Step 1 SSH破解
根据以下文章进行操作,注意只有老的开发版本的固件才支持刷入SSH登录工具,最新的开发版固件是不支持的,小米官方没有给出说明,这一点很坑,浪费很多时间按照官方文档在尝试,却始终不成功。 https://gist.github.com/rambolee/468ee988d2cf80224a6ac4675c141b4f
Step 2 设置wan port forwarding
a) 因为小米路由器3的固件是基于openwrt开发的,所以以root身份SSH登录路由器系统后,按照openwrt给出的方法设置wan port forwarding
https://wiki.openwrt.org/doc/howto/port.forwarding
外网测试结果:失败
b) 在小米路由器3的web UI上设置串口重定向
外网测试结果:失败
经过多重分析后未发现失败原因,通过public IP仍然无法ssh login。初步怀疑小米自身的固件做得偏向与安全和保守,所以下一步是尝试刷第三方开源固件。
Step 3 刷入第三方开源固件Padavan
根据reddit上的操作指南刷入俄罗斯开发者Andy Padavan开发的开源固件Padavan。
Xiaomi Mi WiFi Router 3 alternative Firmware
https://www.reddit.com/r/openwrt/comments/4iunp9/xiaomi_mi_wifi_router_3_alternative_firmware/
[Guide] How to install Padavan custom firmware on the Xiaomi Mi Router 3:https://www.reddit.com/r/Xiaomi/comments/5d0wmx/guide_how_to_install_padavan_custom_firmware_on/
Step 4 设置端口重定向
wan->Port Forwarding
Screenshot from 2018-09-20 23:28:27.png
外网测试结果:失败
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
Step 4 查找分析原因
根据以下链接进行排查
https://ubuntuforums.org/archive/index.php/t-906252.html
发现
yangyong@vultr:~$ ssh -vvv yongyang@PUBLIC_IP -p 443
OpenSSH_7.5p1 Ubuntu-10ubuntu0.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving Publi_IP port 443
debug2: ssh_connect_direct: needpriv 0
然后又找到这篇帖子,怀疑到是ISP没有提供Public IP, 而是多用户共享一个Public IP, 而且设置了很多端口限制。
https://bitbucket.org/padavan/rt-n56u/issues/31/port-forwarding-not-working
Andy Padavan里面提到
"
I see:
-
Pure PPPoE (w/o MAN). eth3 is not obtained IPv4 address. Goto "WAN - Internet Connection", set "PPPoE & MAN access:" No
-
Port forwarding via 443 is done, NAT completed, FORWARD completed. FORWARD drop 0 packets (except INVALID state).
"
我的小米路由器3上网络状态是这样的
/home # iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 421 packets, 51876 bytes)
pkts bytes target prot opt in out source destination
0 0 vserver all -- * * 0.0.0.0/0 192.168.1.3
Chain INPUT (policy ACCEPT 197 packets, 12158 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 43 packets, 3339 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 42 packets, 2743 bytes)
pkts bytes target prot opt in out source destination
126 7560 SNAT all -- * eth2.2 192.168.31.0/24 0.0.0.0/0 to:192.168.1.3
1 596 SNAT all -- * br0 192.168.31.0/24 192.168.31.0/24 to:192.168.31.1
Chain upnp (0 references)
pkts bytes target prot opt in out source destination
Chain upnp-post (0 references)
pkts bytes target prot opt in out source destination
Chain vserver (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.31.33:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.31.33
/home # iptables -L -nv
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
974 167K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
238 14642 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 vpnlist all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33534
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 TCPMSS tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3902 1352K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
213 12780 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpnlist all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
Chain OUTPUT (policy ACCEPT 1194 packets, 376K bytes)
pkts bytes target prot opt in out source destination
Chain bfplimit (0 references)
pkts bytes target prot opt in out source destination
Chain upnp (0 references)
pkts bytes target prot opt in out source destination
Chain vpnlist (2 references)
pkts bytes target prot opt in out source destination
然后按文中的操作Goto "WAN - Internet Connection", set "PPPoE & MAN access:" No
发现无Internet访问
Step 5 找电信运营商中国电信确认公网IP地址的问题
中国电信那边的答复是需要配置静态公网IP地址才能从外网访问内网,企业宽带套餐才分配静态公网IP,而普通宽带是不分配公网IP的,而且有很多端口访问限制。
知乎上关于家庭公网IP地址分配的讨论
https://www.zhihu.com/question/27443119
https://www.zhihu.com/question/24043585
询问电信工作人员,是否可以给普通宽带套餐的客户分配DHCP动态的公网IP,等待答复中,待更新。
更新
电信客服告知个人和家庭用户是不提供公网IP地址的。
网友评论