Linux replies with the source address of a virtual interface

Hopefully this is the right forum.

I have a Linux (CentOS 7) server with Quagga (for BGP) and dnsmasq (for DHCP) installed. We run the DHCP service over BGP for redundancy.

Currently, clients reach the DHCP server via the BGP IP address (10.10.12.12) and send a DISCOVER packet. The DHCP server sees it and sends an OFFER, but the OFFER never gets back to the client, because the DHCP server uses its internal IP (172.18.25.10 - you can see this in the second tcpdump packet below) as the source address instead of the BGP IP address (10.10.12.12). 172.18.25.10 is blocked by our firewall (and we do not want to open it).

How can I set the source address of the replies to the client to the BGP address instead of the internal IP? I have been experimenting with ip route configuration but cannot seem to get it right. Any ideas?

Routes

$ ip r
default via 172.18.25.1 dev ens256 proto static metric 100 
172.18.25.0/24 dev ens256 proto kernel scope link src 172.18.25.10 metric 100 

Interfaces

$ ifconfig
ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 172.18.25.10  netmask 255.255.255.0  broadcast 172.18.25.255
    (truncated for brevity...)

lo:10: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet 10.10.12.12  netmask 255.255.255.255
    loop  txqueuelen 1  (Local Loopback)

Virtual interface configuration for lo:10

DEVICE=lo:10
IPADDR=10.10.12.12
NETMASK=255.255.255.255
ONBOOT=yes
NAME=lo10

tcpdump on the DHCP server

17:44:11.833026 IP (tos 0x0, ttl 62, id 4923, offset 0, flags [none], proto UDP (17), length 388)
192.168.69.1.67 > 10.10.12.12.67: [udp sum ok] BOOTP/DHCP, Request from a8:60:b6:0c:49:cd, length 360, hops 1, xid 0xad97213f, secs 8, Flags [none] (0x0000)
  Gateway-IP 192.168.69.1
  Client-Ethernet-Address a8:60:b6:0c:49:cd
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Parameter-Request Option 55, length 10: 
      Subnet-Mask, Classless-Static-Route, Default-Gateway, Domain-Name-Server
      Domain-Name, Option 119, Option 252, LDAP
      Netbios-Name-Server, Netbios-Node
    MSZ Option 57, length 2: 1500
    Client-ID Option 61, length 7: ether a8:60:b6:0c:49:cd
    Lease-Time Option 51, length 4: 7776000
    Hostname Option 12, length 9: "tests-MBP"
    Agent-Information Option 82, length 57: 
      Circuit-ID SubOption 1, length 42: ToR-vc.corp.fake01:ge-0/0/20.0:dhcp-test-69
      Remote-ID SubOption 2, length 11: ge-0/0/20.0

17:44:11.833196 IP (tos 0xc0, ttl 64, id 4315, offset 0, flags [none], proto UDP (17), length 394)
172.18.25.10.67 > 192.168.69.1.67: [bad udp cksum 0xcc4d -> 0xe7d1!] BOOTP/DHCP, Reply, length 366, hops 1, xid 0xad97213f, secs 8, Flags [none] (0x0000)
  Your-IP 192.168.69.230
  Server-IP 172.18.25.10
  Gateway-IP 192.168.69.1
  Client-Ethernet-Address a8:60:b6:0c:49:cd
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Offer
    Server-ID Option 54, length 4: 172.18.25.10
    Lease-Time Option 51, length 4: 300
    RN Option 58, length 4: 150
    RB Option 59, length 4: 262
    Subnet-Mask Option 1, length 4: 255.255.255.0
    BR Option 28, length 4: 192.168.69.255
    Default-Gateway Option 3, length 4: 192.168.69.1
    Domain-Name-Server Option 6, length 4: 172.18.25.10
    Domain-Name Option 15, length 13: "example.com"
    Agent-Information Option 82, length 57: 
      Circuit-ID SubOption 1, length 42: ToR-vc.corp.fake01:ge-0/0/20.0:dhcp-test-69
      Remote-ID SubOption 2, length 11: ge-0/0/20.0

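Added example, not from the question or either answer: a small Python check that reads tcpdump -v output in the format of the capture above and flags DHCP replies whose source address (or Server-ID option) is not the service address the DISCOVER was sent to. The sample lines are constructed from the capture in the question; the Server-ID parsing assumes option 54 is printed exactly as tcpdump shows it there.

```python
import re

# Constructed sample: the address lines and relevant options from the capture
# in the question (tcpdump -v prints the timestamp on the preceding line).
SAMPLE_LINES = [
    "192.168.69.1.67 > 10.10.12.12.67: [udp sum ok] BOOTP/DHCP, Request from a8:60:b6:0c:49:cd, length 360, hops 1, xid 0xad97213f, secs 8, Flags [none] (0x0000)",
    "    DHCP-Message Option 53, length 1: Discover",
    "172.18.25.10.67 > 192.168.69.1.67: [bad udp cksum 0xcc4d -> 0xe7d1!] BOOTP/DHCP, Reply, length 366, hops 1, xid 0xad97213f, secs 8, Flags [none] (0x0000)",
    "    DHCP-Message Option 53, length 1: Offer",
    "    Server-ID Option 54, length 4: 172.18.25.10",
]
# Constructed "after the fix" capture: reply sourced from the BGP address.
FIXED_LINES = [l.replace("172.18.25.10", "10.10.12.12") for l in SAMPLE_LINES]

HDR = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*?BOOTP/DHCP, "
    r"(Request|Reply).*?xid (0x[0-9a-f]+)"
)
SID = re.compile(r"Server-ID Option 54, length 4: (\d+\.\d+\.\d+\.\d+)")


def parse(lines):
    """Group tcpdump -v lines into per-packet dicts: src, dst, kind, xid, server_id."""
    pkts = []
    for line in lines:
        m = HDR.match(line)
        if m:
            src, dst, kind, xid = m.groups()
            pkts.append({"src": src, "dst": dst, "kind": kind,
                         "xid": xid, "server_id": None})
        elif pkts:
            s = SID.search(line)
            if s:
                pkts[-1]["server_id"] = s.group(1)
    return pkts


def find_source_mismatches(lines, service_ip):
    """Return (xid, reply_src, server_id) for each Reply answering a Request
    that was sent to service_ip but is not sourced from / identified as it."""
    pkts = parse(lines)
    reqs = {p["xid"] for p in pkts if p["kind"] == "Request" and p["dst"] == service_ip}
    bad = []
    for p in pkts:
        if p["kind"] != "Reply" or p["xid"] not in reqs:
            continue
        if p["src"] != service_ip or (p["server_id"] and p["server_id"] != service_ip):
            bad.append((p["xid"], p["src"], p["server_id"]))
    return bad
```

Run it over `tcpdump -v -n port 67` output before and after changing the route; the first list should become empty once replies leave with the BGP address.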
Answer 1

Based on "iptables: change the local source address if the destination address matches", I found a solution by adding a simple ip route.

ip route add 192.168.69.1/32 via 172.18.25.1 src 10.10.12.12

or

ip route add 0.0.0.0/0 via 172.18.25.1 src 10.10.12.12

Answer 2

If I understand correctly that this is a dnsmasq issue, that software offers a few options for your problem: interface forces it to listen on the specified interface, e.g.:

interface=lo:10

no-dhcp-interface disables DHCP allocation on the given interface, e.g.:

no-dhcp-interface=ens256

listen-address, which works like interface but binds to a specific IP address, e.g.:

listen-address=10.10.12.12

From the dnsmasq documentation

-i, --interface=<interface name> Listen only on the specified interface(s). 
Dnsmasq automatically adds the loopback (local) interface to the list of 
interfaces to use when the --interface option is used. If no --interface or 

-2, --no-dhcp-interface=<interface name>
Do not provide DHCP or TFTP on the specified interface, but do provide DNS 
service.

-a, --listen-address=<ipaddr>
Listen on the given IP address(es). Both --interface and --listen-address 
options may be given, in which case the set of both interfaces and addresses 
is used. Note that if no --interface option is given, but --listen-address 
is, dnsmasq will not automatically listen on the loopback interface. To 
achieve this, its IP address, 127.0.0.1, must be explicitly given as a -- 
listen-address option.
