OpenWrt 22.03.5 command-line configuration walkthrough (TP-LINK WDR4320)
📜 Basic configuration
1. Login and basic operations
```bash
ssh root@192.168.1.1    # factory default LAN address; use the new address once you change it below
uci show system
```
2. Network interface configuration (LAN/WAN)
- Change the LAN IP:
```bash
uci set network.lan.ipaddr='192.168.10.1'
uci set network.lan.netmask='255.255.255.0'
uci commit network
/etc/init.d/network restart
```
Your SSH session drops when the LAN address changes; reconnect with ssh root@192.168.10.1.
- Configure WAN (PPPoE example):
```bash
uci set network.wan.proto='pppoe'
uci set network.wan.username='youruser'
uci set network.wan.password='yourpass'
uci commit network
/etc/init.d/network restart
```
The PPPoE credentials are stored in clear text in /etc/config/network (readable only by root), so treat backups of that file as carefully as the password itself.
3. DHCP configuration
- Configure the LAN DHCP pool (addresses .100 to .249, 12-hour leases):
```bash
uci set dhcp.lan.start='100'
uci set dhcp.lan.limit='150'
uci set dhcp.lan.leasetime='12h'
uci commit dhcp
/etc/init.d/dnsmasq restart
```
4. DNS configuration
- Set upstream DNS servers:
```bash
uci set network.lan.dns='8.8.8.8 1.1.1.1'
uci commit network
/etc/init.d/network restart
```
A dns option on a static interface such as lan is added to the router's resolver list, but servers learned from the WAN (PPPoE or DHCP) are still used alongside them. To use only the servers you chose, also set network.wan.peerdns='0' and put the servers in network.wan.dns.
- Local name resolution (dnsmasq):
```bash
uci add_list dhcp.@dnsmasq[0].address='/router.local/192.168.10.1'
uci commit dhcp
/etc/init.d/dnsmasq restart
```
5. Wireless configuration (Wi-Fi)
```bash
uci set wireless.radio0.disabled='0'    # radios ship disabled on a fresh install; without this nothing comes up
uci set wireless.default_radio0.ssid='MyWiFi'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='mypassword'    # placeholder: use a long random passphrase (8 to 63 characters)
uci commit wireless
wifi reload
```
The WDR4320 is dual-band; repeat the same settings for radio1 / default_radio1 if you want the 5 GHz radio as well.
6. Firewall and port forwarding
- Add a port forward (external 8080 → internal 80):
```bash
uci add firewall redirect
uci set firewall.@redirect[-1].name='web-8080'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='192.168.10.100'
uci set firewall.@redirect[-1].dest_port='80'
uci commit firewall
/etc/init.d/firewall restart
```
Without proto a redirect matches both TCP and UDP; give it a name and pin the protocol so the exposed surface is exactly what you intend. Every forward is a hole in the WAN zone, so only forward to hosts you maintain and patch.
7. Port mirroring (swconfig switch)
Assume LAN1 is the monitor port and LAN2 is the mirror source. The numbers swconfig takes are switch port indexes, not the labels printed on the case (port 0 is usually the CPU port), so list the switch and match the port table against the cable you plugged in before choosing them:
```bash
swconfig list                                  # switch device name, normally switch0
swconfig dev switch0 show                      # port table with link state
swconfig dev switch0 set enable_mirror_rx 1    # copy received frames
swconfig dev switch0 set enable_mirror_tx 1    # copy transmitted frames
swconfig dev switch0 set mirror_source_port 2
swconfig dev switch0 set mirror_monitor_port 1
swconfig dev switch0 set apply
```
On the common swconfig drivers (ar8216/ar8327 among them) the mirror only becomes active once enable_mirror_rx or enable_mirror_tx is set; choosing the source and monitor ports alone copies nothing. The setting is not persisted across reboots unless you add the same commands to /etc/rc.local. Capture on the monitor port from a separate host running tcpdump rather than on the router.
8. Package management
```bash
opkg update
opkg install luci tcpdump nano
```
📜 Initialisation script (LAN, Wi-Fi and firewall in one go)
Save the following as /root/init_setup.sh and run it. Do not put it in /etc/init.d: that directory is reserved for procd service scripts, and a plain script there shows up as a bogus service.
```bash
#!/bin/sh
# Initialise OpenWrt 22.03.5 basic configuration
# Stop at the first failed uci command so a half-applied config is not committed
set -e
# LAN
uci set network.lan.ipaddr='192.168.10.1'
uci set network.lan.netmask='255.255.255.0'
uci commit network
# DHCP
uci set dhcp.lan.start='100'
uci set dhcp.lan.limit='150'
uci set dhcp.lan.leasetime='12h'
uci commit dhcp
# DNS
uci set network.lan.dns='8.8.8.8 1.1.1.1'
uci commit network
# Wi-Fi
uci set wireless.radio0.disabled='0'
uci set wireless.default_radio0.ssid='MyWiFi'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='mypassword'    # placeholder: replace with a strong passphrase
uci commit wireless
# Firewall port forward
uci add firewall redirect
uci set firewall.@redirect[-1].name='web-8080'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='192.168.10.100'
uci set firewall.@redirect[-1].dest_port='80'
uci commit firewall
# Apply
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
wifi reload
```
Run it:
```bash
sh /root/init_setup.sh
```
The script is not idempotent: uci add appends a new section each time, so running it twice leaves two identical redirects. Check with uci show firewall and delete the extra one with uci delete firewall.@redirect[-1] if that happens.
⚠️ Notes
- Avoid weak passphrases when setting the SSID and key. WPA2 requires 8 to 63 characters, and a short dictionary word is cracked offline from a single captured handshake.
- Port mirroring depends on the hardware switch driver (swconfig); attribute names and port numbering differ between models.
- After every uci change you must commit and restart (or reload) the affected service. Uncommitted changes live only under /tmp/.uci and are lost on reboot.
Below is an extension of the initialisation script that adds IPv6 disabling, firewall default policies and MSS clamping. One run of the script then completes the basic network, Wi-Fi, firewall and DHCP/DNS setup and tightens the firewall policy at the same time.
🔒 Extended initialisation script
Save as /root/init_setup.sh and run it:
```bash
#!/bin/sh
# Initialise OpenWrt 22.03.5 basic configuration + security extensions
set -e
### 1. LAN
uci set network.lan.ipaddr='192.168.10.1'
uci set network.lan.netmask='255.255.255.0'
uci commit network
### 2. DHCP
uci set dhcp.lan.start='100'
uci set dhcp.lan.limit='150'
uci set dhcp.lan.leasetime='12h'
uci commit dhcp
### 3. DNS
uci set network.lan.dns='8.8.8.8 1.1.1.1'
uci commit network
### 4. Wi-Fi
uci set wireless.radio0.disabled='0'
uci set wireless.default_radio0.ssid='MyWiFi'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='mypassword'    # placeholder: replace with a strong passphrase
uci commit wireless
### 5. Firewall port forward (example: external 8080 → internal 80)
uci add firewall redirect
uci set firewall.@redirect[-1].name='web-8080'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='192.168.10.100'
uci set firewall.@redirect[-1].dest_port='80'
uci commit firewall
### 6. Disable IPv6
# Stop delegating a prefix to lan, park the wan6 interface, and stop odhcpd
# from sending router advertisements / DHCPv6 on lan.
uci -q delete network.lan.ip6assign || true
uci set network.wan6=interface            # section type is 'interface', not 'network.wan6'
uci set network.wan6.proto='none'
uci set network.wan6.auto='0'
uci set dhcp.lan.ra='disabled'
uci set dhcp.lan.dhcpv6='disabled'
uci commit network
uci commit dhcp
### 7. Firewall default policies
# These apply only to traffic that matches no zone; the wan zone's own
# input/forward (REJECT in the stock config) is what shields the router from the internet.
uci set firewall.@defaults[0].input='ACCEPT'
uci set firewall.@defaults[0].output='ACCEPT'
uci set firewall.@defaults[0].forward='DROP'
uci set firewall.@defaults[0].drop_invalid='1'
uci set firewall.@defaults[0].synflood_protect='1'
uci commit firewall
### 8. MSS clamping (avoids PPPoE/tunnel MTU problems)
# fw4 has no TCPMSS rule target; clamping is a per-zone option.
# @zone[1] is the wan zone in the stock config (verify: uci show firewall | grep name)
uci set firewall.@zone[1].mtu_fix='1'
uci commit firewall
### 9. Apply
/etc/init.d/network restart
/etc/init.d/odhcpd restart
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
wifi reload
```
🛡️ Configuration notes
- IPv6 disabled: the router no longer advertises or delegates IPv6 on the LAN and does not bring up wan6, so clients stop acquiring IPv6 addresses and that exposure goes away. If your ISP provides IPv6 and you want it, skip step 6: the stock firewall applies the same zone policy to IPv6 as to IPv4.
- Firewall default policies:
  - input=ACCEPT → traffic to the router itself from an interface that belongs to no zone is accepted
  - output=ACCEPT → traffic originating from the router is allowed
  - forward=DROP → traffic between interfaces that no zone rule covers is silently dropped
  These defaults only govern traffic that matches no zone. What actually protects the router from the internet is the wan zone's own input=REJECT and forward=REJECT, which the stock config already sets; confirm them with uci show firewall.@zone[1] before trusting the result. drop_invalid discards packets that belong to no tracked connection, and synflood_protect rate-limits incoming SYNs.
- MSS clamping: mtu_fix='1' on the wan zone rewrites the MSS of TCP SYNs to fit the path MTU, preventing the stalled connections that PPPoE and tunnels cause when the effective MTU is below 1500. A firewall rule with target TCPMSS, as older how-tos show, is not a valid fw4 rule target and is ignored.
After running the script the router has a complete LAN, Wi-Fi, firewall and DHCP/DNS configuration, with IPv6 disabled, the firewall defaults tightened and MSS clamping enabled.
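Since the defaults section says little about what the WAN actually allows, the sensible last step is to audit the committed configuration rather than the script that produced it. The following added example (not code from the original page) parses the output of uci show firewall and flags a wan zone that accepts input or forwarding, missing masq or mtu_fix, defaults without drop_invalid/synflood_protect, redirects with no proto, and ACCEPT rules from wan to the router without a source restriction. The HIGH/WARN labels and the sample dump are this example's own constructions, not OpenWrt output.

```shell
#!/bin/sh
# Added example, not from the original page: audit the effective firewall config
# by parsing the output of 'uci show firewall'. The checks and the HIGH/WARN labels
# are this example's own choices; the sample dump below is constructed.

# audit_firewall < dump -> prints findings; exit 1 if any HIGH finding, else 0
audit_firewall() {
    awk -v q="'" '
    # firewall.@zone[1].input=REJECT (quotes stripped) -> o["@zone[1]", "input"] = "REJECT"
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        sub(/^firewall\./, "", key)
        gsub("^" q "|" q "$", "", val)
        n = split(key, p, "[.]")
        if (n == 1) { type[key] = val; order[++nsec] = key; next }   # section line
        o[p[1], p[2]] = val                                           # option line
    }
    END {
        high = 0
        for (i = 1; i <= nsec; i++) {
            s = order[i]
            if (type[s] == "zone" && o[s, "name"] == "wan") {
                if (o[s, "input"] == "ACCEPT")   { print "HIGH: wan zone input=ACCEPT, router services exposed to the internet"; high++ }
                if (o[s, "forward"] == "ACCEPT") { print "HIGH: wan zone forward=ACCEPT"; high++ }
                if (o[s, "masq"] != "1")         print "WARN: wan zone masq not set"
                if (o[s, "mtu_fix"] != "1")      print "WARN: wan zone mtu_fix not set (no MSS clamping)"
            }
            if (type[s] == "defaults") {
                if (o[s, "forward"] == "ACCEPT")     { print "HIGH: defaults forward=ACCEPT"; high++ }
                if (o[s, "drop_invalid"] != "1")     print "WARN: defaults drop_invalid not set"
                if (o[s, "synflood_protect"] != "1") print "WARN: defaults synflood_protect not set"
            }
            if (type[s] == "redirect" && o[s, "src"] == "wan" && o[s, "proto"] == "")
                print "WARN: redirect " s " has no proto, forwards tcp and udp"
            if (type[s] == "rule" && o[s, "src"] == "wan" && o[s, "dest"] == "" &&
                o[s, "target"] == "ACCEPT" && o[s, "src_ip"] == "") {
                print "HIGH: rule " s " accepts " o[s, "proto"] "/" o[s, "dest_port"] " to the router from any WAN address"
                high++
            }
        }
        exit (high > 0)
    }'
}

# Constructed sample of 'uci show firewall' output with several weaknesses
sample_dump() {
    cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='DROP'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='8080'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.10.100'
firewall.@redirect[0].dest_port='80'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-SSH-WAN'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='22'
firewall.@rule[0].target='ACCEPT'
EOF
}

# Usage:  sh fw_audit.sh live   (on the router)      sh fw_audit.sh demo   (sample dump)
case ${1:-} in
    live) uci show firewall | audit_firewall ;;
    demo) sample_dump | audit_firewall ;;
esac
```

The sample dump reports two HIGH findings (wan input=ACCEPT and the unrestricted SSH rule) and four warnings; run the live mode right after the init script and fix anything marked HIGH before plugging in the WAN cable. The parser only uses awk and POSIX sh, so it runs unchanged on the router's busybox.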