-09-05
Posts: 416

Re: Router within Archlinux Running Clash within Router

I've heard of this kind of solution before. But right now I just want to reach the bottom of this rabbit hole because it's so interesting. Please tell me how to do it.

No, I don't have a direct answer/commands to turn an Archlinux machine into a router; the reason is written on the Arch wiki

https://wiki.archlinux.org/title/Router wrote:

To strengthen its security it should NOT run any services available to the outside world. Towards the LAN, run only gateway specific services; especially do NOT run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN since they introduce security risks.

But if you insist on experimenting, go ahead.

Last edited by solskog (2021-09-15 07:42:30)

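The wiki's warning quoted above applies directly to this setup. Once clash's redir listener is moved off 127.0.0.1 so that a PREROUTING REDIRECT can reach it, port 8007 is open on every interface, including ens33 towards Router 1's LAN, and any host there can use the Arch box as an open proxy. The script below is an added example, not from the thread or from the clash project: it lists the TCP listeners bound to a non-loopback address (parsed from ss -Hltn output; the sample embedded here is constructed, not taken from the poster's machine) and emits INPUT rules that admit the proxy port only from the Router 2 side. Interface names and the port are the thread's; the sample listener lines are assumptions.

```sh
#!/bin/sh
# Added example (not posted in the thread): audit which TCP listeners on the
# Arch box are reachable from outside it, then emit INPUT rules so that the
# clash redir port is accepted only on the Router 2 side.  Interface names
# and port are the thread's; the ss(8) sample below is constructed.

LAN_IF="${LAN_IF:-enp3s4}"         # towards Router 2, the only side that should reach clash
WAN_IF="${WAN_IF:-ens33}"          # towards Router 1's LAN
PROXY_PORT="${PROXY_PORT:-8007}"

# Constructed `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port),
# showing clash rebound to all addresses as the REDIRECT path requires,
# plus sshd and two loopback-only services.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:53 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8007 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:8007 [::]:*
LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*'

# Print "address port" for each listener not bound to loopback.
# Use: exposed_listeners "$(ss -Hltn)" on a live host.
exposed_listeners() {
    printf '%s\n' "${1:-$SAMPLE_SS}" | awk '
        NF >= 4 {
            n = split($4, a, ":"); port = a[n]
            addr = $4; sub(":" port "$", "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") print addr, port
        }'
}

# INPUT rules: accept the proxy port from LAN_IF, drop it from WAN_IF, and
# drop it over IPv6 entirely (the thread is IPv4-only).  Everything else on
# the box is left to the existing INPUT policy.
listener_guard_rules() {
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $PROXY_PORT -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport $PROXY_PORT -j DROP"
}

case "${1:-print}" in
    apply) listener_guard_rules | sh -e ;;
    *)     echo "# listeners reachable from outside this host:"
           exposed_listeners | sed 's/^/#   /'
           listener_guard_rules ;;
esac
```

On the real box, feed it live data with exposed_listeners "$(ss -Hltn)" and expect to see 8007 on 0.0.0.0 or [::] once clash is rebound; sshd on 22 showing up is the reminder that the audit covers more than the proxy. The INPUT rules are defence in depth on top of whatever clash's own allow-lan setting does, and they rely on the REDIRECT having rewritten the destination to the enp3s4 address, which is why matching on the incoming interface is enough.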
