Routing an untagged VLAN to a tagged VLAN with nftables

I have tried nftables many times, but I have been stuck on this problem all day. I have a wifi SSID tagged as vlan20. That part works fine; I can see dnsmasq handing out IP addresses from this range:

#VLAN 20
dhcp-option=VLAN20,6,192.168.1.1
dhcp-option=VLAN20,3,192.168.20.1
dhcp-range=VLAN20,192.168.20.10,192.168.20.200,255.255.255.0,60m

I connected a spare Android phone to this SSID and it was given a DHCP address from the pool. From the router I can connect to this device, so basic connectivity is fine. I opened sshd on this phone on port 50022, and I can connect to that port too.

root@router:/etc/systemd/network# ping 192.168.20.184
PING 192.168.20.184 (192.168.20.184) 56(84) bytes of data.
64 bytes from 192.168.20.184: icmp_seq=1 ttl=64 time=192 ms
64 bytes from 192.168.20.184: icmp_seq=2 ttl=64 time=114 ms
^C
--- 192.168.20.184 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 114.063/152.834/191.605/38.771 ms
root@router:/etc/systemd/network#  nc -z -v 192.168.20.184 50022
192.168.20.184: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.20.184] 50022 (?) open

How do I extend this with nftables so that all hosts in my untagged vlan (i.e. all my trusted computers) can connect to this vlan? My plan is to segment vlan20 so that the IoT devices in it cannot connect to my home network, but my phone and other computers can connect to anything in there. My current config is a mess because of all the experiments I have done, but I am throwing it in anyway, hoping it would make the vlan fully open (spoiler alert: it does not):

define iot0_if = "vlan20@lan0"

table bridge filter {
    chain input {
        type filter hook input priority 0; policy drop;
        vlan id 20 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $iot0_if accept
        oifname $iot0_if accept

    }
    chain output {
        type filter hook output priority 200; policy accept;
    }
}

For completeness, here is my systemd-networkd configuration:

root@router:/etc/systemd/network# cat iot0.netdev
[NetDev]
Name=vlan20
Kind=vlan

[VLAN]
Id=20
root@router:/etc/systemd/network# cat iot0.network
[Match]
Name=vlan20

[Network]
Description="VLAN 20: IOT (Unsecured, 2.4Ghz, no wan access)"
Address=192.168.20.1/24
DNS=192.168.1.1

Edit 1: My router is a Debian buster system with systemd-247.3-1~bpo10+1, nftables-0.9.6-1~bpo10+1 and kernel 4.19.0-14-amd64.

My untagged network is 192.168.1.0/24. The default route on the untagged machines is set to go to 192.168.1.1 (the router, where all the VLANs are configured). I want to keep this setup and have the router forward traffic to the VLAN transparently.

sh-4.3# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

`ip a` from my router (the ifb interfaces come from SQM, enabled only on wan0):

root@edgelord:/etc# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:67:17:b7:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 2601:647:c900:8550:2e0:67ff:fe17:b797/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 5344sec preferred_lft 5344sec
    inet6 fe80::2e0:67ff:fe17:b797/64 scope link
       valid_lft forever preferred_lft forever
3: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 10:6f:3f:88:f2:a1 brd ff:ff:ff:ff:ff:ff
    inet 73.162.3.238/23 brd 73.162.3.255 scope global dynamic wan0
       valid_lft 5947sec preferred_lft 5947sec
    inet6 2001:558:6045:36:cd9d:d781:2cb2:17aa/128 scope global dynamic noprefixroute
       valid_lft 5341sec preferred_lft 5341sec
    inet6 fe80::126f:3fff:fe88:f2a1/64 scope link
       valid_lft forever preferred_lft forever
5: vlan20@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:67:17:b7:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.1/24 brd 192.168.20.255 scope global vlan20
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe17:b797/64 scope link
       valid_lft forever preferred_lft forever
7: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 5e:dd:68:a5:2a:2a brd ff:ff:ff:ff:ff:ff
8: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 42:42:05:18:d0:59 brd ff:ff:ff:ff:ff:ff
25: ifb4wan0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether 02:11:5c:38:ab:9f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::11:5cff:fe38:ab9f/64 scope link
       valid_lft forever preferred_lft forever
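A routed policy matching what the question describes, added here as an example rather than the poster's own ruleset: lan0 and vlan20 are separate L3 interfaces on the router, so traffic between them passes through the `inet` forward hook, not a `bridge` table, and `iifname` matches the bare netdev name "vlan20" (the "@lan0" in `ip a` output is only the parent interface shown by the tool). It assumes `net.ipv4.ip_forward=1` on the router and that any NAT for wan0 lives in a separate table.

```nft
# Added example, not the poster's config. Interface names as in the question:
# lan0 = untagged trusted LAN 192.168.1.0/24, vlan20 = IoT 192.168.20.0/24,
# wan0 = upstream. Assumes net.ipv4.ip_forward=1 is set.
define lan_if = "lan0"
define iot_if = "vlan20"
define wan_if = "wan0"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # The trusted LAN may reach the router itself (ssh, dns, etc.).
        iifname $lan_if accept
        # IoT clients only get DHCP, DNS and ping from the router.
        iifname $iot_if udp dport { 67, 53 } accept
        iifname $iot_if tcp dport 53 accept
        iifname $iot_if icmp type echo-request accept
        iifname $iot_if icmpv6 type { nd-neighbor-solicit, nd-router-solicit, echo-request } accept
        # Anything from wan0 falls through to the drop policy.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections opened from the LAN come back through here.
        ct state established,related accept
        ct state invalid drop
        # Trusted hosts may open connections into the IoT VLAN and out to the WAN.
        iifname $lan_if oifname { $iot_if, $wan_if } accept
        # IoT devices may answer but never initiate toward the LAN or the WAN
        # ("no wan access" as in the netdev description). Counted for debugging.
        iifname $iot_if counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and watch the `counter` on the last forward rule while an IoT device tries to reach 192.168.1.0/24 to confirm the segmentation holds.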