I do have two servers:
- Server A: a local NAS running RHEL 8.5 (kernel 5.17.1, so it has native wireguard support); local IP 192.168.1.1
- Server B: a VPS with Debian 11.3 (kernel 5.10.0, also supports wireguard)
Now my local network has a FritzBox with the IP 192.168.0.1. Its DHCP is configured with a netmask of 22.
I split the network into:
- 192.168.0.x for normal devices
- 192.168.1.x for servers with static IPs
- 192.168.2.x for the Docker containers on server A (more on that later)
I used to have fastd between servers A and B (server B used to have the IP 192.168.1.2) and a bridge device on server A managing the local ethernet, the docker macvlan and the tap device from fastd. This way normal devices and docker containers could reach server B.
Because of recent packet loss on my local internet connection (>6%), fastd stopped working (packet loss over 89%), so I tried to replace fastd with wireguard. But wireguard only works on layer 3. This broke the routing over the bridge I had used with fastd.
The point is that I was able to get all connections working (e.g. 192.168.0.10 can reach 10.0.0.1; server B can reach 192.168.0.x, 192.168.1.x and 192.168.2.x), except for the Docker containers on server A. They cannot reach server B.
I would imagine there is a problem with my iptables or with the macvlan device itself.
I am also open to suggestions on how to rebuild the network from scratch.
One last thing: only docker containers on the default network can reach server B.
Device details:
Docker container:
# how I created the macvlan
$ docker network create -d macvlan --subnet 192.168.2.0/22 --gateway 192.168.0.1 --ip-range 192.168.2.2/24 --aux-address 'host=192.168.2.1' --aux-address 'block=192.168.2.0' -o parent=mesh-bridge macvlan-docker
# and I have a script that runs on boot:
#!/bin/bash
ip link add docker-shim link mesh-bridge type macvlan mode bridge
ip addr add 192.168.2.1/24 dev docker-shim
ip link set docker-shim up
$ docker inspect
...
    "Networks": {
        "macvlan-docker": {
            "IPAMConfig": {
                "IPv4Address": "192.168.2.5"
            },
            "Links": null,
            "Aliases": [
                "4c5782507c3f",
                "munin"
            ],
            "NetworkID": "c6ef34cba56ebef8de2107e085473098637c51e14354cf6840c29b26947b1798",
            "EndpointID": "be818e3e67e8d028aebfe41ef7f648418665efe7dbe3488ea108a744da649c79",
            "Gateway": "192.168.0.1",
            "IPAddress": "192.168.2.5",
            "IPPrefixLen": 22,
            "IPv6Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "MacAddress": "02:42:c0:a8:02:05",
            "DriverOpts": null
        }
    }
...
# from within the container
root@4c5782507c3f:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
89: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:02:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.5/22 brd 192.168.3.255 scope global eth0
       valid_lft forever preferred_lft forever
root@4c5782507c3f:/# ip route
default via 192.168.0.1 dev eth0
192.168.0.0/22 dev eth0 proto kernel scope link src 192.168.2.5
root@4c5782507c3f:/# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 192.168.0.1 icmp_seq=1 Redirect Host(New nexthop: 1.1.168.192)
Server A:
# I stripped devices that are unrelated
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master mesh-bridge state UP group default qlen 1000
    link/ether b4:96:91:20:65:4d brd ff:ff:ff:ff:ff:ff
5: mesh-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b4:96:91:20:65:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/23 brd 192.168.1.255 scope global noprefixroute mesh-bridge
       valid_lft forever preferred_lft forever
    inet6 fe80::8a7b:703c:eb38:12c0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
21: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:19:fd:18:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
28: docker-shim@mesh-bridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 06:a2:68:5c:38:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 scope global docker-shim
       valid_lft forever preferred_lft forever
    inet6 fe80::4a2:68ff:fe5c:3809/64 scope link
       valid_lft forever preferred_lft forever
132: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever
-----
$ ip route
default via 192.168.0.1 dev mesh-bridge proto static metric 425
10.0.0.0/24 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/23 dev mesh-bridge proto kernel scope link src 192.168.1.1 metric 425
192.168.2.0/24 dev docker-shim proto kernel scope link src 192.168.2.1
-----
# wireguard config
[Interface]
PrivateKey = <<key>>
Address = 10.0.0.2/32
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE;
[Peer]
PublicKey = <<key>>
Endpoint = <<public ip of server b>>:51820
AllowedIPs = 10.0.0.0/24
Server B:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 76:18:69:37:a7:8b brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet <public ip>/22 brd <netmask> scope global dynamic ens3
       valid_lft 2597782sec preferred_lft 2597782sec
    inet6 <public ipv6>::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 <other ipv6>/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:91:ad:db:f2 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
37: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/32 scope global wg0
       valid_lft forever preferred_lft forever
-----
$ ip route
default via <gateway> dev ens3
10.0.0.0/24 dev wg0 scope link
<vps network>/22 dev ens3 proto kernel scope link src <public ip>
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/22 dev wg0 scope link
-----
# wireguard config
[Interface]
PrivateKey = <<key>>
Address = 10.0.0.1/32
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE;
[Peer]
PublicKey = <<key>>
AllowedIPs = 10.0.0.0/24, 192.168.0.0/22
PersistentKeepalive = 15
FritzBox:
The FritzBox has a static route 10.0.0.0 255.255.255.0 192.168.1.1. This way the other devices on the network can reach server B.
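As an added example (not part of the question above), the script below transcribes the route tables, the FritzBox static route and the WireGuard AllowedIPs posted in the question and walks one flow (container 192.168.2.5 to 10.0.0.1 and back) through them: longest-prefix route lookup on each hop, plus WireGuard's cryptokey-routing rule that a peer only receives packets whose destination is in its AllowedIPs and only has packets accepted from it whose source is in its AllowedIPs. The redacted VPS addresses are replaced with documentation-range placeholders (203.0.113.x). Two things are the example's own assumptions rather than statements from the question: the ICMP redirect in the ping output is read as pointing the container at 192.168.1.1, and the script flags a hop whose next hop is an address of the macvlan parent interface, because the kernel does not deliver frames from a macvlan child to its parent interface's own addresses.

```python
"""Walk one flow through the route tables and WireGuard AllowedIPs posted above.
Added example; tables are transcribed from the question, redacted values replaced
by labelled placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # next hop; None means directly connected


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route` style lines; only the prefix, 'via' and 'dev' matter here."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), f[f.index("dev") + 1], via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does (metrics ignored: no ties in these tables)."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def wg_allows(allowed_ips: str, addr: str) -> bool:
    """Cryptokey routing: True if addr falls inside a peer's comma-separated AllowedIPs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n.strip()) for n in allowed_ips.split(","))


# Route tables transcribed from the question.
CONTAINER = parse_routes("""
default via 192.168.0.1 dev eth0
192.168.0.0/22 dev eth0 proto kernel scope link src 192.168.2.5
""")
SERVER_A = parse_routes("""
default via 192.168.0.1 dev mesh-bridge proto static metric 425
10.0.0.0/24 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/23 dev mesh-bridge proto kernel scope link src 192.168.1.1 metric 425
192.168.2.0/24 dev docker-shim proto kernel scope link src 192.168.2.1
""")
# 203.0.113.x are placeholders for the redacted <gateway>, <vps network> and <public ip>.
SERVER_B = parse_routes("""
default via 203.0.113.1 dev ens3
10.0.0.0/24 dev wg0 scope link
203.0.113.0/22 dev ens3 proto kernel scope link src 203.0.113.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/22 dev wg0 scope link
""")
FRITZBOX_STATIC = [(ipaddress.ip_network("10.0.0.0/24"), "192.168.1.1")]  # 10.0.0.0 255.255.255.0 192.168.1.1
PEER_B_ON_A = "10.0.0.0/24"                  # [Peer] AllowedIPs in server A's config
PEER_A_ON_B = "10.0.0.0/24, 192.168.0.0/22"  # [Peer] AllowedIPs in server B's config
# Server A's own addresses from its `ip a`; docker-shim is the macvlan child of mesh-bridge.
SERVER_A_ADDRS = {"192.168.1.1": "mesh-bridge", "192.168.2.1": "docker-shim", "10.0.0.2": "wg0"}
MACVLAN_PARENT = "mesh-bridge"  # assumption: the container's macvlan hangs off this interface


def trace_container_to_b(src: str = "192.168.2.5", dst: str = "10.0.0.1") -> Tuple[List[str], List[str]]:
    """Return (steps, problems) for the forward and return path of one flow."""
    steps, problems = [], []
    r = lookup(CONTAINER, dst)
    steps.append(f"container: {dst} -> via {r.via} dev {r.dev}")
    # The FritzBox forwards per its static route; the ping output shows it also
    # redirecting the container, so later packets go to the next hop directly.
    nexthop = next(v for n, v in FRITZBOX_STATIC if ipaddress.ip_address(dst) in n)
    steps.append(f"FritzBox static route -> next hop {nexthop} ({SERVER_A_ADDRS.get(nexthop)})")
    if SERVER_A_ADDRS.get(nexthop) == MACVLAN_PARENT:
        problems.append(f"next hop {nexthop} is an address of {MACVLAN_PARENT}, the macvlan parent: "
                        "frames from a macvlan child to its parent's own address are not delivered")
    r = lookup(SERVER_A, dst)
    steps.append(f"server A: {dst} -> dev {r.dev}")
    if r.dev == "wg0" and not wg_allows(PEER_B_ON_A, dst):
        problems.append(f"server A would not send {dst} to peer B (not in its AllowedIPs)")
    if not wg_allows(PEER_A_ON_B, src):
        problems.append(f"server B would drop source {src} from peer A (not in its AllowedIPs)")
    r = lookup(SERVER_B, src)  # return path
    steps.append(f"server B reply: {src} -> dev {r.dev}")
    if r.dev == "wg0" and not wg_allows(PEER_A_ON_B, src):
        problems.append(f"server B would not send {src} to peer A (not in its AllowedIPs)")
    if not wg_allows(PEER_B_ON_A, dst):
        problems.append(f"server A would drop source {dst} from peer B (not in its AllowedIPs)")
    r = lookup(SERVER_A, src)
    steps.append(f"server A reply: {src} -> dev {r.dev}")
    return steps, problems


if __name__ == "__main__":
    steps, problems = trace_container_to_b()
    print("\n".join(steps))
    print("problems:", problems or "none")
```

The routing and AllowedIPs checks all pass for this flow in both directions, so the script only reports the macvlan-parent hop; whether that is what breaks the containers here is for the answers to establish, but it is the first thing to verify on a macvlan setup whose next hop is the parent's address rather than the host-side shim.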