将 VPN 流量路由到 Freebsd 上的第二个 iface

tag-icon tag-icon freebsd vpn ipfw
将 VPN 流量路由到 Freebsd 上的第二个 iface

我正在将 Linux 家庭路由器切换到 FreeBSD。它有两个网卡 - ue0 连接到 Internet,ue1 连接到 LAN 内部网络。我需要在 eu0 上运行 VPN 连接并通过该 VPN 转发所有 ue1 客户端。因此,所有连接到 ue1 的客户端都将通过 VPN 连接到互联网,但他们甚至不知道这一点。

    ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
        ether b8:27:eb:9f:19:56
        inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
        ether 9c:eb:e8:0b:98:ee
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
        media: Ethernet autoselect (none)
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.3 --> 10.8.0.1 netmask 0xffffff00
        inet6 fddd:1194:1194:1194::1001 prefixlen 64
        inet6 fe80::ba27:ebff:fe9f:1956%tun0 prefixlen 64 scopeid 0x4
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 1499

ue1 上的客户端从 dnsmasq 获取 ip。作为流量转发器,我计划使用 ipfw。实际上我能够使用 iptables 在 Linux 机器上实现转发:

#!/bin/bash
IPTABLES="/sbin/iptables"

#forward between ifaces
$IPTABLES -t nat -A POSTROUTING -o ue0 -j MASQUERADE
$IPTABLES -A FORWARD -i ue0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o ue0 -j ACCEPT

#VPN forwarding
$IPTABLES -t nat -A POSTROUTING -o tun0 -j MASQUERADE
$IPTABLES -A FORWARD -i tun0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o tun0 -j ACCEPT

在 FreeBSD 上,我能够在接口之间转发流量,而不是通过 VPN 连接。

#!/bin/sh
wan="ue0"
lan="ue1"
wan_int="dhcpd"
lan_int="172.16.1.1"
ipfw="/sbin/ipfw -q"

#Reset all rules:
${ipfw} -f flush
${ipfw} -f pipe flush
${ipfw} -f queue flush

${ipfw} add allow ip from any to any via lo0
${ipfw} add deny ip from any to 127.0.0.0/8
${ipfw} add deny ip from 127.0.0.0/8 to any

${ipfw} add divert natd ip from any to any via ue0
${ipfw} add allow ip from any to any

rc.conf

hostname="freebsdPI"
ifconfig_ue0="DHCP"
ifconfig_ue1="inet 172.16.1.1 netmask 255.255.255.0"


#
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="ue0"


#ntp
ntpd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"

##
dnsmasq_enable="YES"
sshd_enable="YES"

ipfw秀

00100    0       0 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
00400 4887 1225786 divert 8668 ip from any to any via ue0
00500 4940 1237011 allow ip from any to any
65535  992  283655 allow ip from any to any

相关内容