我有一个域my.domain
,我想将其指向我的 WAN,然后将其端口转发到内部服务器。
使用我当前的设置,外部用户可以连接到my.domain
,但本地用户不能。我该如何让其my.domain
在内部路由?
我的内部网络如下所示:
.----------.
| Internet |
'----------'
^
| em0
|
.-------------------------.
| OpenBSD Router | em2
| 192.168.1.1 - my.domain |<-------------.
'-------------------------' |
^ |
| em1 .----------------.
| | managed switch |
.----------------. '----------------'
| Gigabit Switch |<--------.
'----------------' |
^ |
| |
.--------------. .--------------.
| Docker VM | | unifi wap |
| 192.168.1.10 | | 192.168.1.30 |
'--------------' '--------------'
这是我的pf.conf
:
#------------------------------#
# set up macros #
#------------------------------#
ext_if="em0"
int_if="em1"
dmz_if="em2"
localnet = "{ em1:network, em2:network }"
docker_vm="192.168.1.10"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 192.0.0.0/24 192.0.2.0/24 }
webports = "{ http, https }"
#------------------------------#
# protect and block by default #
#------------------------------#
set skip on lo0
match in all scrub (max-mss 1440)
# spoofing protection for all ifaces
antispoof quick for { $int_if $dmz_if }
block in from no-route
block in quick from urpf-failed
# block non-routable private addrs
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>
# default block all traffic on all lan nics from any pc/device
block return in on { $int_if $dmz_if }
# block all traffic on ext interface from the internet
block drop in log on $ext_if
# allow ICMP
match in on $ext_if inet proto icmp icmp-type { echoreq } tag ICMP_IN
block drop in on $ext_if proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
pass in on $ext_if inet proto icmp icmp-type { 3 code 4, 11 code 0 }
# allow NICs to pass data thru ethernet port
pass out inet
#------------------------------#
# internal lan #
#------------------------------#
# allows any pc on $int_if to send data thru NICs ethernet
pass in on $int_if
# block dns queries not addressed to our dns server
block return in quick on $int_if proto { udp tcp } to ! $int_if port { 53 853 }
#------------------------------#
# dmz lan rules #
#------------------------------#
# allows any pc on $int_if to send data thru NICs ethernet
pass in on $dmz_if
# block dns queries not addressed to our dns server
block return in quick on $dmz_if proto { udp tcp } to ! $int_if port { 53 853 }
#------------------------------#
# NAT #
#------------------------------#
pass out on $ext_if inet from $localnet to any nat-to ($ext_if)
#------------------------------#
# Redirects #
#------------------------------#
pass in proto tcp to $ext_if port ssh
# ???
pass in on $ext_if inet proto tcp to $ext_if port $webports rdr-to $docker_vm tag RDR
pass in on $int_if inet proto tcp from $localnet to $docker_vm port $webports
答案1
最终解决了这个问题,尽管我不确定是否有比通过手动指定每个 DNS 记录更好的方法unbound
。
我编辑了unbound的配置(/var/unbound/etc/unbound.conf
),并添加了一些local-data
策略:
server:
local-zone: "my.domain." static
local-data: "my.domain. IN A 192.168.1.10"
local-data: "sub1.my.domain. IN A 192.168.1.10"
local-data: "sub2.my.domain. IN A 192.168.1.10"
然后重新开始解除绑定rcctl restart unbound
。
现在当我这样做时traceroute
我得到:
traceroute to sub1.my.domain (192.168.1.10), 30 hops max, 60 byte packets
1 192.168.1.10 (192.168.1.10) 1.348 ms 1.299 ms 1.278 ms