通过隧道向有权访问该网络的网关提供缺失的网络

通过隧道向有权访问该网络的网关提供缺失的网络

我对隧道非常陌生,所以我可能误解了这些概念,或者犯了一些初学者的错误:尝试将新的 SLES15 主机添加到现有基础设施中我尝试提供到本地主机无法访问的网络的连接通过网关。请参见图片进行说明:

说明场景

我们有一个连接所有主机的bond0/网络。 /br0网络并非对所有主机可用,但对标记的主机可用bond1br13X(是一类类似的主机)。

我的想法是在主机上配置 IPIP 隧道316以某种方式16将所有bond1流量转发到3通过bond0一会儿3可能会将流量转发到X使用bond1(一组主机的一个代表)。返回的流量来自X3via应通过bond1转发至tun16bond016, 然后。

第一步,我尝试了之间的隧道163具有这样的设置(具有多个节点,例如16节点3每个这样的节点都需要一条隧道和一条路由,对吧?):

16:~ # ip tunnel add tun1 mode ipip remote 172.20.78.3 dev br0
16:~ # ip addr add 172.20.78.16 dev tun1
16:~ # ip link set up tun1
16:~ # ip route add 172.20.78.0/23 via 172.20.78.3 dev tun1 onlink
16:~ # ip route show
default via 172.20.17.254 dev br0
172.20.16.0/23 dev br0 proto kernel scope link src 172.20.16.16
172.20.78.0/23 via 172.20.78.3 dev tun1 onlink

03:~ # ip tunnel add tun116 mode ipip remote 172.20.16.16 dev bond0
03:~ # ip addr add 10.3.78.16 dev tun116
03:~ # ip link set up tun116
03:~ # ip route add 172.20.78.16 via 172.20.78.16 dev tun116 onlink
03:~ # ip route show
default via 172.20.17.254 dev bond0
10.2.2.0/23 dev bond2 proto kernel scope link src 10.2.2.3
172.20.16.0/23 dev bond0 proto kernel scope link src 172.20.16.3
172.20.78.0/23 dev bond1 proto kernel scope link src 172.20.78.3
172.20.78.16 via 172.20.78.16 dev tun116 onlink
224.0.0.0/4 dev bond0 scope link
03:~ # sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

当 ping 时316我看到这个3:

3:~ # tcpdump -n -p -i tun116
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun116, link-type RAW (Raw IP), capture size 262144 bytes
14:59:29.036354 IP 172.20.78.16 > 172.20.78.3: ICMP echo request, id 21175, seq 13310, length 64
14:59:29.036389 IP 172.20.78.3 > 172.20.78.16: ICMP echo reply, id 21175, seq 13310, length 64
14:59:29.036601 IP 172.20.78.16 > 172.20.78.3: ICMP echo request, id 21175, seq 13310, length 64
14:59:29.036623 IP 172.20.78.3 > 172.20.78.16: ICMP echo reply, id 21175, seq 13310, length 64
14:59:30.060360 IP 172.20.78.16 > 172.20.78.3: ICMP echo request, id 21175, seq 13311, length 64
...
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

当我尝试 ping 时163,我明白了:

h03:~ # ping 172.20.78.16
PING 172.20.78.16 (172.20.78.16) 56(84) bytes of data.
From 10.3.78.16 icmp_seq=2 Destination Host Unreachable
From 10.3.78.16 icmp_seq=3 Destination Host Unreachable
^C
--- 172.20.78.16 ping statistics ---
3 packets transmitted, 0 received, +2 errors, 100% packet loss, time 2023ms

16:~ # tcpdump -n -v -p  icmp
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:02:47.329812 IP (tos 0xc0, ttl 64, id 6681, offset 0, flags [none], proto ICMP (1), length 132)
    172.20.16.16 > 172.20.16.3: ICMP 172.20.16.16 protocol 4 port 84 unreachable, length 112
        IP (tos 0x0, ttl 64, id 37038, offset 0, flags [DF], proto IPIP (4), length 104)
    172.20.16.3 > 172.20.16.16: IP (tos 0x0, ttl 64, id 53094, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.78.16 > 172.20.78.16: ICMP echo request, id 12308, seq 1, length 64
15:02:48.331745 IP (tos 0xc0, ttl 64, id 6700, offset 0, flags [none], proto ICMP (1), length 132)
    172.20.16.16 > 172.20.16.3: ICMP 172.20.16.16 protocol 4 port 84 unreachable, length 112
        IP (tos 0x0, ttl 64, id 37051, offset 0, flags [DF], proto IPIP (4), length 104)
    172.20.16.3 > 172.20.16.16: IP (tos 0x0, ttl 64, id 53151, offset 0, flags [DF], proto ICMP (1), length 84)

因此,数据包穿过隧道,但响应没有到达(在我看来)。

我忘记了什么或者我做错了什么?

相关内容