I am switching my Linux home router to FreeBSD. It has two NICs: ue0 is connected to the Internet and ue1 to the internal LAN. I need to run a VPN connection on ue0 and forward all ue1 clients through that VPN, so that every client connected to ue1 reaches the Internet through the VPN without even knowing it.
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether b8:27:eb:9f:19:56
inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
ether 9c:eb:e8:0b:98:ee
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
media: Ethernet autoselect (none)
status: no carrier
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.3 --> 10.8.0.1 netmask 0xffffff00
inet6 fddd:1194:1194:1194::1001 prefixlen 64
inet6 fe80::ba27:ebff:fe9f:1956%tun0 prefixlen 64 scopeid 0x4
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 1499
Clients on ue1 get their IP from dnsmasq. For traffic forwarding I plan to use ipfw. On the Linux box I was able to do the forwarding with iptables:
#!/bin/bash
IPTABLES="/sbin/iptables"
# forward between interfaces: masquerade LAN (ue1) traffic leaving the WAN (ue0)
$IPTABLES -t nat -A POSTROUTING -o ue0 -j MASQUERADE
$IPTABLES -A FORWARD -i ue0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o ue0 -j ACCEPT
# VPN forwarding: masquerade LAN (ue1) traffic leaving the tunnel (tun0)
$IPTABLES -t nat -A POSTROUTING -o tun0 -j MASQUERADE
$IPTABLES -A FORWARD -i tun0 -o ue1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i ue1 -o tun0 -j ACCEPT
On FreeBSD I was able to forward traffic between the interfaces, but not through the VPN connection.
#!/bin/sh
wan="ue0"
lan="ue1"
wan_int="dhcpd"        # unused
lan_int="172.16.1.1"   # unused
ipfw="/sbin/ipfw -q"
# Reset all rules:
${ipfw} -f flush
${ipfw} -f pipe flush
${ipfw} -f queue flush
# Loopback: allow it, and drop anything using 127/8 on other interfaces
${ipfw} add allow ip from any to any via lo0
${ipfw} add deny ip from any to 127.0.0.0/8
${ipfw} add deny ip from 127.0.0.0/8 to any
# Hand everything crossing the WAN interface to natd (divert port 8668)
${ipfw} add divert natd ip from any to any via ${wan}
# Allow everything else
${ipfw} add allow ip from any to any
rc.conf
hostname="freebsdPI"
ifconfig_ue0="DHCP"
ifconfig_ue1="inet 172.16.1.1 netmask 255.255.255.0"
#
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_logging="YES"
natd_enable="YES"
natd_interface="ue0"
#ntp
ntpd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"
##
dnsmasq_enable="YES"
sshd_enable="YES"
ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 4887 1225786 divert 8668 ip from any to any via ue0
00500 4940 1237011 allow ip from any to any
65535 992 283655 allow ip from any to any
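The post's ruleset diverts traffic "via ue0", so LAN packets that the kernel routes into tun0 are never translated. The following script is an added example, not code from the original post: it uses in-kernel NAT (ipfw nat, which is what firewall_nat_enable="YES" loads) on tun0 instead of natd on ue0, and adds a deny rule so LAN traffic is blocked rather than leaked out of ue0 when the tunnel is down. It assumes the VPN client installs a default route through tun0 (OpenVPN's redirect-gateway), that net.inet.ip.fw.one_pass is at its default of 1 (a packet that matches a nat rule is accepted right after translation), and it takes the interface names and 172.16.1.0/24 from the ifconfig output above. The sample route output in the usage below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): NAT the LAN (ue1,
# 172.16.1.0/24) out of the VPN tunnel (tun0) instead of the WAN (ue0),
# with a leak guard for the case where the tunnel is down.
#
# Assumptions: the VPN client installs a default route via tun0
# (OpenVPN "redirect-gateway"), ipfw_nat is loaded
# (firewall_nat_enable="YES" in rc.conf), net.inet.ip.fw.one_pass=1.

WAN="ue0"
LAN="ue1"
VPN="tun0"
LAN_NET="172.16.1.0/24"
IPFW="${IPFW:-/sbin/ipfw}"

# Emit the ruleset, one ipfw argument list per line, so it can be reviewed
# with "sh ipfw-vpn.sh print" before anything is loaded into the kernel.
build_rules() {
    # NAT instance bound to tun0's current address; "reset" drops the
    # alias table when that address changes (VPN reconnect).
    echo "nat 1 config if ${VPN} reset"
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    # Leak guard: LAN traffic must never leave on the WAN, which is where
    # the default route falls back to when the tunnel is down.
    echo "add 400 deny ip from ${LAN_NET} to any out via ${WAN}"
    # Replies arriving from the tunnel are un-NATed back to the LAN client.
    echo "add 500 nat 1 ip from any to any in via ${VPN}"
    # LAN traffic leaving on the tunnel is rewritten to tun0's address.
    echo "add 600 nat 1 ip from ${LAN_NET} to any out via ${VPN}"
    # Everything else (the router's own VPN session on ue0, forwarded
    # replies heading to ue1) is allowed, as in the post's ruleset.
    echo "add 65000 allow ip from any to any"
}

# Interface name of the default route, parsed from the text of
# "route -n get default" (read from stdin so it can be checked offline).
default_iface() {
    awk '$1 == "interface:" { print $2 }'
}

# Flush and load the ruleset; this replaces the post's "divert natd" rule.
apply_rules() {
    "$IPFW" -q -f flush
    build_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        "$IPFW" -q $rule
    done
}

case "${1:-print}" in
    apply)
        if [ "$(route -n get default 2>/dev/null | default_iface)" != "$VPN" ]; then
            echo "warning: default route is not via ${VPN}; LAN clients will be blocked, not leaked" >&2
        fi
        apply_rules
        ;;
    *)
        build_rules
        ;;
esac
```

Run it as "sh ipfw-vpn.sh print" to see the rules and "sh ipfw-vpn.sh apply" (as root) to load them. If you prefer to keep natd, the equivalent change is natd_interface="tun0" in rc.conf and "divert natd ip from any to any via tun0" in place of the ue0 divert; with in-kernel NAT, natd_enable can be dropped. Two things the ruleset does not cover: the router's own DNS queries follow /etc/resolv.conf (filled by DHCP on ue0 with the ISP resolver), so if dnsmasq forwards to that address those lookups leave via ue0 and not through the tunnel; and the trailing allow-all keeps the post's open policy towards unsolicited inbound traffic on ue0.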