22 / 03 / 10

解决小米AX6端口转发失效问题

  • AX6固件版本:1.1.10,目前最新版本

  • 已通过另一台Openwrt路由器解锁ssh,AX6内只运行了shellclash,并未修改其他任何文件

  • 在端口转发页面设置自定义规则后,点击保存并生效,尝试用公网IP+端口访问不通

  • ssh登录AX6,手动执行/etc/init.d/firewall -reload

root@XiaoQiang:~# /etc/init.d/firewall reload Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6' Warning: Section 'ready_zone' cannot resolve device of network 'ready' Warning: Section 'guest_8999' refers to not existing zone 'guest' Warning: Section 'guest_8300' refers to not existing zone 'guest' Warning: Section 'guest_7080' refers to not existing zone 'guest' Warning: Option 'wan15001rdr1'.ftype is unknown Warning: Option 'wan15000rdr1'.ftype is unknown Warning: Section @zone[2] (ready) has no device, network, subnet or extra options * Clearing IPv4 filter table * Clearing IPv4 nat table * Clearing IPv4 mangle table * Populating IPv4 filter table * Rule 'Allow-DHCP-Renew' * Rule 'Allow-Ping' * Rule 'DHCP for ready' * Rule 'DHCP for ready' * Rule 'minet ready' * Rule 'minet ready' * Redirect 'nas5001' * Redirect 'nas5000' * Forward 'lan' -> 'wan' * Zone 'lan' * Zone 'wan' * Zone 'ready' * Populating IPv4 nat table * Redirect 'nas5001' * Redirect 'nas5000' * Zone 'lan' * Zone 'wan' * Zone 'ready' * Populating IPv4 mangle table * Zone 'lan' * Zone 'wan' * Zone 'ready' * Set tcp_ecn to off * Set tcp_syncookies to on * Set tcp_window_scaling to on * Running script '/lib/firewall.sysapi.loader webinitrdr' * Running script '/lib/firewall.sysapi.loader dnsmiwifi' * Running script '/lib/firewall.sysapi.loader macfilter' * Running script '/lib/firewall.sysapi.loader ipv6_masq' * Running script '/lib/firewall.sysapi.loader set_tcpmss' * Running script '/lib/firewall.sysapi.loader miot' * Running script '/lib/firewall.sysapi.loader parentalctl' * Running script '/usr/share/miniupnpd/firewall.include' * Running script '/etc/firewall.d/qca-nss-ecm' ! Failed with exit code 1

发现在跑到qca-nss-ecm时报错,查了一下这个nss是给无线加速相关的,以下是防火墙内关于nss的配置:

ecm_type=`uci -q get ecm.global.acceleration_engine` if [ $ecm_type = "nss" -o $ecm_type = "auto" ]; then chk=$(iptables -L FORWARD 2>/dev/null | grep -c 'PHYSDEV') if [ $chk -lt 1 ]; then iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT fi ipv6_fw_disable=$(uci -q get firewall.@defaults[0].disable_ipv6) chk6=$(ip6tables -L FORWARD 2>/dev/null | grep -c 'PHYSDEV') if [ $chk6 -lt 1 -a "$ipv6_fw_disable" = "0" ]; then ip6tables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT elif [ "$ipv6_fw_disable" = "1" ]; then ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null fi else iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT 2>/dev/null fi

暂时不想多研究,就直接在/etc/config/firewall里找到nss相关的规则注释掉,重启防火墙:

root@XiaoQiang:~# vi /etc/config/firewall root@XiaoQiang:~# /etc/init.d/firewall reload Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6' Warning: Section 'ready_zone' cannot resolve device of network 'ready' Warning: Section 'guest_8999' refers to not existing zone 'guest' Warning: Section 'guest_8300' refers to not existing zone 'guest' Warning: Section 'guest_7080' refers to not existing zone 'guest' Warning: Option 'wan15001rdr1'.ftype is unknown Warning: Option 'wan15000rdr1'.ftype is unknown Warning: Section @zone[2] (ready) has no device, network, subnet or extra options * Clearing IPv4 filter table * Clearing IPv4 nat table * Clearing IPv4 mangle table * Populating IPv4 filter table * Rule 'Allow-DHCP-Renew' * Rule 'Allow-Ping' * Rule 'DHCP for ready' * Rule 'DHCP for ready' * Rule 'minet ready' * Rule 'minet ready' * Redirect 'nas5001' * Redirect 'nas5000' * Forward 'lan' -> 'wan' * Zone 'lan' * Zone 'wan' * Zone 'ready' * Populating IPv4 nat table * Redirect 'nas5001' * Redirect 'nas5000' * Zone 'lan' * Zone 'wan' * Zone 'ready' * Populating IPv4 mangle table * Zone 'lan' * Zone 'wan' * Zone 'ready' * Set tcp_ecn to off * Set tcp_syncookies to on * Set tcp_window_scaling to on * Running script '/lib/firewall.sysapi.loader webinitrdr' * Running script '/lib/firewall.sysapi.loader dnsmiwifi' * Running script '/lib/firewall.sysapi.loader macfilter' * Running script '/lib/firewall.sysapi.loader ipv6_masq' * Running script '/lib/firewall.sysapi.loader set_tcpmss' * Running script '/lib/firewall.sysapi.loader miot' * Running script '/lib/firewall.sysapi.loader parentalctl' * Running script '/usr/share/miniupnpd/firewall.include' root@XiaoQiang:~#
  • 此时尝试访问转发的端口,公网IP+端口可以正常访问内网的NAS了:
Powered by Gridea