I am using a Linux-based router appliance (called Zeroshell), but this should be a generic Linux routing question.
The router machine has 4 NICs, named ETH0 to ETH3.
> ETH0 is on the actual LAN (subnet 192.168.241.0/24), IP 192.168.241.254
> ETH1 is on a WAN-connected router (subnet 192.168.1.0/24), IP 192.168.1.1, GW 192.168.1.254
> ETH2 is on another WAN-connected router (subnet 192.168.2.0/24), IP 192.168.2.1, GW 192.168.2.254
> ETH3 is on another LAN dedicated to guests (subnet 192.168.230.0/24), IP 192.168.230.254
The default gateway on the router is set to 192.168.2.254, so all outgoing traffic uses the second WAN connection (fibre), and NAT is enabled on both ETH1 and ETH2.
On the first WAN router, 192.168.1.1 is set as the DMZ.
On the second WAN router, 192.168.2.1 is set as the DMZ.
I have set up some port forwarding on port 80 of ETH1 and ETH2 to a machine located in the ETH0 subnet.
When connecting with a browser to the public IP of the second WAN, I get the website hosted on the internal machine.
When connecting with a browser to the public IP of the first WAN, the connection stalls.
I am fairly sure this has to do with the default gateway being set to the second WAN router, which makes all traffic be forwarded to it, even when it came in from the first WAN router.
So my question is: how do I configure the routing table on the router so that it can handle incoming connections from both WANs, forward them to the relevant LAN machine, and route the replies back to the correct WAN?
Edit:
Adding the routing table from the web server:
root@webserver:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:f1:03:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.241.23/24 brd 192.168.241.255 scope global eth0
valid_lft forever preferred_lft forever
root@webserver:/# ip route show
default via 192.168.241.254 dev eth0
10.8.0.0/24 via 192.168.241.21 dev eth0
192.168.240.0/24 via 192.168.241.21 dev eth0
192.168.241.0/24 dev eth0 proto kernel scope link src 192.168.241.23
Adding the routing table from the router:
root@rtr ~> ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 65536 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
3: ETH00: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc mq qlen 1000
link/ether 00:15:5d:f1:05:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.230.254/24 brd 192.168.230.255 scope global ETH00:00
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fef1:508/64 scope link
valid_lft forever preferred_lft forever
4: ETH01: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc mq qlen 1000
link/ether 00:15:5d:f1:05:09 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global ETH01:00
valid_lft forever preferred_lft forever
inet6 2a01:e35:2e74:9560:215:5dff:fef1:509/64 scope global dynamic
valid_lft 86156sec preferred_lft 86156sec
inet6 fe80::215:5dff:fef1:509/64 scope link
valid_lft forever preferred_lft forever
5: ETH02: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc mq qlen 1000
link/ether 00:15:5d:f1:05:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global ETH02:00
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fef1:50b/64 scope link
valid_lft forever preferred_lft forever
6: ETH03: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc mq qlen 1000
link/ether 00:15:5d:f1:05:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.241.254/24 brd 192.168.241.255 scope global ETH03:00
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fef1:50c/64 scope link
valid_lft forever preferred_lft forever
7: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noqueue
link/ether 9e:3d:6a:0e:65:39 brd ff:ff:ff:ff:ff:ff
inet 192.168.141.142/24 brd 192.168.141.255 scope global dummy0
valid_lft forever preferred_lft forever
8: dummy1: <BROADCAST,NOARP,UP,10000> mtu 1500 qdisc noqueue
link/ether ee:6e:6f:33:32:34 brd ff:ff:ff:ff:ff:ff
inet 192.168.142.142/32 brd 192.168.142.255 scope global dummy1
valid_lft forever preferred_lft forever
inet6 fe80::ec6e:6fff:fe33:3234/64 scope link
valid_lft forever preferred_lft forever
9: DEFAULTBR: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
link/ether 0a:61:ef:f2:09:80 brd ff:ff:ff:ff:ff:ff
10: VPN99: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 10 0
link/ether 1a:e8:0e:ee:78:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.250.254/24 brd 192.168.250.255 scope global VPN99:00
valid_lft forever preferred_lft forever
11: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 8e:65:6c:3d:76:e5 brd ff:ff:ff:ff:ff:ff
12: bond1: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 1e:34:34:54:8d:48 brd ff:ff:ff:ff:ff:ff
13: bond2: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 5a:bc:4c:86:83:dc brd ff:ff:ff:ff:ff:ff
14: bond3: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 6e:81:53:3e:0a:ff brd ff:ff:ff:ff:ff:ff
15: bond4: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 6a:35:c8:45:d1:ff brd ff:ff:ff:ff:ff:ff
16: bond5: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether ca:5d:10:21:02:30 brd ff:ff:ff:ff:ff:ff
17: bond6: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 82:60:85:97:d4:90 brd ff:ff:ff:ff:ff:ff
18: bond7: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether b6:fc:c9:a5:06:73 brd ff:ff:ff:ff:ff:ff
19: bond8: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether ce:75:5d:e5:7d:69 brd ff:ff:ff:ff:ff:ff
20: bond9: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop
link/ether 2e:ef:1e:89:26:1b brd ff:ff:ff:ff:ff:ff
root@rtr ~> ip route show
default via 192.168.1.254 dev ETH02
192.168.1.0/24 dev ETH02 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev ETH01 proto kernel scope link src 192.168.2.1
192.168.230.0/24 dev ETH00 proto kernel scope link src 192.168.230.254
192.168.240.0/24 via 192.168.241.21 dev ETH03
192.168.241.0/24 dev ETH03 proto kernel scope link src 192.168.241.254
192.168.250.0/24 dev VPN99 proto kernel scope link src 192.168.250.254
Solution:
The problem with this dual-homed setup is that return packets originating from the web server on the ETH0 network follow the default gateway, which is only correct for connections that came in through that interface. I have run into this myself.
The solution I used was to add an additional IP address to the web server on the ETH0 network (I'll assume 192.168.241.24) and use it as the DNAT target for connections coming in through the second WAN interface. Then add a routing rule that routes the second IP address out through the second WAN interface.
You need to know a bit about Linux policy-based routing. Do ip rule show:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
When you do ip route show, you are shown the "main" table by default. You can show one of the other tables by adding table $name, e.g.:
$ ip route show table local
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 proto kernel scope link src 192.168.1.27
local 192.168.1.27 dev eth0 proto kernel scope host src 192.168.1.27
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.27
You can add your own tables; edit /etc/iproute2/rt_tables and add two lines:
11 WAN1
12 WAN2
Now you can add the default routes on ETH01 and ETH02 to the respective tables:
# ip route add default via 192.168.2.254 table WAN1
# ip route add default via 192.168.1.254 table WAN2
(You first described ETH01 as having 192.168.1.254 as gateway and ETH02 as having 192.168.2.254, but then your ip route show output disagrees, so I'll go with the latter... apart from the ETH1/ETH01 naming difference.)
Now you need to add the rule that uses the WAN1 table for traffic from the second web server IP address:
# ip rule add from 192.168.241.24 lookup WAN1 prio 1000
Now, when traffic comes in on ETH01 and is DNATed to the web server's second IP address, the web server will send its reply packets from that address, the rule will match that address, and the return traffic will be sent out through ETH01.
You don't really need the WAN2 table in this case, but you can use it if the router system itself needs to be reachable from both WAN interfaces, or if you want to be able to choose which WAN interface is used.
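As an added example (not part of the answer above), a small Python model of the rule walk the answer describes, run over constructed `ip rule show` / `ip route show table` output modelled on that configuration, so the effect of the `from 192.168.241.24 lookup WAN1` rule can be checked offline:

```python
import ipaddress
import re
# Constructed sample output modelled on the answer's configuration (not captured
# from the poster's router); only the routes relevant to the lookup are kept.
RULES = """\
0:      from all lookup local
1000:   from 192.168.241.24 lookup WAN1
32766:  from all lookup main
32767:  from all lookup default
"""
TABLES = {
    "WAN1": "default via 192.168.2.254 dev ETH01\n",
    "main": """\
default via 192.168.1.254 dev ETH02
192.168.230.0/24 dev ETH00 proto kernel scope link src 192.168.230.254
192.168.241.0/24 dev ETH03 proto kernel scope link src 192.168.241.254
""",
}

def parse_rules(text):
    # 'prio: from SRC lookup TABLE' -> (prio, selector, table); 'all' is None
    rules = []
    for m in re.finditer(r"(\d+):\s+from (\S+) lookup (\S+)", text):
        prio, src, table = m.groups()
        sel = None if src == "all" else ipaddress.ip_network(src, strict=False)
        rules.append((int(prio), sel, table))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):
    # 'ip route show table X' lines -> (prefix, via, dev)
    routes = []
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(prefix, strict=False), via, dev))
    return routes

def resolve(src, dst, rules_text=RULES, tables=TABLES):
    """Walk rules by priority, skip those whose 'from' selector misses src, fall
    through when the chosen table has no route for dst; -> (table, via, dev)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in parse_rules(rules_text):
        if sel is not None and s not in sel:
            continue
        hits = [r for r in parse_routes(tables.get(table, "")) if d in r[0]]
        if hits:  # longest prefix wins inside one table
            best = max(hits, key=lambda r: r[0].prefixlen)
            return table, best[1], best[2]
    return None
```

Because WAN1 holds only a default route, `resolve("192.168.241.24", "192.168.230.10")` also lands on WAN1; if the second server address must reach the guest LAN through the router, copy that connected route into the WAN1 table as well.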