I have an Ubuntu 18.04 router with multiple LAN interfaces:
First NIC: a 2-port 10G NIC (interfaces bonded) bond1: interfaces: [enp5s0f0, enp5s0f1]
Second NIC: a 4-port NIC, enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1
The router acts as the gateway and DHCP server. Currently the 1st and 2nd NICs are bridged to 192.168.0.1 (the LAN interface). My current netplan configuration is as follows:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s8:
      dhcp4: no
      dhcp6: no
      addresses: [69.59.34.150/24]
      gateway4: 69.59.34.1
      nameservers:
        addresses: [69.60.173.84, 8.8.8.8]
      optional: true
    enp0s9:
      dhcp4: no
      dhcp6: no
    enp2s0f0:
      dhcp4: no
      dhcp6: no
    enp2s0f1:
      dhcp4: no
      dhcp6: no
    enp5s0f0:
      dhcp4: no
      dhcp6: no
    enp5s0f1:
      dhcp4: no
      dhcp6: no
    enp8s0f0:
      dhcp4: no
      dhcp6: no
    enp8s0f1:
      dhcp4: no
      dhcp6: no
    enp9s0f0:
      dhcp4: no
      dhcp6: no
    enp9s0f1:
      dhcp4: no
      dhcp6: no
  bonds:
    bond0:
      interfaces: [enp2s0f0, enp2s0f1]
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
    bond1:
      interfaces: [enp5s0f0, enp5s0f1]
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
  bridges:
    br0:
      addresses: [192.168.0.1/24]
      gateway4: 192.168.0.254
      routes:
        - to: 10.10.10.0/24
          via: 192.168.0.254
        - to: 20.20.20.0/24
          via: 192.168.0.254
      interfaces: [enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1, bond1]
      parameters:
        stp: false
        forward-delay: 0
Note that there are several other interfaces, but my question concerns br0, which bridges the 4-port NIC and the 2-port 10G NIC - they are all on the same subnet, 192.168.0.x. I have specified a gateway (the switch at 192.168.0.254) for the static routes for the VLANs.
I want to split the 4-port NIC and the 2-port 10G NIC into different subnets (i.e. 2 different bridges). New architecture:
- 2-port 10G NIC on subnet 192.168.0.x
- 4-port NIC on subnet 192.168.1.x
I also need to keep DHCP working on both subnets (served by the same box).
My dhcpd.conf is as follows:
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.240;
  option routers 192.168.0.1;
  option domain-name "xxxxxx.org yyyyyyy.com";
  option domain-name-servers 192.168.0.1;
  option broadcast-address 192.168.0.255;
}
host DELL_PowerConnect_6248P {
  hardware ethernet aa:bb:cc:dd:ee:ff;
  fixed-address 192.168.0.254;
  option host-name "DELL_Powerconnect_6248P";
}
My question is specifically this: can I separate the two NICs by creating another bridge with only the 4-port NIC on subnet 192.168.1.x, then simply add another subnet to the DHCP configuration file and have everything work?
My reasoning is simple. The 10G NIC connects to a (dedicated) layer 3 switch, and I want to use the other 4 ports to work like a home router. In theory this seems feasible, but my concern is keeping DHCP working on both subnets. Thanks in advance for any help.
Answer 1
After a lot of toil and effort, I finally found the answer to my question.
First, to restate: I have a home Ubuntu 18.04 router with 3 NICs. I'm posting this because 18.04 uses netplan, and I didn't find a suitable answer on the netplan message boards.
NIC 1: onboard gigabit Ethernet - WAN
NIC 2: 2-port 10G NIC - bonded and connected to a layer 3 switch (at 192.168.0.254) - subnet 192.168.0.x
NIC 3: 4-port gigabit NIC for local internet access (separate from the switch) - subnet 192.168.1.x
As you can see, I want to create 2 subnets: 192.168.0.x for the switch and 192.168.1.x for the 4-port NIC (which works even when the switch is disconnected).
Since this machine is a router, it needs routes, assigns IP addresses (DHCP), and provides DNS. Below you'll see my netplan and DHCP configuration. DHCP happens on both subnets, and even if the switch is disconnected from NIC 2, NIC 3 can still reach the internet (i.e. it bypasses the switch and uses the router as the gateway).
When you look at the configuration, you'll notice 2 bridges:
- br0 is the 2-port 10G NIC connected to the switch
- br1 is the 4-port gigabit NIC for internet access; even without the switch, it essentially functions like a home router with 4 ports
Here is the /etc/netplan/01-netcfg.yaml file:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s8: #WAN interface
      dhcp4: no
      dhcp6: no
      addresses: [xxx.xxx.xxx.xxx/24] #Static IP assigned by ISP
      gateway4: xxx.xxx.xxx.xxx #Gateway Assigned by ISP
      nameservers:
        addresses: [xxx.xxx.xxx.xxx, 8.8.8.8] #DNS assigned by ISP
      optional: true
    enp0s9: #Internal gigabit NIC Interface not used
      dhcp4: no
      dhcp6: no
    enp2s0f0: #10G NIC Not used
      dhcp4: no
      dhcp6: no
    enp2s0f1: #10G NIC not used
      dhcp4: no
      dhcp6: no
    enp5s0f0: #port 1 NIC2 (10G NIC Bonded connected to switch)
      dhcp4: no
      dhcp6: no
    enp5s0f1: #port 2 NIC2 (10G NIC Bonded connected to switch)
      dhcp4: no
      dhcp6: no
    enp8s0f0: #port1 NIC3 (gigabit NIC acting as home router)
      dhcp4: no
      dhcp6: no
    enp8s0f1: #port2 NIC3 (gigabit NIC acting as home router)
      dhcp4: no
      dhcp6: no
    enp9s0f0: #port3 NIC3 (gigabit NIC acting as home router)
      dhcp4: no
      dhcp6: no
    enp9s0f1: #port4 NIC3 (gigabit NIC acting as home router)
      dhcp4: no
      dhcp6: no
  bonds:
    bond0: #first 10G NIC, not used
      interfaces: [enp2s0f0, enp2s0f1]
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
    bond1: #second 10G NIC, bonded and connected to switch
      interfaces: [enp5s0f0, enp5s0f1]
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
  bridges:
    br0: #this is the 10G nic connected to switch on 192.168.0.x subnet
      dhcp4: no
      dhcp6: no
      addresses: [192.168.0.1/24] #router IP address
      interfaces: [bond1]
      gateway4: 192.168.0.254
      routes:
        - to: 192.168.1.1 #router IP address (gateway/DNS) for the 4 port NIC subnet
          via: 192.168.0.1 #This allows the br1 to access the internet via the main router IP (located at 192.168.0.1), bypassing the switch
      parameters:
        stp: false
        forward-delay: 0
    br1: #home router 4 port gigabit bridge
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.1/24]
      gateway4: 192.168.1.1 #netplan's key is gateway4 (there is no "gateway" key)
      interfaces: [enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1]
      parameters:
        stp: false
        forward-delay: 0
Note: because I need the 192.168.0.x subnet on this NIC, I created a bridge for Bond 0.
The br0 bridge allows hosts on subnet 192.168.1.x to reach the internet via the router (192.168.0.1).
Next we need to configure DHCP on both subnets. Here are the iptables rules:
# Allow LAN to access internet enp0s8 is WAN interface - mask the LAN IP with that of the WAN interface
iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
#Allow all subnet access to the internet, The IP address is the WAN IP Address
# Note: the MASQUERADE rule above already matches every packet leaving enp0s8, so this SNAT rule is never reached
iptables -t nat -A POSTROUTING -o enp0s8 -j SNAT --to-source 69.59.44.75
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
iptables -A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i br0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i br1 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
iptables -A INPUT -i br0 -p tcp --dport 8880 -j ACCEPT
iptables -A INPUT -i br1 -p tcp --dport 8880 -j ACCEPT
# DHCP client requests - accept from LAN
iptables -A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i br1 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
iptables -A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (br0, br1) to WAN (enp0s8)
iptables -A FORWARD -i br0 -o enp0s8 -j ACCEPT
iptables -A FORWARD -i br1 -o enp0s8 -j ACCEPT
# allow traffic from our NAT pinhole (PORT FORWARDING)
iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 8888 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 8888 -j ACCEPT
# drop all other forwarded traffic
iptables -A FORWARD -j DROP
The most important thing to note here is that whatever I listed for br0, I duplicated for br1.
Finally, we need to set up DHCP and make sure it works on both subnets. Here is the /etc/default/isc-dhcp-server file:
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="br0 br1"
INTERFACESv6="br0 br1"
Lastly we need to modify the /etc/dhcp/dhcpd.conf file:
.......
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.240;
  option routers 192.168.0.1;
  option domain-name "yourdomain.com";
  option domain-name-servers 192.168.0.1;
  option broadcast-address 192.168.0.255;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.240;
  option routers 192.168.1.1;
  option domain-name "yourdomain2.org";
  option domain-name-servers 192.168.1.1;
  option broadcast-address 192.168.1.255;
}
# Add a section to reserve static IPs -------- This must be done for the network switch to enable static routing if needed
host DELL_PowerConnect_6248P {
  hardware ethernet XX:XX:XX:XX:XX:XX;
  fixed-address 192.168.0.254; #this is the layer 3 switch connected to NIC2 which serves as the gateway for the 192.168.0.x subnet
  option host-name "DELL_Powerconnect_6248P";
}
This works for me. Now, even with the switch disconnected, I can use this router like a home router. Please note: this is by no means a list of everything you need to do to create your own Ubuntu router. There are many other steps, which can easily be found on the internet. I hope this little tutorial helps someone in the future. Netplan is a pain but fairly simple. If an idiot like me can do it, anyone can. Happy Ubuntu-ing.
Status update. About an hour later, the WAN interface on the router went down. After reading some material, I found that the configuration above didn't seem quite right. See the corrections below. I've put comments in the code (mine and other people's).
................
bridges:
  br0:
    dhcp4: no
    dhcp6: no
    addresses: [192.168.0.1/24]
    # gateway4: 192.168.0.254 # because we are using static routes, this option is not needed
    interfaces: [bond1]
    routes:
      - to: 0.0.0.0/0
        via: 192.168.0.254
        metric: 100
      # Here, we have routed ALL subnets and all netmasks. Metric must be supplied if the gateway is not specified.
      - to: 192.168.1.1/24
        via: 192.168.0.1
        metric: 100
      # Note: Even though we are specifying ALL subnets above, we can still have routing for a particular subnet so that all routes go to 192.168.0.254, but only 192.168.1.x subnet routes through 192.168.0.1
    parameters:
      stp: false
      forward-delay: 0
  br1:
    dhcp4: no
    dhcp6: no
    addresses: [192.168.1.1/24]
    gateway4: 192.168.1.1 #netplan's key is gateway4 (there is no "gateway" key)
    # Here a gateway is specified, because there are no static routes
    interfaces: [enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1]
    parameters:
      stp: false
      forward-delay: 0
As you can see, I adjusted the configuration to prove the point. Even though by default all subnets are routed to 192.168.0.254, 192.168.1.x is the exception: it is routed specifically to 192.168.0.1. This way, even if the switch is disconnected, I can still reach the internet through the 4-port NIC.
Now the router works properly and has run for several hours without failure. On to configuring bonding, OpenVPN and all the other useful stuff.
I was able to figure all this out by looking at the netplan examples at https://netplan.io/examples
Hope this helps with configuring netplan.
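As an added check (not part of the answer above), the script below cross-checks a dhcpd.conf against the bridge addresses and the INTERFACESv4 list, catching the mistakes that are easy to make when a second subnet block is copied: a router option that is not the bridge's own address, a range copied from the other subnet, a bridge missing from INTERFACESv4, and a fixed-address inside the dynamic range. The dhcpd.conf text and the bridge-to-address mapping are constructed inputs modelled on the configs in the answer.

```python
import ipaddress
import re
# Constructed sample modelled on the dhcpd.conf above.
DHCPD_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.240;
  option routers 192.168.0.1;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.240;
  option routers 192.168.1.1;
}
host DELL_PowerConnect_6248P {
  fixed-address 192.168.0.254;
}
"""
# Assumed inputs: bridge addresses copied from the netplan "bridges:" section, INTERFACESv4 from /etc/default/isc-dhcp-server.
BRIDGES = {"br0": "192.168.0.1/24", "br1": "192.168.1.1/24"}
INTERFACESV4 = "br0 br1"
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_dhcpd(text):
    """Map each declared network to (range_low, range_high, routers) and collect fixed-addresses."""
    subnets = {}
    for net, mask, body in SUBNET_RE.findall(text):
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        router = re.search(r"option routers\s+(\S+);", body)
        subnets[ipaddress.ip_network(f"{net}/{mask}")] = tuple(
            ipaddress.ip_address(x) for x in (rng.group(1), rng.group(2), router.group(1)))
    fixed = [ipaddress.ip_address(a) for a in re.findall(r"fixed-address\s+(\S+);", text)]
    return subnets, fixed

def check(bridges, interfaces_v4, dhcpd_text):
    """Return mismatches between the bridges and the DHCP configuration (empty list = consistent)."""
    subnets, fixed = parse_dhcpd(dhcpd_text)
    served, problems = set(interfaces_v4.split()), []
    for name, cidr in bridges.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.network not in subnets:  # dhcpd logs "No subnet declaration" and ignores the interface
            problems.append(f"{name}: no subnet declaration for {iface.network}")
            continue
        low, high, router = subnets[iface.network]
        if router != iface.ip:  # clients would get a default gateway that is not this router
            problems.append(f"{name}: option routers {router} is not the bridge address {iface.ip}")
        if not (low <= high and low in iface.network and high in iface.network):
            problems.append(f"{name}: range {low}-{high} lies outside {iface.network}")
        if name not in served:
            problems.append(f"{name}: not listed in INTERFACESv4")
        problems += [f"{name}: fixed-address {f} overlaps the dynamic range" for f in fixed if low <= f <= high]
    return problems
```

Running `check(BRIDGES, INTERFACESV4, DHCPD_CONF)` on the sample returns an empty list; any non-empty result names the bridge and the mismatch to fix before restarting isc-dhcp-server.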