I set up hostapd on an RP3 so that I can connect some IoT devices to it. On the RP3 I have several docker containers, one of which is running an MQTT Broker.
The MQTT Broker runs on a bridge network (172.16.1.0); hostapd is configured under wlan0 on a bridge that uses eth0 for internet access (br0); dnsmasq assigns IPs in the range 192.168.2.150-192.168.2.250, which is the same IP range the RP3 itself is on (192.168.2.10).
The problem is that I cannot connect to the MQTT broker from an external client, but I can connect to the broker from the RP3, although it says that a client with an IP in the 172.16.1.x range is trying to reach the RP3 IP (192.168.2.10).
I think something is missing, namely the routing between the hostapd clients and the docker containers' bridge network, but I am not sure how to achieve this. Is it in iptables, or in dnsmasq? I do not want to run the MQTT docker in host mode.
Some configuration settings:
net.ipv4.ip_forward=1 is enabled
$ nano /etc/hostapd/hostapd.conf
interface=wlan0
bridge=br0
...
$ nano /etc/dnsmasq.conf
interface=wlan0
dhcp-range=192.168.2.150,192.168.2.250,255.255.255.0,24h
$ nano /etc/dhcpcd.conf
...
denyinterfaces wlan0 eth0
interface eth0
static ip_address=192.168.2.10
static routers=192.168.2.1
# static domain_name_servers=200.30.192.14
interface wlan0
static ip_address=192.168.2.149
static routers=192.168.2.1
nohook wpa_supplicant
interface br0
static ip_address=192.168.2.10
static routers=192.168.2.1
$ ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::93db:ce25:c561:7628 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:36:86:95 txqueuelen 1000 (Ethernet)
RX packets 1363877 bytes 557765234 (531.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1852401 bytes 209982006 (200.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-34828e803471: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.254 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::f2df:bb3a:df64:d8b9 prefixlen 64 scopeid 0x20<link>
ether 02:42:1f:98:2a:39 txqueuelen 0 (Ethernet)
RX packets 29239 bytes 1416296 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 862702 bytes 111847089 (106.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether b8:27:eb:36:86:95 txqueuelen 1000 (Ethernet)
RX packets 256255 bytes 15930835 (15.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 710584 bytes 104106492 (99.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether b8:27:eb:63:d3:c0 txqueuelen 1000 (Ethernet)
RX packets 2640481 bytes 1215747996 (1.1 GiB)
RX errors 0 dropped 18255 overruns 0 frame 0
TX packets 3941056 bytes 472915664 (451.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...
$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -j DOCKER
-A FORWARD -i br-b66bbdf9b3a6 ! -o br-b66bbdf9b3a6 -j ACCEPT
-A FORWARD -i br-b66bbdf9b3a6 -o br-b66bbdf9b3a6 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i br-b66bbdf9b3a6 ! -o br-b66bbdf9b3a6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b66bbdf9b3a6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN
Answer 1
Very simple, just change the docker network adapter from internal: true to internal: false. That solved the problem, although I have to connect to the RP3 IP address 192.168.2.10:1883
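As an added example that is not part of the question or the answer: the `iptables -S` listing in the question already shows why the hostapd clients could not reach the broker. A Docker network created with `internal: true` gets two DROP rules in DOCKER-ISOLATION-STAGE-1 (here `! -s 172.16.0.0/16 -o br-34828e803471 -j DROP` and its `! -d` twin), which discard any forwarded packet entering or leaving that bridge from outside the network's own subnet, so a 192.168.2.x client never gets through no matter what the routing table or dnsmasq say. The POSIX shell script below reads such a listing (the sample rules are copied from the question), reports which bridges carry those rules, and predicts the verdict for a given source address. The function names and the sample variable are my own, and it models only the internal-network rule, not the rest of the FORWARD chain.

```shell
#!/bin/sh
# Added example, not from the original post. Given `iptables -S` output, find
# Docker bridges that belong to an "internal" network and predict whether a
# forwarded packet from a given source address would be dropped by that rule.
#
# Docker marks an internal network with two DROP rules in
# DOCKER-ISOLATION-STAGE-1: one rejecting packets into the bridge whose source
# is outside the network's subnet, one rejecting packets out of the bridge whose
# destination is outside it. They are evaluated before any routing matters.

# Constructed sample: the relevant lines copied from the question's listing.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN'

# internal_bridges RULES -> one "bridge subnet" line per internal network.
# It keys on the "! -s <subnet> -o <bridge> -j DROP" rule in the isolation chain.
internal_bridges() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER-ISOLATION-STAGE-1" && $NF == "DROP" {
            subnet = ""; bridge = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "!" && $(i + 1) == "-s") subnet = $(i + 2)
                if ($i == "-o" && $(i - 1) != "!") bridge = $(i + 1)
            }
            if (subnet != "" && bridge != "") print bridge, subnet
        }'
}

# ip2int A.B.C.D -> the address as an unsigned integer. POSIX awk has no bit
# operators, so the prefix comparison below uses integer division by 2^(32-bits).
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ print ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# in_subnet IP CIDR -> exit status 0 if IP lies inside CIDR, 1 otherwise.
in_subnet() {
    awk -v ip="$(ip2int "$1")" -v net="$(ip2int "${2%/*}")" -v bits="${2#*/}" 'BEGIN {
        shift = 2 ^ (32 - bits)
        if (int(ip / shift) == int(net / shift)) exit 0
        exit 1
    }'
}

# forward_verdict RULES SRC_IP BRIDGE -> DROP or ACCEPT for a packet from SRC_IP
# being forwarded into BRIDGE, considering only the internal-network rule.
forward_verdict() {
    subnet=$(internal_bridges "$1" | awk -v b="$3" '$1 == b { print $2 }')
    if [ -z "$subnet" ]; then
        echo ACCEPT      # not an internal network; the FORWARD chain decides
    elif in_subnet "$2" "$subnet"; then
        echo ACCEPT      # source is inside the network's own subnet
    else
        echo DROP        # e.g. a hostapd client on 192.168.2.x
    fi
}

# Demonstration on the sample: which bridges are internal, and what happens to
# a DHCP client of the access point trying to reach the MQTT container.
internal_bridges "$SAMPLE_RULES"
echo "192.168.2.150 -> br-34828e803471: $(forward_verdict "$SAMPLE_RULES" 192.168.2.150 br-34828e803471)"
echo "172.16.1.254  -> br-34828e803471: $(forward_verdict "$SAMPLE_RULES" 172.16.1.254 br-34828e803471)"
```

Against a live system, feed it the real listing: `forward_verdict "$(iptables -S)" 192.168.2.150 br-34828e803471`. Switching the network to `internal: false` removes those two DROP rules, and a published port is then reached through the host address, which is consistent with the answer connecting to 192.168.2.10:1883; it also makes the broker reachable from every host on 192.168.2.0/24, so the broker's own authentication and access control, not the Docker network, become the only thing between the IoT clients and the rest of the LAN.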