Single-address setup


I run a dual-stack (IPv4 and IPv6) home network, using a few VLANs to isolate IoT devices (VLAN 20) from regular users (VLAN 10) and network hardware (the untagged VLAN). I currently host local DNS (and a few other services) on a Raspberry Pi 3 B+ (running Raspbian), which normally sits on the untagged VLAN, but as an experiment I want to try giving it addresses on the other two VLANs (10 and 20) as well (to simplify firewall rules, reduce load on the router, etc.). My first attempt failed, so I tried to simplify things and only put it on the untagged VLAN and VLAN 10, but that failed too, and I don't understand why.

Single-address setup

Here is the normal setup (only an address on the untagged VLAN, nothing on VLAN 10 or 20):

/etc/network/interfaces is empty.

Here is /etc/dhcpcd.conf:

hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option ntp_servers
option interface_mtu
require dhcp_server_identifier
slaac private

interface eth0
static ip_address=192.168.1.10/24
static ip6_address=fd:<STATIC_IPv6_ULA>/64
static routers=192.168.1.1 fd:<STATIC_IPv6_ULA_FOR_ROUTER>
static domain_name_servers=127.0.0.1 ::1

Here are the resulting addresses:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether <MAC_ADDR> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd:<IPv6_ULA_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 85965sec preferred_lft 13965sec
    inet6 <IPv6_GLOBAL_ADDR_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 85965sec preferred_lft 13965sec
    inet6 fd:<STATIC_IPv6_ULA>/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::<IPv6_LLA>/64 scope link
       valid_lft forever preferred_lft forever

This works fine, and I can reach hosts on VLANs 10 and 20 via the router. The problem appears when I try to add an interface on one of those VLANs...

Adding a VLAN

To add an address on VLAN 10, I added the following configuration on top of the configuration from the single-address setup:

Here is /etc/network/interfaces:

auto eth0.10

iface eth0.10 inet manual
  vlan-raw-device eth0

iface eth0.10 inet6 manual
  vlan-raw-device eth0

Here is /etc/dhcpcd.conf:

interface eth0.10
static ip_address=10.0.10.10/24
static ip6_address=fd:<STATIC_IPv6_VLAN_10_ULA>/64
static routers=10.0.10.1 <STATIC_IPv6_VLAN_10_ULA_FOR_ROUTER>
static domain_name_servers=127.0.0.1 ::1

Here are the resulting addresses:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether <MAC_ADDR> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd:<STATIC_IPv6_ULA>/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether <MAC_ADDR> brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.10/24 brd 10.0.10.255 scope global eth0.10
       valid_lft forever preferred_lft forever
    inet6 fd:<IPv6_VLAN_10_ULA_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86377sec preferred_lft 14377sec
    inet6 <IPv6_GLOBAL_ADDR_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86377sec preferred_lft 14377sec
    inet6 fd:<STATIC_IPv6_VLAN_10_ULA>/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::<IPv6_LLA>/64 scope link
       valid_lft forever preferred_lft forever

This is strange: I lost the global IPv6 addresses on the untagged VLAN, as well as the link-local address (LLA) and the ULA obtained from SLAAC. I tried a few pings to see what works, and here is what I found:

$ ping -4 -I eth0 www.google.com
<SUCCESS>
$ ping -4 -I eth0.10 www.google.com
<SUCCESS>
$ ping -6 -I eth0 www.google.com
connect: Network is unreachable
$ ping -6 -I eth0.10 www.google.com
<SUCCESS>

So IPv4 works fine on both VLANs, but IPv6 is broken on the untagged VLAN. I looked in syslog for all messages related to dhcpcd and found the following:

00:28:23 HOSTNAME systemd[1]: Starting dhcpcd on all interfaces...
00:28:23 HOSTNAME dhcpcd[340]: dev: loaded udev
00:28:23 HOSTNAME dhcpcd[340]: eth0: waiting for carrier
00:28:23 HOSTNAME dhcpcd[340]: eth0.10: waiting for carrier
00:28:24 HOSTNAME dhcpcd[340]: eth0: carrier acquired
00:28:24 HOSTNAME dhcpcd[340]: DUID <DUID>
00:28:24 HOSTNAME dhcpcd[340]: eth0: IAID <IAID>
00:28:24 HOSTNAME dhcpcd[340]: eth0: IAID conflicts with one assigned to eth0.10
00:28:24 HOSTNAME dhcpcd[340]: eth0: adding address fe80::<IPv6_LLA>
00:28:24 HOSTNAME dhcpcd[340]: eth0: adding address fd:<STATIC_IPv6_ULA>/64
00:28:24 HOSTNAME dhcpcd[340]: eth0: adding route to fd:<STATIC_IPv6_ULA_PREFIX>/64
00:28:24 HOSTNAME dhcpcd[340]: eth0: probing address 192.168.1.10/24
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: carrier acquired
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: IAID <IAID>
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: IAID conflicts with one assigned to eth0
00:28:24 HOSTNAME dhcpcd[340]: eth0: deleting address fe80::<IPv6_LLA>
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: adding address fe80::<IPv6_LLA>
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: adding address fd:<STATIC_IPv6_VLAN_10_ULA>/64
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: adding route to fd:<STATIC_IPv6_ULA_VLAN_10_PREFIX>/64
00:28:24 HOSTNAME dhcpcd[340]: eth0.10: probing address 10.0.10.10/24
00:28:24 HOSTNAME dhcpcd[340]: eth0: soliciting an IPv6 router
00:28:25 HOSTNAME dhcpcd[340]: eth0.10: soliciting an IPv6 router
00:28:29 HOSTNAME dhcpcd[340]: eth0.10: using static address 10.0.10.10/24
00:28:29 HOSTNAME dhcpcd[340]: eth0.10: adding route to 10.0.10.0/24
00:28:29 HOSTNAME dhcpcd[340]: eth0.10: adding default route via 10.0.10.1
00:28:29 HOSTNAME dhcpcd[340]: forked to background, child pid 603
00:28:29 HOSTNAME systemd[1]: Started dhcpcd on all interfaces.
00:28:30 HOSTNAME dhcpcd[603]: eth0: using static address 192.168.1.10/24
00:28:30 HOSTNAME dhcpcd[603]: eth0: adding route to 192.168.1.0/24
00:28:30 HOSTNAME dhcpcd[603]: eth0: adding default route via 192.168.1.1
00:28:30 HOSTNAME dhcpcd[603]: eth0.10: Router Advertisement from fe80::<IPv6_LLA_OF_ROUTER>
00:28:30 HOSTNAME dhcpcd[603]: eth0.10: adding address <IPv6_GLOBAL_ADDR_FROM_SLAAC>/64
00:28:30 HOSTNAME dhcpcd[603]: eth0.10: adding address <IPv6_VLAN_10_ULA_FROM_SLAAC>/64
00:28:30 HOSTNAME dhcpcd[603]: eth0.10: adding route to <IPv6_GLOBAL_PREFIX_FROM_SLAAC>/64
00:28:30 HOSTNAME dhcpcd[603]: eth0.10: adding default route via fe80::<IPv6_LLA_OF_ROUTER>
00:29:17 HOSTNAME dhcpcd[603]: eth0.10: fe80::<IPv6_LLA_OF_ROUTER> is unreachable, expiring it
00:30:08 HOSTNAME dhcpcd[603]: eth0.10: fe80::<IPv6_LLA_OF_ROUTER> is reachable again

So it seems there is a problem that causes the LLA to be deleted on the untagged VLAN, which prevents it from seeing router advertisements on that interface.

I would guess this kind of setup is supposed to work (multiple VLANs per NIC, with IPv6). Do you know what is causing this problem? Is it just a mistake in my configuration?

Just in case, here is the Raspbian kernel version running on the Raspberry Pi:

$ uname -a
Linux HOSTNAME 4.14.70-v7+ #1144 SMP Tue Sep 18 17:34:46 BST 2018 armv7l GNU/Linux

Answer 1

Thanks to @grawity for the hint! The problem was simply that dhcpcd was out of date. As @grawity mentioned in the comments above, support for automatic IAIDs on VLAN-tagged interfaces was only added in dhcpcd version 7.0.0. Here is the version installed by default with apt on my Raspbian system:

$ sudo dhcpcd --version
dhcpcd 6.11.5
Copyright (c) 2006-2016 Roy Marples
Compiled in features: INET IPv4LL INET6 DHCPv6 AUTH

In case it helps anyone, here are the steps I took to install the latest version (7.0.8) from source:

Check https://github.com/rsmarples/dhcpcd/releases for the latest dhcpcd release.

wget https://github.com/rsmarples/dhcpcd/archive/dhcpcd-7.0.8.tar.gz
tar xzf dhcpcd-7.0.8.tar.gz
cd dhcpcd-dhcpcd-7.0.8
./configure --libexecdir=/lib/dhcpcd --dbdir=/var/lib/dhcpcd5
make
sudo make install

Note that I set dbdir to /var/lib/dhcpcd5 even though the instructions generally suggest /var/lib/dhcpcd. On my system, /var/lib/dhcpcd5 was already in use by the existing dhcpcd installation and /var/lib/dhcpcd did not exist. Do whatever makes sense for your system.

Now that this is done:

$ sudo dhcpcd --version
dhcpcd 7.0.8
Copyright (c) 2006-2018 Roy Marples
Compiled in features: INET ARP ARPing IPv4LL INET6 DHCPv6 AUTH

Now, after adding the VLAN 10 interface, everything works (and after adding the VLAN 20 interface as well). Here is the situation with only the VLAN 10 interface added:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether <MAC_ADDR> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fd:<IPv6_ULA_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86382sec preferred_lft 14382sec
    inet6 <IPv6_GLOBAL_ADDR_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86382sec preferred_lft 14382sec
    inet6 fd:<STATIC_IPv6_ULA>/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::<IPv6_LLA>/64 scope link
       valid_lft forever preferred_lft forever
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether <MAC_ADDR> brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.10/24 brd 10.0.10.255 scope global noprefixroute eth0.10
       valid_lft forever preferred_lft forever
    inet6 fd:<IPv6_VLAN_10_ULA_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86381sec preferred_lft 14381sec
    inet6 <IPv6_VLAN_10_GLOBAL_ADDR_FROM_SLAAC>/64 scope global mngtmpaddr noprefixroute dynamic
       valid_lft 86381sec preferred_lft 14381sec
    inet6 fd:<STATIC_IPv6_VLAN_10_ULA>/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::<IPv6_LLA_2>/64 scope link
       valid_lft forever preferred_lft forever

Interestingly, the LLA is unique on each interface. It looks like it is derived from the IAID, and in syslog I can now see that the IAID is unique on each interface. For eth0, my IAID is derived from my MAC address, but for the VLAN 10 interface the IAID is simply ff:00:00:0a. For the VLAN 20 interface it is ff:00:00:14. So the IAID appears to be just ff::VLAN_NUMBER, which makes the LLA unique on each interface. Anyway, this is more of a curiosity than a real problem...

Anyway, all interfaces are configured correctly and they can all reach internal network hosts as well as external internet hosts. Thanks again @grawity!
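To make the diagnosis in the question and the explanation in the answer checkable on another host, here is an added example (not code from the question, the answer, or the dhcpcd project). It parses dhcpcd syslog lines for the "IAID conflicts" symptom, checks whether a `dhcpcd --version` string is at least 7.0.0, and reproduces the ff:00:00:<VLAN> IAID the answer observed; extending that pattern to VLAN IDs above 255 (VLAN ID in the low two bytes) is an assumption, as is the constructed sample log.

```python
import re

# Constructed sample, shaped like the syslog excerpt in the question
# (hostname, pid, IAID and LLA values are made up).
SAMPLE_SYSLOG = """\
00:28:24 pi dhcpcd[340]: eth0: IAID 12:34:56:78
00:28:24 pi dhcpcd[340]: eth0: IAID conflicts with one assigned to eth0.10
00:28:24 pi dhcpcd[340]: eth0.10: IAID 12:34:56:78
00:28:24 pi dhcpcd[340]: eth0.10: IAID conflicts with one assigned to eth0
00:28:24 pi dhcpcd[340]: eth0: deleting address fe80::1
"""

IAID_RE = re.compile(r"dhcpcd\[\d+\]: (\S+): IAID ([0-9a-f:]+)$")
CONFLICT_RE = re.compile(r"dhcpcd\[\d+\]: (\S+): IAID conflicts with one assigned to (\S+)")


def shared_iaids(log_text):
    """Map each IAID announced by more than one interface to the sorted interface names."""
    by_iaid = {}
    for line in log_text.splitlines():
        m = IAID_RE.search(line)
        if m:
            by_iaid.setdefault(m.group(2), set()).add(m.group(1))
    return {iaid: sorted(ifs) for iaid, ifs in by_iaid.items() if len(ifs) > 1}


def conflict_pairs(log_text):
    """Interface pairs dhcpcd itself flagged with 'IAID conflicts with one assigned to'."""
    pairs = {tuple(sorted(m.groups()))
             for m in (CONFLICT_RE.search(l) for l in log_text.splitlines()) if m}
    return sorted(pairs)


def parse_version(version_output):
    """Turn the first line of `dhcpcd --version` ('dhcpcd 6.11.5 ...') into a tuple."""
    m = re.match(r"dhcpcd (\d+)\.(\d+)\.(\d+)", version_output.strip())
    if not m:
        raise ValueError("unrecognised dhcpcd version output")
    return tuple(int(x) for x in m.groups())


def supports_vlan_iaid(version):
    """True from 7.0.0 on, the release the answer credits with automatic VLAN IAIDs."""
    return version >= (7, 0, 0)


def vlan_iaid(vlan_id):
    """IAID observed for a VLAN interface in the answer: ff:00:00:0a for VLAN 10.
    Assumption: the VLAN ID occupies the low two bytes for IDs above 255."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VLAN IDs are 1..4094")
    return f"ff:00:{(vlan_id >> 8) & 0xff:02x}:{vlan_id & 0xff:02x}"
```

Feed the real journal through `shared_iaids` or `conflict_pairs` to confirm the symptom before upgrading, and `parse_version` on the actual `dhcpcd --version` output to confirm the installed release predates the fix.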
