LAN DHCP hostname DNS resolution works only intermittently

Packet captures on the router and on end devices showed a few odd things

  • The router's uplink sends DNS queries to 114.114.114.114, even though that DNS address is not configured anywhere on my path
  • The DNS queries the router sees come from an IPv6 address I do not recognise; it turned out to be the DNS cache of the bridging router in the middle

The fix is described in 关闭 DNS 劫持 (disabling DNS hijacking)

Sometimes it looks almost normal: the answer comes back, but the PTR query is still forwarded upstream
25	0.783262	192.168.9.49	192.168.9.1	DNS	73	Standard query 0x0f42 A www.baidu.com
26	0.783456	192.168.9.1	192.168.9.49	DNS	135	Standard query response 0x0f42 A www.baidu.com CNAME www.a.shifen.com A 36.152.44.132 A 36.152.44.93
27	0.835163	192.168.9.6	192.168.9.1	DNS	132	Standard query 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
28	0.835206	192.168.9.6	114.114.114.114	DNS	132	Standard query 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
29	0.835264	2409:8a1e:6e71:5eb0::e8b	2409:8a1e:6e71:5eb0::1	DNS	152	Standard query 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
30	0.835322	2409:8a1e:6e71:5eb0::e8b	240c::6666	DNS	152	Standard query 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
31	0.835474	2409:8a1e:6e71:5eb0::1	2409:8a1e:6e71:5eb0::e8b	DNS	184	Standard query response 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa PTR RT-AX86U-CE58-IPv6
32	0.835567	192.168.9.1	192.168.9.6	DNS	164	Standard query response 0xbd23 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa PTR RT-AX86U-CE58-IPv6
33	0.841120	2409:8a1e:6e71:5eb0::e8b	2409:8a1e:6e71:5eb0::1	DNS	100	Standard query 0xaec1 A pve.home.kokomi.site
34	0.841251	2409:8a1e:6e71:5eb0::1	2409:8a1e:6e71:5eb0::e8b	DNS	116	Standard query response 0xaec1 A pve.home.kokomi.site A 192.168.9.17
35	0.846574	2409:8a1e:6e71:5eb0::e8b	2409:8a1e:6e71:5eb0::1	DNS	100	Standard query 0xd361 AAAA pve.home.kokomi.site
36	0.846637	2409:8a1e:6e71:5eb0::1	2409:8a1e:6e71:5eb0::e8b	DNS	156	Standard query response 0xd361 AAAA pve.home.kokomi.site AAAA fe80::1e1b:dff:fe95:90d1 AAAA 2409:8a1e:6e71:5eb1:1e1b:dff:fe95:90d1
Sometimes it takes the liberty of appending the search domain again, so the lookup returns nothing
54	17.520955	192.168.9.6	192.168.9.1	DNS	132	Standard query 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
55	17.521012	192.168.9.6	114.114.114.114	DNS	132	Standard query 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
56	17.521229	192.168.9.1	192.168.9.6	DNS	164	Standard query response 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa PTR RT-AX86U-CE58-IPv6
57	17.521555	2409:8a1e:6e71:5eb0::e8b	2409:8a1e:6e71:5eb0::1	DNS	152	Standard query 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
58	17.521621	2409:8a1e:6e71:5eb0::e8b	240c::6666	DNS	152	Standard query 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa
59	17.521754	2409:8a1e:6e71:5eb0::1	2409:8a1e:6e71:5eb0::e8b	DNS	184	Standard query response 0xc8ed PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.e.5.1.7.e.6.e.1.a.8.9.0.4.2.ip6.arpa PTR RT-AX86U-CE58-IPv6
 
60	17.529532	192.168.9.6	192.168.9.1	DNS	97	Standard query 0x0d8a A pki.home.kokomi.site.home.kokomi.site
61	17.529617	192.168.9.1	192.168.9.6	DNS	97	Standard query response 0x0d8a No such name A pki.home.kokomi.site.home.kokomi.site
62	17.537006	192.168.9.6	192.168.9.1	DNS	97	Standard query 0xa091 AAAA pki.home.kokomi.site.home.kokomi.site
63	17.537070	192.168.9.1	192.168.9.6	DNS	97	Standard query response 0xa091 No such name AAAA pki.home.kokomi.site.home.kokomi.site
64	17.544076	192.168.9.6	192.168.9.1	DNS	92	Standard query 0x8241 A pki.home.kokomi.site.kokomi.site
65	17.544152	192.168.9.1	192.168.9.6	DNS	92	Standard query response 0x8241 No such name A pki.home.kokomi.site.kokomi.site
66	17.551450	192.168.9.6	192.168.9.1	DNS	92	Standard query 0x19b8 AAAA pki.home.kokomi.site.kokomi.site
67	17.551515	192.168.9.1	192.168.9.6	DNS	92	Standard query response 0x19b8 No such name AAAA pki.home.kokomi.site.kokomi.site
Taking liberties is one thing, but it also walks up the DNS suffix list
124	14.127969	192.168.9.6	192.168.9.1	DNS	75	Standard query 0x1d62 A pve.kokomi.site
125	14.128047	192.168.9.6	114.114.114.114	DNS	75	Standard query 0x1d62 A pve.kokomi.site
126	14.128115	2409:8a1e:6e71:5eb0::e8b	2409:8a1e:6e71:5eb0::1	DNS	95	Standard query 0x1d62 A pve.kokomi.site
127	14.128156	2409:8a1e:6e71:5eb0::e8b	240c::6666	DNS	95	Standard query 0x1d62 A pve.kokomi.site
128	14.128397	2409:8a1e:6e71:5eb0::1	2409:8a1e:6e71:5eb0::e8b	DNS	95	Standard query response 0x1d62 No such name A pve.kokomi.site
129	14.128496	192.168.9.1	192.168.9.6	DNS	75	Standard query response 0x1d62 No such name A pve.kokomi.site
130	14.136350	192.168.9.6	192.168.9.1	DNS	75	Standard query 0xb468 AAAA pve.kokomi.site
131	14.136430	192.168.9.1	192.168.9.6	DNS	75	Standard query response 0xb468 No such name AAAA pve.kokomi.site
132	14.183931	114.114.114.114	192.168.9.6	DNS	151	Standard query response 0x1d62 No such name A pve.kokomi.site SOA anuj.ns.cloudflare.com
$ nslookup pve.home.kokomi.site.  
服务器: RT-AX86U-CE58-IPv6  
Address: 2409:8a1e:6e71:5eb0::1  
  
名称: pve.home.kokomi.site  
Addresses: 2409:8a1e:6e71:5eb1:1e1b:dff:fe95:90d1  
fe80::1e1b:dff:fe95:90d1  
192.168.9.17
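As an added example (not from the original note), the script below runs the three symptoms called out above over a handful of the capture lines and flags them: queries forwarded to a resolver nobody configured, a search suffix appended to an already-qualified name, a walk up the suffix list, and a local ip6.arpa lookup leaving the LAN. The resolver set, search domain and local /64 are assumptions read off the capture.

```python
"""Added example for this note (not code from the original page): triage the
Wireshark capture above and flag the misbehaviours it shows. The resolver set,
search domain and local prefix are assumptions read off the capture."""
import ipaddress
import re

LAN_RESOLVERS = {"192.168.9.1", "2409:8a1e:6e71:5eb0::1"}   # assumption: the only resolvers configured
SEARCH_DOMAIN = "home.kokomi.site"                            # assumption: DHCP-advertised search domain
PARENT_DOMAIN = SEARCH_DOMAIN.split(".", 1)[1]                # kokomi.site
LOCAL_PREFIX = ipaddress.ip_network("2409:8a1e:6e71:5eb0::/64")
QUERY_RE = re.compile(r"Standard query 0x[0-9a-f]{4} (A|AAAA|PTR) (\S+)$")

def parse_query(line):
    """Wireshark list columns: No Time Src Dst Proto Len Info. Responses return None."""
    fields = re.split(r"\s+", line.strip(), maxsplit=6)
    if len(fields) < 7:
        return None
    m = QUERY_RE.search(fields[6])
    if not m:
        return None
    return {"no": fields[0], "dst": fields[3], "qtype": m.group(1), "qname": m.group(2).rstrip(".").lower()}

def ptr_to_address(qname):
    """Rebuild the IPv6 address from a 32-nibble ip6.arpa name, else None."""
    labels = qname.split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        return None
    nibbles = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))

def classify(q):
    """Return the list of problems one query exhibits (empty if it looks fine)."""
    findings = []
    if q["dst"] not in LAN_RESOLVERS:
        findings.append("forwarded to unconfigured resolver " + q["dst"])
    name = q["qname"]
    # the search domain occurring before the end means a FQDN got a suffix appended again
    re_suffixed = ("." + SEARCH_DOMAIN + ".") in name
    if re_suffixed:
        findings.append("search suffix appended to an already-qualified name")
    # a LAN host name under the parent zone only: the resolver walked up the suffix list
    if name.endswith("." + PARENT_DOMAIN) and not name.endswith("." + SEARCH_DOMAIN) and not re_suffixed:
        findings.append("resolver walked up the suffix list to ." + PARENT_DOMAIN)
    if q["qtype"] == "PTR":
        addr = ptr_to_address(name)
        if addr is not None and addr in LOCAL_PREFIX and q["dst"] not in LAN_RESOLVERS:
            findings.append("local reverse lookup leaked upstream")
    return findings

def triage(capture):
    """Return {packet number: findings} for every query that shows a problem."""
    out = {}
    for line in capture.splitlines():
        q = parse_query(line)
        findings = classify(q) if q else []
        if findings:
            out[q["no"]] = findings
    return out

# Constructed from the capture above (whitespace-separated instead of tabs); the PTR
# name is rebuilt with ipaddress so it is nibble-exact.
CAPTURE = """
25 0.783262 192.168.9.49 192.168.9.1 DNS 73 Standard query 0x0f42 A www.baidu.com
27 0.835163 192.168.9.6 192.168.9.1 DNS 132 Standard query 0xbd23 PTR {ptr}
28 0.835206 192.168.9.6 114.114.114.114 DNS 132 Standard query 0xbd23 PTR {ptr}
30 0.835322 2409:8a1e:6e71:5eb0::e8b 240c::6666 DNS 152 Standard query 0xbd23 PTR {ptr}
60 17.529532 192.168.9.6 192.168.9.1 DNS 97 Standard query 0x0d8a A pki.home.kokomi.site.home.kokomi.site
64 17.544076 192.168.9.6 192.168.9.1 DNS 92 Standard query 0x8241 A pki.home.kokomi.site.kokomi.site
124 14.127969 192.168.9.6 192.168.9.1 DNS 75 Standard query 0x1d62 A pve.kokomi.site
125 14.128047 192.168.9.6 114.114.114.114 DNS 75 Standard query 0x1d62 A pve.kokomi.site
132 14.183931 114.114.114.114 192.168.9.6 DNS 151 Standard query response 0x1d62 No such name A pve.kokomi.site SOA anuj.ns.cloudflare.com
""".format(ptr=ipaddress.ip_address("2409:8a1e:6e71:5eb0::1").reverse_pointer)

if __name__ == "__main__":
    for no, findings in triage(CAPTURE).items():
        print(no, findings)
```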

The following files show the relevant content and double as a backup. For how to change them, see RG-MA3063 开启 SSH (enabling SSH on the RG-MA3063)

iptables-save
# Generated by iptables-save v1.4.21 on Tue Aug 12 23:49:33 2025
*nat
:PREROUTING ACCEPT [209:24679]
:INPUT ACCEPT [51:3425]
:OUTPUT ACCEPT [308:20188]
:POSTROUTING ACCEPT [417:33978]
:MINIUPNPD - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:webpop_ipt - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.10.1
-A PREROUTING -j webpop_ipt
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Aug 12 23:49:33 2025
# Generated by iptables-save v1.4.21 on Tue Aug 12 23:49:33 2025
*raw
:PREROUTING ACCEPT [39341:9395039]
:OUTPUT ACCEPT [11900:1438386]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
-A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
-A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
-A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
-A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
-A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
-A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
-A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
-A zone_lan_helper -p tcp -m comment --comment "!fw3: RTSP connection tracking" -m tcp --dport 554 -j CT --helper rtsp
COMMIT
# Completed on Tue Aug 12 23:49:33 2025
# Generated by iptables-save v1.4.21 on Tue Aug 12 23:49:33 2025
*mangle
:PREROUTING ACCEPT [625976:219773249]
:INPUT ACCEPT [139862:34209841]
:FORWARD ACCEPT [931372:387644211]
:OUTPUT ACCEPT [116138:18657492]
:POSTROUTING ACCEPT [1043308:406133083]
COMMIT
# Completed on Tue Aug 12 23:49:33 2025
# Generated by iptables-save v1.4.21 on Tue Aug 12 23:49:33 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 21 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 23 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -p tcp -m tcp --dport 8088 -m comment --comment "!fw3: REJECT-WAN-VISIT" -j reject
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Tue Aug 12 23:49:33 2025
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
 
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
 
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option masq6_privacy '0'
	option masq6 '0'
 
config forwarding
	option src 'lan'
	option dest 'wan'
 
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
 
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
 
config rule
	option name 'REJECT-WAN-VISIT'
	option src 'wan'
	option dest_port '21 22 23 53 80 443 8088'
	option proto 'tcp'
	option target 'REJECT'
	option enabled '1'
 
config include
	option path '/etc/firewall.user'
 
config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'
 
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'
 
config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '1'
 
config include 'rg_fw'
	option type 'script'
	option path '/etc/firewall.d/rg_fw'
	option family 'any'
	option reload '1'
config rj_fw 'guest_accept_ath01_ipv6'
	option name 'guest_accept_ath01_ipv6'
	option rules 'ebtables -I INPUT -p iPv6 -i ath01 -j DROP'
 
config rj_fw 'guest_accept_ath11_ipv6'
	option name 'guest_accept_ath11_ipv6'
	option rules 'ebtables -I INPUT -p iPv6 -i ath11 -j DROP'
 
config rj_fw 'guest_accept_ath01_dhcp'
	option name 'guest_accept_ath01_dhcp'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-proto 17 --ip-sport 67:68 --ip-dport 67:68 -j ACCEPT'
 
config rj_fw 'guest_accept_ath11_dhcp'
	option name 'guest_accept_ath11_dhcp'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-proto 17 --ip-sport 67:68 --ip-dport 67:68 -j ACCEPT'
 
config rj_fw 'guest_accept_ath01_dns6'
	option name 'guest_accept_ath01_dns6'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-proto 6 --ip-dport 53 -j ACCEPT'
 
config rj_fw 'guest_accept_ath01_dns17'
	option name 'guest_accept_ath01_dns17'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-proto 17 --ip-dport 53 -j ACCEPT'
 
config rj_fw 'guest_accept_ath11_dns6'
	option name 'guest_accept_ath11_dns6'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-proto 6 --ip-dport 53 -j ACCEPT'
 
config rj_fw 'guest_accept_ath11_dns17'
	option name 'guest_accept_ath11_dns17'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-proto 17 --ip-dport 53 -j ACCEPT'
 
config rj_fw 'guest_accept_ath01_icmp'
	option name 'guest_accept_ath01_icmp'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-proto 1 -j DROP'
 
config rj_fw 'guest_accept_ath11_icmp'
	option name 'guest_accept_ath11_icmp'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-proto 1 -j DROP'
 
config rj_fw 'guest_accept_ath01_ipv6icmp'
	option name 'guest_accept_ath01_ipv6icmp'
	option rules 'ebtables -A FORWARD -i ath01 -p iPv6 --ip6-protocol 58 -j DROP'
 
config rj_fw 'guest_accept_ath11_ipv6icmp'
	option name 'guest_accept_ath11_ipv6icmp'
	option rules 'ebtables -A FORWARD -i ath11 -p iPv6 --ip6-protocol 58 -j DROP'
 
config rj_fw 'guest_accept_ath01_local_wanip'
	option name 'guest_accept_ath01_local_wanip'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-destination 192.168.9.6 -j DROP'
 
config rj_fw 'guest_accept_ath11_local_wanip'
	option name 'guest_accept_ath11_local_wanip'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-destination 192.168.9.6 -j DROP'
 
config rj_fw 'guest_accept_ath01_local_ip'
	option name 'guest_accept_ath01_local_ip'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-destination 192.168.10.1 -j DROP'
 
config rj_fw 'guest_accept_ath11_local_ip'
	option name 'guest_accept_ath11_local_ip'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-destination 192.168.10.1 -j DROP'
 
config rj_fw 'guest_accept_ath01_other_ip'
	option name 'guest_accept_ath01_other_ip'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip --ip-destination ! 192.168.9.6/255.255.255.0 -j ACCEPT'
 
config rj_fw 'guest_accept_ath11_other_ip'
	option name 'guest_accept_ath11_other_ip'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip --ip-destination ! 192.168.9.6/255.255.255.0 -j ACCEPT'
 
config rj_fw 'guest_accept_ath01_all'
	option name 'guest_accept_ath01_all'
	option rules 'ebtables -t nat -A PREROUTING -i ath01 -p ip -j DROP'
 
config rj_fw 'guest_accept_ath11_all'
	option name 'guest_accept_ath11_all'
	option rules 'ebtables -t nat -A PREROUTING -i ath11 -p ip -j DROP'
 
config rj_fw 'web_hijack'
	option name 'web_hijack'
	option rules 'ebtables -t broute -I BROUTING -p 0x800 --ip-destination 192.168.10.1 -j dnat --to-dst E0:5D:54:7C:07:F4 --dnat-target ACCEPT'
 
config rj_fw 'dev_no_wan_ping'
	option name 'dev_no_wan_ping'
	option rules 'iptables -w -I INPUT -i eth0 -p icmp --icmp-type 8 -s 0/0 -j DROP'
 
config rj_fw 'dev_no_wan_ping_ipv6'
	option name 'dev_no_wan_ping_ipv6'
	option rules 'ip6tables -w -I INPUT -i eth0 -p icmpv6 --icmpv6-type 128 -s 0/0 -j DROP'
 
config rj_fw 'dev_no_8088'
	option name 'dev_no_8088'
	option rules 'iptables -w -I INPUT -p tcp --dport 8088 -j REJECT --reject-with tcp-reset'
 
config rj_fw 'dev_no_8088_ipv6'
	option name 'dev_no_8088_ipv6'
	option rules 'ip6tables -w -I INPUT -p tcp --dport 8088 -j REJECT --reject-with tcp-reset'
 
config rj_fw 'dnsv4_hijack'
	option name 'dnsv4_hijack'
	option rules 'iptables -w -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 192.168.10.1'
 
config rj_fw 'dnsv6_hijack'
	option name 'dnsv6_hijack'
	option rules 'ip6tables -w -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination fe80::e25d:54ff:fe7c:7f4'
 
config rj_fw 'dnsv4_eb_hijack'
	option name 'dnsv4_eb_hijack'
	option rules 'ebtables -t broute -I BROUTING -p 0x800 --ip-proto 17 --ip-dport 53 -j dnat --to-dst E0:5D:54:7C:07:F4 --dnat-target ACCEPT'
 
config rj_fw 'dnsv6_eb_hijack'
	option name 'dnsv6_eb_hijack'
	option rules 'ebtables -t broute -I BROUTING -p 0x86dd --ip6-proto 17 --ip6-dport 53 -j dnat --to-dst E0:5D:54:7C:07:F4 --dnat-target ACCEPT'

Proxying IPv6 address discovery across subnets

ndppd

Syncthing on Synology with HTTP/2 Enabled Constant Trigger net::ERR_HTTP2_PROTOCOL_ERROR 200 (OK) on Chrome

Syncthing runs on the Synology and is exposed over HTTPS at syncthing.enihsyou.synology.me through a reverse proxy.

The symptom is that the request to https://syncthing.enihsyou.synology.me/rest/events?since=22042 gets no response within 5 s, and the console shows the following error

GET https://syncthing.enihsyou.synology.me/rest/events?since=22042 net::ERR_HTTP2_PROTOCOL_ERROR 200 (OK)
 
... the call stack consists entirely of errorFn@eventService.js:50 callbacks; once the depth exceeds 15 the stack is no longer visible in the console, and it switches to throwing the following
 
Failed to load resource: net::ERR_HTTP2_PROTOCOL_ERROR rest/events?since=21803:1

The 5 s was later confirmed to be the upstream timeout configured on the proxy server

Copying the request from the browser into cURL and running it gave curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) -, which immediately reminded me of the CRL download problem I had run into before. Sure enough, this site also uses Let's Encrypt. I added the proxy right away and the response time became fast, but the connection error was still there

Note that another request the browser sends at the same time works fine (private information removed)

xh https://syncthing.enihsyou.synology.me/rest/events?limit=1 -vv
GET /rest/events?limit=1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Host: syncthing.enihsyou.synology.me
User-Agent: xh/0.24.1
 
HTTP/2.0 200 OK
cache-control: max-age=0, no-cache, no-store
content-type: application/json; charset=utf-8
date: Tue, 12 Aug 2025 12:50:39 GMT
expires: Tue, 12 Aug 2025 12:50:39 GMT
pragma: no-cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-syncthing-version: v1.29.6
x-xss-protection: 1; mode=block
 
[
    {
        "id": 22042,
        "globalID": 23497,
        "time": "2025-08-12T20:48:36.232836129+08:00",
        "type": "StateChanged",
        "data": {
            "duration": 0.232821449,
            "folder": "rwfhh-ihkes",
            "from": "scanning",
            "to": "idle"
        }
    }
]
Elapsed time: 0.05452s

My reading is that the newest event ID on the server is currently 22042. Requesting /events?since=22042 at that point blocks until the next event, 22043, occurs; by editing an arbitrary file to trigger a sync and watching the network requests, I saw the endpoint respond immediately.

Opening the locally deployed Syncthing, it does indeed hang for up to 60 s waiting for a response. Looking at the source, syncthing/lib/api/api.go at 5d8033343fd31963286395b009fa7ff0b18ee461 · syncthing/syncthing, the default timeout is indeed time.Minute. The documentation, GET /rest/events — Syncthing v2.0.0 documentation, confirms that the call blocks, so this is expected behaviour.

The frontend code does not set a "timeout" either, so the simplest fix here is to raise the reverse-proxy timeout above 60 s
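To make the timeout interplay concrete, here is an added example (not Syncthing's code and not from the original post) that models the blocking /rest/events?since=N endpoint with a 1 s window standing in for time.Minute, then polls it with a read timeout shorter and longer than that window; the short one reproduces the cut-off, and publishing a new event wakes a pending poll at once.

```python
"""Added example (not Syncthing's own code): a scaled-down model of the
/rest/events?since=N long poll and of a proxy read timeout in front of it.
LONG_POLL_SECS stands in for the time.Minute default; event ids are
constructed to continue the capture above (22042 is the newest)."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

LONG_POLL_SECS = 1.0   # assumption: scaled down from Syncthing's 60 s for the demo

class EventStore:
    """Holds events; a poll for since=N blocks until an id > N exists or the window expires."""
    def __init__(self):
        self.events = [{"id": 22042, "type": "StateChanged"}]   # constructed, matches the capture
        self.cond = threading.Condition()

    def publish(self, ev_type):
        with self.cond:
            self.events.append({"id": self.events[-1]["id"] + 1, "type": ev_type})
            self.cond.notify_all()

    def wait_since(self, since, timeout):
        with self.cond:
            self.cond.wait_for(lambda: self.events[-1]["id"] > since, timeout=timeout)
            return [e for e in self.events if e["id"] > since]

STORE = EventStore()

class EventsHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/rest/events":
            self.send_error(404)
            return
        since = int(parse_qs(url.query).get("since", ["0"])[0])
        body = json.dumps(STORE.wait_since(since, LONG_POLL_SECS)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

class QuietServer(ThreadingHTTPServer):
    def handle_error(self, request, client_address):   # a client that gave up just closed its socket
        pass

def start_server():
    srv = QuietServer(("127.0.0.1", 0), EventsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_events(port, since, read_timeout):
    """Client side; read_timeout plays the role of the reverse proxy's upstream timeout.
    Returns ("ok", events) or ("timeout", None)."""
    url = f"http://127.0.0.1:{port}/rest/events?since={since}"
    try:
        with urllib.request.urlopen(url, timeout=read_timeout) as resp:
            return "ok", json.load(resp)
    except OSError:   # the socket timeout (URLError wraps it) is what the 5 s proxy cut-off looks like
        return "timeout", None

def demo():
    srv = start_server()
    port = srv.server_address[1]
    cut_off = fetch_events(port, 22042, read_timeout=0.2)                    # proxy timeout < long poll: error
    patient = fetch_events(port, 22042, read_timeout=LONG_POLL_SECS + 1)     # outlives the window: clean []
    threading.Timer(0.1, STORE.publish, args=("LocalIndexUpdated",)).start()  # "touch a file"
    woken = fetch_events(port, 22042, read_timeout=LONG_POLL_SECS + 1)       # returns as soon as 22043 exists
    srv.shutdown()
    return cut_off, patient, woken

if __name__ == "__main__":
    print(demo())
```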

Handy ps combinations

  • ps -efH: all processes, indented by parent; good as a general overview
  • ps auxf: all processes as a tree, with CPU and memory usage
  • ps -C cmd: search by process name directly; good when the question is just "is this process running"

Automating Syncthing conflict resolution

I only sync between two devices, Local and Synology, and only make changes on Local, so conflicts should never occur.
In practice, though, Local keeps producing .sync-conflict files while Synology does not, and there is no actual content conflict; the conflict file just holds an older version.
Leaving the cause aside for now, the first step is an automatic merge script.
Monitors a Syncthing-synced directory and tries to merge conflicting files (based on https://www.rafa.ee/articles/resolve-syncthing-conflicts-using-three-way-merge/). Probably adaptable for other directory types, but only tested with Logseq (works for me™️).

Windows symbolic links and directory junctions

# for file
mklink linkname targetpath
# for directory
mklink /d linkname targetpath

The PVE HTTPS certificate was not renewed on schedule

The subnet hosting the PKI service has been under maintenance recently, so the ACME service could not renew the certificate; run it manually for now.

A systemd timer cannot be triggered ahead of schedule, but the service underneath it can be started by hand

systemctl start --no-block pve-daily-update.service
journalctl -u pve-daily-update.service -f