I have a PC that acts as server/gateway/router for a LAN. I want to add a third interface as its wifi access point, so that LAN devices can reach the WIFI-connected devices and any of them can reach the Internet through the gateway.
I already have the LAN-connected devices working perfectly, reaching the Internet through the gateway as well as services on the gateway (ssh, http etc.). But for some reason the devices connected to the WIFI AP can connect neither to the Internet nor to the gateway.
I suspect this may just be a simple detail in the configuration that I have overlooked. (Most likely in my IP addressing setup and/or in my shorewall masquerade setup?..)
Shortcomings:
- The gateway can reach the Internet/WAN.
- Wired/LAN can reach the Internet through the gateway
- Wired/LAN can reach the services running on the gateway
- However, WIFI-connected devices can NOT reach the gateway, the LAN or the Internet
- They apparently get authenticated correctly by hostapd
- They do receive the expected DHCP settings, which look fine
- but even `ping 192.168.0.1` (the gateway's ip) fails
Software stack on the gateway/router:
- systemd-networkd (sets up the interfaces and the ISP gateway connection)
- shorewall (for firewall and router)
- unbound (for caching/forwarding DNS server)
- dhcpd(4) (for DHCP server)
- hostapd (for setting up the wifi AP)
Physical interfaces on the gateway/router:
- WAN/Internet interface (dynamic address from the ISP via DHCP):
```
## from 'ip address show'
4: enp0s20u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet <REDACTED IP> brd 255.255.255.255 scope global dynamic noprefixroute enp0s20u1
       valid_lft 9497sec preferred_lft 7239sec
    inet6 <REDACTED IP> scope global dynamic noprefixroute
       valid_lft 25472sec preferred_lft 25472sec
    inet6 <REDACTED IP> scope link
       valid_lft forever preferred_lft forever
```
```
## /etc/systemd/network/enp0s20u1.network
[Match]
Name=enp0s20u1

[Network]
#IPv6AcceptRA=0
#DNSDefaultRoute=1
DHCP=ipv4
DNSSEC=allow-downgrade
DNS=127.0.0.1

[Route]
GatewayOnLink=1

[DHCP]
RouteMetric=1000

[DHCPv4]
UseDNS=0

[DHCPv6]
UseDNS=0
```
- LAN/wired interface (static IP and "main" server interface):
```
## from 'ip address show'
#
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.0.1/23 brd 192.168.1.255 scope global ens1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link
       valid_lft forever preferred_lft forever
```
```
## /etc/systemd/network/ens1.network
#
[Match]
Name=ens1

[Network]
Address=192.168.0.1/23
UseDNS=0
DHCP=0
```
- WIFI (AP) interface (acting as WPA(2)-PSK access point):
```
## from 'ip address show'
#
3: wlp0s20u2u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/23 brd 192.168.1.255 scope global wlp0s20u2u1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link
       valid_lft forever preferred_lft forever
```
```
## /etc/systemd/network/wlp0s20u2u1.network
#
[Match]
Name=wlp0s20u2u1

[Network]
Address=192.168.1.1/23
UseDNS=0
DHCP=0
```
Shorewall configuration:
```
## /etc/shorewall/interfaces
#
internet NET_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=enp0s20u1
lokal LOCAL_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=ens1
lokal WIFI_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=wlp0s20u2u1
docker docker0 bridge
```
```
## /etc/shorewall/zones
#
fw firewall
internet ipv4
lokal ipv4
docker ipv4
```
```
## /etc/shorewall/snat
#
MASQUERADE 192.168.0.0/23 NET_IF
MASQUERADE 192.168.1.0/23 NET_IF
```
```
## from /etc/shorewall/rules
#
Invalid(DROP) internet all tcp
# allow 'lokal' to access dhcpd
ACCEPT lokal $FW udp 67:68
# allow DNS
DNS(ACCEPT) $FW internet
DNS(ACCEPT) lokal $FW
# allow 'lokal' to ssh into the gateway
ACCEPT lokal $FW tcp 2222
# ping stuff
Ping(ACCEPT) lokal $FW
Ping(DROP) internet $FW
ACCEPT $FW lokal icmp
ACCEPT $FW internet icmp
# just some http(/s) stuff
ACCEPT internet $FW tcp 80,443
ACCEPT lokal $FW tcp 8090,8443
ACCEPT internet $FW tcp 8090,8443
```
DHCPD configuration:
```
## /etc/dhcpd.conf
#
subnet 192.168.0.0 netmask 255.255.254.0
{
    option subnet-mask 255.255.254.0;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    range 192.168.0.100 192.168.0.254;
}
subnet 127.0.0.0 netmask 255.0.0.0
{
}
```
HOSTAPD configuration:
```
## /etc/hostapd/hostapd.conf
#
interface=wlp0s20u2u1
# "g" simply means 2.4GHz band
hw_mode=g
# the channel to use
channel=10
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=NO
# 802.11n support
ieee80211n=1
# QoS support, also required for full speed on 802.11n/ac/ax
wmm_enabled=1
# the name of the AP
ssid=<REDACTED SSID>
# 1=wpa, 2=wep, 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<REDACTED PSK PASSWORD>
```
Some (possibly) relevant notes:
- https://shorewall.org/two-interface.htm#Wireless
- https://wiki.archlinux.org/title/Shorewall
- https://bbs.archlinux.org/viewtopic.php?pid=821090#p821090
- https://shorewall.org/manpages/shorewall-snat.html
I am happy to provide any other information that might be useful if you request it in the comments.
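An added diagnostic, not part of the question: this Python script parses the two LAN-side `ip address show` blocks quoted above (embedded here as a constructed sample, with the redacted lines left out) and reports interfaces whose IPv4 prefixes overlap, plus which interfaces a given address (such as the DHCP `routers` option) is on-link for. Two interfaces sharing a connected prefix leave the kernel with an ambiguous route for replies, so this is a standard thing to rule out when one segment cannot reach the gateway.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample input: the two LAN-side 'ip address show' blocks quoted in
# the question, with the redacted link-layer and IPv6 lines left out.
IP_ADDR_SHOW = """\
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.1/23 brd 192.168.1.255 scope global ens1
       valid_lft forever preferred_lft forever
3: wlp0s20u2u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.1/23 brd 192.168.1.255 scope global wlp0s20u2u1
       valid_lft forever preferred_lft forever
"""

# An 'inet <addr>/<len> ...' line ends with the label of the interface carrying it.
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)\b.*\s(\S+)\s*$")

def parse_inet(text):
    """Map each interface name to the IPv4 address/prefix pairs configured on it."""
    ifaces = {}
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            ifaces.setdefault(m.group(2), []).append(ipaddress.ip_interface(m.group(1)))
    return ifaces

def overlapping_prefixes(ifaces):
    """Pairs of interfaces whose connected IPv4 prefixes overlap; the kernel then has
    two routes for the same destinations, so replies to one segment may leave via the other."""
    found = []
    for (name_a, addrs_a), (name_b, addrs_b) in combinations(sorted(ifaces.items()), 2):
        for a in addrs_a:
            for b in addrs_b:
                if a.network.overlaps(b.network):
                    found.append((name_a, name_b, str(a.network), str(b.network)))
    return found

def interfaces_containing(ifaces, address):
    """Interfaces whose connected prefix contains `address` (e.g. the DHCP 'routers'
    option or a pool address); more than one means the reply path is ambiguous."""
    addr = ipaddress.ip_address(address)
    return sorted(name for name, addrs in ifaces.items() if any(addr in a.network for a in addrs))

if __name__ == "__main__":
    table = parse_inet(IP_ADDR_SHOW)
    for row in overlapping_prefixes(table):
        print("overlap: %s (%s) and %s (%s)" % row)
    print("192.168.0.1 is on-link via:", interfaces_containing(table, "192.168.0.1"))
```

Feed it the real `ip address show` output (for example via `sys.stdin.read()`) to check the live box instead of the quoted sample.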