[Router OS] Complete hAP AX3 configuration, for reference

Posted on 2023-5-29 11:14
Last edited by mantouboji on 2024-1-17 00:23

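This is set up as a second-tier router: the ether1 port connects to the China Mobile broadband optical modem, and the dial-up is done on the modem.

It includes a WireGuard connection to an overseas VPS; the VPS also has to run the OSPF protocol under bird2, which controls how the AX3 splits traffic by IP address.

Sensitive information in the configuration file has been scrubbed; every place where you need to fill in your own parameters is written in all capital letters. The VPS address is written as MY_VPS_IP; I trust you will change it to your own.

Updated to the latest state: added the container configuration, with AdGuard Home running in a container, so an external little box running DNS is no longer needed.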

```
# 2024-01-16 16:40:17 by RouterOS 7.13.2
#
# model = C53UiG+5HPaxD2HPaxD
# Network interfaces
/interface bridge add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf ingress-filtering=no name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface bridge add name=dockers
/interface vlan add comment=Guest interface=bridge1 name=vlan1_iot vlan-id=1003
# Wifi
/interface wifi set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=China .mode=ap .ssid=MYWIFI disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MY_WIFI_PASS
/interface wifi set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=China .mode=ap .ssid=MYWIFI disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MY_WIFI_PASS
/interface wifi security add authentication-types=wpa-psk,wpa2-psk name=Guest passphrase=1234567890
/interface wifi add comment="Guest wifi 5G" configuration.mode=ap .ssid=MYWIFI_IOT datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:11:22:33 master-interface=wifi1 name=wifi3 security=Guest
/interface wifi add comment="Guest wifi 2.4G" configuration.mode=ap .ssid=MYWIFI_IOT datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:11:22:44 master-interface=wifi2 name=wifi4 security=Guest
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
# for DHCP
/ip pool add name=dhcp ranges=192.168.88.100-192.168.88.199
/ip pool add name=pool_iot ranges=192.168.90.100-192.168.90.200
/ip pool add name=virtual** ranges=192.168.89.2-192.168.89.255
/ip dhcp-server add address-pool=dhcp interface=bridge1 lease-time=1w name=defconf
/ip dhcp-server add address-pool=pool_iot comment=Guest interface=vlan1_iot lease-time=1w name=dhcp-iot
#
# Wireguard
#
/interface wireguard add comment=VPS listen-port=13231 mtu=1412 name=wg1 private-key="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
/interface wireguard add comment="My back to home" listen-port=16384 mtu=1412 name=wg2 private-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
/interface wireguard peers add allowed-address=0.0.0.0/0,::/0 comment=MYVPS endpoint-address=MY_VPS_IP endpoint-port=12345 interface=wg1 persistent-keepalive=25s public-key="BBBBBBBBBBBBBBBBBB"
/interface wireguard peers add allowed-address=192.168.89.100/32,fd80:1111:2222:89::100/128 client-address=192.168.89.100/24,fd80:1111:2222:89::100/64 client-dns=192.168.89.1 client-endpoint=MY_DDNS_NAME client-keepalive=25s comment="Opiz2new z22" interface=wg2 preshared-key="auto" private-key="auto" public-key="auto"
#
# OSPF
#
/routing ospf instance add comment="VPS OSPF IPv4" disabled=no name=ospf-instance-v4 router-id=10.10.6.30
/routing ospf instance add comment="VPS OSPF IPv6" disabled=no name=ospf-instance-v6 router-id=10.10.6.30 version=3
/routing ospf area add comment="VPS IPv4" disabled=no instance=ospf-instance-v4 name=ospf-area-v4
/routing ospf area add comment="VPS IPv6" disabled=no instance=ospf-instance-v6 name=ospf-area-v6
/routing table add comment="No VPS" disabled=no fib name=DirectWAN
#
/system logging action set 3 remote=MY_RSYSLOG_HOST
#
# Container
#
/interface veth add address=172.16.88.10/24,fd80:1111:2222:88::10/64 comment="docker mdns-repeater interface for vlan 1 and 1003" gateway=172.16.88.1 gateway6=fd80:1111:2222:88::1 name=veth-trunk
/interface veth add address=172.16.88.2/24,fd80:1111:2222:88::2/64 gateway=172.16.88.1 gateway6=fd80:1111:2222:88::1 name=veth1
/container add comment="AdGuard Home" dns=114.114.114.114 interface=veth1 logging=yes root-dir=/usb2-part1/adguardhome start-on-boot=yes workdir=/opt/adguardhome/work
/container add comment="mdns-repeater for vlan 1 & 1003 " envlist=repeater_envs hostname=mdns-repeater interface=veth-trunk logging=yes root-dir=usb2-part1/mdns-repeater start-on-boot=yes
/container config set registry-url=https://registry-1.docker.io tmpdir=usb2-part1
/container envs add comment="mdns-repeater (FLO-254)" key=REPEATER_INTERFACES name=repeater_envs value="eth0 eth0.1003"
/interface bridge port add bridge=dockers interface=veth1
/interface bridge port add bridge=bridge1 comment="docker mdns-repeater interface for vlan 1 and 1003 PVID DOESN'T MATTER!" interface=veth-trunk
#
# Bridge
#
/interface bridge port add bridge=bridge1 comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wifi1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=wifi3 internal-path-cost=10 path-cost=10 pvid=1003
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=wifi4 internal-path-cost=10 path-cost=10 pvid=1003
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan1_iot internal-path-cost=10 path-cost=10 pvid=1003
/interface bridge vlan add bridge=bridge1 comment=Guest tagged=bridge1,veth-trunk,wifi3,wifi4 vlan-ids=1003
#
# Interface list
#
/interface list member add comment=defconf interface=bridge1 list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=wg1 list=WAN
/interface list member add interface=vlan1_iot list=LAN
/interface list member add interface=wg2 list=LAN
/interface list member add interface=veth-trunk list=LAN
/interface list member add interface=veth1 list=LAN
#
# IPv4 Address
#
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip address add address=192.168.90.1/24 comment=Guest interface=vlan1_iot network=192.168.90.0
/ip address add address=192.168.89.1/24 comment="Inner WG" interface=wg2 network=192.168.89.0
/ip address add address=10.10.6.30/24 comment=VPS interface=wg1 network=10.10.6.0
/ip address add address=172.16.88.1/24 interface=dockers network=172.16.88.0
# DHCP
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dhcp-server network add address=192.168.90.0/24 comment=Guest dns-server=192.168.90.1 gateway=192.168.90.1
# DNS
/ip dns set allow-remote-requests=yes servers=172.16.88.2
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip dns static add address=159.69.43.243 name=dynv6.com
#
# IPv4 firewall
#
/ip firewall address-list add address=MY_VPS_IP list=vps
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow all from inner" in-interface-list=!WAN
/ip firewall filter add action=accept chain=input comment="Allow SSH HTTPS" dst-port=22,443 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=input comment=OSPF protocol=ospf
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward in-interface-list=!WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=vps new-routing-mark=DirectWAN passthrough=yes
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=3000 protocol=tcp to-addresses=172.16.88.2 to-ports=3000 comment="AdGuard config"
/ip firewall nat add action=dst-nat chain=dstnat dst-port=8088 protocol=tcp to-addresses=172.16.88.2 to-ports=8088 comment="AdGuard Web"
#
#
#
/ip nat-pmp set enabled=yes
/ip nat-pmp interfaces add interface=ether1 type=external
/ip nat-pmp interfaces add interface=bridge1 type=internal
/ip nat-pmp interfaces add interface=vlan1_iot type=internal
/ip route add gateway=ether1 routing-table=DirectWAN
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set www-ssl certificate=letsencrypt-autogen_2024-01-11T16:54:10Z disabled=no
/ip service set api disabled=yes
/ip service set api-ssl certificate=letsencrypt-autogen_2024-01-11T16:54:10Z
/ip ssh set host-key-type=ed25519 strong-crypto=yes
# uPnP
/ip upnp set enabled=yes
/ip upnp interfaces add interface=bridge1 type=internal
/ip upnp interfaces add interface=ether1 type=external
/ip upnp interfaces add interface=vlan1_iot type=internal
#
# IPv6
/ipv6 settings set accept-router-advertisements=yes
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=v6pool prefix-hint=::/62 request=address,prefix script=dynv6 use-peer-dns=no
/ipv6 address add address=fd80:1111:2222::30 comment=VPS interface=wg1
/ipv6 address add address=::1 from-pool=v6pool interface=bridge1
/ipv6 address add address=::1 from-pool=v6pool interface=vlan1_iot
/ipv6 address add address=fd80:1111:2222:89::1 interface=wg2
/ipv6 address add address=fd80:1111:2222:88::1 interface=dockers
/ipv6 dhcp-server add address-pool=v6pool interface=bridge1 name=local
#
# IPv6 Firewall
#
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=2409:801e:2000::2/128 list=dns
/ipv6 firewall address-list add address=2409:801e:2000::1/128 list=dns
/ipv6 firewall filter add action=accept chain=forward comment="Allow all from LAN" in-interface-list=LAN
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=accept chain=input comment="Accept all from inner" in-interface-list=!WAN
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="allow WWW" disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
/ipv6 firewall filter add action=accept chain=input comment="Allow SSH,HTTPS" dst-port=22,443 in-interface-list=WAN protocol=tcp
/ipv6 firewall filter add action=accept chain=input comment="Inner WG" dst-port=16384 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment=OSPF protocol=ospf
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=accept chain=forward comment="Allow SSH WWW HTTPS from WAN" dst-port=22,80,443 in-interface-list=WAN protocol=tcp
/ipv6 firewall filter add action=drop chain=output comment="block china DNS server" dst-address-list=dns
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall nat add action=masquerade chain=srcnat out-interface=wg1
/ipv6 firewall nat add action=masquerade chain=srcnat comment="local WG out" out-interface=ether1 src-address=fd80::/16
/ipv6 firewall nat add action=dst-nat chain=dstnat dst-port=8088 protocol=tcp to-address=fd80:1111:2222:88::2/128
/ipv6 nd set [ find default=yes ] advertise-dns=no hop-limit=64 managed-address-configuration=yes reachable-time=10m
/ipv6 nd prefix add interface=ether1
#
# Routing
#
/routing igmp-proxy interface add interface=ether1 upstream=yes
/routing igmp-proxy interface add interface=bridge1
/routing igmp-proxy interface add interface=vlan1_iot
/routing ospf interface-template add area=ospf-area-v4 comment="VPS IPv4" disabled=no interfaces=wg1 type=ptp
/routing ospf interface-template add area=ospf-area-v6 comment="VPS IPv6" disabled=no interfaces=wg1 type=ptp
/routing rule add action=lookup-only-in-table disabled=no interface=ether1 routing-mark=DirectWAN table=DirectWAN
#
# System
#
/system clock set time-zone-name=Asia/Shanghai
/system identity set name=MikroTikAx3
/system logging add action=remote topics=critical
/system logging add action=remote topics=warning
/system logging add action=remote topics=script
/system logging add action=remote topics=info
/system logging add action=remote topics=netwatch
/system scheduler add comment="Change wireguard port to avoid QoS" interval=5h58m name=change-wg on-event=change-port policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-12 start-time=12:00:00
/system scheduler add comment=DynV6 interval=6h name=dynv6 on-event=dynv6 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-25 start-time=11:12:41
/system scheduler add comment="Auto Backup" interval=12h name=autobackup on-event="/file remove autoback.bak \
    \n/system/backup save name=autoback " policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-25 start-time=11:14:22
/system script add comment="Change WG port to avoid QoS" dont-require-permissions=yes name=change-port owner=MY_USERNAME policy=read,write,policy,test,password,sensitive source="# Change both VPS and local port to avoid UDP QoS\
    \n\
    \n:local WGIF    \"wg1\"\
    \n\
    \n:local vpsuser \"MY_USERNAME\"\
    \n:local vpsport 22\
    \n\
    \n:local logstr\
    \n\
    \n:log info \"Change WG Port\"\
    \n\
    \n:if [ /interface get \$WGIF running ] do={\
    \n    :local peerno [/interface wireguard peers find interface=\$WGIF ]\
    \n    :local vps [/interface wireguard peers get \$peerno endpoint-address ] \
    \n    :local newport [ :rndnum from=45000 to=55000 ]\
    \n\
    \n    :if ( [ ping count=1 address=\$vps as-value ]->\"status\"!=\"timeout\" ) do={\
    \n        :if [ /system/ssh-exec user=\$vpsuser port=\$vpsport address=\$vps command=\"sudo wg set wg0 listen-port \$newport \" as-value ] do={\
    \n            /interface/wireguard/peers/set \$peerno endpoint-address=\$vps endpoint-port=\$newport\
    \n            :set logstr \"Change \$WGIF wireguard port to \$vps:\$newport\"\
    \n         } else={\
    \n            :set logstr \"Change port failed\"\
    \n        }\
    \n    } else={\
    \n        :set logstr \"Ping \$vps failed\"\
    \n    }\
    \n} else={\
    \n        :set logstr \"WG disabled\"\
    \n}\
    \n\
    \n:log info \$logstr\
    \n\
    \n:put \$logstr\
    \n"
/system script add comment="Update dynv6 name" dont-require-permissions=no name=dynv6 owner=MY_USERNAME policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Change dynv6 ip\
    \n:local TOKEN        \"MY_IPV6_TOKEN\"\
    \n:local DDNSHOST     MY_DDNS.dynv6.net\
    \n:local theinterface ether1\
    \n\
    \n\
    \n# IPv4\
    \n:local test [ /ip address get [/ip address find interface=\$theinterface ] address ]\
    \n:local ipv4 [ :pick \$test 0 [:find \$test \"/\"]]\
    \n\
    \n:set   test [/ipv6/address get [:pick [find global interface=\$theinterface ] 0 ] address ]\
    \n:local ipv6 [:pick \$test 0 [:find \$test \"/\"]]\
    \n\
    \n:if ([ :typeof \$ipv6 ] = nil ) do={\
    \n   :log info (\"Dynv6: No ip address on \$theinterface .\")\
    \n} else={\
    \n   :local str1 \"zone=\$DDNSHOST&token=\$TOKEN&ipv6=\$ipv6\"\
    \n   \
    \n   :do {\
    \n       :set test ([/tool fetch url=\"https://dynv6.com/api/update\?\$str1\" as-value output=user]->\"data\")\
    \n       :put \$test\
    \n   } while=( \$test != \"addresses updated\")\
    \n\
    \n   :local logstr  \"DynV6: IP updated to \$ipv6 \"\
    \n   :log info \$logstr\
    \n   :put \$logstr\
    \n}\
    \n\
    \n"
/tool netwatch add comment=CheckVPS disabled=no down-script=change-port host=10.10.6.1 interval=2m test-script="" type=simple up-script=""
```
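
A small auditor for exports like the one above, added here as an illustration and not part of the original post: it parses the export and flags six settings that appear in this configuration (legacy WPA on the guest profile, management ports accepted from WAN with no source restriction, a WAN forward rule with no destination address, a dst-nat rule with no interface match, UPnP/NAT-PMP on the guest VLAN, and a script that skips the policy check). The check names and the SAMPLE excerpt, which uses lines from the export with the script source shortened, are choices made for this example.

```python
import re

# key=value pairs; a value is double-quoted (with \" escapes) or a bare word
PAIR = re.compile(r'([\w.\-]+)=("(?:\\.|[^"\\])*"|\S*)')
MGMT_PORTS = {"22", "23", "80", "443", "8291", "8728", "8729"}
ADDR_SCOPE = ("src-address", "src-address-list", "dst-address", "dst-address-list")
IF_SCOPE = ("in-interface", "in-interface-list")

def parse_export(text):
    """Return [(menu_path, params)] for every command in a RouterOS export."""
    text = re.sub(r"\\\n[ \t]*", "", text)        # fold backslash line continuations
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue                              # comment or blank line
        first = PAIR.search(line)
        path = (line[:first.start()] if first else line).strip()
        cmds.append((path, {k: v.strip('"') for k, v in PAIR.findall(line)}))
    return cmds

def audit(text):
    """Return (check_id, detail) findings; check ids are this example's own names."""
    cmds = parse_export(text)
    # interfaces that the export itself labels comment=Guest
    guest = {p["name"] for path, p in cmds
             if path.startswith("/interface") and p.get("comment") == "Guest" and "name" in p}
    found = []
    for path, p in cmds:
        if p.get("disabled") == "yes":
            continue
        ports = set(p.get("dst-port", "").split(","))
        auth = p.get("authentication-types") or p.get("security.authentication-types", "")
        no_addr = not any(k in p for k in ADDR_SCOPE)
        if path.startswith("/interface wifi") and "wpa-psk" in auth.split(","):
            found.append(("WIFI_WPA1", p.get("name", "?")))           # legacy WPA allowed
        elif path.endswith("firewall filter add") and p.get("action") == "accept" \
                and p.get("in-interface-list") == "WAN" and no_addr:
            if p.get("chain") == "input" and ports & MGMT_PORTS:
                found.append(("WAN_MGMT_OPEN", p["dst-port"]))        # any source address
            elif p.get("chain") == "forward":
                found.append(("WAN_FORWARD_ANY_HOST", p.get("dst-port", "any")))
        elif path.endswith("firewall nat add") and p.get("action") == "dst-nat" \
                and no_addr and not any(k in p for k in IF_SCOPE):
            found.append(("DSTNAT_ANY_INTERFACE", p.get("dst-port", "any")))
        elif path in ("/ip upnp interfaces add", "/ip nat-pmp interfaces add") \
                and p.get("type") == "internal" and p.get("interface") in guest:
            found.append(("GUEST_PORT_MAPPING", path.split()[1] + ":" + p["interface"]))
        elif path == "/system script add" and p.get("dont-require-permissions") == "yes":
            found.append(("SCRIPT_SKIPS_POLICY", p.get("name", "?")))
    return found

# Excerpt of the export above; the script source is shortened for the example.
SAMPLE = r'''
/interface vlan add comment=Guest interface=bridge1 name=vlan1_iot vlan-id=1003
/interface wifi set [ find default-name=wifi1 ] security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi security add authentication-types=wpa-psk,wpa2-psk name=Guest passphrase=1234567890
/ip firewall filter add action=accept chain=input comment="Allow SSH HTTPS" dst-port=22,443 in-interface-list=WAN protocol=tcp
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=3000 protocol=tcp to-addresses=172.16.88.2 to-ports=3000
/ip firewall nat add action=dst-nat chain=dstnat dst-port=8088 protocol=tcp to-addresses=172.16.88.2 to-ports=8088
/ip upnp interfaces add interface=vlan1_iot type=internal
/ipv6 firewall filter add action=accept chain=forward dst-port=22,80,443 in-interface-list=WAN protocol=tcp
/system script add dont-require-permissions=yes name=change-port source="# shortened\
    \n:log info \"Change WG Port\""
'''

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:22} {detail}")
```

A finding here is a prompt to review the rule, not a verdict: whether an unscoped WAN rule is reachable from the Internet depends on what sits upstream of ether1 and wg1.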

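Posted on 2023-5-29 12:18, from mobile
No need for the little box. Set DNS to the IP address of the WireGuard interface on the VPS side. Install the latest version of AdGuardHome on the VPS, with upstreams 208.67.220.220 8.8.8.8 9.9.9.11 and nothing else; 1.1.1.1, for example, does not support ECS. Then set the EDNS custom IP as shown in the picture and that is all.
No domain lists of any kind are needed any more.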

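OP | Posted on 2023-5-29 13:55
tr069 posted on 2023-5-29 12:18
No need for the little box. Set DNS to the IP address of the WireGuard interface on the VPS side. Install the latest version of AdGuardHome on the VPS, with upstreams 208.67.220.220 8.8.8.8 9.9.9 ...

But there is a problem to consider: DNS results are actually regional, and different results are returned depending on the client's IP. If you simply put the DNS server on an overseas VPS, a lot of CDN traffic for domestic sites will end up going to overseas servers; for example, opening Taobao gives you the international version, and so on.

Getting to the current result took a lot of tinkering, with many detours and quite a few pitfalls filled in along the way.

Of course, all of this is for reference only.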

Posted on 2023-5-29 14:00, from mobile
EDNS exists precisely to solve this problem.

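OP | Posted on 2023-5-29 14:20
tr069 posted on 2023-5-29 14:00
EDNS exists precisely to solve this problem.

Where is this EDNS of yours? On a Windows client? I only do this configuration on the AX3 and make no special settings on the clients. In fact, among the big pile of devices in my home there is not a single Windows device, nor any Android phone. The Apple TV can watch YouTube directly.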

Posted on 2023-5-29 14:31, from mobile
In AdGuardHome on the VPS, enter your home broadband's IP range as in post #2; that is equivalent to resolving directly from home against 208.67.220.220 8.8.8.8 9.9.9.11.

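What the EDNS setting discussed in the replies above puts on the wire, as an added example that is not part of any post: the EDNS Client Subnet option (RFC 7871) carries only a prefix of the client address inside the query's OPT record, and a resolver that honours it can pick region-specific answers from that prefix. The subnet 203.0.113.0/24 and the name www.example.com are constructed placeholders; nothing is sent over the network.

```python
import ipaddress
import struct

ECS_OPTION = 8                      # EDNS option code for Client Subnet (RFC 7871)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def ecs_option(subnet):
    """Encode the ECS option for a subnet such as '203.0.113.77/24'."""
    net = ipaddress.ip_network(subnet, strict=False)    # host bits are zeroed
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8                   # only the prefix bytes are sent
    addr = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr   # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION, len(body)) + body

def build_query(name, subnet, qid=0x1234):
    """Build a DNS A query for `name` whose OPT record carries the ECS option."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)      # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = ecs_option(subnet)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt

def extract_ecs(packet):
    """Return the subnet an upstream resolver would read from a query, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qd):                                 # skip questions (uncompressed names)
        while packet[pos]:
            pos += packet[pos] + 1
        pos += 5                                        # root label + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        while packet[pos]:
            pos += packet[pos] + 1
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        rdata, pos = packet[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        while rtype == TYPE_OPT and len(rdata) >= 4:    # walk the options in the OPT record
            code, olen = struct.unpack("!HH", rdata[:4])
            if code == ECS_OPTION:
                family, src_len, _scope = struct.unpack("!HBB", rdata[4:8])
                size = 4 if family == 1 else 16
                addr = rdata[8:4 + olen].ljust(size, b"\0")
                return f"{ipaddress.ip_address(addr)}/{src_len}"
            rdata = rdata[4 + olen:]
    return None

if __name__ == "__main__":
    query = build_query("www.example.com", "203.0.113.77/24")
    print(ecs_option("203.0.113.77/24").hex())
    print(extract_ecs(query))
```

The upstream sees the /24, not the full client address, so the prefix length chosen is also the privacy trade-off.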

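OP | Posted on 2023-5-29 17:01
tr069 posted on 2023-5-29 14:31
In AdGuardHome on the VPS, enter your home broadband's IP range as in post #2; that is equivalent to resolving directly from home against 208.67.220.220 8.8.8.8 9.9.9.11 ...

Very good. I have installed it and am testing it now.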

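OP | Posted on 2023-5-30 13:08
tr069 posted on 2023-5-29 14:31
In AdGuardHome on the VPS, enter your home broadband's IP range as in post #2; that is equivalent to resolving directly from home against 208.67.220.220 8.8.8.8 9.9.9.11 ...

It has been quite comfortable to use, thank you.

I tossed out a brick and got jade back.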

Posted on 2023-5-31 09:30
The OP really knows VPS and WireGuard; the port changing in the configuration file is the most valuable part.

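OP | Posted on 2023-5-31 10:40
zsecsqawdx posted on 2023-5-31 09:30
The OP really knows VPS and WireGuard; the port changing in the configuration file is the most valuable part.

On an ordinary Linux host running wg, you can wrap it with udp2raw or phantun to dodge UDP QoS; that is how it was done back in the ROS 6 days, when there was no native wg support.

Since ROS 7 supports wg natively, wrapping it in these would mean hanging a little box off the side, which costs a bit much; it is better to do it this simple and crude way. Fortunately ROS scripting is powerful, so it is easy to implement.

With AdGuard Home, that little box can now be removed entirely, which is even more convenient. Thanks to post #2.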

Posted on 2023-5-31 12:53, from mobile
OP, how has this router been in use, especially the WiFi signal?

OP | Posted on 2023-5-31 13:49
daisuki posted on 2023-5-31 12:53
OP, how has this router been in use, especially the WiFi signal?

It is not my main router (the main one is an RB4011); it is okay.

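Posted on 2023-5-31 17:23, from mobile
mantouboji posted on 2023-5-31 13:49
It is not my main router (the main one is an RB4011); it is okay.

I envy you for having both. I am torn between the ax3 and the 4011 and don't know which one to pick.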

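OP | Posted on 2023-5-31 21:28
daisuki posted on 2023-5-31 17:23
I envy you for having both. I am torn between the ax3 and the 4011 and don't know which one to pick.

If you have a lot of machines at home, go with the 4011. But the problem with the 4011 is that its 2.4G part cannot run wifiwave2.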

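Posted on 2023-5-31 21:49
mantouboji posted on 2023-5-31 21:28
If you have a lot of machines at home, go with the 4011. But the problem with the 4011 is that its 2.4G part cannot run wifiwave2.

Does the AX3 support wifiwave2 on 2.4G, then?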

Comment

Since it is called AX, everything is supported straight from the factory. (Reply posted on 2023-5-31 22:41)
