estou tentando configurar o roteamento com o iproute, para que uma determinada sub-rede do cliente possa acessar um uplink de firewall na Internet em outra interface.
O servidor tem quatro interfaces:
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:e6:7a:9e brd ff:ff:ff:ff:ff:ff
inet 10.20.30.1/16 brd 10.20.255.255 scope global enp2s0f0
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fee6:7a9e/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:e6:7a:9f brd ff:ff:ff:ff:ff:ff
inet 10.132.128.70/26 brd 10.132.128.127 scope global enp2s0f1
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fee6:7a9f/64 scope link
valid_lft forever preferred_lft forever
4: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:00:d1:ce brd ff:ff:ff:ff:ff:ff
inet 10.132.128.71/26 brd 10.132.128.127 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe00:d1ce/64 scope link
valid_lft forever preferred_lft forever
5: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:00:d1:cf brd ff:ff:ff:ff:ff:ff
inet 172.16.10.1/21 brd 172.16.15.255 scope global eno2
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe00:d1cf/64 scope link
valid_lft forever preferred_lft forever
Os clientes podem se conectar à sub-rede 10.20.0.0/16 e obter um endereço IP via DHCP. Eles devem então poder acessar a internet pela interface enp2s0f1. Essa interface é um uplink de firewall na Internet com o gateway em 10.132.128.65. Eu não tenho controle sobre o firewall.
As regras e tabelas de roteamento são assim:
table local:
broadcast 10.20.0.0 dev enp2s0f0 proto kernel scope link src 10.20.30.1
local 10.20.30.1 dev enp2s0f0 proto kernel scope host src 10.20.30.1
broadcast 10.20.255.255 dev enp2s0f0 proto kernel scope link src 10.20.30.1
broadcast 10.132.128.64 dev eno1 proto kernel scope link src 10.132.128.71
broadcast 10.132.128.64 dev enp2s0f1 proto kernel scope link src 10.132.128.70
local 10.132.128.70 dev enp2s0f1 proto kernel scope host src 10.132.128.70
local 10.132.128.71 dev eno1 proto kernel scope host src 10.132.128.71
broadcast 10.132.128.127 dev eno1 proto kernel scope link src 10.132.128.71
broadcast 10.132.128.127 dev enp2s0f1 proto kernel scope link src 10.132.128.70
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.16.0.0 dev tap0 proto kernel scope link src 172.16.0.66
local 172.16.0.66 dev tap0 proto kernel scope host src 172.16.0.66
broadcast 172.16.3.255 dev tap0 proto kernel scope link src 172.16.0.66
broadcast 172.16.8.0 dev eno2 proto kernel scope link src 172.16.10.1
local 172.16.10.1 dev eno2 proto kernel scope host src 172.16.10.1
broadcast 172.16.15.255 dev eno2 proto kernel scope link src 172.16.10.1
main da tabela:
10.20.0.0/16 dev enp2s0f0 scope link src 10.20.30.1
10.132.128.64/26 dev eno1 proto kernel scope link src 10.132.128.71
10.132.128.64/26 dev enp2s0f1 proto kernel scope link src 10.132.128.70
172.16.0.0/22 dev tap0 proto kernel scope link src 172.16.0.66
172.16.8.0/21 dev eno2 proto kernel scope link src 172.16.10.1
Tabela padrão
:
default via 10.132.128.65 dev eno1 onlink
Eu tentei configurar a rota assim:
echo 200 clients >> /etc/iproute2/rt_tables
ip rule add from 10.20.0.0/16 lookup clients
ip route add default via 10.132.128.70 dev enp2s0f1 table clients
ip route flush cache
mas isso não funcionou. Então, eu tenho tentado mudar a regra de roteamento para
from 10.20.30.1 lookup clients
//and
from iif enp2s0f0 lookup clients
mas eu ainda nunca consegui uma conexão com a interface. Eu testo com
ping -I enp2s0f0 10.132.128.70
Como a regra parece boa, tentei rotas diferentes:
ip route add 10.20.0.0/16 dev enp2s0f0 table clients
ip route add 10.132.128.64/26 via 10.132.128.65 dev enp2s0f1 table clients
ip route add 10.132.128.64/26 via 10.20.30.1 dev enp2s0f1 table clients
ip route add default 10.20.0.0/16 via 10.132.128.65 dev enp2s0f1 table clients
Como você deve ter adivinhado, neste momento estou apenas me confundindo. Se eu entendi corretamente, funciona assim:
ip route add {source_network} via {gateway} dev {output_device} table clients
Ou eu entendi errado?
Outra coisa é quando eu faço um
ip route get 10.132.128.65 // where we want to end up
O resultado é
10.132.128.65 dev eno1 src 10.132.128.71
cache
Assim, a rota na tabela padrão parece sobrescrever a regra para a tabela do cliente ... mas a regra da tabela do cliente está ativa, pois as alterações na tabela de clientes alteram a conectividade para os clientes na rede 10.20.0.0/16.
Se houver alguma iformação faltando, terei prazer em fornecê-la.
Obrigado antecipadamente!