我有一台设备,上面有 3 个以太网设备和一个 WiFi 设备。
我使用 eth0 作为内部网络 (192.168.1.0/24),使用 eth1、eth2 和 wlan0 连接到外部网络 (192.168.0.0/24)。eth1 和 eth2 配置在网桥 br0 中,br0 和 wlan0 配置在绑定中 (主动备份,br0 为主设备)。
以下是该设置的可视化效果:
+---------------+
+-----------+ 192.168.0.3 |
| | (Router) |
| +---------------+
+---------+--------+ +---------------+
+->+ External Network +--+ 192.168.0.160 |
| | 192.168.0.0/24 | +---------------+
| +------------------+
|
+----------------------------------------------------------------+
| My Device | |
+------------------+ | +------+ +--+---+ +------+ +-------+ |
| Internal Network +-------+ eth0 +------+ | eth1 | | eth2 | | wlan0 | |
| 192.168.1.0/24 | | +------+ | +--+---+ +--+---+ +-------+ |
+--------+---------+ | 192.168.1.1 | | | |
| | | +-------+-------+ + |
| | | | |
+------+-------+ | | +--+--+ + |
| 192.168.1.62 | | | | br0 | |
+--------------+ | | +--+--+ + |
| | | |
| | +-----------++ + + + + + + |
| | | |
| | +---+---+ |
| +-----------------------+ bond0 | |
| +-------+ |
| 192.168.0.235 |
| |
+----------------------------------------------------------------+
我希望该设备充当从内部网络到外部网络的路由器。不幸的是,我无法让它工作。这是我的配置(目前未配置 wlan0):
# /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.1
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
# Network bridge between eth1 and eth2
allow-hotplug eth1
iface eth1 inet manual
pre-up ifconfig $IFACE up
pre-down ifconfig $IFACE down
allow-hotplug eth2
iface eth2 inet manual
pre-up ifconfig $IFACE up
pre-down ifconfig $IFACE down
auto br0
iface br0 inet manual
bridge_ports eth1 eth2
bond-master bond0
bond-primary br0
bond-mode active-backup
auto bond0
iface bond0 inet static
address 192.168.0.235
netmask 255.255.255.0
gateway 192.168.0.3
dns-nameservers 8.8.8.8 8.8.4.4
bond-master bond0
bond-primary br0
bond-mode active-backup
bond-miimon 100
bond-slaves none
我使用以下命令来设置 iptables 并启用转发:
/sbin/iptables -A FORWARD -o bond0 -i eth0 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE
/sbin/sysctl -w net.ipv4.ip_forward=1
路由表如下所示:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.3 0.0.0.0 UG 100 0 0 bond0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 bond0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
现在,当我尝试在ping 192.168.0.160连接到 eth0 的设备上运行(该设备的 IP 为 192.168.1.62)时,我没有收到任何回复。这是来自该设备的 tcpdump:
07:22:44.568488 IP 192.168.1.62 > 192.168.0.160: ICMP echo request, id 27191, seq 1, length 64
07:22:45.571836 IP 192.168.1.62 > 192.168.0.160: ICMP echo request, id 27191, seq 2, length 64
07:22:46.571892 IP 192.168.1.62 > 192.168.0.160: ICMP echo request, id 27191, seq 3, length 64
07:22:47.571984 IP 192.168.1.62 > 192.168.0.160: ICMP echo request, id 27191, seq 4, length 64
这是我的设备的 tcpdump(192.168.1.1 / 192.168.0.235)
07:22:44.566474 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 1, length 64
07:22:45.569468 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 2, length 64
07:22:46.569490 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 3, length 64
07:22:47.569496 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 4, length 64
以下是来自目标设备 (192.168.0.160) 的 tcpdump
01:19:10.509404 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 1, length 64
01:19:10.509477 IP 192.168.0.160 > 192.168.0.235: ICMP echo reply, id 27191, seq 1, length 64
01:19:11.512402 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 2, length 64
01:19:11.512450 IP 192.168.0.160 > 192.168.0.235: ICMP echo reply, id 27191, seq 2, length 64
01:19:12.512369 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 3, length 64
01:19:12.512414 IP 192.168.0.160 > 192.168.0.235: ICMP echo reply, id 27191, seq 3, length 64
01:19:13.512347 IP 192.168.0.235 > 192.168.0.160: ICMP echo request, id 27191, seq 4, length 64
01:19:13.512393 IP 192.168.0.160 > 192.168.0.235: ICMP echo reply, id 27191, seq 4, length 64
因此从外观上看,目标确实收到了 ping 并发送了回复,但我的设备却没有对其执行任何操作。
这是我在 ping 运行期间在系统日志中获得的内容:
Mar 16 07:22:44 cb035 kernel: [ 4673.602509] martian source 192.168.1.64 from 192.168.0.3, on dev br0
Mar 16 07:22:44 cb035 kernel: [ 4673.602562] ll header: 00:0d:b9:3c:23:71:40:4a:03:06:ef:86:08:00
Mar 16 07:22:44 cb035 kernel: [ 4673.737283] martian source 192.168.1.62 from 192.168.0.160, on dev br0
Mar 16 07:22:44 cb035 kernel: [ 4673.737306] ll header: 00:0d:b9:3c:23:71:00:0d:b9:2b:27:8c:08:00
Mar 16 07:22:45 cb035 kernel: [ 4674.740295] martian source 192.168.1.62 from 192.168.0.160, on dev br0
Mar 16 07:22:45 cb035 kernel: [ 4674.740318] ll header: 00:0d:b9:3c:23:71:00:0d:b9:2b:27:8c:08:00
Mar 16 07:22:46 cb035 kernel: [ 4675.740317] martian source 192.168.1.62 from 192.168.0.160, on dev br0
Mar 16 07:22:46 cb035 kernel: [ 4675.740341] ll header: 00:0d:b9:3c:23:71:00:0d:b9:2b:27:8c:08:00
Mar 16 07:22:47 cb035 kernel: [ 4676.740294] martian source 192.168.1.62 from 192.168.0.160, on dev br0
Mar 16 07:22:47 cb035 kernel: [ 4676.740317] ll header: 00:0d:b9:3c:23:71:00:0d:b9:2b:27:8c:08:00
这是否意味着我的设备在错误的接口(br0 而不是 bond0)上接收回复,因此不知道如何处理它们?有办法解决这个问题吗?