N1盒子作为旁路由 + esim 4G模块实现主路由国内外IP分流走不同网口

waving

硬件：N1盒子（f大的openwrt）、移远4G模块+USB开发板+天线+ESIM白卡




插入USB 4G模块后，先进行4G模块初始化，在openwrt接口处添加接口，QMI协议，调制器选正确。APN我因为是redteago，所以填的是mobile.three.com.hk

确保4G模块正常上网：

1. root@OpenWrt:~# curl -s --interface wwan0 https://myip.ipip.net
   
2. 当前 IP：123.136.X.X  来自于：中国 香港   移动
   
3. root@OpenWrt:~#

复制代码

简化脚本：

192.168.101.1是我N1作为旁路由的上级路由IP地址

wwan0是4G模块的接口

1. cat > /etc/init.d/ip-split << 'EOF'
   
2. #!/bin/sh /etc/rc.common
   
3. 
   
4. START=99
   
5. STOP=10
   
6. 
   
7. LAN_DEV="eth0"
   
8. LAN_GW="192.168.101.1"
   
9. MODEM_DEV="wwan0"
   
10. 
    
11. CN_IP_URL="https://ispip.clang.cn/all_cn.txt"
    
12. CN_IP_FILE="/etc/ip-split/china.txt"
    
13. IPSET_NAME="cn_split"
    
14. 
    
15. start() {
    
16.     echo "Starting IP split routing..."
    
17.     mkdir -p /etc/ip-split
    
18.    
    
19.     # 1. 下载IP列表
    
20.     echo "Downloading China IP list..."
    
21.     curl -fsL --connect-timeout 10 --max-time 30 "$CN_IP_URL" -o "$CN_IP_FILE.tmp" 2>/dev/null
    
22.     if [ -f "$CN_IP_FILE.tmp" ]; then
    
23.         line_count=$(wc -l < "$CN_IP_FILE.tmp")
    
24.         [ "$line_count" -gt 1000 ] && mv "$CN_IP_FILE.tmp" "$CN_IP_FILE" || rm -f "$CN_IP_FILE.tmp"
    
25.     fi
    
26.    
    
27.     if [ ! -f "$CN_IP_FILE" ]; then
    
28.         echo "Error: No IP list available"
    
29.         exit 1
    
30.     fi
    
31.    
    
32.     # 2. 创建ipset
    
33.     echo "Creating ipset..."
    
34.     ipset destroy $IPSET_NAME 2>/dev/null || true
    
35.     ipset create $IPSET_NAME hash:net maxelem 100000
    
36.    
    
37.     while read ip; do
    
38.         [ -z "$ip" ] && continue
    
39.         echo "$ip" | grep -q "^#" && continue
    
40.         ipset add $IPSET_NAME $ip 2>/dev/null
    
41.     done < "$CN_IP_FILE"
    
42.    
    
43.     # 添加局域网段
    
44.     ipset add $IPSET_NAME 192.168.0.0/16 2>/dev/null || true
    
45.     ipset add $IPSET_NAME 10.0.0.0/8 2>/dev/null || true
    
46.     ipset add $IPSET_NAME 172.16.0.0/12 2>/dev/null || true
    
47.    
    
48.     # 3. 配置路由表
    
49.     echo "Configuring routes..."
    
50.     ip route flush table 100 2>/dev/null || true
    
51.     ip route add default dev $MODEM_DEV table 100
    
52.    
    
53.     ip route flush table 200 2>/dev/null || true
    
54.     ip route add default via $LAN_GW dev $LAN_DEV table 200
    
55.    
    
56.     # 4. 配置路由规则
    
57.     ip rule del fwmark 0x1 table 100 2>/dev/null || true
    
58.     ip rule del fwmark 0x2 table 200 2>/dev/null || true
    
59.     ip rule add fwmark 0x1 table 100 priority 100
    
60.     ip rule add fwmark 0x2 table 200 priority 200
    
61.    
    
62.     # 5. 配置流量分流
    
63.     echo "Configuring traffic split..."
    
64.     iptables -t mangle -D PREROUTING -i $LAN_DEV -m set --match-set $IPSET_NAME dst -j MARK --set-mark 0x2 2>/dev/null || true
    
65.     iptables -t mangle -D PREROUTING -i $LAN_DEV -m set ! --match-set $IPSET_NAME dst -j MARK --set-mark 0x1 2>/dev/null || true
    
66.    
    
67.     # 先国内后国外
    
68.     iptables -t mangle -A PREROUTING -i $LAN_DEV -m set --match-set $IPSET_NAME dst -j MARK --set-mark 0x2
    
69.     iptables -t mangle -A PREROUTING -i $LAN_DEV -m set ! --match-set $IPSET_NAME dst -j MARK --set-mark 0x1
    
70.    
    
71.     # 6. NAT
    
72.     iptables -t nat -A POSTROUTING -o $LAN_DEV -j MASQUERADE 2>/dev/null || true
    
73.     iptables -t nat -A POSTROUTING -o $MODEM_DEV -j MASQUERADE 2>/dev/null || true
    
74.    
    
75.     # 7. IP转发
    
76.     echo 1 > /proc/sys/net/ipv4/ip_forward
    
77.    
    
78.     echo "Done!"
    
79. }
    
80. 
    
81. stop() {
    
82.     echo "Stopping..."
    
83.     iptables -t mangle -D PREROUTING -i $LAN_DEV -m set --match-set $IPSET_NAME dst -j MARK --set-mark 0x2 2>/dev/null || true
    
84.     iptables -t mangle -D PREROUTING -i $LAN_DEV -m set ! --match-set $IPSET_NAME dst -j MARK --set-mark 0x1 2>/dev/null || true
    
85.    
    
86.     ip rule del fwmark 0x1 table 100 2>/dev/null || true
    
87.     ip rule del fwmark 0x2 table 200 2>/dev/null || true
    
88.    
    
89.     ip route flush table 100 2>/dev/null || true
    
90.     ip route flush table 200 2>/dev/null || true
    
91.    
    
92.     ipset destroy $IPSET_NAME 2>/dev/null || true
    
93.     echo "Stopped!"
    
94. }
    
95. 
    
96. restart() {
    
97.     stop
    
98.     sleep 1
    
99.     start
    
100. }
     
101. EOF
     
102. 
     
103. chmod +x /etc/init.d/ip-split

复制代码

DNS如果被污染劫持，可以使用smartDNS

1. # 安装smartdns
   
2. opkg update
   
3. opkg install smartdns
   
4. 
   
5. # 配置smartdns分流
   
6. cat > /etc/smartdns/smartdns.conf << 'EOF'
   
7. # 监听端口
   
8. bind :53
   
9. 
   
10. # 国内DNS（用于国内域名）
    
11. server 223.5.5.5 -group china
    
12. server 114.114.114.114 -group china
    
13. 
    
14. # 国外DNS（通过4G查询）
    
15. server 8.8.8.8 -group overseas -exclude-default-group
    
16. server 1.1.1.1 -group overseas -exclude-default-group
    
17. 
    
18. # 国内域名用国内DNS
    
19. nameserver /cn/china
    
20. nameserver /baidu.com/china
    
21. nameserver /alibaba.com/china
    
22. 
    
23. # 默认用国外DNS（防止污染）
    
24. server 8.8.8.8
    
25. server 1.1.1.1
    
26. 
    
27. # 缓存
    
28. cache-size 512
    
29. EOF
    
30. 
    
31. # 启动smartdns
    
32. /etc/init.d/smartdns enable
    
33. /etc/init.d/smartdns start
    
34. 
    
35. # 让dnsmasq转发到smartdns
    
36. uci set dhcp.@dnsmasq[0].port=5353
    
37. uci set dhcp.@dnsmasq[0].server='127.0.0.1#53'
    
38. uci commit dhcp
    
39. /etc/init.d/dnsmasq restart

复制代码

1. # 创建custom.conf实现域名分流
   
2. cat > /etc/smartdns/custom.conf << 'EOF'
   
3. # ========== 国内域名使用国内DNS ==========
   
4. nameserver /cn/china
   
5. nameserver /baidu.com/china
   
6. nameserver /alicdn.com/china
   
7. nameserver /aliyun.com/china
   
8. nameserver /alipay.com/china
   
9. nameserver /alibaba.com/china
   
10. nameserver /qq.com/china
    
11. nameserver /tencent.com/china
    
12. nameserver /weixin.com/china
    
13. nameserver /wechat.com/china
    
14. nameserver /bilibili.com/china
    
15. nameserver /bdstatic.com/china
    
16. nameserver /bdimg.com/china
    
17. nameserver /sina.com/china
    
18. nameserver /weibo.com/china
    
19. nameserver /douban.com/china
    
20. nameserver /zhihu.com/china
    
21. nameserver /jianshu.com/china
    
22. nameserver /csdn.net/china
    
23. nameserver /oschina.net/china
    
24. nameserver /cnblogs.com/china
    
25. nameserver /aliyuncs.com/china
    
26. nameserver /tencentcloud.com/china
    
27. nameserver /qcloud.com/china
    
28. nameserver /myqcloud.com/china
    
29. nameserver /126.net/china
    
30. nameserver /163.com/china
    
31. nameserver /netease.com/china
    
32. nameserver /jd.com/china
    
33. nameserver /taobao.com/china
    
34. nameserver /tmall.com/china
    
35. nameserver /alipayobjects.com/china
    
36. nameserver /mmstat.com/china
    
37. nameserver /cnzz.com/china
    
38. nameserver /iqiyi.com/china
    
39. nameserver /youku.com/china
    
40. nameserver /mgtv.com/china
    
41. nameserver /pptv.com/china
    
42. nameserver /le.com/china
    
43. nameserver /sohu.com/china
    
44. nameserver /sogou.com/china
    
45. nameserver /360.cn/china
    
46. nameserver /360.com/china
    
47. 
    
48. # ========== 强制国外域名使用国外DNS（防止污染）==========
    
49. # Google相关
    
50. nameserver /google.com/overseas
    
51. nameserver /googleapis.com/overseas
    
52. nameserver /googleusercontent.com/overseas
    
53. nameserver /googlevideo.com/overseas
    
54. nameserver /gstatic.com/overseas
    
55. nameserver /youtube.com/overseas
    
56. nameserver /ytimg.com/overseas
    
57. nameserver /ggpht.com/overseas
    
58. nameserver /withgoogle.com/overseas
    
59. nameserver /google-analytics.com/overseas
    
60. 
    
61. # Twitter/X相关
    
62. nameserver /twitter.com/overseas
    
63. nameserver /x.com/overseas
    
64. nameserver /twimg.com/overseas
    
65. nameserver /t.co/overseas
    
66. 
    
67. # Facebook/Meta相关
    
68. nameserver /facebook.com/overseas
    
69. nameserver /fbcdn.net/overseas
    
70. nameserver /instagram.com/overseas
    
71. nameserver /cdninstagram.com/overseas
    
72. nameserver /whatsapp.com/overseas
    
73. nameserver /fb.com/overseas
    
74. nameserver /messenger.com/overseas
    
75. 
    
76. # 其他国外常用
    
77. nameserver /github.com/overseas
    
78. nameserver /gitlab.com/overseas
    
79. nameserver /stackoverflow.com/overseas
    
80. nameserver /reddit.com/overseas
    
81. nameserver /medium.com/overseas
    
82. nameserver /wordpress.com/overseas
    
83. nameserver /blogspot.com/overseas
    
84. nameserver /tumblr.com/overseas
    
85. nameserver /pinterest.com/overseas
    
86. nameserver /linkedin.com/overseas
    
87. nameserver /netflix.com/overseas
    
88. nameserver /nflxvideo.net/overseas
    
89. nameserver /amazon.com/overseas
    
90. nameserver /aws.amazon.com/overseas
    
91. nameserver /cloudfront.net/overseas
    
92. nameserver /akamai.net/overseas
    
93. nameserver /fastly.net/overseas
    
94. nameserver /cloudflare.com/overseas
    
95. nameserver /cdn.cloudflare.net/overseas
    
96. 
    
97. # 新闻/媒体
    
98. nameserver /bbc.com/overseas
    
99. nameserver /bbc.co.uk/overseas
    
100. nameserver /cnn.com/overseas
     
101. nameserver /nytimes.com/overseas
     
102. nameserver /washingtonpost.com/overseas
     
103. nameserver /theguardian.com/overseas
     
104. nameserver /reuters.com/overseas
     
105. nameserver /apnews.com/overseas
     
106. nameserver /bloomberg.com/overseas
     
107. nameserver /wsj.com/overseas
     
108. nameserver /ft.com/overseas
     
109. nameserver /economist.com/overseas
     
110. 
     
111. # 科技
     
112. nameserver /apple.com/overseas
     
113. nameserver /icloud.com/overseas
     
114. nameserver /mzstatic.com/overseas
     
115. nameserver /microsoft.com/overseas
     
116. nameserver /windows.net/overseas
     
117. nameserver /office365.com/overseas
     
118. nameserver /live.com/overseas
     
119. nameserver /outlook.com/overseas
     
120. nameserver /skype.com/overseas
     
121. nameserver /dropbox.com/overseas
     
122. nameserver /dropboxapi.com/overseas
     
123. nameserver /onedrive.com/overseas
     
124. 
     
125. # 工具/服务
     
126. nameserver /wikipedia.org/overseas
     
127. nameserver /wikimedia.org/overseas
     
128. nameserver /wikimediafoundation.org/overseas
     
129. nameserver /archive.org/overseas
     
130. nameserver /archive.today/overseas
     
131. nameserver /duckduckgo.com/overseas
     
132. nameserver /startpage.com/overseas
     
133. 
     
134. # ========== 默认使用国外DNS（防止污染）==========
     
135. # 所有未匹配的域名使用默认DNS（8.8.8.8, 1.1.1.1）
     
136. EOF

复制代码

1. # 1. 在mangle表的OUTPUT链标记SmartDNS的DNS查询
   
2. iptables -t mangle -I OUTPUT 1 -p udp --dport 53 -m owner --cmd-owner smartdns -j MARK --set-mark 0x1
   
3. iptables -t mangle -I OUTPUT 2 -p tcp --dport 53 -m owner --cmd-owner smartdns -j MARK --set-mark 0x1
   
4. 
   
5. # 2. 所有发往8.8.8.8和1.1.1.1的流量都走4G
   
6. iptables -t mangle -I OUTPUT 1 -d 8.8.8.8 -j MARK --set-mark 0x1
   
7. iptables -t mangle -I OUTPUT 2 -d 8.8.4.4 -j MARK --set-mark 0x1
   
8. iptables -t mangle -I OUTPUT 3 -d 1.1.1.1 -j MARK --set-mark 0x1
   
9. iptables -t mangle -I OUTPUT 4 -d 1.0.0.1 -j MARK --set-mark 0x1

复制代码

1. # 修改smartdns配置，使用DoH/DoT
   
2. uci delete smartdns.@server[2] 2>/dev/null
   
3. uci delete smartdns.@server[3] 2>/dev/null
   
4. 
   
5. # 添加Google DoH
   
6. uci add smartdns server
   
7. uci set smartdns.@server[-1].enabled='1'
   
8. uci set smartdns.@server[-1].type='https'
   
9. uci set smartdns.@server[-1].ip='https://dns.google/dns-query'
   
10. uci set smartdns.@server[-1].host_name='dns.google'
    
11. uci set smartdns.@server[-1].no_check_certificate='0'
    
12. 
    
13. # 添加Cloudflare DoH  
    
14. uci add smartdns server
    
15. uci set smartdns.@server[-1].enabled='1'
    
16. uci set smartdns.@server[-1].type='https'
    
17. uci set smartdns.@server[-1].ip='https://cloudflare-dns.com/dns-query'
    
18. uci set smartdns.@server[-1].host_name='cloudflare-dns.com'
    
19. uci set smartdns.@server[-1].no_check_certificate='0'
    
20. 
    
21. uci commit smartdns
    
22. /etc/init.d/smartdns restart

复制代码

1. # 清除旧的DNS相关规则
   
2. iptables -t mangle -D OUTPUT -d 8.8.8.8 -j MARK --set-mark 0x1 2>/dev/null
   
3. iptables -t mangle -D OUTPUT -d 8.8.4.4 -j MARK --set-mark 0x1 2>/dev/null
   
4. iptables -t mangle -D OUTPUT -d 1.1.1.1 -j MARK --set-mark 0x1 2>/dev/null
   
5. iptables -t mangle -D OUTPUT -d 1.0.0.1 -j MARK --set-mark 0x1 2>/dev/null
   
6. 
   
7. # 添加规则：所有发往公共DNS的流量强制走4G
   
8. iptables -t mangle -I OUTPUT 1 -d 8.8.8.8 -j MARK --set-mark 0x1
   
9. iptables -t mangle -I OUTPUT 2 -d 8.8.4.4 -j MARK --set-mark 0x1
   
10. iptables -t mangle -I OUTPUT 3 -d 1.1.1.1 -j MARK --set-mark 0x1
    
11. iptables -t mangle -I OUTPUT 4 -d 1.0.0.1 -j MARK --set-mark 0x1
    
12. 
    
13. # 同时标记PREROUTING链（处理转发设备的DNS）
    
14. iptables -t mangle -D PREROUTING -p udp --dport 53 -j MARK --set-mark 0x1 2>/dev/null
    
15. iptables -t mangle -I PREROUTING 1 -p udp --dport 53 -j MARK --set-mark 0x1

复制代码

1. # 安装https支持（如果还没装）
   
2. opkg install libopenssl
   
3. 
   
4. # 配置DoH
   
5. uci delete smartdns.@server[0]
   
6. uci delete smartdns.@server[1]
   
7. 
   
8. # Google DoH
   
9. uci add smartdns server
   
10. uci set smartdns.@server[-1].enabled='1'
    
11. uci set smartdns.@server[-1].type='https'
    
12. uci set smartdns.@server[-1].ip='https://dns.google/dns-query'
    
13. uci set smartdns.@server[-1].host_name='dns.google'
    
14. 
    
15. # Cloudflare DoH
    
16. uci add smartdns server
    
17. uci set smartdns.@server[-1].enabled='1'
    
18. uci set smartdns.@server[-1].type='https'
    
19. uci set smartdns.@server[-1].ip='https://cloudflare-dns.com/dns-query'
    
20. uci set smartdns.@server[-1].host_name='cloudflare-dns.com'
    
21. 
    
22. uci commit smartdns
    
23. /etc/init.d/smartdns restart

复制代码

保存iptables规则

1. # 安装iptables-save工具（如果没有）
   
2. opkg install iptables-mod-extra
   
3. 
   
4. # 保存当前规则
   
5. iptables-save > /etc/iptables.rules
   
6. 
   
7. # 创建启动脚本自动加载
   
8. cat > /etc/init.d/iptables-restore << 'EOF'
   
9. #!/bin/sh /etc/rc.common
   
10. 
    
11. START=20
    
12. 
    
13. start() {
    
14.     [ -f /etc/iptables.rules ] && iptables-restore < /etc/iptables.rules
    
15. }
    
16. EOF
    
17. 
    
18. chmod +x /etc/init.d/iptables-restore
    
19. /etc/init.d/iptables-restore enable

复制代码

1. # 创建启动脚本
   
2. cat > /etc/init.d/route-rules << 'EOF'
   
3. #!/bin/sh /etc/rc.common
   
4. 
   
5. START=25
   
6. 
   
7. start() {
   
8.     # 等待网络就绪
   
9.     sleep 5
   
10.    
    
11.     # 添加路由规则
    
12.     ip rule del fwmark 0x1 table 100 2>/dev/null
    
13.     ip rule del fwmark 0x2 table 200 2>/dev/null
    
14.     ip rule add fwmark 0x1 table 100 priority 100
    
15.     ip rule add fwmark 0x2 table 200 priority 200
    
16.    
    
17.     # 添加路由表
    
18.     ip route flush table 100 2>/dev/null
    
19.     ip route add default dev wwan0 table 100
    
20.    
    
21.     ip route flush table 200 2>/dev/null
    
22.     ip route add default via 192.168.101.1 dev eth0 table 200
    
23.    
    
24.     # 重新添加iptables规则（确保）
    
25.     iptables -t mangle -D PREROUTING -i eth0 -m set --match-set cn_split dst -j MARK --set-mark 0x2 2>/dev/null
    
26.     iptables -t mangle -D PREROUTING -i eth0 -m set ! --match-set cn_split dst -j MARK --set-mark 0x1 2>/dev/null
    
27.     iptables -t mangle -A PREROUTING -i eth0 -m set --match-set cn_split dst -j MARK --set-mark 0x2
    
28.     iptables -t mangle -A PREROUTING -i eth0 -m set ! --match-set cn_split dst -j MARK --set-mark 0x1
    
29.    
    
30.     # DNS强制走4G
    
31.     iptables -t mangle -D OUTPUT -d 8.8.8.8 -j MARK --set-mark 0x1 2>/dev/null
    
32.     iptables -t mangle -D OUTPUT -d 8.8.4.4 -j MARK --set-mark 0x1 2>/dev/null
    
33.     iptables -t mangle -D OUTPUT -d 1.1.1.1 -j MARK --set-mark 0x1 2>/dev/null
    
34.     iptables -t mangle -I OUTPUT 1 -d 8.8.8.8 -j MARK --set-mark 0x1
    
35.     iptables -t mangle -I OUTPUT 2 -d 8.8.4.4 -j MARK --set-mark 0x1
    
36.     iptables -t mangle -I OUTPUT 3 -d 1.1.1.1 -j MARK --set-mark 0x1
    
37.    
    
38.     # NAT
    
39.     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null
    
40.     iptables -t nat -A POSTROUTING -o wwan0 -j MASQUERADE 2>/dev/null
    
41.    
    
42.     # IP转发
    
43.     echo 1 > /proc/sys/net/ipv4/ip_forward
    
44. }
    
45. EOF
    
46. 
    
47. chmod +x /etc/init.d/route-rules
    
48. /etc/init.d/route-rules enable

复制代码

1. # 启动分流（会自动下载最新IP列表）
   
2. /etc/init.d/ip-split start
   
3. 
   
4. # 查看状态
   
5. /etc/init.d/ip-split status
   
6. 
   
7. # 手动更新IP列表（不中断服务）
   
8. /etc/init.d/ip-split update
   
9. 
   
10. # 停止分流
    
11. /etc/init.d/ip-split stop
    
12. 
    
13. # 重启分流
    
14. /etc/init.d/ip-split restart
    
15. 
    
16. # 开机自启
    
17. /etc/init.d/ip-split enable

复制代码

coder_z

好方法，我本来也想整一个国外银行走esim，其他国外流量走梯子，谢谢楼主

enzur

ESIM流量够用吗，

waving

enzur 发表于 2026-3-24 15:26
ESIM流量够用吗，

还好，我用的少，月均20G，redteago的100G套餐能用5个月。

Zoeng

看起来很厉害，新手不懂操作啊😯

waving

Zoeng 发表于 2026-3-24 19:49
看起来很厉害，新手不懂操作啊😯

还有个更省流量的方法，通过smartDNS域名自动分流，指定的域名自动加入ipset，再通过iptables处理转发，后续有时间的话做个简单的流程