具有不同 LAN 子网的 Ubuntu 路由器

Question

经过大量的辛苦和努力，我终于找到了问题的答案。

首先重申：我有一个家用的 18.04 UBUNTU 路由器，带有 3 个 NICS - 我发布此信息是因为 18.04 使用 netplan，而我在 netplan 的留言板上没有找到合适的答案。

NIC 1：内置千兆以太网 - WAN

NIC 2：2 端口 10G NIC - 绑定并连接到第 3 层交换机（位于 192.168.0.254）- 子网 192.168。0。X

NIC 3：4 端口千兆 NIC，用于本地互联网接入（与交换机分开）- 子网 192.168。1。X

如你所见，我希望创建 2 个子网 -192.168.0.x对于开关和192.168.1.x用于 4 端口 NIC（即使交换机断开连接也可以使用）。

由于这台机器是路由器，它需要路线，分配 IP 地址（DHCP），并提供DNS。下面，您将看到我的 netplan 和 DHCP 配置。DHCP 发生在两个子网上，即使交换机与 NIC 2 断开连接，NIC 3 也可以访问互联网（即它绕过交换机并使用路由器作为网关）

当你查看配置时，你会注意到 2 座桥梁：

br0 是连接到交换机的 2 端口 10G 网卡
br1 是用于互联网访问的 4 端口千兆网卡，即使没有交换机，其功能也基本上类似于具有 4 个端口的家用路由器）

这是 /etc/netplan/01-netcfg.yaml 文件：

 # This file describes the network interfaces available on your system
 # For more information, see netplan(5).
 network:
   version: 2
   renderer: networkd
   ethernets:
     enp0s8:  #WAN interface
       dhcp4: no
       dhcp6: no
        addresses: [xxx.xxx.xxx.xxx/24] #Static IP assigned by ISP
        gateway4: xxx.xxx.xxx.xxx       #Gateway Assigned by ISP
       nameservers:
        addresses: [xxx.xxx.xxx.xxx, 8.8.8.8] #DNS assigned by ISP
  optional: true
enp0s9:  #Internal gigabit NIC Interface not used
  dhcp4: no
  dhcp6: no
enp2s0f0:  #10G NIC Not used
  dhcp4: no
  dhcp6: no
enp2s0f1:  #10G NIC not used
  dhcp4: no
  dhcp6: no
enp5s0f0:  #port 1 NIC2 (10G NIC Bonded connected to switch)
  dhcp4: no
  dhcp6: no
enp5s0f1:  #port 2 NIC2 (10G NIC Bonded connected to switch)
  dhcp4: no
  dhcp6: no
enp8s0f0:  #port1 NIC3 (gigabit NIC acting as home router)
  dhcp4: no
  dhcp6: no
enp8s0f1:  #port2 NIC3 (gigabit NIC acting as home router)
  dhcp4: no
  dhcp6: no
enp9s0f0:  #port3 NIC3 (gigabit NIC acting as home router)
  dhcp4: no
  dhcp6: no
enp9s0f1:  #port3 NIC3 (gigabit NIC acting as home router)
  dhcp4: no
  dhcp6: no
bonds:
  bond0: #first 10G NIC, not used
   interfaces: [enp2s0f0, enp2s0f1]
   parameters:
     mode: 802.3ad
     lacp-rate: fast
     mii-monitor-interval: 100
  bond1: #second 10G NIC, bonded and connected to switch
   interfaces: [enp5s0f0, enp5s0f1]
   parameters:
     mode: 802.3ad
     lacp-rate: fast
     mii-monitor-interval: 100
bridges:
  br0: #this is the 10G nic connected to switch on 192.168.0.x subnet
   dhcp4: no
   dhcp6: no
   addresses: [192.168.0.1/24] #router IP address
   interfaces: [bond1]
   gateway4: 192.168.0.254
   routes:
   - to: 192.168.1.1 #router IP address (gateway/DNS) for the 4 port NIC subnet
   via: 192.168.0.1 #This allows the br1 to access the internet via the main router IP (located at 192.168.0.1), bypassing the switch
   parameters:
     stp: false
     forward-delay: 0
  br1: #home router 4 port gigabit bridge
   dhcp4: no
   dhcp6: no
   addresses: [192.168.1.1/24]
   gateway: 192.168.1.1
   interfaces: [enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1]
   parameters:
     stp: false
     forward-delay: 0

注意：因为我需要子网，所以为 Bond 0 建立了一个桥接192.168.0.x在此 NIC 上。

br0 桥允许位于子网192.168.1.x通过路由器（192.168.0.1）连接到互联网

接下来我们需要配置 DHCP两个都子网。以下是 iptables：

 # Allow LAN to access internet enp0s8 is WAN interface - mask the LAN IP with that of the WAN interface
 iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE

 #Allow all subnet access to the internet, The IP address is the WAN IP Address
 iptables -t nat -A POSTROUTING -o enp0s8 -j SNAT --to-source 69.59.44.75
 # Service rules

 # basic global accept rules - ICMP, loopback, traceroute, established all accepted
 iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
 iptables -A INPUT -p icmp -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

 # enable traceroute rejections to get sent out
 iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

 # DNS - accept from LAN
 iptables -A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
 iptables -A INPUT -i br0 -p udp --dport 53 -j ACCEPT
 iptables -A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
 iptables -A INPUT -i br1 -p udp --dport 53 -j ACCEPT

 # SSH - accept from LAN
 iptables -A INPUT -i br0 -p tcp --dport 8880 -j ACCEPT
 iptables -A INPUT -i br1 -p tcp --dport 8880 -j ACCEPT

 # DHCP client requests - accept from LAN
 iptables -A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT
 iptables -A INPUT -i br1 -p udp --dport 67:68 -j ACCEPT

 # drop all other inbound traffic
 iptables -A INPUT -j DROP

 # Forwarding rules
 # forward packets along established/related connections
 iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

 # forward from LAN (br0, br1) to WAN (enp0s8)
 iptables -A FORWARD -i br0 -o enp0s8 -j ACCEPT
 iptables -A FORWARD -i br1 -o enp0s8 -j ACCEPT

 # allow traffic from our NAT pinhole (PORT FORWARDING)
 iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 8888 -j ACCEPT
 iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 8888 -j ACCEPT

 # drop all other forwarded traffic
 iptables -A FORWARD -j DROP

这里需要注意的最重要的一点是，无论我有什么br0 列出的内容，我已为 br1 复制了内容

最后，我们需要设置 DHCP 并确保它在两个子网上都能正常工作。这是 /etc/default/isc-dhcp-server 文件：

 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
 # Separate multiple interfaces with spaces, e.g. "eth0 eth1".
 INTERFACESv4="br0 br1"
 INTERFACESv6="br0 br1"

最后我们需要修改 /etc/dhcp/dhcpd.conf 文件：

 .......
 subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.240;
    option routers 192.168.0.1;
    option domain-name "yourdomain.com";
    option domain-name-servers 192.168.0.1;
    option broadcast-address 192.168.0.255;
 }

 subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.240;
    option routers 192.168.1.1;
    option domain-name "yourdomain2.org";
    option domain-name-servers 192.168.1.1;
    option broadcast-address 192.168.1.255;
 }
 # Add a section to reserve static IPs --------  This must be done for the network switch to enable static routing if needed

 host DELL_PowerConnect_6248P {
         hardware ethernet XX:XX:XX:XX:XX:XX;
         fixed-address 192.168.0.254; #this is the layer 3 switch connected to NIC2 which serves as the gateway for the 192.168.0.x subnet
         option host-name "DELL_Powerconnect_6248P";  
 }

这对我来说很管用。现在，即使断开了交换机连接，我也可以像使用家用路由器一样使用该路由器。请注意：这绝不是创建您自己的 Ubuntu 路由器所需要做的事项的列表。还有很多其他步骤。这可以在互联网上轻松搜索到。希望这个小教程将来能帮助到某些人。Netplan 很麻烦，但相当简单。如果像我这样的白痴可以做到，那么任何人都可以做到。祝您 Ubuntu 愉快。

状态更新。大约一小时后，路由器上的 WAN 接口关闭。阅读一些资料后，我发现上面的配置似乎不太正确。请参阅下面的更正。我在代码中加入了注释（包括我自己和其他人的评论）。

 ................
   bridges:
    br0:
     dhcp4: no
     dhcp6: no
     addresses: [192.168.0.1/24]
 #   gateway4: 192.168.0.254 # because we are using static routes, this option is not needed
     interfaces: [bond1]
     routes:
     - to: 0.0.0.0/0
     via: 192.168.0.254
     metric: 100
 #   Here, we have routed ALL subnets and all netmasks. Metric must be supplied if the gateway is not specified.
     - to: 192.168.1.1/24
     via: 192.168.0.1
     metric: 100
 #   Note: Even though we are specifying ALL subnets above, we can still have routing for a particular subnet so that all routes go to 192.168.0.254, but only 192.168.1.x subnet routes through 192.168.0.1
     parameters:
       stp: false
       forward-delay: 0   
    br1:
     dhcp4: no
     dhcp6: no
     addresses: [192.168.1.1/24]
     gateway: 192.168.1.1
 #   Here a gateway is specified, because there are no static routes
     interfaces: [enp8s0f0, enp8s0f1, enp9s0f0, enp9s0f1]
     parameters:
       stp: false
       forward-delay: 0

如您所见，我调整了配置以证明这一点。即使默认情况下所有子网都路由到 192.168.0.254，但 192.168.1.x 是个例外，它专门路由到 192.168.0.1。这样，即使交换机断开连接，我仍然可以通过 4 端口网卡访问互联网。

现在路由器可以正常工作，并且几个小时都没有出现故障。继续配置绑定、OpenVPN 和所有其他有用的内容。

我能够通过查看 netplan 示例来了解所有这些内容https://netplan.io/examples

希望这能对配置 netplan 有帮助。

Answer 1