The whole LAN cannot reach the internet
After an overnight power outage, none of the devices on the company LAN could reach the public internet.
(base) xlh626@xlh626-OEM:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=292 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=328 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2002ms
rtt min/avg/max/mdev = 292.278/310.015/327.753/17.737 ms
(base) xlh626@xlh626-OEM:~$ ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.312 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.569 ms
^C
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1016ms
rtt min/avg/max/mdev = 0.312/0.440/0.569/0.128 ms
(base) xlh626@xlh626-OEM:~$
(base) xlh626@xlh626-OEM:~$ ping baidu.com
ping: baidu.com: Temporary failure in name resolution
(base) xlh626@xlh626-OEM:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.1.2 icmp_seq=152 Destination Net Unreachable
(base) xlh626@xlh626-OEM:~$ ping 223.5.5.5
PING 223.5.5.5 (223.5.5.5) 56(84) bytes of data.
From 192.168.1.2 icmp_seq=1 Destination Net Unreachable
From 192.168.1.2 icmp_seq=2 Destination Net Unreachable
^C
--- 223.5.5.5 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1047ms
So the LAN itself is reachable, but the round-trip time to the main router (192.168.1.1) is around 300 ms, which is far too high for a directly connected device, while the side router (192.168.1.2) answers in well under a millisecond, as it should.
Name resolution fails, and neither Google's DNS (8.8.8.8) nor Alibaba's DNS (223.5.5.5) is reachable. Note that the "Destination Net Unreachable" errors are generated by 192.168.1.2, the side router, not by anything upstream of it.
Check the routing table
(base) xlh626@xlh626-OEM:~$ ip route
default via 192.168.1.2 dev enp2s0 proto static metric 20100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.4 metric 100
(base) xlh626@xlh626-OEM:~$ ^C
So my host is 192.168.1.4 and its default gateway is the side router at 192.168.1.2 (the docker0 route is irrelevant here; that interface is down).
Next, log in to the side router and check its routing table.
root@BleachWrt:~# ip route
default via 192.168.1.1 dev br-lan
10.32.134.0/24 dev ztp6nf4n7e proto kernel scope link src 10.32.134.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.2
root@BleachWrt:~# ^C
The side router's default gateway is the main router, 192.168.1.1, and besides that it has two directly connected networks:
- 10.32.134.0/24 is reached through ztp6nf4n7e (a ZeroTier virtual interface, judging by the zt prefix), on which the side router's own address is 10.32.134.1
- 192.168.1.0/24 is reached through br-lan, on which the side router's own address is 192.168.1.2
The src field in these lines is the source address the kernel uses when sending on that network, not a destination device, and nothing in this table explains why forwarded traffic would be refused. Next, test whether the main router itself can reach the internet.
C:\Users\Administrator>ping 223.5.5.5
Pinging 223.5.5.5 with 32 bytes of data:
Reply from 223.5.5.5: bytes=32 time<1ms TTL=128
Reply from 223.5.5.5: bytes=32 time<1ms TTL=128
Reply from 223.5.5.5: bytes=32 time<1ms TTL=128
Reply from 223.5.5.5: bytes=32 time<1ms TTL=128
Ping statistics for 223.5.5.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\Administrator>ipconfig
I took a Windows machine, plugged it directly into the main router, unplugged the LAN cable between the side router and the main router, and set the Windows default gateway to the main router. It could reach the DNS server's address normally, which shows that the earlier "unreachable" errors came from the side router's network policy rather than from the main router's uplink. One caveat about this output: the replies arrive in under 1 ms with TTL=128, whereas the side router below sees the same address with ttl=51. A reply that has crossed a dozen hops cannot arrive with a TTL of 128, so something close to this machine answered the ping on 223.5.5.5's behalf; the test confirms that the path via the main router is up, but on its own it is weak evidence that 223.5.5.5 itself is reachable.
Check the side router's internet access
root@BleachWrt:~# ping -c 4 223.5.5.5
PING 223.5.5.5 (223.5.5.5): 56 data bytes
64 bytes from 223.5.5.5: seq=0 ttl=51 time=15.518 ms
64 bytes from 223.5.5.5: seq=1 ttl=51 time=14.408 ms
64 bytes from 223.5.5.5: seq=2 ttl=51 time=9.070 ms
64 bytes from 223.5.5.5: seq=3 ttl=51 time=12.672 ms
--- 223.5.5.5 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 9.070/12.917/15.518 ms
root@BleachWrt:~# ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=110 time=78.296 ms
64 bytes from 8.8.8.8: seq=1 ttl=110 time=82.841 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 2 packets received, 50% packet loss
round-trip min/avg/max = 78.296/80.568/82.841 ms
root@BleachWrt:~# nslookup baidu.com
The side router can send requests and gets replies, and the results look more or less normal (apart from the loss toward 8.8.8.8), so the problem is probably between the side router and the other devices on the LAN.
Try tracing the route
//on an ordinary host
(base) xlh626@xlh626-OEM:~$ traceroute 223.5.5.5
traceroute to 223.5.5.5 (223.5.5.5), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
//on the side router
root@BleachWrt:~# traceroute 223.5.5.5
traceroute to 223.5.5.5 (223.5.5.5), 30 hops max, 46 byte packets
1 192.168.1.1 (192.168.1.1) 60.605 ms 42.107 ms 49.355 ms
2 * * *
3 122.231.1.19 (122.231.1.19) 42.286 ms 125.118.13.85 (125.118.13.85) 15.716 ms 115.227.150.241 (115.227.150.241) 5.661 ms
4 * * *
5 * 61.164.31.190 (61.164.31.190) 15.185 ms 61.164.31.202 (61.164.31.202) 7.878 ms
6 115.236.101.213 (115.236.101.213) 8.195 ms 122.224.214.70 (122.224.214.70) 5.616 ms 115.238.21.117 (115.238.21.117) 11.087 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * *
This further supports the earlier guess: the side router goes out through the main router to the public internet normally, while the host gets not a single hop back, not even from hop 1, the directly connected side router.
Solution
There are two ways to fix this:
- Route all LAN traffic through the side router in both directions, with the main router handing return traffic back to the side router. The downside is that if the side router fails, the whole LAN loses internet access.
  - host -> side router -> main router -> internet -> main router -> side router -> host
  - host -> main router -> internet -> main router -> side router -> host
- Have the side router rewrite the source address of the traffic it forwards, so the main router sends replies back along the same path.
  - host -> side router -> main router -> internet -> main router -> side router -> host
  - host -> main router -> internet -> main router -> host
I went with the second option.
//on the side router
%% flush the nat table on the side router (this deletes every existing nat rule, port forwards included; it is not just a cache) %%
iptables -t nat -F
%% add the policy %%
iptables -t nat -A POSTROUTING -o br-lan -j SNAT --to-source 192.168.1.2
%% list the nat table rules %%
iptables -t nat -L -n -v
Now the host can traceroute to 8.8.8.8 again.
(base) xlh626@xlh626-OEM:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.2 (192.168.1.2) 0.332 ms 0.280 ms 0.254 ms
2 192.168.1.1 (192.168.1.1) 60.694 ms 60.667 ms 60.646 ms
3 * * *
4 * 122.231.1.3 (122.231.1.3) 107.804 ms 115.227.150.237 (115.227.150.237) 107.781 ms
5 * 122.231.1.26 (122.231.1.26) 107.735 ms *
6 220.191.198.197 (220.191.198.197) 107.689 ms 220.191.198.173 (220.191.198.173) 17.701 ms 61.164.8.86 (61.164.8.86) 18.132 ms
7 202.97.101.25 (202.97.101.25) 28.658 ms * 202.97.23.229 (202.97.23.229) 269.975 ms
8 202.97.62.114 (202.97.62.114) 268.694 ms * *
9 202.97.39.61 (202.97.39.61) 269.582 ms 202.97.12.201 (202.97.12.201) 269.469 ms 202.97.74.1 (202.97.74.1) 270.492 ms
10 202.97.53.242 (202.97.53.242) 313.603 ms 202.97.58.114 (202.97.58.114) 313.308 ms 202.97.25.230 (202.97.25.230) 313.458 ms
^C
(base) xlh626@xlh626-OEM:~$ ping baidu.com
PING baidu.com (220.181.7.203) 56(84) bytes of data.
64 bytes from 220.181.7.203: icmp_seq=1 ttl=52 time=80.1 ms
64 bytes from 220.181.7.203: icmp_seq=2 ttl=52 time=56.4 ms
64 bytes from 220.181.7.203: icmp_seq=3 ttl=52 time=114 ms
^C
--- baidu.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 56.435/83.395/113.687/23.491 ms
(base) xlh626@xlh626-OEM:~$
Persisting the routing policy
# edit the firewall's custom rule script
vi /etc/firewall.user
# add the following line
iptables -t nat -A POSTROUTING -o br-lan -j SNAT --to-source 192.168.1.2
On OpenWrt builds that use fw3 (iptables), /etc/firewall.user is executed every time the firewall is (re)loaded; builds on fw4 (nftables, OpenWrt 22.03 and later) no longer run this file and read user rules from /etc/nftables.d/ instead, so check which firewall the build ships before relying on it.
The port forward for the NAS was down too
Rules added by hand live only in the running kernel: they were lost in the power cycle, and the iptables -t nat -F above would have removed them again in any case.
//add a port forward to 192.168.1.160
iptables -t nat -A PREROUTING -p tcp --dport 3690 -j DNAT --to-destination 192.168.1.160:3690
//list the services listening on the side router itself
netstat -tulnp | grep LISTEN
//list the port-forward rules
iptables -t nat -L PREROUTING -n -v
Persisting the port forward
vi /etc/firewall.user
%% add %%
iptables -t nat -A PREROUTING -p tcp --dport 3690 -j DNAT --to-destination 192.168.1.160:3690
Two things are worth knowing about this rule as written. It has no -d or -i match, so it rewrites every TCP packet to port 3690 (the default svnserve port) that enters the side router on any interface, including packets a LAN host is merely routing through 192.168.1.2 toward some other svn server on the internet, and packets arriving over the ZeroTier interface. And because the SNAT rule above also rewrites the forwarded connection, the NAS sees every client as 192.168.1.2, so its logs and any client-IP-based access control on it no longer tell you who connected.
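As an added example that is not code from the original post, here is the side router's NAT setup from the Solution section and the NAS port forward above combined into one script that can be run repeatedly (for instance from /etc/firewall.user on every firewall reload) without duplicating rules. The addresses come from the post (LAN 192.168.1.0/24 on br-lan, side router 192.168.1.2, NAS 192.168.1.160, tcp/3690); the variable names, the DRY_RUN switch and the ipt_nat helper are my own, and the script assumes an iptables-based (fw3) build. It also narrows the two matches: the SNAT only covers forwarded traffic whose destination is outside the LAN, the DNAT only covers packets addressed to the side router itself, and a third rule supplies the hairpin SNAT the port forward needs once the first rule no longer rewrites LAN-to-LAN traffic.

```sh
#!/bin/sh
# Added example for the side router (BleachWrt/OpenWrt with iptables); not code
# from the original post. Addresses are taken from the post; the variable names
# and the DRY_RUN switch are assumptions of this example.
# DRY_RUN=1 (the default) only prints the iptables commands; DRY_RUN=0 applies
# them. Each rule is checked with `iptables -C` before it is appended, so
# running the script twice never duplicates a rule.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
SELF_IP="${SELF_IP:-192.168.1.2}"
NAS_IP="${NAS_IP:-192.168.1.160}"
NAS_PORT="${NAS_PORT:-3690}"
DRY_RUN="${DRY_RUN:-1}"

# ipt_nat CHAIN MATCH... : append the rule to the nat table's CHAIN unless an
# identical rule is already present.
ipt_nat() {
    chain="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -t nat -A $chain $*"
        return 0
    fi
    iptables -t nat -C "$chain" "$@" 2>/dev/null || iptables -t nat -A "$chain" "$@"
}

# 1. The fix from the post, narrowed: rewrite the source of forwarded traffic
#    that leaves br-lan toward the main router, i.e. whose destination lies
#    outside the LAN. Replies then return to 192.168.1.2 and conntrack undoes
#    the rewrite. Traffic between LAN hosts is left untouched.
snat_internet_bound() {
    ipt_nat POSTROUTING -o "$LAN_IF" ! -d "$LAN_NET" \
        -j SNAT --to-source "$SELF_IP"
}

# 2. The NAS port forward, restricted with -d to packets addressed to the side
#    router itself. The post's rule has no -d, so it would also redirect a LAN
#    host's connection to any svn server on the internet into the NAS.
#    Add -i "$LAN_IF" here if ZeroTier peers must not reach the NAS this way.
dnat_nas() {
    ipt_nat PREROUTING -d "$SELF_IP" -p tcp --dport "$NAS_PORT" \
        -j DNAT --to-destination "$NAS_IP:$NAS_PORT"
}

# 3. Hairpin SNAT for rule 2: the client sent its SYN to 192.168.1.2, so a
#    SYN-ACK arriving straight from 192.168.1.160 matches no socket on the
#    client and is reset. --ctstate DNAT matches only connections rule 2
#    rewrote, so nothing else is masked behind 192.168.1.2.
snat_hairpin_nas() {
    ipt_nat POSTROUTING -o "$LAN_IF" -d "$NAS_IP" -p tcp --dport "$NAS_PORT" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$SELF_IP"
}

# Apply (or print) the three rules in order; SNAT is a terminating target, so
# rule 1 must not match the hairpin traffic that rule 3 handles.
apply_side_router_nat() {
    snat_internet_bound
    dnat_nas
    snat_hairpin_nas
}

apply_side_router_nat
```

Run it once as DRY_RUN=1 to review the three lines, then with DRY_RUN=0 on the side router, and verify with iptables -t nat -L -n -v --line-numbers. One consequence of the ! -d match in rule 1: the post's broader rule also masked ZeroTier peers behind 192.168.1.2 when they reached LAN hosts through this box; if that remote access is in use, drop the ! -d match (accepting that LAN hosts then see 192.168.1.2 for those peers) or add a separate SNAT rule for the 10.32.134.0/24 source.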