我有一台运行 Debian 11 的虚拟机,它需要连接到两个 VLAN。在本地网络的建筑物内,我可以通过两个 IP 顺利访问它,但当我在网络外使用路由器的 VPN 或路由器上的 1:1 NAT 时,我只能连接到列出的第一个网络/etc/network/interfaces(从 VPN 我甚至无法 ping 第二个网络)。不确定这是否与路由器特别相关,还是与某种其他类型的“更多外部源”有关。
为什么顺序很重要?我能做些什么让两者正常工作?如果我交换它们并重新启动,启动时文件中第一个文件似乎可以正常工作,而顺序中的第二个文件只能在本地计算机上工作。
很多安装过程都是按照我看不懂的说明进行的,所以我会在这里列出一些看似相关的内容,但我可能做错了一些事情
我安装了 vlan 软件(我想?)
# apt install vlan
# modprobe 8021q && lsmod | grep 8021q
并禁用 Gnome 的 NetworkManager
我/etc/sysctl.conf已经添加了
net.ipv4.ip_forward=1
net.ipv4.conf.all.arp_filter=0
net.ipv4.conf.all.rp_filter=2
我需要将端口 80 和 443 转发到 1024 以上
# iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports [new port]
# iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports [new port]
# iptables -t nat -I OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports [new port]
# iptables -t nat -I OUTPUT -p tcp -o lo --dport 443 -j REDIRECT --to-ports [new port]
# iptables-save | sudo tee /etc/iptables.rules
看起来/etc/network/interfaces像
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# A VPN client can ping this one
auto ens18.200
iface ens18.200 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
# But not this one
auto ens18.40
iface ens18.40 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
如果需要的话,路由器是 Meraki MX250
要求的输出
root:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:--:--:-- brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet6 fe80::---:----:----:----/64 scope link
valid_lft forever preferred_lft forever
3: ens18.200@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:50:56:--:--:-- brd ff:ff:ff:ff:ff:ff
inet 10.26.1.100/22 brd 10.26.3.255 scope global dynamic ens18.200
valid_lft 623197sec preferred_lft 623197sec
inet6 fe80::---:----:----:----/64 scope link
valid_lft forever preferred_lft forever
4: ens18.40@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:50:56:--:--:-- brd ff:ff:ff:ff:ff:ff
inet 192.168.1.114/24 brd 192.168.1.255 scope global dynamic ens18.40
valid_lft 623198sec preferred_lft 623198sec
inet6 fe80::---:----:----:----/64 scope link
valid_lft forever preferred_lft forever
root:~# ip ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root:~# ip r
default via 10.26.1.1 dev ens18.200
10.26.0.0/22 dev ens18.200 proto kernel scope link src 10.26.1.100
192.168.1.0/24 dev ens18.40 proto kernel scope link src 192.168.1.114
root:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root:~# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 39528 packets, 7495K bytes)
pkts bytes target prot opt in out source destination
166 8509 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports [new port]
215 10964 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports [new port]
Chain INPUT (policy ACCEPT 38823 packets, 7422K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 249 packets, 15870 bytes)
pkts bytes target prot opt in out source destination
3 180 REDIRECT tcp -- * lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports [new port]
3 180 REDIRECT tcp -- * lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports [new port]
Chain POSTROUTING (policy ACCEPT 255 packets, 16230 bytes)
pkts bytes target prot opt in out source destination
root:~# tcpdump
-bash: tcpdump: command not found