Ìàðøðóòèçàöèÿ ïî èñòî÷íèêó (Source Routing) íà ðîóòåðå

[Less]

LARTC-Destination-based-port-routing-multi-gateway wan

portaddress-forwarding-with-iptables-with-one-network-interface.-417225/

google

[OTMOPO3OK]

Âñåì äîáðîãî äíÿ!
Èìååòñÿ ðîóòåð wl-500w (ïðîøèâêà ïîñëåäíÿÿ) ñ äâóìÿ ïîäêëþ÷åííûìè ïðîâàéäåðàìè:
1. eth1 ip 77.239.196.17 gw 77.239.196.1
2. vlan1 ip 10.10.10.3 gw 10.10.10.1
Ëîêàëêà: 192.168.1.0/24
Ðåøèë çàâåðíóòü udp òðàôèê èäóùèé íà ïîðò 1194 â êàíàë ïðîâàéäåðà ¹2.
Ñîçäàë òàáëèöó 4 äëÿ âòîðîãî ïðîâàéäåðà

Code:

touch /etc/iproute2/rt_tables
ip route show table main | grep -v ^default \
     | while read ROUTE ; do
      ip route add table 4 $ROUTE
done
ip route add table 4 default via 10.10.10.1
ip route show table 4

77.239.196.1 dev eth1  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.10.10.0/24 dev vlan1  proto kernel  scope link  src 10.10.10.3
77.239.192.0/20 dev eth1  proto kernel  scope link  src 77.239.196.17
127.0.0.0/8 dev lo  scope link
default via 10.10.10.1 dev vlan1

Äàëåå ìàðêèðóþ ïàêåòû:

Code:

iptables -t mangle -A PREROUTING -p udp --dport 1194 -s 192.168.1.0/24 -j MARK --set-mark 4

Íàòèì ïàêåòû íà âòîðîì èíòåðôåéñå:

Code:

iptables -t nat -A POSTROUTING -o vlan1 -j SNAT --to-source 10.10.10.3

Ïðàâèì òàáèöó ìàðøðóòèçàöèè ¹4 äëÿ ìàðêèðîâàííûõ ïàêåòîâ:

Code:

ip rule add fwmark 4 table 4
ip rule show

0:      from all lookup local
32765:  from all fwmark        4 lookup 4
32766:  from all lookup main
32767:  from all lookup 253

Âðîäå âñå. Çàïóñêàåì openvpn è tcpdump íà èíòåðôåéñå ¹2

Code:

 tcpdump -i vlan1

00:17:09.809660 IP 10.10.10.3.54816 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:17:09.885709 IP xxx-xx-251-80.pride-net.ru.1194 > 10.10.10.3.54816: UDP, length: 50
00:17:11.881966 IP 10.10.10.3.54816 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:17:11.956202 IP xxx-xx-251-80.pride-net.ru.1194 > 10.10.10.3.54816: UDP, length: 54
00:17:12.597098 arp who-has 10.10.10.1 tell 10.10.10.3
00:17:12.598064 arp reply 10.10.10.1 is-at 00:1e:be:de:e6:b7
00:17:13.909266 IP 10.10.10.3.54816 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:17:13.988404 IP xxx-xx-251-80.pride-net.ru.1194 > 10.10.10.3.54816: UDP, length: 54
00:17:15.959057 IP 10.10.10.3.54816 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:17:16.038802 IP xxx-xx-251-80.pride-net.ru.1194 > 10.10.10.3.54816: UDP, length: 54
00:17:18.008920 IP 10.10.10.3.54816 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42

Ñîåäèíåíèå íå óñòàíàâëèâàåòñÿ, ïàêåòû óõîäÿò â âåðíîì íàïðàâëåíèè íà èíòåðôåéñ 2 ïðîâàéäåðà è âîçâðàùàþòñÿ, íî òîëüêî íà èíòåðôåéñ vlan1, íî íå äàëüøå.

Çàïóñêàþ ñíèôåð íà br0

Code:

tcpdump -i br0 | grep 1194

00:19:45.674915 IP 192.168.1.15.54818 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:19:57.210260 IP 192.168.1.15.54818 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:19:59.510409 IP 192.168.1.15.54818 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:20:10.654456 IP 192.168.1.15.54819 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42
00:20:12.920396 IP 192.168.1.15.54819 > xxx-xx-251-80.pride-net.ru.1194: UDP, length: 42

Ïàêåòû óõîäÿò, íî íå âîçâðàùàþòñÿ!
 ÷åì êîñÿê ïîäñêàæèòå?

[OTMOPO3OK]

Âñå çàðàáîòàëî, âîò êîíôèã
Ðåøèë çàâåðíóòü udp òðàôèê èäóùèé íà ïîðò 1194 â êàíàë ïðîâàéäåðà ¹2.
Ñîçäàë òàáëèöó 4 äëÿ âòîðîãî ïðîâàéäåðà

Code:

touch /etc/iproute2/rt_tables
ip route add table inet_adsl default via 10.10.10.
ip route show table inet_adsl
default via 10.10.10.1 dev vlan1

Äàëåå ìàðêèðóþ ïàêåòû:

Code:

iptables -t mangle -A PREROUTING -p udp --dport 1194 -s 192.168.1.0/24 -j MARK --set-mark 4

Íàòèì ïàêåòû íà âòîðîì èíòåðôåéñå:

Code:

iptables -t nat -A POSTROUTING -o vlan1 -j SNAT --to-source 10.10.10.3

Ïðàâèì òàáèöó ìàðøðóòèçàöèè ¹4 äëÿ ìàðêèðîâàííûõ ïàêåòîâ:

Code:

ip rule add fwmark 4 table inet_adsl
ip rule add from 192.168.1.0/24 table inet_adsl
ip rule show

0:      from all lookup local
32764:  from 192.168.1.0/24 lookup inet_adsl
32765:  from all fwmark        4 lookup inet_adsl
32766:  from all lookup main
32767:  from all lookup 253

[dik-m]

äëÿ áàëàíñèðîâêè ñîåäèíåíèé â áîëüøèíñòâå ñëó÷àåâ äîñòàòî÷íî åäèíñòâåííîé êîìàíäû

Ïóñòü $IF1 áóäåò èìåíåì ïåðâîãî èíòåðôåéñà, à $IF2 -- èìåíåì âòîðîãî.
Äàëåå, $P1 ýòî IP-àäðåñ øëþçà ïðîâàéäåðà 1, à $P2 -- IP àäðåñ øëþçà ïðîâàéäåðà 2.

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1 è ò.ä.

[vital-s]

åñëè îñíîâíîé êàíàë ïàäàåò , òî äåôîëòíûé ìàðøðóò ñ ìåòðèêîé 0 óõîäèò
âñå íà÷èíàþò õîäèòü ÷åðåç äåôîëò ñ ìåòðèêîé 1
íå íàäî íèêàêèõ äåìîíîâ è ïð.
ñíàðóæè åñòü äîñòóï ÷åðåç îáà WAN

Íå ïîëó÷èëîñü ïîëó÷èòü äîñòóï èç âíå ïî âòîðîìó WANó. Äåëàë ïî Âàøåé èíñòðóêöèè, ÷òî-òî íå òàê. Âòîðûì èíåòîì ñëóæèò êîìï ñ ïîäêëþ÷åííûì èíòåðíåòîì. Èíòåðíåò õîäèò íî ðîóòåð äàæå íå ïèíãóåòñÿ (WAN2) ñî âòîðîãî êîìïà.

×òî ìîæåò áûòü?

[AndreyPopov]

âàì íóæíà ìàðøðóòèçàöèÿ ïî èñòî÷íèêó, äëÿ ýòî íàäî âîñïîëüçîâàòüñÿ âîçìîæíîñòÿìè iproute2

iproute add rule è òàê äàëåå è ñäåëàòü ÄÂÅ îòäåëüíûõ òàáëèöû ìàðøðóòèçàöèè.

[vital-s]

âàì íóæíà ìàðøðóòèçàöèÿ ïî èñòî÷íèêó, äëÿ ýòî íàäî âîñïîëüçîâàòüñÿ âîçìîæíîñòÿìè iproute2

iproute add rule è òàê äàëåå è ñäåëàòü ÄÂÅ îòäåëüíûõ òàáëèöû ìàðøðóòèçàöèè.

Ìîæåò ÿ ïëîõî îáúÿñíèë, ÷òî ìíå íóæíî.
Íóæíà ïîìîùü â íàñòðîéêå ñâÿçè ìåæäó êîìïüþòåðîì (ÁÁ, ñòîèò ëèíóêñ Ìàíäðèâà) è ðîóòåðîì WL500gp.

Èíåò ÁÁ > (wlan2) >
Èíåò l2tp > (wlan0) > WL500gp < (br0) < Äîìàøíÿÿ ñåòü ÄÑ

Èíåò õîäèò íîðìàëüíî, íî íóæíî âèäåòü ðàñøàðû íà ÁÁ, èç ÄÑ.

[admin@ASUS WL500gp root]$ ip route

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.10.10.2 10.21.68.1 255.255.255.255 UGH 40 0 0 vlan1
10.10.12.3 10.21.68.1 255.255.255.255 UGH 40 0 0 vlan1
94.45.64.34 192.168.3.8 255.255.255.255 UGH 40 0 0 vlan2
192.168.3.8 192.168.3.8 255.255.255.255 UGH 40 0 0 vlan2
10.0.0.28 10.21.68.1 255.255.255.255 UGH 40 0 0 vlan1
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 vlan2
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 br0
10.21.68.0 0.0.0.0 255.255.254.0 U 40 0 0 vlan1
10.0.0.0 10.21.68.1 255.0.0.0 UG 40 0 0 vlan1
10.0.0.0 10.21.68.1 255.0.0.0 UG 40 0 0 vlan1
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 94.27.127.8 0.0.0.0 UG 40 0 0 ppp0
0.0.0.0 192.168.3.8 0.0.0.0 UG 40 0 0 vlan2
0.0.0.0 10.21.68.1 0.0.0.0 UG 40 0 0 vlan1

iptables-save

# Generated by iptables-save v1.2.7a on Tue Jul 13 09:30:44 2010
*nat
:PREROUTING ACCEPT [5562:365511]
:POSTROUTING ACCEPT [1751:105158]
:OUTPUT ACCEPT [1760:107120]
:VSERVER - [0:0]
-A PREROUTING -d 94.27.68.125 -j VSERVER
-A PREROUTING -d 10.21.69.241 -j VSERVER
-A PREROUTING -d 192.168.3.2 -j VSERVER
-A POSTROUTING -s ! 94.27.68.125 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 10.21.69.241 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8089 -j DNAT --to-destination 192.168.1.254:80
-A VSERVER -p udp -m udp --dport 51255 -j DNAT --to-destination 192.168.1.3:5125 5
-A VSERVER -p udp -m udp --dport 51300 -j DNAT --to-destination 192.168.1.8:5130 0
-A VSERVER -p udp -m udp --dport 59263 -j DNAT --to-destination 192.168.1.7:5926 3
-A VSERVER -p tcp -m tcp --dport 59263 -j DNAT --to-destination 192.168.1.7:5926 3
-A VSERVER -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.1.8:5141 3
-A VSERVER -p udp -m udp --dport 27272 -j DNAT --to-destination 192.168.1.4:2727 2
-A VSERVER -p tcp -m tcp --dport 51300 -j DNAT --to-destination 192.168.1.8:5130 0
-A VSERVER -p udp -m udp --dport 50711 -j DNAT --to-destination 192.168.1.4:5071 1
-A VSERVER -p tcp -m tcp --dport 50711 -j DNAT --to-destination 192.168.1.4:5071 1
-A VSERVER -p udp -m udp --dport 47197 -j DNAT --to-destination 192.168.1.4:4719 7
-A VSERVER -p udp -m udp --dport 59265 -j DNAT --to-destination 192.168.1.7:5926 5
-A VSERVER -p tcp -m tcp --dport 59265 -j DNAT --to-destination 192.168.1.7:5926 5
-A VSERVER -p tcp -m tcp --dport 33058 -j DNAT --to-destination 192.168.1.4:3305 8
-A VSERVER -p tcp -m tcp --dport 6000 -j DNAT --to-destination 192.168.1.8:6000
-A VSERVER -p tcp -m tcp --dport 8077 -j DNAT --to-destination 192.168.1.10:8077
-A VSERVER -p tcp -m tcp --dport 6000 -j DNAT --to-destination 192.168.1.8:6000
-A VSERVER -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.1.8:9091
-A VSERVER -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.1.8:1000 0
COMMIT
# Completed on Tue Jul 13 09:30:44 2010
# Generated by iptables-save v1.2.7a on Tue Jul 13 09:30:44 2010
*mangle
:PREROUTING ACCEPT [37449:4162632]
:INPUT ACCEPT [33894:3594506]
:FORWARD ACCEPT [3305:524753]
:OUTPUT ACCEPT [43593:31186134]
:POSTROUTING ACCEPT [47039:31750434]
COMMIT
# Completed on Tue Jul 13 09:30:44 2010
# Generated by iptables-save v1.2.7a on Tue Jul 13 09:30:44 2010
*filter
:INPUT DROP [3496:210987]
:FORWARD ACCEPT [638:82448]
:OUTPUT ACCEPT [43105:30758683]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 51778:51779 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p 2 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d 192.168.1.254 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5122 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pm tu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence - -log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

[AndreyPopov]

âàì íàäî äåëàòü ÎÒÄÅËÜÍÓÞ òàáëèöó äëÿ ÊÀÆÄÎÃÎ èíòåðôåéñà.

çàéäèòå íà ôîðóì DD-WRT è íãàéäèòå òàì òåìó Dual/Triple WAN - òàì åñòü àâòîìàòèçèðîâàííûå ñêðèïòû!

îäíîé òàáëèöåé âû íå îáîéäåòåñü - åùå ðàç âàì ïîâòîðÿþ!

äëÿ êàæîãî WAN äîëæíà áûòü ÑÂÎß òàáëèöà!

âîò ìîé ïðèìåð ×ÅÒÛÐÅÕ ïðîâàéäåðîâ, êîòîðûå ïîäêëþ÷åíû ê îäíîìó WL-500GP.


IF0=eth1
IF1=eth0
IF2=eth2
IF3=eth3
IF4=eth4
P0_NET=195.24.153.64/27
P01_NET=195.24.153.96/27
P1_NET=195.24.153.32/29
P2_NET=195.24.153.0/27
P3_NET=195.24.153.48/29
P4_NET=195.24.153.56/29
IP0=195.24.153.68
IP01=195.24.153.100
IP1=195.24.153.34
IP2=195.24.153.1
IP3=195.24.153.50
IP4=195.24.153.58
P1=195.24.153.33
P2=195.24.153.2
P3=195.24.153.49
P4=195.24.153.57


ip rule add from 195.24.153.5 table 50 prio 500
ip route flush table 50
ip route add default via $P1 table 50

ip route add $P0_NET dev $IF0 table 50
ip route add $P01_NET dev $IF0 table 50
ip route add $P1_NET dev $IF1 table 50
ip route add $P2_NET dev $IF2 src $IP2 table 50
ip route add $P3_NET dev $IF3 table 50
ip route add $P4_NET dev $IF4 table 50
ip route add 127.0.0.0/8 dev lo table 50

ip route flush cache

195.24.153.5 - ýòî àäðåñ ðîóòåðà, çà êîòîðûì íàõîäèòñÿ äîìàøíÿÿ ñåòü.
à äàëåå ó ìåíÿ ðóêàìè ðàçáðîñàí "load balancing" ïî âñåì ïðîâàéäåðàì table 50

116.0.0.0/6 via 195.24.153.57 dev eth4
120.0.0.0/6 via 195.24.153.2 dev eth2
132.0.0.0/6 via 195.24.153.49 dev eth3
140.0.0.0/6 via 195.24.153.2 dev eth2
136.0.0.0/6 via 195.24.153.57 dev eth4
148.0.0.0/6 via 195.24.153.57 dev eth4
144.0.0.0/6 via 195.24.153.49 dev eth3
156.0.0.0/6 via 195.24.153.49 dev eth3
152.0.0.0/6 via 195.24.153.2 dev eth2
164.0.0.0/6 via 195.24.153.2 dev eth2
160.0.0.0/6 via 195.24.153.57 dev eth4
180.0.0.0/6 via 195.24.153.57 dev eth4
176.0.0.0/6 via 195.24.153.49 dev eth3
184.0.0.0/6 via 195.24.153.2 dev eth2
204.0.0.0/6 via 195.24.153.2 dev eth2
200.0.0.0/6 via 195.24.153.2 dev eth2
212.0.0.0/6 via 195.24.153.57 dev eth4
208.0.0.0/6 via 195.24.153.49 dev eth3
220.0.0.0/6 via 195.24.153.49 dev eth3
216.0.0.0/6 via 195.24.153.49 dev eth3
default via 195.24.153.33 dev eth0

P.S. ó ìåíÿ íà ðîóòåðå ýòîì Firewall/NAT âûêëþ÷åíû, íî íà DD-WRT ñêðèïòû ëåæàò ñ ïîääåðæêîé Firewall/NAT è àâòîìàòè÷åñêèì load balancing

[vital-s]

âàì íàäî äåëàòü ÎÒÄÅËÜÍÓÞ òàáëèöó äëÿ ÊÀÆÄÎÃÎ èíòåðôåéñà.

çàéäèòå íà ôîðóì DD-WRT è íãàéäèòå òàì òåìó Dual/Triple WAN - òàì åñòü àâòîìàòèçèðîâàííûå ñêðèïòû!

îäíîé òàáëèöåé âû íå îáîéäåòåñü - åùå ðàç âàì ïîâòîðÿþ!

äëÿ êàæîãî WAN äîëæíà áûòü ÑÂÎß òàáëèöà!

Ñïàñèáî çà ñîâåò, ïîïðîáóþ ðàçîáðàòüñÿ, ìîæåò ïðèìåð åñòü, áóäó ïðèçíàòåëåí.

[MrGalaxy]

âàì íóæíà ìàðøðóòèçàöèÿ ïî èñòî÷íèêó, äëÿ ýòî íàäî âîñïîëüçîâàòüñÿ âîçìîæíîñòÿìè iproute2

iproute add rule è òàê äàëåå è ñäåëàòü ÄÂÅ îòäåëüíûõ òàáëèöû ìàðøðóòèçàöèè.

À êàê ýòî ñäåëàòü?
 ìàíóàëå ïî iproute2 ñêàçàíî

Code:

4.2.1. Ðàçäåëüíûé äîñòóï

 Ïåðâûé âîïðîñ çàêëþ÷àåòñÿ â òîì, êàê îðãàíèçîâàòü ìàðøðóòèçàöèþ òàêèì îáðàçîì, ÷òîáû îòâåòû íà çàïðîñû, ïðèõîäÿùèå ÷åðåç îïðåäåëåííîãî ïðîâàéäåðà, ñêàæåì ðîâàéäåðà 1, óõîäèëè ÷åðåç òîãî æå ïðîâàéäåðà. 

 Äàâàéòå îïðåäåëèì íåêîòîðûå ïåðåìåííûå. Ïóñòü $IF1 áóäåò èìåíåì ïåðâîãî èíòåðôåéñà (if1 íà ðèñóíêå), à $IF2 -- èìåíåì âòîðîãî. Òîãäà $IP1 áóäåò IP àäðåñîì $IF1 , à $IP2 -- IP àäðåñîì $IF2 . Äàëåå, $P1 ýòî IP-àäðåñ øëþçà ïðîâàéäåðà 1, à $P2 -- IP àäðåñ øëþçà ïðîâàéäåðà 2. Íàêîíåö, $P1_NET ýòî IP ñåòü, ê êîòîðîé ïðèíàäëåæèò $P1 , à $P2_NET -- ñåòü, ê êîòîðîé ïðèíàäëåæèò $P2 . 

 Ñîçäàäèì äâå äîïîëíèòåëüíûå òàáëèöû ìàðøðóòèçàöèè, ñêàæåì T1 è T2. Äîáàâèì èõ â ôàéë /etc/iproute2/rt_tables. Òåïåðü ìîæíî íàñòðîèòü ýòè òàáëèöû ñëåäóþùèìè êîìàíäàìè: 
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

Íà ðîóòåðå íåò ôàéëà /etc/iproute2/rt_tables. À âîò, ñêàæåì, íà Óáóíòå åñòü.

The Miron, ñïàñèáî çà îòâåò, óæå ëåã÷å. Çðÿ òîëüêî â ýòó âåòêó ïåðåíåñëè, âîïðîñ îòíîñèòñÿ íå òîëüêî ê WL500gP-v.2.

[AndreyPopov]

- åñòü ÷åòûðå ïðîâàéäåðà
- åñòü öåíòðàëüíûé ðîóòåð x86 OpenWRT Kamikaze 8.09.02, íà êîòîðîì ðåàëèçîâàí multi-wan ñ ìàðøðóòèçàöèåé ïî èñòî÷íèêó è Load balncing ïî ïðàâèëàì.
- ó âñåõ ïðîâàéäåðîâ PPPoE ïîäíÿòî íà ðîóòåðàõ asus wl-5xx
- ðîóòåðû asus wl-5xx ïîäêëþ÷åíû ê öåíòðàëüíîìó ðîóòåðó x86 OpenWRT
- íà äâóõ ñòîèò ïðîøèâêà ýíòóçèàñòîâ, íà äâóõ DD-WRT
â îáùåì-òî âñå ðàáîòàåò áåç îñîáûõ ïðîáëåì.

íî åñòü íåêîòîðûå "íåïîíÿòíîñòè", êîòîðûå ñîçäàþò íåêîòîðûå íåóäîáñòâà.

âñå íà÷àëîñü ñ íåïîíÿòíûõ ïðîáëåì ïî ïðîáðîñêå ïîðòîâ, íî òàì ñîøëîñü âñå âìåñòå:
à) ãëþ÷àùèé ÄÑË ìîäåì â ðåæèìå ìîñòà
á) ïðîâàéäåð áëîêèðîâàâøèé ñïàì
â) äàííàÿ ïðîáëåìà ïî Source Routing

ñðàçó îãîâîðþñü, ÷òî ïðîáëåìà íå â öåíòðàëüíîì ðîóòåðå x86 OpenWRT è åãî ñêðèïòàõ. â íåì ñòîÿò îäèíàêîâûå ñåòåâûå êàðòû è äëÿ êàæäîãî èíòåðôåéñà ïðîïèñàíà òàáëèöà ìàðøðóòèçàöèè. ñêðèïòû ïðîâåðåíû è ïåðåïðîâåðåíû!

ïðîáëåìà â òîì, ÷òî ðîóòåðû asus wl-5xx ñ ðàçíîé ïðîøèâêîé ïî ðàçíîìó âçàèìîäåéñòâóþò ñ öåíòðàëüíûì ðîóòåðîì x86 OpenWRT, â ÷åì ýòî çàêëþ÷àåòñÿ:
- ïðè ïèíãå ñ ðîóòåðîâ ñ ïðîøèâêîé ýíòóçèàñòîâ íà àäðåñ âíóòðåííåé ñåòè çà öåíòðàëüíûì ðîóòåðîì âðåìÿ çàäåðæêè ìîæåòå äîõîäèòü äî 100ìñ, ïðè ïèíãå ñ ðîóòåðîâ DD-WRT çàäåðæêà â ñðåäíåì 1ìñ
- ïî êîìàíäå traceroute íà àäðåñ âíóòðåííåé ñåòè çà öåíòðàëüíûì ðîóòåðîì âûâîä îòâåòà ìîæåò çàäåðæàòüñÿ íà 15-60ñ íà ðîóòåðàõ ñ ïðîøèâêîé ýíòóçèàñòîâ, íà ðîóòåðàõ DD-WRT îòâåò âèäåí ïðàêòè÷åñêè ìãíîâåííî.

WAN1 (wl-500gpv1 1.9.2.7-rtn):

Code:

[admin@cs-trifle root]$ ip route
10.198.0.1 dev ppp0  proto kernel  scope link  src 85.198.188.40
195.24.153.32/29 dev br0  proto kernel  scope link  src 195.24.153.33
195.24.153.0/24 via 195.24.153.34 dev br0  metric 1
10.51.0.0/16 dev vlan1  proto kernel  scope link  src 10.51.0.13
127.0.0.0/8 dev lo  scope link
default via 10.198.0.1 dev ppp0

WAN2 (wl-500W DD-WRT):

Code:

root@cs-urktel:~# ip route
195.5.5.202 dev ppp0  scope link
195.5.5.202 dev ppp0  proto kernel  scope link  src 82.207.89.70
195.24.153.0/27 dev br0  proto kernel  scope link  src 195.24.153.2
195.24.153.0/24 via 195.24.153.1 dev br0
127.0.0.0/8 dev lo  scope link
default via 195.5.5.202 dev ppp0

WAN3 (wl-500gpv2 1.9.2.7-rtn):

Code:

[admin@csoptima8 root]$ ip route
195.248.176.231 dev ppp0  proto kernel  scope link  src 78.25.8.242
195.24.153.48/29 dev br0  proto kernel  scope link  src 195.24.153.49
195.24.153.0/24 via 195.24.153.50 dev br0  metric 1
169.254.0.0/16 dev vlan1  proto kernel  scope link  src 169.254.130.131
127.0.0.0/8 dev lo  scope link
default via 195.248.176.231 dev ppp0

WAN4 (wl-520gu DD-WRT):

Code:

root@csoptima4:~# ip route
195.24.153.56/29 dev br0  proto kernel  scope link  src 195.24.153.57
195.24.153.0/24 via 195.24.153.58 dev br0
127.0.0.0/8 dev lo  scope link

ó ýòîãî ïðîâàéäåðà ñåé÷àñ îáðûâ ïðîâîäà, ïîòîìó íåò ñåññèè PPPoE, ïîòîìó êàê íå ñ ýòèì âñå æå ïðîáëåìà.

traceroute:

Code:

[admin@cs-trifle root]$ traceroute 195.24.153.67
traceroute to 195.24.153.67 (195.24.153.67), 30 hops max, 38 byte packets
 1  195.24.153.34 (195.24.153.34)  0.468 ms  1.074 ms  0.864 ms
 2  195.24.153.67 (195.24.153.67)  1.447 ms  0.959 ms  1.097 ms
[admin@cs-trifle root]$


root@cs-urktel:~# traceroute 195.24.153.67
traceroute to 195.24.153.67 (195.24.153.67), 30 hops max, 38 byte packets
 1  cs-central-router.computersystemsltd.com (195.24.153.1)  1.148 ms  1.265 ms  1.000 ms
 2  exchange.computersystemsltd.com (195.24.153.67)  0.891 ms  *  0.923 ms


[admin@csoptima8 root]$ traceroute 195.24.153.67
traceroute to 195.24.153.67 (195.24.153.67), 30 hops max, 38 byte packets
 1  195.24.153.50 (195.24.153.50)  0.429 ms  1.354 ms  0.351 ms
 2  195.24.153.67 (195.24.153.67)  1.291 ms  1.301 ms  1.192 ms


root@csoptima4:~# traceroute 195.24.153.67
traceroute to 195.24.153.67 (195.24.153.67), 30 hops max, 38 byte packets
 1  cs-central-router.computersystemsltd.com (195.24.153.58)  0.576 ms  cs-central-router.computersystemsltd.com (195.24.153.58)  0.428 ms  0.421 ms
 2  exchange.computersystemsltd.com (195.24.153.67)  1.808 ms  *  0.636 ms

[Fast Deer]

Çäðàâñòâóéòå!
Ñîáñòâåííî ñàáæ. Ïîäðîáíîñòè:
íà ñâîåì WL500W ïîäíÿë âòîðîé WAN (W2) ñ ëîêàëêîé îò âòîðîãî ïðîâà (ñòàòèê IP, vlan1), ïðîïèñàë ìàðøðóò. Ïðîâåðèë - ïàêåòû õîäÿò âî âòîðóþ ñåòü (tracert ñåòü 2ãî ïðîâà), íî èíòåðíåò ïî äåôîëòó íàñòðîåí íà îñíîâíîãî ïðîâà (WAN1, PPPoE) è ñîîòâåòñòâåííî, âñå õîäÿò ÷åðåç íåãî, à òàì êàíàë íå î÷åíü øèðîêèé. Ìíå íóæíî çàâåðíóòü òðàôèê ñ îïðåäåëåííûõ ìàøèí ìîåé ëîêàëêè (ïî IP àäðåñó) ÷åðåç W2, à òàêæå ïî îïðåäåëåííûì ïîðòàì îñòàâèòü íà îñíîâíîì WAN (W1) - ýòî íóæíî äëÿ äîñòóïà íåêîòîðûå ðåñóðñû ïðîâîâ.
Òàêæå õîòåëîñü áû íà âñÿêèé ñëó÷àé (ïðè ïàäåíèè êàêîãî íèòü êàíàëà) ïåðåêëþ÷àòü (ïåðåêëþ÷åíèå âðó÷íóþ) îñíîâíîãî ïðîâà äëÿ âñåõ êîìïîâ ìîåé ëîêàëêè.
Êàê ýòî ìîæíî ðåàëèçîâàòü? Åñëè íóæíî áîëåå ïîäðîáíî, òî ïîäðîáíîñòè âûëîæó â òåìó, íî IMHO, ìîæíî îáîéòèñü è ïåðåìåííûìè - íóæíûå çíà÷åíèÿ ïîäñòàâëþ ñàì.
Òå êòî ìîæåò ïîìî÷ü - ïèøèòå â ëè÷êó, ïëèç. Îòâå÷àþ íå ñðàçó.

[AndreyPopov]

Íåñêîëüêî ïðîâàéäåðîâ, source routing, ìàðêèðîâàíèå ïàêåòîâ iptables è Windows - âíåøíèé äîñòóï ê âíóòðåííèì ðåñóðñàì ÷åðåç íåñêîëüêèõ ïðîâàéäåðîâ

äóìàþ íà ñåãîäíÿ, êîãäà åñòü âîçìîæíîñòü ïîäêëþ÷èòü íåñêîëüêèõ ïðîâàéäåðîâ, ÷òîáû:
- èìåòü ðåçåðâíûé êàíàë
- óâåëè÷èòü ïðîïóñêíóþ ñïîñîáíîñòü
è äðóãèå âàðèàíòû ýòèõ äâóõ ïóíêòîâ, ìíîãèõ èíòåðåñóåò ýòîò âîïðîñ.

òàêæå îäíîé èç çàäà÷ â òàêèõ óñëîâèÿõ ÿâëÿåòñÿ âíåøíèé äîñòóï ê âíóòðåííèì ðåñóðñàì âàøåé ñî âñåõ ïðîâàéäåðîâ.

åñëè ðå÷ü èäåò î ñèñòåìàõ íà áàçå Linux, òî øèðîêèå âîçìîæíîñòè ïàêåò iproute2 ïî íàñòðîéêå íåñêîëüêèõ òàáëèö ìàðøðóòèçàöèè íà îñíîâå ðàçíûõ ïðàâèë è â òîì ÷èñëå ìàðøðóòèçàöèÿ ïî èñòî÷íèêó (source routing), èñïîëüçîâàíèå ìàðêèðîâêè ïàêåòîâ ñèëàìè iptables äëÿ ôîðìèðîâàíèÿ ýòèõ ïðàâèë - â îáùåì íà ñèñòåìàõ Linux âîçìîæíîñòåé ìàðøðóòèçàöèè íà ëþáîé âêóñ.

íî êîãäà äåëî äîõîäèò äî Windows, òî òóò äàæå âñå îáèëèå âîçìîæíîñòåé ïàêåòà iproute2/iptables ïðîñòî óáèâàåòñÿ!


è òàê, êàêîâà ìîÿ ñèòóàöèÿ:
èñòîðè÷åñêè ñëîæèëîñü òàê, ÷òî ó ìåíÿ ÷åòûðå ïðîâàéäåðà
íà êàæäîãî ïðîâàéäåðà ñòîèò ðîóòåð(Linux) ñ ïîäíÿòîé ñåññèåé PPPoe
ýòè ÷åòûðå ðîóòåðà ïîäêëþ÷åíû ê öåíòðàëüíîìó ðîóòåðó(Linux), êîòîðûé çàíèìàåòñÿ áàëàíñèðîâêîé òðàôèêà
çà öåíòðàëüíûì ðîóòåðîì íàõîäèòñÿ îôèñíàÿ ñåòü è ñåðâåðà - âñå Windows/Windows Server

Code:

P1 --R1---\
            \       ____________
              \----|            |
P2 --R2------------|  central   |
                   | balansing  |-------- office and servers
P3 --R3------------|   router   |
              /----|____________|
            /
P4 --R4---/

è åñëè ñ áàëàíñèðîâêîé òðàôèêà, "çàâîðà÷èâàíèåì òðàôèêà" íà íóæíîãî ïðîâàéäåðà ( â ñëó÷àå ê ïðèìåðó êîãäà ïðîâàéäåð ïðåäîñòàâëÿåò áåñïëàòíûé ïî÷òîâûé ÿùèê ñ äîñòóïîì ó íåìó ÷åðåç ýòîãî ïðîâàéäåðà) - âñå áûëî äîñòàòî÷íî ïðîñòî, òî ñ âíåøíèì äîñòóïîì ê âíóòðåííèì ñåðâåðàì ïðèøëîñü ïîâîçèòüñÿ è äîñòàòî÷íî äîëãî.


áûëè ïåðåïðîáîâàíû âñå ìåòîäû íà÷èíàÿ:
- ñ source routing
- ìàðêèðîâêà ïàêåòîâ ñ ïîìîùüþ iptables -j MARK --set-mark xx
- ìàðêèðîâêà ïàêåòîâ ñ ïîìîùüþ iptables -j CONNMARK --set-mark xx
- ìàðêèðîâêà ïàêåòîâ ñ ïîìîùüþ iptables -j TOS --set-tos xx


íî äåëî â òîì, ÷òî Windows ïðèíèìàÿ IP (TCP/UDP) ïàêåò ïðîñòî èãíîðèðóåò âñå âûñòàâëåííûå â ïàêåòàõ ïðèîðèòåòû è ìàðêåðû è ñîîòâåòñòâåííî â îòâåò âûñûëàåò "äåâñòâåííî" ÷èñòûé ïàêåò. åäèíñòâåííîå, ÷òî óìååò äåëàòü Windows/Windows Server ýòî ìàðêèðîâàòü çàãîëîâîê ïàêåòà ïðèîðèòåòîì TOS, ñ ïîìîùüþ ñëóæáû QoS. íî ñëåäóåò çàìåòèòü, ÷òî è ýòî ðàáîòàåò äàëåêî íå âñåãäà, ïîòîìó êàê äðàéâåðà íå âñåõ ñåòåâûõ êàðò ïîääåðæèâàþò ýòó ôóíêöèþ.

ðåøåíèå áûëî íàéäåíî òàêèì ïóòåì:
- íà êàæäîì ñåðâåðå, äîñòóï ê êîòîðîìó íóæåí áûë èçâíå ê îñíîâíîìó àäðåñó áûëî äîáàâëåíî åùå ïî ÷åòûðå äîïîëíèòåëüíûõ àäðåñà (ïî îäíîìó íà êàæäîãî ïðîâàéäåðà).
ñêàæåì òàê ó - ó ñåðâåðà îñíîâíîé àäðåñ 192.168.1.254, åìó íà òîò æå èíòåðôåéñ äîáàâèëè 192.168.1.241, 192.168.1.242, 192.168.1.243, 192.168.1.244
- â ïðîáðîñå ïîðòîâ Virtual Server íà êàæäîì ïðîóòåðå áûë ïðîïèñàí íà ñâîé àäðåñ:
P1 --R1 -> 192.168.1.241
P2 --R2 -> 192.168.1.242
P3 --R3 -> 192.168.1.243
P4 --R4 -> 192.168.1.244

- íà öåíòðàëüíîì ðîóòåðå ñîçäàíû äîïîëíèòåëüíûå òàáëèöû ìàðøðóòèçàöèè:
ip route add from 192.168.1.241 table 1
ip route add default via R1 table 1

ip route add from 192.168.1.242 table 2
ip route add default via R2 table 2

ip route add from 192.168.1.243 table 3
ip route add default via R3 table 3

ip route add from 192.168.1.244 table 4
ip route add default via R4 table 4

âîò â òàêîé êîíôèãóðàöèè ðàáîòàåò è áàëàíñèðîâêà è âíåøíèé äîñòóï îò êàæäîãî ïðîâàéäåðà.

[ryzhov_al]

Ôîðóì ïîñâÿù¸í äîìàøíèì ðîóòåðàì ASUS.
Êàêèå íàôèã office and servers?!

[AndreyPopov]

Ôîðóì ïîñâÿù¸í äîìàøíèì ðîóòåðàì ASUS.
Êàêèå íàôèã office and servers?!

à òèïà ñåé÷àñ äîìà íè óêîãî íå ìîæåò áûòü äâóõ ïðîâàéäåðîâ è íåò äîìàøíåãî âýá ñåðâåðà?

êîãäà âýá ñåðâåð ïîäíÿò íà ôëýøêå ïîäêëþ÷åííîé ê ñàìîìó ðîóòåðó - òî îñîáûõ ïðîáëåì íå âîçíèêàåò.

à âîò êîãäàñåðâåð íàõîäèòñÿ çà ðîóòåðîì è íà íåì ñòîèò âèíäà - âîò òîãäà íà÷èíàåòñÿ ñàìîå èíòåðåñíîå.

à ðîóòåðû ýòè äàâíî íå äîìàøíèå, îíè îòíîñÿòñÿ ê êàòåãîðèè SOHO - Small Office & Home Office

è ýòîò òîïèê àäðåñîâàí èìåííî òóäà.