IPv6 iptables/nftables multi-WAN NETMAP: internal hosts not reachable from WAN2 and WAN3

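I have an ip6tables router with 3 WANs, each of which supports IPv6. For some reason, incoming connections only work over the default route, not over ISP #2 and #3. For example, I can ping the translated IP on WAN1, but the translated IPs on WAN 2 and 3 time out unless I change the default route to go out WAN 2 or 3... one at a time. Outgoing connections work fine, and I can policy-route across the different ISPs.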

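Incoming connections via WAN2 (translated) to the ULA IP should return via WAN2, but instead they go out via WAN1 (the default gateway). This causes all incoming connections to fail over WAN 2 + 3.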

I have set up policy routing, and it works well for outgoing connections.

iptables script

$IP6TABLES -t nat -A POSTROUTING -s $IPv6_ULA -o eno2 -j NETMAP --to $SPECTRUM_IPv6_PD
$IP6TABLES -t nat -A PREROUTING -d $SPECTRUM_IPv6_PD -i eno2 -j NETMAP --to $IPv6_ULA

$IP6TABLES -t nat -A POSTROUTING -s $IPv6_ULA -o he-ipv6-vz -j NETMAP --to $HE_VZ_IPv6
$IP6TABLES -t nat -A PREROUTING -d $HE_VZ_IPv6 -i he-ipv6-vz -j NETMAP --to $IPv6_ULA

$IP6TABLES -t nat -A POSTROUTING -s $IPv6_ULA -o he-ipv6-nw -j NETMAP --to $HE_NW_IPv6
$IP6TABLES -t nat -A PREROUTING -d $HE_NW_IPv6 -i he-ipv6-nw -j NETMAP --to $IPv6_ULA

ip -6 rule

0:  from all lookup local
208:    from all fwmark 0x68 lookup 51820
209:    from all fwmark 0x70 lookup NW
210:    from all fwmark 0x6f lookup SPC
211:    from all fwmark 0x6e lookup VZ
212:    from all fwmark 0x68 lookup 51820
213:    from all to fd8a:9ae9:9ec8:b00::/56 lookup main
214:    from 2001:120:0f06:b48::2/64 lookup NW
215:    from 2001:120:0f07:b48::/64 lookup NW
216:    from 2001:120:88b6::/48 lookup NW
217:    from 2001:120:9f06:242::2/64 lookup VZ
218:    from 2001:120:6f07:242::/64 lookup VZ
219:    from 2001:120:3935::/48 lookup VZ
220:    from all lookup 220
32767:  from all lookup main

Routes

default via fe80::117:30ff:1e9c:b596 dev eno2 proto ra metric 20 mtu 1500 pref medium
default dev he-ipv6-vz metric 100 pref medium
default dev he-ipv6-nw metric 200 pref medium

But the translated IPv6 IPs of internal hosts are only reachable when I change the default IPv6 route on the router. What am I missing?

It's as if I need some kind of connection tracking, but I'm not sure how to set it up?

ip -6 route show table all

default via 2001:201:021f:242::1 dev he-ipv6-vz table VZ metric 1024 pref medium
default via 2001:201:021f:b48::1 dev he-ipv6-nw table NW metric 1024 pref medium
default dev wg1 table 51820 metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
2001:201:021f:242::/64 dev he-ipv6-vz proto kernel metric 256 pref medium
2001:201:021f:b48::/64 dev he-ipv6-nw proto kernel metric 256 pref medium
2602:6012:1600:ae00::/64 dev eno4 proto dhcp metric 207 pref medium
2602:6012:1600:ae01::/64 dev eno4 proto dhcp metric 207 pref medium
unreachable 2602:6012:1600:ae00::/56 dev lo proto dhcp metric 201 pref medium
2603:2020:426:b::/64 dev eno2 proto ra metric 20 mtu 1500 pref medium
2603:2020:725:7::/64 dev eno2 proto ra metric 20 mtu 1500 pref medium
2603:2020:200:8a8::/64 dev eno2 proto ra metric 20 mtu 1500 pref medium
2603:2020:c25:6::/64 dev eno2 proto ra metric 20 mtu 1500 pref medium
2603:2020:bfc0:10a::/64 dev eno2 proto ra metric 20 mtu 1500 pref medium
fc00:bbbb:bbbb:bb01::8:9a1 dev wg1 proto kernel metric 256 pref medium
fd8a:9ae9:9ec8:b00::/64 dev enp2s0f0 proto kernel metric 256 pref medium
fd8a:9ae9:9ec8:b01::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eno1 proto kernel metric 256 pref medium
fe80::/64 dev eno3 proto kernel metric 256 pref medium
fe80::/64 dev eno4 proto kernel metric 256 pref medium
fe80::/64 dev eno2 proto kernel metric 256 pref medium
fe80::/64 dev he-ipv6-nw proto kernel metric 256 pref medium
fe80::/64 dev he-ipv6-vz proto kernel metric 256 pref medium
fe80::/64 dev ifb2 proto kernel metric 256 pref medium
fe80::/64 dev ifb0 proto kernel metric 256 pref medium
fe80::/64 dev ifb1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0f0 proto kernel metric 256 pref medium
default via fe80::217:10ff:fe9c:b096 dev eno2 proto ra metric 20 mtu 1500 pref medium
default dev he-ipv6-vz metric 100 pref medium
default dev he-ipv6-nw metric 200 pref medium
default dev wg1 metric 1000 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2001:201:021f:242:: dev he-ipv6-vz table local proto kernel metric 0 pref medium
local 2001:201:021f:242::2 dev he-ipv6-vz table local proto kernel metric 0 pref medium
anycast 2001:201:021f:b48:: dev he-ipv6-nw table local proto kernel metric 0 pref medium
local 2001:201:021f:b48::2 dev he-ipv6-nw table local proto kernel metric 0 pref medium
anycast 2602:6012:1600:ae00:: dev eno4 table local proto kernel metric 0 pref medium
local 2602:6012:1600:ae00::1 dev eno4 table local proto kernel metric 0 pref medium
anycast 2602:6012:1600:ae01:: dev eno4 table local proto kernel metric 0 pref medium
local 2602:6012:1600:ae01::1 dev eno4 table local proto kernel metric 0 pref medium
local 2603:2020:bfc0:10a:f0dd:bdbf:204c:2f8b dev eno2 table local proto kernel metric 0 pref medium
local fc00:bbbb:bbbb:bb01::8:9a1 dev wg1 table local proto kernel metric 0 pref medium
anycast fd8a:9ae9:9ec8:b00:: dev enp2s0f0 table local proto kernel metric 0 pref medium
local fd8a:9ae9:9ec8:b00::1 dev enp2s0f0 table local proto kernel metric 0 pref medium
anycast fd8a:9ae9:9ec8:b01:: dev wg0 table local proto kernel metric 0 pref medium
local fd8a:9ae9:9ec8:b01::1 dev wg0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eno1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eno2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eno3 table local proto kernel metric 0 pref medium
anycast fe80:: dev eno4 table local proto kernel metric 0 pref medium
anycast fe80:: dev he-ipv6-nw table local proto kernel metric 0 pref medium
anycast fe80:: dev he-ipv6-vz table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb2 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb0 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev enp2s0f0 table local proto kernel metric 0 pref medium
local fe80::44e9:b312 dev he-ipv6-nw table local proto kernel metric 0 pref medium
local fe80::4769:fe4d dev he-ipv6-vz table local proto kernel metric 0 pref medium
local fe80::1931:913f:5bdb:289 dev tun0 table local proto kernel metric 0 pref medium
local fe80::3080:ac4d:a9f0:280b dev enp2s0f0 table local proto kernel metric 0 pref medium
local fe80::54f1:e8ae:ae4e:4a25 dev eno3 table local proto kernel metric 0 pref medium
local fe80::7b36:38b8:7a46:6cdf dev ifb2 table local proto kernel metric 0 pref medium
local fe80::9805:bc53:7a4e:1ca7 dev eno2 table local proto kernel metric 0 pref medium
local fe80::a95b:cdbd:dc52:3426 dev eno4 table local proto kernel metric 0 pref medium
local fe80::bf8a:d6dd:95d0:f485 dev eno1 table local proto kernel metric 0 pref medium
local fe80::c0b1:beff:fe11:e8ae dev ifb2 table local proto kernel metric 0 pref medium
local fe80::dbb0:8340:e61e:70d6 dev ifb1 table local proto kernel metric 0 pref medium
local fe80::f290:6345:989a:770d dev ifb0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev enp2s0f0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eno1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eno2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eno3 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eno4 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev he-ipv6-nw table local proto kernel metric 256 pref medium
multicast ff00::/8 dev he-ipv6-vz table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
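
The connection tracking the question asks about, as an added example that is not part of the original post: replies from a LAN host still carry their ULA source and no fwmark when the routing decision is made, so none of the `from <prefix>` or `fwmark` rules match and the main table's default (eno2) wins. The script below prints ip6tables rules that store a per-WAN connmark on inbound connections and restore it on replies. The LAN interface name and the mapping of eno2 to mark 0x6f (table SPC) are assumptions read off the post's output.

```sh
#!/bin/sh
# Added example (not from the post): print ip6tables mangle rules that send
# replies out the WAN their connection arrived on. Dry run: output is only
# printed; review it, then pipe to sh as root to apply.
IP6TABLES=${IP6TABLES:-ip6tables}
LAN_IF=${LAN_IF:-enp2s0f0}   # assumption: LAN interface carrying the ULA /64
# iface:fwmark pairs. Marks come from the post's `ip -6 rule` output;
# assumption: table SPC (0x6f) belongs to the eno2 uplink.
WAN_MARKS=${WAN_MARKS:-"eno2:0x6f he-ipv6-vz:0x6e he-ipv6-nw:0x70"}

gen_reply_routing_rules() {
    for pair in $WAN_MARKS; do
        iface=${pair%%:*}
        mark=${pair##*:}
        case $mark in
            0x[0-9a-fA-F]*) ;;   # mark must start with 0x and a hex digit
            *) echo "bad mark for $iface: $mark" >&2; return 1 ;;
        esac
        # First packet of a connection entering on this WAN: store the WAN's
        # mark on the conntrack entry (the packet itself stays unmarked, so
        # it is still routed to the LAN by the main table).
        echo "$IP6TABLES -t mangle -A PREROUTING -i $iface -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
    done
    # Reply coming back from the LAN host: copy the stored mark onto the
    # packet before the routing decision, so the existing
    # `from all fwmark <mark> lookup <table>` rules choose the same WAN.
    # Connections opened from the LAN have connmark 0 and are skipped.
    echo "$IP6TABLES -t mangle -A PREROUTING -i $LAN_IF -m connmark ! --mark 0 -j CONNMARK --restore-mark"
}

gen_reply_routing_rules
```

Because the rules are appended with `-A`, any existing MARK rules used for outbound policy routing in mangle PREROUTING must not overwrite a restored mark. `conntrack -L -f ipv6` shows the mark stored on each connection.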
