Здравствуйте,
при изменении:
route change default 10.0.0.1
остаются в интернете только пользователи сквида; меняем обратно:
route change default 170.112.31.1 - все в работе. Пользователи с прямым подключением остаются без интернета.
Предполагаю косяк с правилами ipfw. Прошу помощи.
Подробности:
провайдер 1 - статический ip
провайдер 2 - pppoe, статический ip, mpd5
FreeBSD 10.1
Ядро с опциями:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options IPFIREWALL_FORWARD
rc.conf:
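hostname="inet"

# Routing: forward between interfaces; the main FIB's default route is provider 1.
gateway_enable="YES"
defaultrouter="170.112.31.1"

# Second routing table (kernel option ROUTETABLES=2) for provider 2; its default
# route points at the PPPoE peer.
# NOTE(review): confirm which rc script actually consumes the setfib1_* keys;
# if nothing reads them, FIB 1 is left without a default route.
setfib1_enable="YES"
setfib1_defaultroute="10.0.0.1"

# LAN side
ifconfig_re2="inet 192.168.101.254 netmask 0xffffff00"
# Provider 2: the Ethernet link that mpd5 runs PPPoE over
ifconfig_re1="inet 192.168.0.1 netmask 0xffffff00 -rxcsum -tso"
# Provider 1: static public IP
ifconfig_re0="inet 170.112.31.48 netmask 255.255.255.192 -rxcsum -tso"

squid_enable="YES"

# The custom ruleset below replaces /etc/rc.firewall entirely; firewall_type is
# only read by /etc/rc.firewall, so it has no effect together with firewall_script.
firewall_enable="YES"
firewall_script="/etc/ipfw.rule"
firewall_type="open"

mpd_enable="YES"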
ipfw:
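#!/bin/sh
# /etc/ipfw.rule - ipfw ruleset for the "inet" gateway (loaded via firewall_script).
# Two uplinks: provider 1 (static public IP on re0) and provider 2 (PPPoE via mpd5,
# carried on re1). LAN hosts normally go out through Squid on the gateway itself;
# hosts in table 2 and destinations in table 3 are NATed directly, as are mail, DNS
# and the video port. Nothing else is allowed: the kernel config does not set
# IPFIREWALL_DEFAULT_TO_ACCEPT, so the implicit last rule 65535 denies.

ipfw="/sbin/ipfw"

# Provider 1: static public address.
iProv1="re0"
Prov1IP="170.112.31.48"

# Provider 2.
# NOTE(review): per rc.conf this link is PPPoE via mpd5. Routed IP traffic then leaves
# through the PPP interface mpd5 creates (conventionally ng0 - check ifconfig and
# netstat -rn), not through the Ethernet re1 it is carried on. With iProv2="re1" the
# "out via ${iProv2}" rules and "nat 2 config if ${iProv2}" below never see that
# traffic, and the NAT alias address would be taken from re1 (192.168.0.1) instead of
# the address the provider assigned. Point iProv2 at the PPP interface when mpd5 is
# the uplink; re1 is right only when an external router sits on 192.168.0.1.
iProv2="re1"
Prov2IP="192.168.0.1"

# LAN side.
iLocalNet="re2"
LocalIP="192.168.101.254"
LocalNet="192.168.101.0/24"

# Port definitions. ipfw reads a port list as one shell word, so no spaces after commas.
ssh="22"
video="37777"
pochta="25,110,465,993,995"

#********************************************************************************
# Start from a clean state. "-f flush" removes rules only; nat instances and tables
# persist across runs, so reset those explicitly. Table 1 belongs to bruteblockd and
# is deliberately left untouched.
${ipfw} -f flush
${ipfw} nat 1 delete
${ipfw} nat 2 delete
${ipfw} table 2 flush
${ipfw} table 3 flush

#================================================================================
# Packet sanity checks on everything coming in.
# NOTE(review): verrevpath is evaluated against the routing table; once the default
# route is moved to provider 2, replies still arriving on provider 1's interface may
# fail this check and be dropped here - confirm that is intended.
${ipfw} add 50 deny ip from any to any not verrevpath in
${ipfw} add 100 deny ip from any to any frag

# Anti-spoofing on the uplinks. ipfw takes a single interface name after recv/via,
# so each uplink gets its own rule (same rule number, same action).
# The 192.168.0.0/16 filter is applied to provider 1 only: provider 2's own link
# network (Prov2IP) lies inside 192.168.0.0/16, so filtering it there would reject
# the uplink's own traffic.
${ipfw} add 120 reject ip from 192.168.0.0/16 to any in recv ${iProv1}
${ipfw} add 125 reject ip from any to 192.168.0.0/16 in recv ${iProv1}
for wan in ${iProv1} ${iProv2}; do
    ${ipfw} add 130 reject ip from 172.16.0.0/12 to any in recv ${wan}
    ${ipfw} add 135 reject ip from any to 172.16.0.0/12 in recv ${wan}
    ${ipfw} add 140 reject ip from 169.254.0.0/16 to any in recv ${wan}
    ${ipfw} add 145 reject ip from any to 169.254.0.0/16 in recv ${wan}
    # Our own LAN prefix must never show up on an uplink.
    ${ipfw} add 150 reject ip from ${LocalNet} to any in via ${wan}
done

# TCP flag sanity (tcpflags lists are comma-separated with no spaces).
${ipfw} add 200 reject tcp from any to any not established tcpflags fin
${ipfw} add 250 reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${ipfw} add 300 reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg

# NetBIOS never crosses this box in either direction.
${ipfw} add 350 deny all from any 137-139 to any
${ipfw} add 400 deny all from any to any dst-port 137-139

#********************************************************************************
# Table 2: LAN hosts allowed to bypass the proxy (direct NAT). Table 1 is in use by
# bruteblockd, which is why the numbering starts at 2.
${ipfw} table 2 add 192.168.101.36
${ipfw} table 2 add 192.168.101.197
${ipfw} table 2 add 192.168.101.21
${ipfw} table 2 add 192.168.101.12

#********************************************************************************
# Table 3: destinations every LAN host may reach directly, without the proxy.
${ipfw} table 3 add 195.149.70.70 # Mesplan

#********************************************************************************
# Drop everything bruteblockd has caught. This only protects the gateway itself
# ("to me"); forwarded traffic from those sources is not covered by this rule.
${ipfw} add 450 deny all from "table(1)" to me

#********************************************************************************
# Loopback is unrestricted.
${ipfw} add 500 allow all from any to any via lo0

#********************************************************************************
# LAN -> gateway: everything the gateway serves (Squid included) is reachable from
# the LAN, and Squid's own outbound connections are allowed by uid.
${ipfw} add 550 allow all from ${LocalNet} to ${LocalIP}
${ipfw} add 600 allow all from any to any uid squid

#********************************************************************************
# SSH to the gateway; sources blocked by bruteblockd were already rejected at 450.
${ipfw} add 650 allow tcp from any to me ${ssh} keep-state

#********************************************************************************
# One NAT instance per uplink. deny_in drops inbound packets that match no existing
# translation; reset clears the translation table when the interface address changes.
${ipfw} nat 1 config log if ${iProv1} reset same_ports deny_in
${ipfw} nat 2 config log if ${iProv2} reset same_ports deny_in

#********************************************************************************
# Outbound traffic that bypasses Squid, translated on whichever uplink it leaves by.
# Mail
${ipfw} add 700 nat 1 ip from ${LocalNet} to any ${pochta} out via ${iProv1}
${ipfw} add 701 nat 2 ip from ${LocalNet} to any ${pochta} out via ${iProv2}
# Video surveillance
${ipfw} add 750 nat 1 ip from ${LocalNet} to any ${video} out via ${iProv1}
${ipfw} add 751 nat 2 ip from ${LocalNet} to any ${video} out via ${iProv2}
# DNS from the LAN (from the domain controller)
${ipfw} add 800 nat 1 udp from ${LocalNet} to any 53 out via ${iProv1}
${ipfw} add 801 nat 2 udp from ${LocalNet} to any 53 out via ${iProv2}
# Proxy-less hosts (table 2) and direct destinations (table 3)
${ipfw} add 850 nat 1 ip from "table(2)" to any out via ${iProv1}
${ipfw} add 851 nat 2 ip from "table(2)" to any out via ${iProv2}
${ipfw} add 900 nat 1 ip from ${LocalNet} to "table(3)" out via ${iProv1}
${ipfw} add 901 nat 2 ip from ${LocalNet} to "table(3)" out via ${iProv2}
# Inbound on the uplinks: translate back before the allow rules below are evaluated.
${ipfw} add 950 nat 1 ip from any to any in via ${iProv1}
${ipfw} add 951 nat 2 ip from any to any in via ${iProv2}

#********************************************************************************
# Pass what the NAT rules above select, on the LAN-side inbound pass (before the
# packet is routed out and translated).
# Proxy-less hosts
${ipfw} add 1000 allow all from "table(2)" to not ${LocalNet} in via ${iLocalNet}
# Direct access to the sites in table 3
${ipfw} add 1050 allow all from ${LocalNet} to "table(3)" in via ${iLocalNet}
# Mail
${ipfw} add 1100 allow all from ${LocalNet} to not ${LocalNet} ${pochta} in via ${iLocalNet}
# DNS
${ipfw} add 1150 allow udp from ${LocalNet} to not ${LocalNet} 53 in via ${iLocalNet}
# Video surveillance
${ipfw} add 1200 allow all from ${LocalNet} to not ${LocalNet} ${video} in via ${iLocalNet}

#********************************************************************************
# Replies: already un-translated by 950/951 on the way in, then out to the LAN.
${ipfw} add 1250 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv1}
${ipfw} add 1251 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv2}
${ipfw} add 1300 allow all from not ${LocalNet} to ${LocalNet} out via ${iLocalNet}

#********************************************************************************
# The gateway itself may reach anything. (This divider was missing its leading "#",
# which made sh try to run a line of asterisks as a command.)
${ipfw} add 1350 allow all from me to any
#********************************************************************************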
Локализовал проблему. Было:
сетевая карта - 192.168.0.1 (re2) -> mpd5 10.0.0.1 -> 89.209.XXX.XX (адрес выданный провайдером).
При изменении default router на 10.0.0.1 сквид работал, напрямую через нат - нет.
Локализация:
изменил адрес локальной сетевой с 192.168.0.1 на 192.168.0.254
сетевая карта - 192.168.0.254 (re2) -> роутер tp-link 192.168.0.1 -> 89.209.XXX.XX (адрес выданный провайдером).
При изменении default router на 192.168.0.1 - все заработало как надо.
Что в первом варианте может быть не так?