View previous topic :: View next topic |
Author |
Message |
Wakko n00b
Joined: 04 Nov 2003 Posts: 6 Location: Saint-Petersburg, Russia
|
Posted: Tue Nov 03, 2009 8:15 am Post subject: Dual WAN |
|
|
Добрый день!
Имеется маленький домашний сервачёк с 3-мя сетевыми картам: eth0 (локалка), eth1 (провайдер №1, витая пара), eth2 (провайдер №2, через этот интерфейс бегает PPPoE, соответственно wan2 будет ppp0, а не eth2).
1. Вот содержимое файла /etc/conf.d/net:
Code: | # /etc/conf.d/net
# http://dev.gentoo.org/~robbat2/conf.d-net/dualhomed-manual-failover.txt
# General settings
modules=( "iproute2" )
peer_dns="no"
peer_nis="no"
peer_ntp="no"
# DNS settings
dns_domain=( "acmelabs.spb.ru" )
dns_search=( "acmelabs.spb.ru localdomain" )
dns_servers=( "127.0.0.1 195.19.225.253 195.19.225.254" )
# LAN Link: eth0
config_eth0=( "192.168.255.1/24" )
routes_eth0=(
"from all to 192.168.255.0/24 table localnet"
)
# WAN Links: eth1+eth2+ppp0
config_eth1=( "85.249.167.139/24" )
config_eth2=( "null" )
config_ppp0=( "ppp" )
link_ppp0="eth2"
plugins_ppp0=( "pppoe" )
pppd_ppp0=(
"nodefaultroute"
"persist"
)
username_ppp0="ptn"
password_ppp0="ptn"
RC_NEED_ppp0="net.eth2"
# Now the fun stuff. All of these netblocks belong to the ISP of WAN links.
# These are the two WAN addresses of the box used in the from statement.
# Traffic from either of them to the LAN gets priority 100, and matches the
# localnet table.
# In general, they are not reachable from the other ISP,
# because they are stuff like internal DNS and email
# servers.
# The from rule at the start says any traffic from a server
# that has bound to that external IP should go out of the
# interface.
# The 'from all' rule on the end is for failover.
# blocks for internet_cable
# Cifracom
# ASxxxxx Cifracom local Autonomous System
# AS41025 CIFRA-AS Limited company Betacom www.cifracom.ru
# 85.249.160.0/20 85.249.160.1 .. 85.249.175.255
# 195.189.80.0/22 195.189.80.1 .. 195.189.83.255
# AS24739 SEVEREN-TELECOM Autonomous System St.Petersburg, Russia
# 79.99.104.0/21 79.99.104.1 .. 79.99.111.255
# 81.23.96.0/19 81.23.96.1 .. 81.23.127.255
# 81.24.112.0/20 81.24.112.1 .. 81.24.127.255
# 93.174.240.0/21 93.174.240.1 .. 93.174.247.255
# 193.186.162.0/24 193.186.162.1 .. 193.186.162.255
# 217.197.224.0/20 217.197.224.1 .. 217.197.239.255
# AS20597 ELTEL-AS ELTEL.NET Autonomous System
# 81.9.0.0/20 81.9.0.1 .. 81.9.15.255
# 81.9.32.0/20 81.9.32.1 .. 81.9.47.255
# 81.9.96.0/20 81.9.96.1 .. 81.9.111.255
# 81.222.128.0/20 81.222.128.1 .. 81.222.143.255
# 81.222.192.0/18 81.222.192.1 .. 81.222.255.255
# 85.249.8.0/21 85.249.8.1 .. 85.249.15.255
# 85.249.224.0/19 85.249.224.1 .. 85.249.255.255
# 89.112.0.0/19 89.112.0.1 .. 89.112.31.255
# 89.112.32.0/19 89.112.32.1 .. 89.112.63.255
# 89.112.64.0/19 89.112.64.1 .. 89.112.95.255
# 89.112.96.0/21 89.112.96.1 .. 89.112.103.255
# 89.112.104.0/21 89.112.104.1 .. 89.112.111.255
# 92.53.104.0/22 92.53.104.1 .. 92.53.107.255
# 217.170.64.0/20 217.170.64.1 .. 217.170.79.255
# 217.170.80.0/20 217.170.80.1 .. 217.170.95.255
rules_eth1=(
"from 85.249.167.139/32 to 192.168.255.0/24 table localnet priority 100"
"from 85.249.167.139/32 table internet_cable priority 500"
"to 10.4.0.0/16 table internet_cable priority 525"
"to 10.10.0.0/16 table internet_cable priority 525"
"to 10.11.0.0/16 table internet_cable priority 525"
"to 10.12.0.0/16 table internet_cable priority 525"
"to 10.16.0.0/16 table internet_cable priority 525"
"to 10.32.0.0/16 table internet_cable priority 525"
"to 10.255.0.0/16 table internet_cable priority 525"
"to 172.16.0.0/12 table internet_cable priority 525"
"to 192.168.16.0/21 table internet_cable priority 525"
"to 192.168.24.0/21 table internet_cable priority 525"
"to 192.168.32.0/21 table internet_cable priority 525"
"to 192.168.40.0/21 table internet_cable priority 525"
"to 192.168.48.0/21 table internet_cable priority 525"
"to 192.168.56.0/21 table internet_cable priority 525"
"to 192.168.64.0/21 table internet_cable priority 525"
"to 192.168.72.0/21 table internet_cable priority 525"
"to 192.168.80.0/21 table internet_cable priority 525"
"to 192.168.88.0/21 table internet_cable priority 525"
"to 192.168.96.0/21 table internet_cable priority 525"
"to 192.168.104.0/21 table internet_cable priority 525"
"to 192.168.112.0/21 table internet_cable priority 525"
"to 192.168.120.0/21 table internet_cable priority 525"
"to 192.168.128.0/21 table internet_cable priority 525"
"to 192.168.136.0/21 table internet_cable priority 525"
"to 192.168.144.0/21 table internet_cable priority 525"
"to 192.168.152.0/21 table internet_cable priority 525"
"to 192.168.160.0/21 table internet_cable priority 525"
"to 192.168.168.0/21 table internet_cable priority 525"
"to 192.168.176.0/21 table internet_cable priority 525"
"to 192.168.184.0/21 table internet_cable priority 525"
"to 192.168.192.0/21 table internet_cable priority 525"
"to 192.168.200.0/21 table internet_cable priority 525"
"to 192.168.216.0/21 table internet_cable priority 525"
"to 192.168.224.0/21 table internet_cable priority 525"
"to 192.168.232.0/21 table internet_cable priority 525"
"to 192.168.240.0/21 table internet_cable priority 525"
# "to 192.168.248.0/21 table internet_cable priority 525"
"to 85.249.160.0/20 table internet_cable priority 550"
"to 195.189.80.0/22 table internet_cable priority 550"
"to 79.99.104.0/21 table internet_cable priority 550"
"to 81.23.96.0/19 table internet_cable priority 550"
"to 81.24.112.0/20 table internet_cable priority 550"
"to 93.174.240.0/21 table internet_cable priority 550"
"to 193.186.162.0/24 table internet_cable priority 550"
"to 217.197.224.0/20 table internet_cable priority 550"
"to 81.9.0.0/20 table internet_cable priority 550"
"to 81.9.32.0/20 table internet_cable priority 550"
"to 81.9.96.0/20 table internet_cable priority 550"
"to 81.222.128.0/20 table internet_cable priority 550"
"to 81.222.192.0/18 table internet_cable priority 550"
"to 85.249.8.0/21 table internet_cable priority 550"
"to 85.249.224.0/19 table internet_cable priority 550"
"to 89.112.0.0/19 table internet_cable priority 550"
"to 89.112.32.0/19 table internet_cable priority 550"
"to 89.112.64.0/19 table internet_cable priority 550"
"to 89.112.96.0/21 table internet_cable priority 550"
"to 89.112.104.0/21 table internet_cable priority 550"
"to 92.53.104.0/22 table internet_cable priority 550"
"to 217.170.64.0/20 table internet_cable priority 550"
"to 217.170.80.0/20 table internet_cable priority 550"
"from all table internet_cable priority 40000" # send all other traffic via this
)
# The 85.249.167.0/24 and 192.168.40.0/21 netblocks is directly connected.
# We specify the gateway for this interface with the 'table internet_cable' suffix.
routes_eth1=(
"85.249.167.0/24 dev eth1 table internet_cable scope link" # non-gw stuff
"192.168.40.0/21 dev eth1 table internet_cable scope link" # non-gw stuff
"default via 85.249.167.1 table internet_cable"
)
# blocks for internet_dsl
# PTN
# AS8997 ASN-SPBNIT OJSC North-West Telecom Autonomous System St.Petersburg, Russia
# 78.36.0.0/15 78.36.0.1 .. 78.37.255.255
# 80.88.48.0/20 80.88.48.1 .. 80.88.63.255
# 89.110.0.0/18 89.110.0.1 .. 89.110.63.255
# 91.122.0.0/16 91.122.0.1 .. 91.122.255.255
# 92.100.0.0/15 92.100.0.1 .. 92.101.255.255
# 95.52.0.0/14 95.52.0.1 .. 95.55.255.255
# 212.48.192.0/19 212.48.192.1 .. 212.48.223.255
# 213.158.0.0/19 213.158.0.1 .. 213.158.223.255
rules_ppp0=(
"from 95.55.255.255/32 to 192.168.255.0/24 table localnet priority 100"
"from 95.55.255.255/32 table internet_dsl priority 600"
"to 78.36.0.0/15 table internet_dsl priority 650"
"to 80.88.48.0/20 table internet_dsl priority 650"
"to 89.110.0.0/18 table internet_dsl priority 650"
"to 91.122.0.0/16 table internet_dsl priority 650"
"to 92.100.0.0/15 table internet_dsl priority 650"
"to 95.52.0.0/14 table internet_dsl priority 650"
"to 212.48.192.0/19 table internet_dsl priority 650"
"to 213.158.0.0/19 table internet_dsl priority 650"
"from all table internet_dsl priority 41000" # needed for internet_cable failure
)
routes_ppp0=(
"default via 95.55.16.1 table internet_dsl"
)
# Now some fun functionality.
# This flushes the Linux route cache
# It is important on failover to do this
# otherwise traffic might try an old route for a while.
flush_route_cache() {
ebegin "Flushing route cache for ${IFACE}"
ip route flush cache dev ${IFACE}
ret=$?
eend $ret
return $ret
}
# This will take a rules array, and process it.
ip_rule_runner() {
cmd="$1"
case ${IFACE} in
ppp0) rules=( "${rules_ppp0[@]}" ) ;;
eth1) rules=( "${rules_eth1[@]}" ) ;;
esac
max=$((${#rules[@]} - 1))
cmd="ip rule ${cmd}"
for ln in `seq 0 $max`; do
ebegin " ${cmd} ${rules[$ln]}"
${cmd} ${rules[$ln]}
eend $?
done
}
postup() {
einfo "Adding rules"
ip_rule_runner add
flush_route_cache
}
predown() {
einfo "Removing rules"
ip_rule_runner del
flush_route_cache
} |
Пока на 2-м wan'е используется динамический IP, поэтому пришлось в /etc/conf.d/local.start прописать маленькую заплатку:
Code: | LAN_TB=localnet
LAN_IF=eth0
LAN_NET=192.168.255.0/24
WAN2_TB=internet_dsl
WAN2_IF=ppp0
WAN2_IP=`/sbin/ifconfig $WAN2_IF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
ip rule del from 95.55.255.255/32 to ${LAN_NET} table ${LAN_TB} priority 100
ip rule add from ${WAN2_IP} to ${LAN_NET} table ${LAN_TB} priority 100
ip rule del from 95.55.255.255/32 table ${WAN2_TB} priority 600
ip rule add from ${WAN2_IP} table ${WAN2_TB} priority 600 |
Когда IP станет статическим - заплатку уберу, а в /etc/conf.d/net - IP-адрес заменю с 95.55.255.255/32 на настоящий, соответственно.
Плюсы:- Оба WAN'а нормально работают;
- Разные подсети разрулены по разным провайдерам;
- Если вручную гасим один из внешних интерфейсов - всё продолжает работать как и работало.
Минусы:- Нет автоматической защиты от того что Интернет может "умереть" на одном из провайдеров, соответственно если умрёт первый - останутся жить только подсети второго, если умрёт второй - останется жить всё, кроме подсетей второго;
- По большому счёту используется только первый провайдер, на второй просто зароутены несколько подсетей, т.е. никакой балансировки.
2. IPTABLES:
Code: | # /etc/conf.d/local.start
#----------
LO_IF=lo
LO_NET=127.0.0.0/8
#----------
LAN_TB=localnet
LAN_IF=eth0
LAN_NET=192.168.255.0/24
#----------
WAN1_TB=internet_cable
WAN1_IF=eth1
WAN1_IP=`/sbin/ifconfig $WAN1_IF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
WAN1_GW=85.249.167.1
#----------
WAN2_TB=internet_dsl
WAN2_IF=ppp0
WAN2_IP=`/sbin/ifconfig $WAN2_IF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
WAN2_GW=`/sbin/ifconfig $WAN2_IF | grep 'P-t-P:' | cut -d: -f3 | awk '{ print $1}'`
#----------
# Firewall & kernel modules for NAT...
for ModuleName in "nf_nat nf_nat_ftp nf_nat_pptp nf_nat_proto_gre"; do
modprobe $ModuleName
done
# Firewall & masquerading rules...
IPTABLES=/sbin/iptables
# First we flush our current rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Setup default policies to handle unmatched traffic
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Then we lock our services so they only work from the LAN
$IPTABLES -I INPUT 1 -i lo -j ACCEPT
$IPTABLES -I INPUT 1 -i ${LAN_IF} -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps ! -i ${LAN_IF} -j REJECT
# Multicast rules
$IPTABLES -A INPUT -p IGMP -j ACCEPT
$IPTABLES -A OUTPUT -p IGMP -j ACCEPT
$IPTABLES -A INPUT -d 224.0.0.0/4 -j ACCEPT
$IPTABLES -A FORWARD -d 224.0.0.0/4 -j ACCEPT
# Allow access to our services from the WANs
# --- SSH ---
$IPTABLES -A INPUT -p TCP --dport 22 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 22 -i ${WAN2_IF} -j ACCEPT
# --- DNS ---
$IPTABLES -A INPUT -p TCP --dport 53 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 53 -i ${WAN2_IF} -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 53 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 53 -i ${WAN2_IF} -j ACCEPT
# --- FTP ---
$IPTABLES -A INPUT -p TCP --dport 21 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 21 -i ${WAN2_IF} -j ACCEPT
# --- SMTP ---
$IPTABLES -A INPUT -p TCP --dport 25 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 25 -i ${WAN2_IF} -j ACCEPT
# --- SMTPs ---
$IPTABLES -A INPUT -p TCP --dport 465 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 465 -i ${WAN2_IF} -j ACCEPT
# --- IMAP ---
$IPTABLES -A INPUT -p TCP --dport 143 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 143 -i ${WAN2_IF} -j ACCEPT
# --- IMAPs ---
$IPTABLES -A INPUT -p TCP --dport 993 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 993 -i ${WAN2_IF} -j ACCEPT
# --- HTTP ---
$IPTABLES -A INPUT -p TCP --dport 80 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 80 -i ${WAN2_IF} -j ACCEPT
# --- HTTPs ---
$IPTABLES -A INPUT -p TCP --dport 443 -i ${WAN1_IF} -j ACCEPT
$IPTABLES -A INPUT -p TCP --dport 443 -i ${WAN2_IF} -j ACCEPT
# --- VMware ---
$IPTABLES -A INPUT -p TCP --dport 902 -i ppp1 -j ACCEPT
# uTorrent port forwarding
$IPTABLES -t nat -A PREROUTING -p TCP --dport 46138 -i ${WAN1_IF} -j DNAT --to 192.168.255.12
$IPTABLES -t nat -A PREROUTING -p TCP --dport 46138 -i ${WAN2_IF} -j DNAT --to 192.168.255.12
# Drop TCP / UDP packets to privileged ports
$IPTABLES -A INPUT -p TCP ! -i ${LAN_IF} -d 0/0 --dport 0:1023 -j DROP
$IPTABLES -A INPUT -p UDP ! -i ${LAN_IF} -d 0/0 --dport 0:1023 -j DROP
# Finally we add the rules for NAT
$IPTABLES -I FORWARD -i ${LAN_IF} -d ${LAN_NET} -j DROP
$IPTABLES -A FORWARD -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
$IPTABLES -A FORWARD -i ${WAN1_IF} -d ${LAN_NET} -j ACCEPT
$IPTABLES -A FORWARD -i ${WAN2_IF} -d ${LAN_NET} -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o ${WAN1_IF} -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ${WAN2_IF} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $f ; done | Вроде бы всё работает - инет в локалку нормально раздаётся, порты куда нужно пробрасываются, но если вооружиться tcpdump'ом, то видно что иногда в интерфейс первого провайдера летят пакеты с обратным адресом от второго, и наоборот, например можно увидеть такое:
Code: | yakko:~# tcpdump host 85.249.167.139 -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
11:11:20.108165 IP 85.249.167.139.46138 > 95.54.66.97.52500: S 3748034580:3748034580(0) ack 1343464602 win 16384 <mss 1460,[|tcp]>
11:11:22.853437 IP 85.249.167.139.46138 > 95.54.66.97.52500: S 3748034580:3748034580(0) ack 1343464602 win 16384 <mss 1460,[|tcp]>
11:11:28.891076 IP 85.249.167.139.46138 > 95.54.66.97.52500: S 3748034580:3748034580(0) ack 1343464602 win 16384 <mss 1460,[|tcp]> |
Т.е. всё почти правильно, пакеты направляемые на 95.54.66.97 должны лететь через ppp0, но почему подставляется внешний адрес с другого интерфейса?
Аналогичное можно увидеть и на другом интерфейсе, при чём это пакеты, так или иначе связанные с Torrent'ом, всё остальное работает хорошо.
Как это побороть? _________________ \\Sincerely yours, Wakko |
|
Back to top |
|
|
_Sir_ Guru
Joined: 17 Jan 2005 Posts: 337 Location: Russia, Togliatti
|
Posted: Mon Jan 11, 2010 10:56 pm Post subject: |
|
|
Слегка не в тему, но я бы поробовал поставить там MikroTik. _________________ (Sir) * Life is placeholder for Love * |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|