I have 2 ProxMox servers at OVH, each of them hosting a firewall and a few other hosts. I am trying to use the OVH vRack for private communication between them, but it does not work.
Below is a summary of my network:
The goal is to reach PRD1FRM206 from PRD2FRM201, and vice versa.
Hosts
- PRD1FRM206 - host on server PVE01
- PRD1FWL100 - firewall on server PVE01
- PRD2FRM201 - host on server PVE02
- PRD2FWL100 - firewall on server PVE02
- PVE01 and PVE02 - ProxMox dedicated servers, both hosted at OVH and interconnected by the OVH vRack
PVE01 network configuration:
# Server pag-01
# network interfaces
#
# Author: Gilberto Martins
# Creation: 03/19/2021
# ================================
auto lo
iface lo inet loopback

auto enp5s0f0
iface enp5s0f0 inet manual

auto enp5s0f1
iface enp5s0f1 inet manual

# Internet Interface
auto vmbr0
iface vmbr0 inet dhcp
    # Internet Interface
    bridge-ports enp5s0f0
    bridge-stp off
    bridge-fd 0

# Tools Network
auto vmbr1
iface vmbr1 inet manual
    # Tools network - 172.21.10.0/27
    bridge-ports dummy1
    bridge-stp off
    bridge-fd 0

# WebPRD Network
auto vmbr2
iface vmbr2 inet manual
    # WebPRD network - 172.21.20.0/27
    bridge-ports dummy2
    bridge-stp off
    bridge-fd 0

# WebHML Network
auto vmbr3
iface vmbr3 inet manual
    # WebHML network - 172.21.30.0/27
    bridge-ports dummy3
    bridge-stp off
    bridge-fd 0

# Interface PrivateNetwork
# auto vmbr4
# iface vmbr4 inet static
#     # VRack network - DO NOT USE
#     address 192.168.0.10/31
#     bridge-ports enp5s0f1
#     bridge-stp off
#     bridge-fd 0

# WebSites Network
auto vmbr5
iface vmbr5 inet manual
    # WebSites network - 172.21.40.0/27
    bridge-ports dummy4
    bridge-stp off
    bridge-fd 0
PVE01 current interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether KK:KK:KK:KK:KK:KK brd ff:ff:ff:ff:ff:ff
3: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr4 state UP group default qlen 1000
link/ether YY:YY:YY:YY:YY:YY brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether UU:UU:UU:UU:UU:UU brd ff:ff:ff:ff:ff:ff
inet 9.9.9.9/24 brd 9.9.9.255 scope global dynamic vmbr0
valid_lft 56089sec preferred_lft 56089sec
inet6 zz99::zz22:zzbb:zzhh:zzkk/64 scope link
valid_lft forever preferred_lft forever
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 2a:30:fb:a2:d2:f1 brd ff:ff:ff:ff:ff:ff
inet6 fe80::30c0:14ff:fea4:abfd/64 scope link
valid_lft forever preferred_lft forever
6: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 96:b3:67:f5:c3:cd brd ff:ff:ff:ff:ff:ff
inet6 fe80::a849:97ff:fe6c:14e9/64 scope link
valid_lft forever preferred_lft forever
7: vmbr3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5e:99:bd:90:12:24 brd ff:ff:ff:ff:ff:ff
inet6 fe80::e033:5fff:fe6d:222a/64 scope link
valid_lft forever preferred_lft forever
8: vmbr4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether AA:AA:AA:AA:AA:AA brd ff:ff:ff:ff:ff:ff
inet6 fe80::a242:3fff:fe47:3cfb/64 scope link
valid_lft forever preferred_lft forever
9: tap201i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether 2a:30:fb:a2:d2:f1 brd ff:ff:ff:ff:ff:ff
10: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 1a:61:72:52:5b:a0 brd ff:ff:ff:ff:ff:ff
11: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether 56:16:5b:14:ce:e3 brd ff:ff:ff:ff:ff:ff
12: tap100i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 96:b3:67:f5:c3:cd brd ff:ff:ff:ff:ff:ff
13: tap100i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether 5e:99:bd:90:12:24 brd ff:ff:ff:ff:ff:ff
14: tap100i4: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr4 state UNKNOWN group default qlen 1000
link/ether ae:84:54:57:7f:46 brd ff:ff:ff:ff:ff:ff
15: tap203i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether aa:dd:66:e9:fd:74 brd ff:ff:ff:ff:ff:ff
17: tap204i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether ce:6b:9e:cb:ca:25 brd ff:ff:ff:ff:ff:ff
18: tap205i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether f2:76:a3:12:48:da brd ff:ff:ff:ff:ff:ff
19: tap206i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether be:92:f0:2e:54:2b brd ff:ff:ff:ff:ff:ff
21: tap402i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 5a:4b:71:1c:b1:6e brd ff:ff:ff:ff:ff:ff
22: tap403i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether ba:0a:25:76:01:6e brd ff:ff:ff:ff:ff:ff
23: tap301i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether 9e:2c:dd:7b:fb:8a brd ff:ff:ff:ff:ff:ff
24: tap302i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether 6e:50:73:30:67:ae brd ff:ff:ff:ff:ff:ff
25: tap303i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether ae:96:60:a4:bc:21 brd ff:ff:ff:ff:ff:ff
26: veth900i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
link/ether fe:92:fa:19:f1:93 brd ff:ff:ff:ff:ff:ff link-netnsid 0
29: tap304i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether f2:14:af:70:17:42 brd ff:ff:ff:ff:ff:ff
31: tap404i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 8e:3e:76:76:fb:29 brd ff:ff:ff:ff:ff:ff
32: tap401i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether e2:af:68:37:ed:7e brd ff:ff:ff:ff:ff:ff
33: dummy4: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr5 state UNKNOWN group default qlen 1000
link/ether c2:7e:27:1c:0c:af brd ff:ff:ff:ff:ff:ff
34: vmbr5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c2:7e:27:1c:0c:af brd ff:ff:ff:ff:ff:ff
inet6 fe80::c07e:27ff:fe1c:caf/64 scope link
valid_lft forever preferred_lft forever
35: tap100i5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr5 state UNKNOWN group default qlen 1000
link/ether 92:cb:02:fe:5f:86 brd ff:ff:ff:ff:ff:ff
42: tap501i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr5 state UNKNOWN group default qlen 1000
link/ether 8a:80:41:55:95:0c brd ff:ff:ff:ff:ff:ff
49: tap202i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether c6:2e:7c:40:b8:02 brd ff:ff:ff:ff:ff:ff
PVE02 network configuration:
# Server pag-02
# network interfaces
#
# Author: Gilberto Martins
# Creation: 06/08/2021
# ================================
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

# Internet Interface
auto vmbr0
iface vmbr0 inet dhcp
    # External interface - DO NOT USE
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

# Tools Network
auto vmbr1
iface vmbr1 inet manual
    # Tools Network - 172.22.10.0/27
    bridge-ports dummy1
    bridge-stp off
    bridge-fd 0

# DataBase Network
auto vmbr2
iface vmbr2 inet manual
    # DataBase Network - 172.22.20.0/27
    bridge-ports dummy2
    bridge-stp off
    bridge-fd 0

# VRack Network
# auto vmbr3
# iface vmbr3 inet static
#     # VRack Network
#     address 192.168.0.11/31
#     bridge-ports eno2
#     bridge-stp off
#     bridge-fd 0
PVE02 current interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether d0:50:99:fb:24:13 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr3 state UP group default qlen 1000
link/ether d0:50:99:fb:24:12 brd ff:ff:ff:ff:ff:ff
4: enp0s20f0u8u3c2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 26:fc:24:e9:66:dc brd ff:ff:ff:ff:ff:ff
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether RR:RR:RR:RR:RR:RR brd ff:ff:ff:ff:ff:ff
inet 4.4.4.4/24 brd 4.4.4.255 scope global dynamic vmbr0
valid_lft 73446sec preferred_lft 73446sec
inet6 fe80::d250:99ff:fefb:2413/64 scope link
valid_lft forever preferred_lft forever
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ba:32:c1:5c:c7:77 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ccf5:5bff:fead:bf80/64 scope link
valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 46:c7:8c:94:01:4b brd ff:ff:ff:ff:ff:ff
inet6 fe80::58d2:51ff:fe31:6516/64 scope link
valid_lft forever preferred_lft forever
8: vmbr3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d0:50:99:fb:24:12 brd ff:ff:ff:ff:ff:ff
inet6 fe80::d250:99ff:fefb:2412/64 scope link
valid_lft forever preferred_lft forever
13: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 9a:de:c5:ba:40:80 brd ff:ff:ff:ff:ff:ff
14: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether ba:32:c1:5c:c7:77 brd ff:ff:ff:ff:ff:ff
15: tap100i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 46:c7:8c:94:01:4b brd ff:ff:ff:ff:ff:ff
16: tap100i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr3 state UNKNOWN group default qlen 1000
link/ether a2:e9:f1:ba:f1:a9 brd ff:ff:ff:ff:ff:ff
17: tap301i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 66:ba:b1:22:e8:22 brd ff:ff:ff:ff:ff:ff
18: tap302i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether e2:f8:74:ad:e4:77 brd ff:ff:ff:ff:ff:ff
19: tap303i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 3e:b1:f0:42:8d:75 brd ff:ff:ff:ff:ff:ff
20: tap304i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
link/ether 52:7a:ec:b5:46:4b brd ff:ff:ff:ff:ff:ff
21: veth201i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr201i0 state UP group default qlen 1000
link/ether fe:0c:f2:09:62:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
22: fwbr201i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ae:fd:8d:06:38:c5 brd ff:ff:ff:ff:ff:ff
23: fwpr201p0@fwln201i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
link/ether 52:58:a1:6d:db:00 brd ff:ff:ff:ff:ff:ff
24: fwln201i0@fwpr201p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr201i0 state UP group default qlen 1000
link/ether ae:fd:8d:06:38:c5 brd ff:ff:ff:ff:ff:ff
PRD1FWL100 network configuration:
# This is the network config written by 'subiquity'
#
# Author: Gilberto Martins
# Modified: 03/19/2021
# ===============================
network:
  ethernets:
    # External IP
    ens18:
      # IP and Gateway have been intentionally changed
      addresses:
        - 1.1.1.1/32
      gateway4: 1.1.1.254
      # OVH mandatory routes
      routes:
        - to: 1.1.1.154/32
          via: 1.1.1.1
        - to: 0.0.0.0/0
          via: 1.1.1.1
      nameservers:
        addresses:
          - 172.21.10.2
        search:
          - kprd1
    # Tools Network
    ens19:
      addresses:
        - 172.21.10.1/27
    # WebPrd Network
    ens20:
      addresses:
        - 172.21.20.1/27
    # WebHml Network
    ens21:
      addresses:
        - 172.21.30.1/27
    # Vrack Network (RFC 3021)
    ens22:
      addresses:
        - 172.30.0.0/31
      routes:
        # Tools network at kprd2
        - to: 172.22.10.0/27
          via: 172.30.0.0
        # Database network at kprd2
        - to: 172.22.20.0/27
          via: 172.30.0.0
        # VRack <-> VRack
        - to: 172.30.0.1
          via: 172.30.0.0
    # WebServer Network
    ens23:
      addresses:
        - 172.21.50.1/27
  version: 2
PRD1FWL100 current interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether XS:XS:XS:XS:XS:XS brd ff:ff:ff:ff:ff:ff
inet 9.9.9.9/32 scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe41:b0ec/64 scope link
valid_lft forever preferred_lft forever
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 22:a9:69:cd:9a:08 brd ff:ff:ff:ff:ff:ff
inet 172.21.10.1/27 brd 172.21.10.31 scope global ens19
valid_lft forever preferred_lft forever
inet6 fe80::20a9:69ff:fecd:9a08/64 scope link
valid_lft forever preferred_lft forever
4: ens20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:c5:9a:8e:13:0d brd ff:ff:ff:ff:ff:ff
inet 172.21.20.1/27 brd 172.21.20.31 scope global ens20
valid_lft forever preferred_lft forever
inet6 fe80::94c5:9aff:fe8e:130d/64 scope link
valid_lft forever preferred_lft forever
5: ens21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 36:b2:5a:cc:a4:91 brd ff:ff:ff:ff:ff:ff
inet 172.21.30.1/27 brd 172.21.30.31 scope global ens21
valid_lft forever preferred_lft forever
inet6 fe80::34b2:5aff:fecc:a491/64 scope link
valid_lft forever preferred_lft forever
6: ens22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 92:5b:ab:3c:75:2f brd ff:ff:ff:ff:ff:ff
inet 172.30.0.0/31 scope global ens22
valid_lft forever preferred_lft forever
inet6 fe80::905b:abff:fe3c:752f/64 scope link
valid_lft forever preferred_lft forever
7: ens23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 9a:a2:c1:97:59:54 brd ff:ff:ff:ff:ff:ff
inet 172.21.50.1/27 brd 172.21.50.31 scope global ens23
valid_lft forever preferred_lft forever
inet6 fe80::98a2:c1ff:fe97:5954/64 scope link
valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.10.1.1/29 brd 10.10.1.7 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::ece8:6abc:f8bd:d5f4/64 scope link stable-privacy
valid_lft forever preferred_lft forever
PRD1FWL100 current routing table
Note: external addresses have been hidden
user@prd1fwl100:~$ ip route
default via 9.9.9.9 dev ens18 proto static
10.10.1.0/29 dev tun0 proto kernel scope link src 10.10.1.1
9.9.9.9 via 8.8.8.8 dev ens18 proto static
172.21.10.0/27 dev ens19 proto kernel scope link src 172.21.10.1
172.21.20.0/27 dev ens20 proto kernel scope link src 172.21.20.1
172.21.30.0/27 dev ens21 proto kernel scope link src 172.21.30.1
172.21.50.0/27 dev ens23 proto kernel scope link src 172.21.50.1
172.22.10.0/27 via 172.30.0.0 dev ens22 proto static
172.22.20.0/27 via 172.30.0.0 dev ens22 proto static
172.30.0.1 via 172.30.0.0 dev ens22 proto static
user@prd1fwl100:~$ ip route show table local
broadcast 10.10.1.0 dev tun0 proto kernel scope link src 10.10.1.1
local 10.10.1.1 dev tun0 proto kernel scope host src 10.10.1.1
broadcast 10.10.1.7 dev tun0 proto kernel scope link src 10.10.1.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 9.9.9.9 dev ens18 proto kernel scope host src 9.9.9.9
broadcast 172.21.10.0 dev ens19 proto kernel scope link src 172.21.10.1
local 172.21.10.1 dev ens19 proto kernel scope host src 172.21.10.1
broadcast 172.21.10.31 dev ens19 proto kernel scope link src 172.21.10.1
broadcast 172.21.20.0 dev ens20 proto kernel scope link src 172.21.20.1
local 172.21.20.1 dev ens20 proto kernel scope host src 172.21.20.1
broadcast 172.21.20.31 dev ens20 proto kernel scope link src 172.21.20.1
broadcast 172.21.30.0 dev ens21 proto kernel scope link src 172.21.30.1
local 172.21.30.1 dev ens21 proto kernel scope host src 172.21.30.1
broadcast 172.21.30.31 dev ens21 proto kernel scope link src 172.21.30.1
broadcast 172.21.50.0 dev ens23 proto kernel scope link src 172.21.50.1
local 172.21.50.1 dev ens23 proto kernel scope host src 172.21.50.1
broadcast 172.21.50.31 dev ens23 proto kernel scope link src 172.21.50.1
local 172.30.0.0 dev ens22 proto kernel scope host src 172.30.0.0
PRD2FWL100 network configuration:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  version: 2
  ethernets:
    # Internet interface
    eth0:
      # Sensitive addressing information has been intentionally changed
      addresses:
        - 3.3.3.3/32
      gateway4: 3.3.3.254
      match:
        macaddress: XX:XX:XX:XX:XX:XX
      # OVH mandatory routes
      routes:
        - to: 3.3.3.3/32
          via: 3.3.3.8
        - to: 0.0.0.0/0
          via: 3.3.3.8
      nameservers:
        addresses:
          - 172.22.10.2
        search:
          - kprd2
      set-name: eth0
    # Tools interface
    eth1:
      addresses:
        - 172.22.10.1/27
      match:
        macaddress: 6a:6d:d1:0a:de:10
      nameservers:
        addresses:
          - 172.22.10.2
        search:
          - kprd2
      set-name: eth1
    # Database interface
    eth2:
      addresses:
        - 172.22.20.1/27
      match:
        macaddress: aa:89:70:41:ed:22
      set-name: eth2
    # VRack Network
    eth3:
      addresses:
        - 172.30.0.1/31
      match:
        macaddress: ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
      routes:
        # Tools network at kprd1
        - to: 172.21.10.0/27
          via: 172.30.0.1
        # WebPrd network at kprd1
        - to: 172.21.20.0/27
          via: 172.30.0.1
        # WebHml network at kprd1
        - to: 172.21.30.0/27
          via: 172.30.0.1
        # WebServer network at kprd1
        - to: 172.21.50.0/27
          via: 172.30.0.1
        # VRack <-> VRack
        - to: 172.30.0.0
          via: 172.30.0.1
      set-name: eth3
PRD2FWL100 current interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether FE:FE:FE:FE:FE brd ff:ff:ff:ff:ff:ff
inet 7.7.7.7/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe92:ec0/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 6a:6d:d1:0a:de:10 brd ff:ff:ff:ff:ff:ff
inet 172.22.10.1/27 brd 172.22.10.31 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::686d:d1ff:fe0a:de10/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether aa:89:70:41:ed:22 brd ff:ff:ff:ff:ff:ff
inet 172.22.20.1/27 brd 172.22.20.31 scope global eth2
valid_lft forever preferred_lft forever
inet6 fe80::a889:70ff:fe41:ed22/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether d6:9f:c5:e4:93:9d brd ff:ff:ff:ff:ff:ff
inet 172.30.0.1/31 scope global eth3
valid_lft forever preferred_lft forever
inet6 fe80::d49f:c5ff:fee4:939d/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.10.2.1/29 brd 10.10.2.7 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::d63:c98b:2e1:ad3d/64 scope link stable-privacy
valid_lft forever preferred_lft forever
PRD2FWL100 routing table
Note: external addresses have been hidden
user@prd2fwl100:~$ ip route
default via 144.217.125.8 dev eth0 proto static
10.10.2.0/29 dev tun0 proto kernel scope link src 10.10.2.1
9.9.9.9 via 8.8.8.8 dev eth0 proto static
172.21.10.0/27 via 172.30.0.1 dev eth3 proto static
172.21.20.0/27 via 172.30.0.1 dev eth3 proto static
172.21.30.0/27 via 172.30.0.1 dev eth3 proto static
172.21.50.0/27 via 172.30.0.1 dev eth3 proto static
172.22.10.0/27 dev eth1 proto kernel scope link src 172.22.10.1
172.22.20.0/27 dev eth2 proto kernel scope link src 172.22.20.1
172.30.0.0 via 172.30.0.1 dev eth3 proto static
user@prd2fwl100:~$ ip route show table local
broadcast 10.10.2.0 dev tun0 proto kernel scope link src 10.10.2.1
local 10.10.2.1 dev tun0 proto kernel scope host src 10.10.2.1
broadcast 10.10.2.7 dev tun0 proto kernel scope link src 10.10.2.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 8.8.8.8 dev eth0 proto kernel scope host src 8.8.8.8
broadcast 172.22.10.0 dev eth1 proto kernel scope link src 172.22.10.1
local 172.22.10.1 dev eth1 proto kernel scope host src 172.22.10.1
broadcast 172.22.10.31 dev eth1 proto kernel scope link src 172.22.10.1
broadcast 172.22.20.0 dev eth2 proto kernel scope link src 172.22.20.1
local 172.22.20.1 dev eth2 proto kernel scope host src 172.22.20.1
broadcast 172.22.20.31 dev eth2 proto kernel scope link src 172.22.20.1
local 172.30.0.1 dev eth3 proto kernel scope host src 172.30.0.1
PRD1FRM206 network configuration:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot. To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 172.21.10.7/27
      gateway4: 172.21.10.1
      match:
        macaddress: ca:7a:03:34:a0:43
      nameservers:
        addresses:
          - 172.21.10.2
        search:
          - kprd1
      set-name: eth0
PRD2FRM201 network configuration:
PRD2FRM201 is an LXC host on ProxMox, configured as follows:
- IP 172.22.10.2/27
- Gateway 172.22.10.1
- Bridge vmbr1
Communication tests:
From PRD2FWL100, I can ping all the hops before PRD1FRM206:
user@prd2fwl100:~$ ping 172.30.0.0 -c1
PING 172.30.0.0 (172.30.0.0) 56(84) bytes of data.
64 bytes from 172.30.0.0: icmp_seq=1 ttl=64 time=0.671 ms
--- 172.30.0.0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.671/0.671/0.671/0.000 ms
user@prd2fwl100:~$ ping 172.21.10.1 -c1
PING 172.21.10.1 (172.21.10.1) 56(84) bytes of data.
64 bytes from 172.21.10.1: icmp_seq=1 ttl=64 time=0.822 ms
--- 172.21.10.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.822/0.822/0.822/0.000 ms
But I cannot ping or arping PRD1FRM206:
user@prd2fwl100:~$ ping 172.21.10.7 -c1
PING 172.21.10.7 (172.21.10.7) 56(84) bytes of data.
From 172.30.0.1 icmp_seq=1 Destination Host Unreachable
--- 172.21.10.7 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
user@prd2fwl100:~$ arping 172.21.10.7 -c1
ARPING 172.21.10.7 from 172.30.0.1 eth3
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
Next, I try to ping every IP on the path from PRD2FRM201 to PRD1FRM206:
user@PRD2FRM201:~$ sudo ping 172.22.10.1 -c1
PING 172.22.10.1 (172.22.10.1) 56(84) bytes of data.
64 bytes from 172.22.10.1: icmp_seq=1 ttl=64 time=0.134 ms
--- 172.22.10.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.134/0.134/0.134/0.000 ms
user@PRD2FRM201:~$ sudo ping 172.30.0.1 -c1
PING 172.30.0.1 (172.30.0.1) 56(84) bytes of data.
64 bytes from 172.30.0.1: icmp_seq=1 ttl=64 time=0.159 ms
--- 172.30.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.159/0.159/0.159/0.000 ms
Again, there is a point past which I cannot get any further:
user@PRD2FRM201:~$ sudo ping 172.30.0.0 -c1
PING 172.30.0.0 (172.30.0.0) 56(84) bytes of data.
--- 172.30.0.0 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
user@PRD2FRM201:~$ sudo arping 172.30.0.0 -c1
ARPING 172.30.0.0 from 172.22.10.2 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
What do I have to do to fix this?
Answer 1
Some routes are completely wrong. I show the low-level corrections; the higher-level network configuration should be changed accordingly.
PRD1FWL100
172.30.0.1 via 172.30.0.0 dev ens22 proto static
While technically using one's own IP address as the gateway is the same as not using a gateway at all (as on two systems bridged in the same Ethernet broadcast LAN), no gateway is needed here at all. Replace with... actually the LAN route should be set by the kernel, but a higher-level tool may have chosen to override it (by declaring the address with noprefixroute). The src hint below is probably optional. Use either this (which should be preferred, since it is the default the kernel sets when not overridden):
172.30.0.0/31 dev ens22 src 172.30.0.0
or this:
172.30.0.1/32 dev ens22 src 172.30.0.0
172.22.10.0/27 via 172.30.0.0 dev ens22 proto static
172.22.20.0/27 via 172.30.0.0 dev ens22 proto static
These routes are really wrong: if the router declares itself as the gateway, that again means it considers these addresses directly reachable in the same LAN. It will not try to route these packets to the next hop (172.30.0.1); instead it will send ARP broadcasts on ens22, which will get no reply...
... except for the address of the peer PRD2FRM201 when pinging its IP address 172.22.x.1, because Linux follows the weak host model and will answer ARP for any local address on any interface. This seemingly half-working state can lead one to think the problem lies elsewhere. This can be checked on PRD1FWL100 with ip neigh show dev ens22,
which will show an ARP table polluted with addresses from other IP networks. The addresses belonging to the peer router will be resolved, but the others will be in FAILED state (=> no route to host).
Replace with:
172.22.10.0/27 via 172.30.0.1 dev ens22
172.22.20.0/27 via 172.30.0.1 dev ens22
PRD2FWL100
This is exactly the same problem with the addresses inverted.
172.30.0.0 via 172.30.0.1 dev eth3 proto static
Replace with:
172.30.0.0/31 dev eth3 src 172.30.0.1
or
172.30.0.0/32 dev eth3 src 172.30.0.1
172.21.10.0/27 via 172.30.0.1 dev eth3 proto static
172.21.20.0/27 via 172.30.0.1 dev eth3 proto static
172.21.30.0/27 via 172.30.0.1 dev eth3 proto static
172.21.50.0/27 via 172.30.0.1 dev eth3 proto static
Replace with:
172.21.10.0/27 via 172.30.0.0 dev eth3
172.21.20.0/27 via 172.30.0.0 dev eth3
172.21.30.0/27 via 172.30.0.0 dev eth3
172.21.50.0/27 via 172.30.0.0 dev eth3
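As an added check, not part of the question or the answer above, this Python script applies the answer's diagnosis mechanically: it parses `ip route` output and flags every route whose gateway is one of the router's own addresses, then proposes the replacement the answer gives (the peer of an RFC 3021 /31 as next hop, or the plain connected route). The sample route table and address list are copied from the PRD1FWL100 output in the question; the parser and function names are mine.

```python
import ipaddress

# Constructed sample input: the `ip route` output posted for PRD1FWL100 in the
# question, with the hidden external-address routes left out.
PRD1FWL100_ROUTES = """\
10.10.1.0/29 dev tun0 proto kernel scope link src 10.10.1.1
172.21.10.0/27 dev ens19 proto kernel scope link src 172.21.10.1
172.22.10.0/27 via 172.30.0.0 dev ens22 proto static
172.22.20.0/27 via 172.30.0.0 dev ens22 proto static
172.30.0.1 via 172.30.0.0 dev ens22 proto static
"""

# Addresses configured on PRD1FWL100 itself, taken from its `ip addr` output.
PRD1FWL100_ADDRS = ["10.10.1.1/29", "172.21.10.1/27", "172.30.0.0/31"]


def parse_routes(text):
    """Parse `ip route` lines into dicts holding dst plus the via/dev/src values."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"line": line, "dst": dst}
        for key in ("via", "dev", "src"):
            if key in fields:
                route[key] = fields[fields.index(key) + 1]
        routes.append(route)
    return routes


def find_self_gateway_routes(route_text, local_addrs):
    """Flag routes whose gateway is one of this router's own addresses.

    The kernel treats such a destination as directly reachable on `dev` and
    ARPs for it there instead of forwarding to the peer router, which is the
    fault diagnosed in the answer. Returns (offending_line, suggestion) pairs.
    The suggestion assumes the interface carries an RFC 3021 /31, so the peer
    router is simply the other address of the pair; for any other prefix the
    suggestion is None because the peer cannot be inferred from the table.
    """
    own = {str(i.ip): i for i in map(ipaddress.ip_interface, local_addrs)}
    findings = []
    for r in parse_routes(route_text):
        via = r.get("via")
        if via not in own:
            continue  # gateway is a remote address: this route is fine
        iface = own[via]
        if iface.network.prefixlen != 31:
            findings.append((r["line"], None))
            continue
        peer = next(h for h in iface.network if h != iface.ip)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        if dst.subnet_of(iface.network):
            # Host route to the peer via ourselves: the connected route the
            # kernel would install on its own is the replacement.
            fix = f"{iface.network} dev {r['dev']} src {iface.ip}"
        else:
            # Remote network: the next hop must be the peer, not our own address.
            fix = f"{r['dst']} via {peer} dev {r['dev']}"
        findings.append((r["line"], fix))
    return findings


if __name__ == "__main__":
    for bad, fix in find_self_gateway_routes(PRD1FWL100_ROUTES, PRD1FWL100_ADDRS):
        print(f"BAD: {bad}\n  -> {fix}")
```

Run it against `ip route` output from the other firewall with its own address list to get the mirrored corrections for PRD2FWL100.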