How do I route from an internal client to an internal service on OpenBSD?


I have a domain, my.domain, that I want to point at my WAN address and then port-forward to an internal server.

With my current setup, external users can connect to my.domain, but local users cannot. How do I get my.domain to route internally?

My internal network looks like this:

         .----------.
         | Internet |
         '----------'
               ^
               | em0
               |
  .-------------------------.
  | OpenBSD Router          |      em2
  | 192.168.1.1 - my.domain |<-------------.
  '-------------------------'              |
           ^                               |
           | em1                  .----------------.
           |                      | managed switch |
   .----------------.             '----------------'
   | Gigabit Switch |<--------.
   '----------------'         |
           ^                  |
           |                  |
   .--------------.    .--------------.
   | Docker VM    |    | unifi wap    |
   | 192.168.1.10 |    | 192.168.1.30 |
   '--------------'    '--------------'

Here is my pf.conf:

#------------------------------#
# set up macros #
#------------------------------#

ext_if="em0"

int_if="em1"
dmz_if="em2"
localnet = "{ em1:network, em2:network }"

docker_vm="192.168.1.10"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 192.0.0.0/24 192.0.2.0/24 }
webports = "{ http, https }"

#------------------------------#
# protect and block by default #
#------------------------------#

set skip on lo0
match in all scrub (max-mss 1440)

# spoofing protection for all ifaces
antispoof quick for { $int_if $dmz_if }
block in from no-route
block in quick from urpf-failed

# block non-routable private addrs
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

# default block all traffic on all lan nics from any pc/device
block return in on { $int_if $dmz_if }

# block all traffic on ext interface from the internet
block drop in log on $ext_if

# allow ICMP
match in on $ext_if inet proto icmp icmp-type { echoreq } tag ICMP_IN
block drop in on $ext_if proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
pass in on $ext_if inet proto icmp icmp-type { 3 code 4, 11 code 0 }

# allow NICs to pass data thru ethernet port
pass out inet

#------------------------------#
# internal lan #
#------------------------------#

# allows any pc on $int_if to send data thru NICs ethernet
pass in on $int_if

# block dns queries not addressed to our dns server
block return in quick on $int_if proto { udp tcp } to ! $int_if port { 53 853 }

#------------------------------#
# dmz lan rules #
#------------------------------#

# allows any pc on $dmz_if to send data thru NICs ethernet
pass in on $dmz_if

# block dns queries not addressed to our dns server
block return in quick on $dmz_if proto { udp tcp } to ! $int_if port { 53 853 }

#------------------------------#
# NAT #
#------------------------------#

pass out on $ext_if inet from $localnet to any nat-to ($ext_if)

#------------------------------#
# Redirects #
#------------------------------#

pass in proto tcp to $ext_if port ssh

# ???
pass in on $ext_if inet proto tcp to $ext_if port $webports rdr-to $docker_vm tag RDR
pass in on $int_if inet proto tcp from $localnet to $docker_vm port $webports

Answer 1

Finally solved this, although I'm not sure whether there is a better way than manually specifying every DNS record in unbound.

I edited unbound's configuration (/var/unbound/etc/unbound.conf) and added some local-data entries:

server:
    local-zone: "my.domain." static
    local-data: "my.domain. IN A 192.168.1.10"
    local-data: "sub1.my.domain. IN A 192.168.1.10"
    local-data: "sub2.my.domain. IN A 192.168.1.10"

Then I restarted unbound with rcctl restart unbound.

Now when I run traceroute I get:

traceroute to sub1.my.domain (192.168.1.10), 30 hops max, 60 byte packets
 1  192.168.1.10 (192.168.1.10)  1.348 ms  1.299 ms  1.278 ms
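The answer above hand-writes one local-data line per host. As an added example (not part of the original answer), here is a small POSIX shell helper that generates the same split-horizon stanza for a zone, an internal address and a list of hostnames, refuses a non-private address (handing out the public IP would recreate the original problem), and adds a PTR so traceroute shows the name. The stanza format is unbound's own; the helper names and the unbound-checkconf step are my assumptions.

```shell
#!/bin/sh
# Generate a split-horizon unbound stanza: every listed host under ZONE resolves
# to the internal IP, so LAN clients reach the Docker VM directly instead of
# relying on the rdr rule on the external interface.
# Usage: gen_local_data ZONE INTERNAL_IP [host ...]
# Hosts are relative to ZONE; the zone apex is always included. (example code)
gen_local_data() {
    zone="${1%.}"; ip="$2"; shift 2
    # Simple RFC 1918 sanity check: the point of this stanza is to hand out the
    # *internal* address, so a public address here is almost certainly a mistake.
    case "$ip" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "gen_local_data: $ip is not a private address" >&2; return 1 ;;
    esac
    printf 'server:\n'
    # static: answer only from local-data and never forward queries for this
    # zone upstream, so internal names do not leak to the public resolver
    printf '    local-zone: "%s." static\n' "$zone"
    printf '    local-data: "%s. IN A %s"\n' "$zone" "$ip"
    for h in "$@"; do
        printf '    local-data: "%s.%s. IN A %s"\n' "${h%.}" "$zone" "$ip"
    done
    # reverse record so traceroute and logs show the name rather than only the IP
    printf '    local-data-ptr: "%s %s."\n' "$ip" "$zone"
}

# Validate a generated file with unbound-checkconf when it is installed (it is on
# the OpenBSD router); returns 0 when the checker is absent. (assumed helper)
check_stanza() {
    command -v unbound-checkconf >/dev/null 2>&1 || return 0
    unbound-checkconf "$1"
}

# Example run matching the answer: gen_local_data my.domain 192.168.1.10 sub1 sub2
```

Write the output to a file included from unbound.conf, run check_stanza on it, then rcctl restart unbound as in the answer.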
