Äîìîâûå ñåòè, DHCP + PPPoE/PPTP/L2TP

**Power** · 01-06-2009, 18:03

Originally Posted by l2net

åùå ñåãîäíÿ âûÿñíèëîñü, ÷òî íàïèìåð ïèíã ãóãëü.êîì íå ïðîõîäèò à ïèíã àéïèøíèêà íà êîòîì âèñèò ãóãëü.êîì - èäåò

Òàê ýòî ïîëó÷àåòñÿ, ÷òî ó âàñ DNS ïî÷åìó-òî íå ðàáîòàåò.
×òî âûäà¸ò, åñëè íà êîìïå â êîìàíäíîé ñòðîêå íàáðàòü "nslookup www.google.com" (ïðè ïîäêëþ÷åíèè ÷åðåç ðîóòåð) ?
È ïîêàæèòå, ÷òî âûäàþò êîìàíäû, âûïîëíåííûå íà ðîóòåðå:

Code:

iptables-save
route -n

**l2net** · 01-06-2009, 21:11

Code:

C:\Users\Ëåîíèä>nslookup www.google.com
╤õ¨òõ¨:  wl500gp
Address:  192.168.1.1

*** wl500gp íå óäàëîñü íàéòè www.google.com: Query refused

Code:

[admin@wl500gp root]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.2      10.71.58.1      255.255.255.255 UGH   1      0        0 vlan1
10.0.0.3        10.71.58.1      255.255.255.255 UGH   0      0        0 vlan1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.71.58.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan1
10.0.0.0        10.71.58.1      255.0.0.0       UG    0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         94.27.125.131   0.0.0.0         UG    0      0        0 ppp0
0.0.0.0         10.71.58.1      0.0.0.0         UG    1      0        0 vlan1

Code:

[admin@wl500gp root]$ iptables-save
# Generated by iptables-save v1.2.7a on Thu Jan  1 02:04:09 1970
*nat
:PREROUTING ACCEPT [113:13041]
:POSTROUTING ACCEPT [70:4132]
:OUTPUT ACCEPT [70:4132]
:VSERVER - [0:0]
-A PREROUTING -d 188.163.12.109 -j VSERVER
-A PREROUTING -d 10.71.58.234 -j VSERVER
-A POSTROUTING -s ! 188.163.12.109 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 10.71.58.234 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
-A VSERVER -p tcp -m tcp --dport 30700 -j DNAT --to-destination 192.168.1.2:30700
-A VSERVER -p udp -m udp --dport 30700 -j DNAT --to-destination 192.168.1.2:30700
-A VSERVER -p tcp -m tcp --dport 30700 -j DNAT --to-destination 192.168.1.1:30700
-A VSERVER -p udp -m udp --dport 30700 -j DNAT --to-destination 192.168.1.1:30700
-A VSERVER -p tcp -m tcp --dport 30701 -j DNAT --to-destination 192.168.1.1:30701
-A VSERVER -p udp -m udp --dport 30701 -j DNAT --to-destination 192.168.1.1:30701
-A VSERVER -p tcp -m tcp --dport 30799 -j DNAT --to-destination 192.168.1.1:30799
-A VSERVER -p udp -m udp --dport 30799 -j DNAT --to-destination 192.168.1.1:30799
-A VSERVER -p tcp -m tcp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
-A VSERVER -p udp -m udp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
COMMIT
# Completed on Thu Jan  1 02:04:09 1970
# Generated by iptables-save v1.2.7a on Thu Jan  1 02:04:09 1970
*mangle
:PREROUTING ACCEPT [2705:462957]
:INPUT ACCEPT [2135:302318]
:FORWARD ACCEPT [532:156352]
:OUTPUT ACCEPT [2196:575992]
:POSTROUTING ACCEPT [2913:799282]
COMMIT
# Completed on Thu Jan  1 02:04:09 1970
# Generated by iptables-save v1.2.7a on Thu Jan  1 02:04:09 1970
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [88:13557]
:OUTPUT ACCEPT [1741:268878]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]

Ñïàñèáî çà òåðïåíèå è ëþáûå ñîâåòû !

ï.ñ. íîâàÿ èíôîðìàöèÿ - åñëè ïðîïèñàòü íà êîìïå ÷óæèå (îòêðûòûå äíñ ñåðâåðà) ÄÍÑ - òî èíòåðíåò ÷åðåç ðîóòåð íà ýòîì êîìïå ðàáîòàåò.

ïðè ïîïûòêå ïðîïèñòàü ýòè æå ÄÍÑ (îòêðûòûå äíñ ñåðâåðà) â ðîóòåð (ïî óìîë÷àíèþ áûëè àâòîìàòè÷åñêè ïðèíèìàåìûå) - òî ÂÏÍ ñîåäèíåíèå íå ïîäíèìàåòüñÿ

.
Íî îïÿòü òàêè íå ïîíÿòíî, êàêèì îáðàçîì íà êîìïå (ïðè ïîäêëþ÷åíèè ÷åðåç øíóðîê, ìèìî ðîóòåðà) - íà òåõ æå ÄÍÑ (êîòîðûå ïðîâàéäåð ïåðåäàåò àâòîìàòîì) - âñå ðàáîòàåò

**Power** · 02-06-2009, 14:21

Originally Posted by l2net

ï.ñ. íîâàÿ èíôîðìàöèÿ - åñëè ïðîïèñàòü íà êîìïå ÷óæèå (îòêðûòûå äíñ ñåðâåðà) ÄÍÑ - òî èíòåðíåò ÷åðåç ðîóòåð íà ýòîì êîìïå ðàáîòàåò.

Ìîæíî äëÿ íà÷àëà èñïîëüçîâàòü ýòî êàê âðåìåííîå ðåøåíèå.

Íî âû íå äî êîíöà ïðèâåëè âûâîä êîìàíäû iptables-save. Õîòåëîñü áû îñòàëüíîå òîæå óâèäåòü.

**l2net** · 02-06-2009, 19:52

Originally Posted by Power

Íî âû íå äî êîíöà ïðèâåëè âûâîä êîìàíäû iptables-save. Õîòåëîñü áû îñòàëüíîå òîæå óâèäåòü.

Ñîððè, ïðèâîæó ïîëíîñòüþ

Code:

[admin@wl500gp root]$ iptables-save
# Generated by iptables-save v1.2.7a on Fri Jan  2 00:15:55 1970
*nat
:PREROUTING ACCEPT [36974:3030999]
:POSTROUTING ACCEPT [23804:1412441]
:OUTPUT ACCEPT [23815:1415489]
:VSERVER - [0:0]
-A PREROUTING -d 188.163.8.253 -j VSERVER
-A PREROUTING -d 10.71.58.234 -j VSERVER
-A POSTROUTING -s ! 188.163.8.253 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 10.71.58.234 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
-A VSERVER -p tcp -m tcp --dport 30700 -j DNAT --to-destination 192.168.1.2:30700
-A VSERVER -p udp -m udp --dport 30700 -j DNAT --to-destination 192.168.1.2:30700
-A VSERVER -p tcp -m tcp --dport 30700 -j DNAT --to-destination 192.168.1.1:30700
-A VSERVER -p udp -m udp --dport 30700 -j DNAT --to-destination 192.168.1.1:30700
-A VSERVER -p tcp -m tcp --dport 30701 -j DNAT --to-destination 192.168.1.1:30701
-A VSERVER -p udp -m udp --dport 30701 -j DNAT --to-destination 192.168.1.1:30701
-A VSERVER -p tcp -m tcp --dport 30799 -j DNAT --to-destination 192.168.1.1:30799
-A VSERVER -p udp -m udp --dport 30799 -j DNAT --to-destination 192.168.1.1:30799
-A VSERVER -p tcp -m tcp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
-A VSERVER -p udp -m udp --dport 30702 -j DNAT --to-destination 192.168.1.3:30702
COMMIT
# Completed on Fri Jan  2 00:15:55 1970
# Generated by iptables-save v1.2.7a on Fri Jan  2 00:15:55 1970
*mangle
:PREROUTING ACCEPT [1256740:676794437]
:INPUT ACCEPT [732622:330999895]
:FORWARD ACCEPT [519002:345306422]
:OUTPUT ACCEPT [652543:127274355]
:POSTROUTING ACCEPT [1211691:487556823]
COMMIT
# Completed on Fri Jan  2 00:15:55 1970
# Generated by iptables-save v1.2.7a on Fri Jan  2 00:15:55 1970
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [35493:2667576]
:OUTPUT ACCEPT [652446:127258641]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Fri Jan  2 00:15:55 1970

à ìîæíî ýòî âðåìåííîå ðåøåíèå, êàêèì-òî îáðàçîì àäàïòèðîâàòü äëÿ ðîóòåðà ? ( âñòàëè òîððåíòû)

**4am_orchestra** · 02-06-2009, 20:06

åùå ñåãîäíÿ âûÿñíèëîñü, ÷òî íàïèìåð ïèíã ãóãëü.êîì íå ïðîõîäèò ïèíã àéïèøíèêà íà êîòîì âèñèò ãóãëü.êîì - èäåò

Äà, òàê è åñòü.

×òî âûäà¸ò, åñëè íà êîìïå â êîìàíäíîé ñòðîêå íàáðàòü "nslookup www.google.com" (ïðè ïîäêëþ÷åíèè ÷åðåç ðîóòåð) ?

Âûäàåò query refused.
Åñëè çàñòàâèòü nslookup èñïîëüçîâàòü dns ïðîâàéäåðà âìåñòî ðîóòåðîâñêîãî dnsmasq - òà æå èñòîðèÿ.
Ñèòóàöèÿ îäèíàêîâà êàê ñ ìàøèíû çà ðîóòåðîì, òàê èç êîíñîëè ñàìîãî ðîóòåðà.

Íî âû íå äî êîíöà ïðèâåëè âûâîä êîìàíäû iptables-save. Õîòåëîñü áû îñòàëüíîå òîæå óâèäåòü.

Ýòî íå ïðè÷åì òî÷íî. Â ëîãàõ íèêàêèõ äðîïíóòûõ ïàêåòîâ íåò, è ïðàâèë ïðî 53é ïîðò òîæå íå âèäíî.

×òî ÿ äóìàþ, òàê ýòî òî, ÷òî Áèëàéí-Óêðàèíà ðåæåò ðîóòåðó äîñòóï ê DNS.
Èñïîëüçîâàòü ÷óæèå DNS ñåðâåðà ÿ íå ñ÷èòàþ íîðìàëüíûì ðåøåíèåì.
Òåõïîääåðæêà íå ãîâîðèò ÷òî îíè ïîìåíÿëè íà ïðîøëîé íåäåëå (äî ýòîãî óæå íåñêîëüêî ìåñÿöåâ âñ¸ ðàáîòàëî êàê ÷àñû).

Íà äíÿõ ïîïðîáóþ åùå íà ñâîåé ëèíóêñîâîé ìàøèíå ïîäíÿòü èíòåðíåò íàïðÿìóþ è ïîñìîòðåòü âíèìàòåëüíåå íà òðàôôèê îò è ê ñåðâåðàì.

**Power** · 02-06-2009, 22:58

l2net, 4am_orchestra,
Ïîõîæå, äåéñòâèòåëüíî, ïðîâàéäåð êàê-òî ôèëüòðóåò DNS-çàïðîñû. Âîïðîñ â òîì, äåëàþò ëè îíè ýòî íàìåðåííî è ïî êàêîìó êðèòåðèþ.
Ìîæíî ïîïðîáîâàòü âûñòàâèòü íà ðîóòåðå ttl=128 ("echo 128 > /proc/sys/net/ipv4/ip_default_ttl") è âûïîëíèòü ñ ðîóòåðà nslookup. È âîîáùå, ïðîñëåäèòü çà çàïðîñàìè ñ ïîìîùüþ tcpdump.
Ìîæíî åù¸ ïîïðîáîâàòü ïðîïèñàòü ïîñòîÿííûé DNS-ñåðâåð 10.10.10.2 (åñëè îí ðàáîòàåò äëÿ âíåøíèõ èì¸í).
Ìîæíî íàâàÿòü ñêðèïò post-firewall, êîòîðûé ïðè ïîäíÿòèè ppp0 áóäåò çàìåíÿòü ñïèñîê DNS íà êàêèå-òî âíåøíèå (íàïðèìåð, OpenDNS, ïîëüçóþùèåñÿ ïîïóëÿðíîñòüþ).
Ìîæíî âîîáùå âíåøíèå çàáèòü ñòàòè÷åñêè, à VPN-ñåðâåð ïðîïèñàòü â âèäå IP-àäðåñà.
Íî íóæíî ðàçáèðàòüñÿ íà ìåñòå.

**l2net** · 03-06-2009, 11:15

Originally Posted by Power

l2net, 4am_orchestra,
Ìîæíî åù¸ ïîïðîáîâàòü ïðîïèñàòü ïîñòîÿííûé DNS-ñåðâåð 10.10.10.2 (åñëè îí ðàáîòàåò äëÿ âíåøíèõ èì¸í).

Èç âñåõ ïðåäëîæåííûõ âàðèàíòîâ ýòîò îêàçàëñÿ ñàìûì ïðîñòûì è íà óäèâëåíèå ýôôåêòèâíûì - ñïàñèáî!

**4am_orchestra** · 03-06-2009, 11:33

Originally Posted by l2net

Èç âñåõ ïðåäëîæåííûõ âàðèàíòîâ ýòîò îêàçàëñÿ ñàìûì ïðîñòûì è íà óäèâëåíèå ýôôåêòèâíûì - ñïàñèáî!

Åñëè ëîêàëüíûé DNS ðåçîëâèò áîëüøîé èíòåðíåò, òî ýòî êðóòî.
Ïîïðîáóþ, ïîñìîòðþ.

**vital-s** · 03-06-2009, 12:40

Originally Posted by 4am_orchestra

Òà æå ñèòóàöèÿ, òîò æå ïðîâàéäåð. Íà÷àëîñü 28-ãî ÷èñëà ãäå-òî.
wl500gpv1 àïïàðàò. ïðîøèâêà ñòîÿëà 1.9.2.7-10.7

DNS-ñåðâåðà ïðîâàéäåðà ïèíãóþòñÿ,
nslookup google.com <äíñ-ñåðâåð> îòâå÷àë Query refused.

Êàê òîëüêî îæèâëþ ðîóòåð (îí ñåé÷àñ îòêàçûâàåòñÿ ïðîøèâêó êóøàòü, âîîáùå), îòïèøó ïîäðîáíåå.

ß âèæó ýòî ðàñïðîñòðàíåííàÿ ïðîáëåìà (Áèëàéí, Êèåâ), ñ 28-ãî íà÷àëèñü ïåðåáîè ñ èíòåðíåòîì, ñâÿçü ðâåòñÿ è íå âîñòàíàâëèâàåòñÿ. Ñåé÷àñ ïåðåøåë c PPTP íà L2TP, îáðûâû ñòàëè ðåæå, ïîñòàâèë ïðîøèâêó 1.9.2.7-d-r308, ïðîðàáîòàëî 8-ìü ÷àñîâ áåç îáðûâîâ.

Çàìåòèë, ÷òî L2TP ñèëüíî ãðóçèò ïðîö - 45-70% è íå ìîãó âûñòàâèòü Idle Disconnect Time in seconds(option): íà 0, îïöèÿ íå àêòèâíà.

**avk** · 03-06-2009, 15:15

Originally Posted by vital-s

íå ìîãó âûñòàâèòü Idle Disconnect Time in seconds(option): íà 0, îïöèÿ íå àêòèâíà.

Íîëü äëÿ ñîåäèíåíèÿ äàííîãî âèäà - âåëè÷èíà ïîñïîÿííàÿ.

**vital-s** · 03-06-2009, 15:19

Originally Posted by avk

Íîëü äëÿ ñîåäèíåíèÿ äàííîãî âèäà - âåëè÷èíà ïîñïîÿííàÿ.

Òàê ñîåäèíåíèå íå âîñòàíàâëèâàåòñÿ, ÷òî äåëàòü, íàäîåëî óæå âðó÷íóþ çàïóñêàòü.

**Omega** · 03-06-2009, 15:58

Originally Posted by vital-s

Òàê ñîåäèíåíèå íå âîññòàíàâëèâàåòñÿ, ÷òî äåëàòü, íàäîåëî óæå âðó÷íóþ çàïóñêàòü.

À ïîèñêîì âîñïîëüçîâàòüñÿ íå ïðîáîâàëè ?

Ïî ÊÎÐÁÈëàéÍÓ çäåñü óæå ìíîãî ïèñàëè ...

Code:

Jan 1 02:00:07 dhcp client: deconfig: lease is lost
Jan 1 02:00:09 udhcpc[113]: Lease of 10.71.58.234 obtained, lease time 172800
Jan 1 02:00:09 dnsmasq[70]: read /etc/hosts - 5 addresses
Jan 1 02:00:09 dnsmasq[70]: reading /tmp/resolv.conf
Jan 1 02:00:09 dnsmasq[70]: using nameserver 10.10.10.2#53
Jan 1 02:00:09 dhcp client: bound IP : 10.71.58.234 from 10.71.58.1
Jan 1 02:00:09 pppd[123]: pppd 2.4.2 started by admin, uid 0
Jan 1 02:00:09 pppd[123]: Serial connection established.
Jan 1 02:00:09 pppd[123]: Using interface ppp0
Jan 1 02:00:09 pppd[123]: Connect: ppp0 <--> /dev/pts/0
Jan 1 02:00:10 dnsmasq[70]: DHCPINFORM(br0) 192.168.1.2 00:15:af:8b:80:83
Jan 1 02:00:10 dnsmasq[70]: DHCPACK(br0) 192.168.1.2 00:15:af:8b:80:83 Music-Box
Jan 1 02:00:14 pppd[123]: PAP authentication succeeded
Jan 1 02:00:14 pppd[123]: local IP address 188.163.12.76
Jan 1 02:00:14 pppd[123]: remote IP address 94.27.125.131
Jan 1 02:00:14 pppd[123]: primary DNS address 212.109.32.5
Jan 1 02:00:14 pppd[123]: secondary DNS address 212.109.32.9
Jan 1 02:00:14 dnsmasq[70]: read /etc/hosts - 5 addresses
Jan 1 02:00:14 dnsmasq[70]: reading /tmp/resolv.conf
Jan 1 02:00:14 dnsmasq[70]: using nameserver 212.109.32.9#53
Jan 1 02:00:14 dnsmasq[70]: using nameserver 212.109.32.5#53
Jan 1 02:00:14 PPTP: connect to ISP

Âîò çäåñü óæå ðåøàëè àíàëîãè÷íóþ ïðîáëåìó :

http://wl500g.info/showthread.php?t=18684

**avk** · 03-06-2009, 15:59

Originally Posted by vital-s

Òàê ñîåäèíåíèå íå âîññòàíàâëèâàåòñÿ, ÷òî äåëàòü, íàäîåëî óæå âðó÷íóþ çàïóñêàòü.

Îò ýòîãî íîëÿ âîññòàíîâëåíèå ñâÿçè íå çàâèñèò - ýòî âðåìÿ ÷åðåç êîòîðîå ïðîèñõîäèò ðàçðûâ ïðè îòñóòñòâèè àêòèâíîñòè, ò.å. êîãäà íåò òðàôôèêà.

**jtjoker** · 03-06-2009, 18:00

Originally Posted by l2net

Èç âñåõ ïðåäëîæåííûõ âàðèàíòîâ ýòîò îêàçàëñÿ ñàìûì ïðîñòûì è íà óäèâëåíèå ýôôåêòèâíûì - ñïàñèáî!

Ïîääñêàæè, ïëç, êàê ýòî îñóùåñòâèòü?

**l2net** · 03-06-2009, 23:38

Originally Posted by jtjoker

Ïîääñêàæè, ïëç, êàê ýòî îñóùåñòâèòü?

Â ðîóòåðå íà ñòðàíèöå íàñòðîåê ïîäêëþ÷åíèÿ ê ïðîâàéäåðó, âìåñòî àâòîìàòè÷åñêîãî ïîëó÷åíèÿ ÄÍÑ, ñòàâèì ðó÷íîé ââîä è çàáèâàåì â ïåðâûé ÄÍÑ - 10.10.10.2
âñå)

Thread: Äîìîâûå ñåòè, DHCP + PPPoE/PPTP/L2TP

Thread Tools

Display

Similar Threads

Ïðîáëåìû ñ l2tp è pptp â Êîðáèëàéíå

Asus WL-500W - ïðîáëåìû ñ VPN (PPTP, L2TP)

2 PPPoE ïîäêëþ÷åíèÿ íà ðîóòåðå

Êòî-íèáóäü íàñòðàèâàë PPtP ïîâåðõ PPPoE?

PPPoE authentication question

Tags for this Thread

Posting Permissions