Cannot connect to a VirtualBox VM's static IP, which is on a different subnet from the host's IP but statically routed to the host's hardware address

I have a physical server in a data centre running Ubuntu Trusty (14.04). They have assigned it an IP address plus a /28 block (16 IP addresses, 14 usable) from a different subnet. They say the additional subnet is statically routed via the physical host, which I take to mean that their network will only accept requests coming from the host NIC's hardware address.

I want to use it with VirtualBox so that each VM has its own IP address and behaves like a real physical server on the network (in other words, no NAT). I further assume that the VMs need to route their traffic through the host so that their requests use the host's hardware address.

I am not an expert in networking beyond setting up basic static IPs or NAT, so I have read the man pages, the Ubuntu online documentation and a good number of questions and answers on various StackExchange sites. As far as I can tell, I need to set up a virtual bridge between the host's IP address and one address in the subnet, with the latter acting as the gateway for the VMs. The VMs would then have a simple setup with a gateway inside their own subnet.

I can reach the VMs from the host and vice versa, but the VMs cannot reach the Internet beyond the host, and I cannot reach the VMs from the Internet. I assume the problem is that I haven't set up the bridge correctly to route requests through it. Any hints that point me in the right direction would be highly appreciated.

The host's /etc/network/interfaces:

auto lo
iface lo inet loopback

auto  br0
iface br0 inet static
  name      Bridge for VMs to connect via
  address   x.x.x.229
  netmask   255.255.255.192
  gateway   x.x.x.193
  # default route to access subnet - this was provided by the data centre:
  up route add -net x.x.x.192 netmask 255.255.255.192 gw x.x.x.193 eth0
  bridge_ports eth0
  bridge_fd 9
  bridge_hello 2
  bridge_maxage 12
  bridge_stp off

auto  br0:0
iface br0:0 inet static
  name      Gateway IP for VMs in subnet y.y.y.240/28
  address   y.y.y.241
  netmask   255.255.255.240
  broadcast y.y.y.255
  network   y.y.y.240

Host system information:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.193  0.0.0.0         UG    0      0        0 br0
x.x.x.192  0.0.0.0         255.255.255.192 U     0      0        0 br0
y.y.y.240  0.0.0.0         255.255.255.240 U     0      0        0 br0

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether c8:60:00:5e:bd:e0 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether c8:60:00:5e:bd:e0 brd ff:ff:ff:ff:ff:ff
    inet x.x.x.229/26 brd x.x.x.255 scope global br0
       valid_lft forever preferred_lft forever
    inet y.y.y.241/28 brd y.y.y.255 scope global br0:0
       valid_lft forever preferred_lft forever

$ ifconfig
br0       Link encap:Ethernet  HWaddr c8:60:00:5e:bd:e0  
          inet addr:x.x.x.229  Bcast:x.x.x.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:743907 errors:0 dropped:0 overruns:0 frame:0
          TX packets:519787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:92549304 (92.5 MB)  TX bytes:172422977 (172.4 MB)

br0:0     Link encap:Ethernet  HWaddr c8:60:00:5e:bd:e0  
          inet addr:y.y.y.241  Bcast:y.y.y.255  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr c8:60:00:5e:bd:e0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:743968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:519787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:102968103 (102.9 MB)  TX bytes:172422977 (172.4 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:674890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:674890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:302219962 (302.2 MB)  TX bytes:302219962 (302.2 MB)

The VM's /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address y.y.y.243
  netmask 255.255.255.240
  gateway y.y.y.241

VM system information:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         y.y.y.241  0.0.0.0         UG    0      0        0 eth0
y.y.y.240  0.0.0.0         255.255.255.240 U     0      0        0 eth0

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f7:36:74 brd ff:ff:ff:ff:ff:ff
    inet y.y.y.243/28 brd y.y.y.255 scope global eth0
       valid_lft forever preferred_lft forever

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:f7:36:74  
          inet addr:y.y.y.243  Bcast:y.y.y.255  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1123962 (1.1 MB)  TX bytes:54822 (54.8 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:35428 (35.4 KB)  TX bytes:35428 (35.4 KB)

$ ping -c 4 -W 5 x.x.x.229
PING x.x.x.229 (x.x.x.229) 56(84) bytes of data.
64 bytes from x.x.x.229: icmp_seq=1 ttl=64 time=0.117 ms
64 bytes from x.x.x.229: icmp_seq=2 ttl=64 time=0.106 ms
64 bytes from x.x.x.229: icmp_seq=3 ttl=64 time=0.102 ms
64 bytes from x.x.x.229: icmp_seq=4 ttl=64 time=0.103 ms

--- x.x.x.229 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.102/0.107/0.117/0.006 ms

$ ping -c 4 -W 5 x.x.x.193
PING x.x.x.193 (x.x.x.193) 56(84) bytes of data.

--- x.x.x.193 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3007ms

$ ping -c 4 -W 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

In VirtualBox I have set the VM's virtual network interface to a bridged adapter attached to br0. I have also tried attaching it to eth0, with no noticeable difference.

Update:

Following a suggestion in the comments, I enabled IP forwarding:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

I also enabled promiscuous mode in the VirtualBox network settings, though I don't think it made any difference.

I noticed something interesting. When I ping something on the network (for example Google's name server), I get a reply to the first ping but not to the subsequent ones:

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From y.y.y.241: icmp_seq=1 Redirect Host(New nexthop: y.y.y.y.241)
64 bytes from y.y.y.241: icmp_seq=1 ttl=54 time=5.97 ms
From y.y.y.241 icmp_seq=2 Destination Host Unreachable
From y.y.y.241 icmp_seq=3 Destination Host Unreachable
From y.y.y.241 icmp_seq=4 Destination Host Unreachable
From y.y.y.241 icmp_seq=5 Destination Host Unreachable
From y.y.y.241 icmp_seq=6 Destination Host Unreachable
From y.y.y.241 icmp_seq=7 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
9 packets transmitted, 1 received, +6 errors, 88% packet loss, time 8041ms
rtt min/avg/max/mdev = 5.972/5.972/5.972/0.000 ms, pipe 3

With IP forwarding turned off, all I get is:

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10000ms

This is what I get when sniffing IP packets on the host while pinging 8.8.4.4 from the VM for the first time since the VM was rebooted. Subsequent pings to the same IP address give only the repeated lines at the bottom (not the first two lines).

$ sudo tcpdump -q -c 10 -e -n host y.y.y.243
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:32:57.199202 c8:60:00:5e:bd:e0 > cc:e1:7f:07:e0:af, IPv4, length 98: y.y.y.243 > 8.8.4.4: ICMP echo request, id 1060, seq 1, length 64
12:32:57.204498 cc:e1:7f:07:e0:af > c8:60:00:5e:bd:e0, IPv4, length 98: 8.8.4.4 > y.y.y.243: ICMP echo reply, id 1060, seq 1, length 64
12:32:58.202555 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:32:59.201628 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:00.201652 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:01.201759 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:02.201502 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:03.201394 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:04.201706 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
12:33:05.201647 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has x.x.x.193 tell y.y.y.243, length 46
10 packets captured
11 packets received by filter
0 packets dropped by kernel

What could be causing such strange results? What else can I test to get closer to a solution?

Update 2:

I am now thoroughly confused by this problem. From the network, I ssh'd to the host's IP address inside the additional subnet (y.y.y.241), just to make sure the route to that subnet works, and it does. Then I ssh'd to y.y.y.243 expecting to get nothing, but to my surprise I got in! Suddenly everything worked as expected... I could ping 8.8.8.8 and anything else, and ssh to any Internet host. This was without doing anything to the host or the VM.

So naturally I did the right thing: I broke it in the name of science. I had to find out what made it work! So, on the host:

sudo sysctl -w net.ipv4.ip_forward=0

Then, obviously, I enabled it again:

sudo sysctl -w net.ipv4.ip_forward=1

Sure enough, it went back to the situation described above: the VM could not be reached except from the host, and on the VM a ping to any Internet host got the first reply and then nothing.

Now the truly puzzling part is that I just left it alone for a few hours, and when I came back (and I stress that I did nothing to the host or the VM) it magically worked. I don't appreciate magic. I'm a scientist; I like things to either work or not, preferably the former. Does anyone know what could cause such a strange delay?
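Added example (not part of the question above, and not the questioner's own code): a small Python script that parses the kind of `tcpdump -q -e -n` lines shown in the first update and flags the two symptoms visible there: a VM-subnet source IP leaving on the host's MAC instead of the VM's own MAC (the host is forwarding on the VM's behalf), and the VM broadcasting ARP requests for an address outside its own subnet (a next hop no neighbour on that segment is expected to answer for). The sample capture is constructed from the question's output with the anonymised x.x.x / y.y.y addresses replaced by RFC 5737 documentation addresses; those addresses and the subnet are assumptions, not the questioner's real values.

```python
import ipaddress
import re

# Constructed sample, modelled on the `tcpdump -q -c 10 -e -n host <vm-ip>` output in
# the question. The anonymised x.x.x / y.y.y addresses are replaced here with RFC 5737
# documentation addresses (an assumption, not the questioner's real values):
#   203.0.113.229  host address          203.0.113.193  data-centre gateway
#   198.51.100.241 host alias (VM gw)    198.51.100.243 the VM
HOST_MAC = "c8:60:00:5e:bd:e0"      # MAC of eth0/br0 on the host (from the question)
VM_MAC = "08:00:27:f7:36:74"        # MAC of the VM's eth0 (from the question)
VM_SUBNET = ipaddress.ip_network("198.51.100.240/28")

SAMPLE_CAPTURE = """\
12:32:57.199202 c8:60:00:5e:bd:e0 > cc:e1:7f:07:e0:af, IPv4, length 98: 198.51.100.243 > 8.8.4.4: ICMP echo request, id 1060, seq 1, length 64
12:32:57.204498 cc:e1:7f:07:e0:af > c8:60:00:5e:bd:e0, IPv4, length 98: 8.8.4.4 > 198.51.100.243: ICMP echo reply, id 1060, seq 1, length 64
12:32:58.202555 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 203.0.113.193 tell 198.51.100.243, length 46
12:32:59.201628 08:00:27:f7:36:74 > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 203.0.113.193 tell 198.51.100.243, length 46
"""

# One frame per line: timestamp, src MAC > dst MAC, protocol, then the decoded payload.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"(?P<proto>IPv4|ARP), length \d+: (?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<info>.*)$")
ARP_REQ_RE = re.compile(r"^Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")


def parse_capture(text):
    """Turn tcpdump -e -n lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "smac": m["smac"], "dmac": m["dmac"], "proto": m["proto"]}
        if m["proto"] == "IPv4":
            ip = IPV4_RE.match(m["rest"])
            if not ip:
                continue
            rec.update(src=ip["src"], dst=ip["dst"], info=ip["info"])
        else:
            arp = ARP_REQ_RE.match(m["rest"])
            if not arp:          # ARP replies are not needed for these two checks
                continue
            rec.update(sender=arp["sender"], target=arp["target"])
        records.append(rec)
    return records


def analyse(records, vm_subnet):
    """Return (kind, ...) tuples for the two symptoms visible in the question's capture."""
    # The MAC each VM-subnet address uses when it speaks for itself, learned from
    # the sender side of its own ARP requests.
    own_mac = {}
    for r in records:
        if r["proto"] == "ARP" and ipaddress.ip_address(r["sender"]) in vm_subnet:
            own_mac[r["sender"]] = r["smac"]

    findings = []
    for r in records:
        if r["proto"] == "ARP":
            # A VM asking for a MAC outside its own subnet: its next hop is an
            # address no neighbour on this segment is expected to answer for.
            if ipaddress.ip_address(r["target"]) not in vm_subnet:
                findings.append(("off-subnet-arp", r["sender"], r["target"]))
        else:
            # A VM's IP leaving on a different MAC than the VM's own: another
            # station (here the host) is forwarding on the VM's behalf.
            src = r["src"]
            if (ipaddress.ip_address(src) in vm_subnet
                    and src in own_mac and r["smac"] != own_mac[src]):
                findings.append(("forwarded", src, r["smac"], own_mac[src]))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_capture(SAMPLE_CAPTURE), VM_SUBNET):
        print(*f)
```

To use it on a real capture, run `sudo tcpdump -q -e -n host <vm-ip>` on the host, save the output and pass it to `parse_capture`. Seeing both findings together is the signature of a host that is routing for a VM on the same bridged segment rather than the VM reaching a gateway it can resolve: a Linux router that forwards a packet back out the interface it arrived on sends an ICMP redirect, and a VM that accepts that redirect will then try to ARP for the new next hop directly, which is the unanswered `who-has x.x.x.193` loop in the question's capture.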