How do I add a WIFI access point to a working wired gateway that uses Shorewall, dhcpd, unbound and hostapd?

I have a PC that acts as the server/gateway/router for my LAN. I want to add a third interface as its wifi access point, so that LAN devices can reach the WIFI-connected devices and any of them can reach the internet through the gateway.

I already have the LAN-connected devices working perfectly: they can reach the internet through the gateway as well as the services on the gateway (ssh, http, etc.). But for some reason the devices connected to the WIFI AP can reach neither the Internet nor the gateway.

I suspect it is just some simple detail in the configuration that I have overlooked. (Most likely in my IP addressing setup and/or in my shorewall masquerading setup?..)

In short:

  • The gateway can reach the internet/WAN.
  • Wired/LAN devices can reach the internet through the gateway
  • Wired/LAN devices can reach the services running on the gateway
  • However, WIFI-connected devices can NOT reach the gateway, the LAN or the internet
    • They apparently authenticate correctly with hostapd
    • They do receive the expected DHCP settings, which look fine
      • But even `ping 192.168.0.1` (the gateway's ip) fails

Software stack on the gateway/router:

  • systemd-networkd (sets up the interfaces and the ISP gateway connection)
  • Shorewall (firewall and router)
  • unbound (caching/forwarding DNS server)
  • dhcpd(4) (DHCP server)
  • hostapd (sets up the wifi AP)

Physical interfaces on the gateway/router:

  • WAN/Internet interface (dynamic address from the ISP via DHCP)
## from 'ip address show'

4: enp0s20u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet <REDACTED IP> brd 255.255.255.255 scope global dynamic noprefixroute enp0s20u1
       valid_lft 9497sec preferred_lft 7239sec
    inet6 <REDACTED IP> scope global dynamic noprefixroute 
       valid_lft 25472sec preferred_lft 25472sec
    inet6 <REDACTED IP> scope link 
       valid_lft forever preferred_lft forever
## /etc/systemd/network/enp0s20u1.network

[Match]
Name=enp0s20u1

[Network]
#IPv6AcceptRA=0
#DNSDefaultRoute=1
DHCP=ipv4
DNSSEC=allow-downgrade
DNS=127.0.0.1

[Route]
GatewayOnLink=1

[DHCP]
RouteMetric=1000

[DHCPv4]
UseDNS=0

[DHCPv6]
UseDNS=0
  • LAN/wired interface (static IP and "main" server interface)
## from 'ip address show'
#
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.0.1/23 brd 192.168.1.255 scope global ens1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link 
       valid_lft forever preferred_lft forever
## /etc/systemd/network/ens1.network
#
[Match]
Name=ens1

[Network]
Address=192.168.0.1/23
UseDNS=0  
DHCP=0

  • WIFI (AP) interface (acting as a WPA(2)-PSK access point)
## from 'ip address show'
#
3: wlp0s20u2u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <REDACTED MAC> brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/23 brd 192.168.1.255 scope global wlp0s20u2u1
       valid_lft forever preferred_lft forever
    inet6 <REDACTED IPV6 ADDRESS> scope link 
       valid_lft forever preferred_lft forever
## /etc/systemd/network/wlp0s20u2u1.network
#
[Match]
Name=wlp0s20u2u1

[Network]
Address=192.168.1.1/23
UseDNS=0
DHCP=0

Shorewall configuration:

## /etc/shorewall/interfaces
#
internet        NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=enp0s20u1
lokal           LOCAL_IF        dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=ens1
lokal           WIFI_IF         dhcp,tcpflags,nosmurfs,routefilter,logmartians,physical=wlp0s20u2u1
docker          docker0         bridge
## /etc/shorewall/zones
#
fw              firewall
internet        ipv4
lokal           ipv4
docker          ipv4
## /etc/shorewall/snat
#
MASQUERADE              192.168.0.0/23          NET_IF
MASQUERADE              192.168.1.0/23          NET_IF
## from /etc/shorewall/rules
#
Invalid(DROP)   internet        all             tcp

# allow 'lokal' to access dhcpd
ACCEPT         lokal            $FW     udp     67:68

#allow DNS
DNS(ACCEPT)     $FW             internet
DNS(ACCEPT)     lokal           $FW

# allow 'lokal' to ssh into to gateway
ACCEPT          lokal           $FW             tcp     2222

# ping stuff
Ping(ACCEPT)    lokal           $FW
Ping(DROP)      internet        $FW
ACCEPT          $FW             lokal           icmp
ACCEPT          $FW             internet        icmp

#just some http(/s) stuff
ACCEPT          internet        $FW             tcp     80,443
ACCEPT          lokal           $FW             tcp     8090,8443
ACCEPT          internet        $FW             tcp     8090,8443

DHCPD configuration:

## /etc/dhcpd.conf
#
subnet 192.168.0.0 netmask 255.255.254.0
{
        option subnet-mask              255.255.254.0;
        option routers                  192.168.0.1;
        option domain-name-servers      192.168.0.1;
        range 192.168.0.100 192.168.0.254;
}

subnet 127.0.0.0 netmask 255.0.0.0
{
  
}

HOSTAPD configuration:

## /etc/hostapd/hostapd.conf
#
interface=wlp0s20u2u1

# "g" simply means 2.4GHz band
hw_mode=g
# the channel to use
channel=10
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=NO
# 802.11n support
ieee80211n=1
# QoS support, also required for full speed on 802.11n/ac/ax
wmm_enabled=1

# the name of the AP
ssid=<REDACTED SSID>
# 1=open system (the one WPA/WPA2 uses), 2=shared key (WEP), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<REDACTED PSK PASSWORD>

Some (possibly) relevant notes:

I am happy to provide any other information that might be useful if you ask for it in the comments.
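One thing worth checking against the configuration above: the two addresses `192.168.0.1/23` (ens1) and `192.168.1.1/23` (wlp0s20u2u1) both lie inside the single prefix `192.168.0.0/23`, so the gateway ends up with two connected routes for the same network on two different links. The kernel then sends replies to a wireless client out whichever of the two routes it prefers, and with `routefilter` (strict reverse-path filtering) enabled on both interfaces, packets arriving on the wireless link from a source the kernel would route via ens1 can be dropped as martians. The script below is an added example from the editor, not part of the question or of any of the tools' own code: it flags overlapping connected prefixes, and for a non-overlapping layout (the per-interface /24s are an assumption, any two disjoint prefixes work) renders the matching `dhcpd.conf` subnet blocks and Shorewall `snat` lines.

```python
import ipaddress

# Interface prefixes as they appear in the question's 'ip address show' output.
POSTED = {
    "ens1": "192.168.0.1/23",
    "wlp0s20u2u1": "192.168.1.1/23",
}

# One non-overlapping alternative: a /24 per interface, carved out of the same
# 192.168.0.0/23 space. This layout is an assumption made for the example only.
PROPOSED = {
    "ens1": "192.168.0.1/24",
    "wlp0s20u2u1": "192.168.1.1/24",
}


def overlapping_interfaces(addrs):
    """Return (if_a, if_b, prefix) for every pair of interfaces whose connected
    prefixes overlap. Two overlapping connected routes on one host mean the
    kernel picks one of them for replies, and strict rp_filter (Shorewall's
    'routefilter' option) can then drop traffic arriving on the other link."""
    nets = {name: ipaddress.ip_interface(a).network for name, a in addrs.items()}
    names = sorted(nets)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                hits.append((a, b, str(nets[a])))
    return hits


def dhcpd_subnets(addrs, pool_start=100, pool_end=254):
    """Render one ISC dhcpd 'subnet' block per interface.

    dhcpd only serves an interface whose own address falls inside a declared
    subnet, and 'routers' / 'domain-name-servers' must point at the gateway's
    address on *that* link, not at its address on a different link."""
    blocks = []
    for name in sorted(addrs):
        iface = ipaddress.ip_interface(addrs[name])
        net = iface.network
        first = net.network_address + pool_start
        last = net.network_address + pool_end
        # Refuse pools that spill past the usable host range of the prefix.
        if not (first in net and last < net.broadcast_address and first < last):
            raise ValueError(f"pool {first}-{last} does not fit in {net} ({name})")
        blocks.append(
            f"# {name}\n"
            f"subnet {net.network_address} netmask {net.netmask}\n"
            "{\n"
            f"        option subnet-mask              {net.netmask};\n"
            f"        option routers                  {iface.ip};\n"
            f"        option domain-name-servers      {iface.ip};\n"
            f"        range {first} {last};\n"
            "}\n"
        )
    return "\n".join(blocks)


def shorewall_snat(addrs, wan="NET_IF"):
    """Render one MASQUERADE line per distinct connected prefix. With the posted
    /23 addressing both interfaces collapse to a single line, because
    192.168.1.0/23 is the same prefix as 192.168.0.0/23."""
    seen = []
    for name in sorted(addrs):
        net = str(ipaddress.ip_interface(addrs[name]).network)
        if net not in seen:
            seen.append(net)
    return [f"MASQUERADE\t\t{net}\t\t{wan}" for net in seen]


if __name__ == "__main__":
    print("overlaps (posted):  ", overlapping_interfaces(POSTED))
    print("overlaps (proposed):", overlapping_interfaces(PROPOSED))
    print(dhcpd_subnets(PROPOSED))
    print("\n".join(shorewall_snat(PROPOSED)))
```

Run it as-is to see the posted layout reported as one overlapping pair and the proposed layout as clean. If you go with separate prefixes, the `/etc/systemd/network/*.network` `Address=` lines and the `dhcpd.conf` `range`/`routers` options need to change together, and the Shorewall rules need nothing new since both interfaces already sit in the same `lokal` zone.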
