I am trying to set up a virtualized firewall for my home network. The architecture is: Internet -> virtualized pfSense -> LAN. There are plenty of examples of how to do this with the old network configuration, but none using netplan, the network manager in Ubuntu 18.04.
I have two NICs in the host and a fresh install of Ubuntu 18.04 Server.
Here are the contents of /etc/netplan/50-cloud-init.yaml:
username@scarif:~$ cat /etc/netplan/50-cloud-init.yaml
network:
    version: 2
    renderer: networkd
    ethernets:
        eno1:
            dhcp4: no
            dhcp6: no
        enp5s0:
            dhcp4: no
            dhcp6: no
    bridges:
        br_wan:
            interfaces: [enp5s0]
            dhcp4: no
            dhcp6: no
            addresses: [10.0.0.1/24]
        br_lan:
            interfaces: [eno1]
            dhcp4: no
            dhcp6: no
            addresses: [192.168.1.29/24]
            gateway4: 192.168.1.1
            nameservers:
                addresses: [192.168.1.1,8.8.8.8]
Note that I believe I need to give the LAN bridge a static IP, and that I want the virtualized pfSense to request a DHCP address from the ISP, so I gave the WAN bridge a throwaway IP and deliberately did not assign a gateway or nameservers to the WAN bridge. (If this is wrong, I would be happy to be corrected on this netplan configuration.)
I believe I need to create a second virtual bridge, so I did that too. Here are both the default bridge (a.k.a. LAN) and the one I created, named wan_bridge:
username@scarif:~$ sudo virsh net-dumpxml default
<network>
  <name>default</name>
  <uuid>5e5d35c8-c46a-43ed-9fc4-13dcb3853b34</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:dc:57:8f'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
username@scarif:~$ sudo virsh net-dumpxml wan_bridge
<network>
  <name>wan_bridge</name>
  <uuid>37a0163b-ae70-445d-a25f-c62cbe7d5b51</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:dc:57:8d'/>
  <ip address='192.168.133.1' netmask='255.255.255.0'>
  </ip>
</network>
Both show up fine in virsh net-list:
username@scarif:~$ sudo virsh net-list
 Name          State    Autostart   Persistent
----------------------------------------------------------
 default       active   yes         yes
 wan_bridge    active   yes         yes
I also see both in brctl:
username@scarif:~$ sudo brctl show
bridge name   bridge id           STP enabled   interfaces
br_lan        8000.aefa52b9a49b   no            eno1
br_wan        8000.22c9e0f24ba3   no            enp5s0
virbr0        8000.525400dc578f   yes           virbr0-nic
virbr1        8000.525400dc578d   yes           virbr1-nic
After doing the above, running ifconfig gives:
username@scarif:~$ ifconfig
br_lan: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.29  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::acfa:52ff:feb9:a49b  prefixlen 64  scopeid 0x20<link>
        ether ae:fa:52:b9:a4:9b  txqueuelen 1000  (Ethernet)
        RX packets 20623  bytes 3453527 (3.4 MB)
        RX errors 0  dropped 36  overruns 0  frame 0
        TX packets 4756  bytes 5192472 (5.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br_wan: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::20c9:e0ff:fef2:4ba3  prefixlen 64  scopeid 0x20<link>
        ether 22:c9:e0:f2:4b:a3  txqueuelen 1000  (Ethernet)
        RX packets 13  bytes 650 (650.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 1996 (1.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 98:90:96:be:eb:02  txqueuelen 1000  (Ethernet)
        RX packets 22673  bytes 4163339 (4.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9632  bytes 5540146 (5.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7d00000-f7d20000

enp5s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 68:1c:a2:12:f8:e9  txqueuelen 1000  (Ethernet)
        RX packets 849  bytes 128644 (128.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 1996 (1.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 347  bytes 26756 (26.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 347  bytes 26756 (26.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:dc:57:8f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.133.1  netmask 255.255.255.0  broadcast 192.168.133.255
        ether 52:54:00:dc:57:8d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
But when I install pfSense with this command string:
sudo virt-install \
    --name pfsense \
    --memory 2048 \
    --graphics vnc,listen=0.0.0.0 \
    --disk /var/lib/libvirt/images/pfsense.qcow2,size=8,format=qcow2 \
    --autostart \
    --os-type linux \
    --cdrom /home/dooguls/pfSense-CE-2.4.4-RELEASE-amd64.iso \
    --debug
The installation goes fine, but pfSense only sees one interface: the one provided by the default network, which is my LAN interface/bridge.
Answer 1
After typing up the whole question I realised the problem was that the VM was not configured to "see" the other interface. So to fix it I did the following:
sudo virsh dumpxml pfsense > 20181201-pfsense.txt
This of course gives the full XML definition of my VM. I then copied the existing interface entry:
<interface type='bridge'>
  <mac address='52:54:00:3a:37:7d'/>
  <source bridge='br_lan'/>
  <model type='rtl8139'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
and duplicated it to create the new interface by running: sudo virsh edit pfsense
and adding the following lines (note that I changed the MAC address by one and assigned the virtual NIC to slot 0x06):
<interface type='bridge'>
  <mac address='52:54:00:3a:37:7e'/>
  <source bridge='br_wan'/>
  <target dev='vnet1'/>
  <model type='rtl8139'/>
  <alias name='net1'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
Then all I had to do was start the pfSense VM and assign my interfaces to WAN and LAN. WAN gets DHCP from the ISP, and I set a static IP on the LAN interface.
So I think the three key steps on the hypervisor/host are:
- Set up two bridges in netplan, one per NIC, and assign the IP addresses to the bridges rather than to the physical NICs.
- Create the new virtual network with virsh net-define rather than virsh net-create (the former makes it persistent).
- Add a second interface to the VM's XML definition and point that interface at the WAN bridge.
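As an added check (example code, not from the original post) that the domain XML produced by virsh dumpxml really carries one interface on each of the two netplan bridges: it parses a constructed minimal domain definition built from the two interface entries above, assumes the bridge names br_wan and br_lan from the question, and flags a missing bridge, a duplicate MAC, or any non-bridge interface (such as one on the NAT default network) that would sit outside the firewall path.

```python
"""Sanity-check a libvirt domain definition for the two-bridge firewall layout.

Constructed example, not code from the original post. Assumes the WAN and
LAN bridges are named br_wan and br_lan, as in the question.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal <domain> holding the two <interface> entries
# from the answer (a real `virsh dumpxml pfsense` output is much longer).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>pfsense</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:3a:37:7d'/>
      <source bridge='br_lan'/>
      <model type='rtl8139'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:3a:37:7e'/>
      <source bridge='br_wan'/>
      <model type='rtl8139'/>
    </interface>
  </devices>
</domain>"""


def bridge_interfaces(domain_xml):
    """Return [(bridge, mac), ...] for every interface of type 'bridge'."""
    root = ET.fromstring(domain_xml)
    result = []
    for iface in root.findall("./devices/interface"):
        src, mac = iface.find("source"), iface.find("mac")
        if iface.get("type") == "bridge" and src is not None:
            result.append((src.get("bridge"), mac.get("address") if mac is not None else None))
    return result


def check_firewall_vm(domain_xml, wan="br_wan", lan="br_lan"):
    """Return a list of problems; an empty list means the layout is as expected."""
    ifaces = bridge_interfaces(domain_xml)
    bridges = [b for b, _ in ifaces]
    problems = []
    for name in (wan, lan):  # exactly one NIC per bridge, so WAN and LAN stay separate
        if bridges.count(name) != 1:
            problems.append(f"expected exactly one interface on {name}, found {bridges.count(name)}")
    macs = [m for _, m in ifaces if m]
    if len(macs) != len(set(macs)):  # the answer bumped the MAC by one; a copy-paste can forget this
        problems.append("duplicate MAC address across interfaces")
    root = ET.fromstring(domain_xml)
    other = [i.get("type") for i in root.findall("./devices/interface") if i.get("type") != "bridge"]
    if other:  # e.g. type='network' on the NAT 'default' network would bypass the firewall path
        problems.append(f"non-bridge interfaces present: {other}")
    return problems
```

Run it against the real dump with check_firewall_vm(open("20181201-pfsense.txt").read()) after the virsh edit step.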