On 13/02/2017 19:28, Catalin(ux) M. BOIE wrote:
> A tcpdump on both interfaces could show you some interesting things: the connection from outside comes in on one IP, but leaves with an incorrect source.
>
> I'm looking forward to the exact configuration you made and the tcpdump traces.
I didn't want to paste a wall of text here, but it seems I have no choice :-) I have already done pretty much everything you said. I'll try to lay it out here too and keep it as short as I can.

I have "float" in the openvpn configuration, otherwise it wouldn't work in the variant with the default route set.

The iproute2 configuration:
----------------------------------------------------
IF0="enp4s0"          # internal LAN
IF1="enp0s25"         # provider 1
IF2="enp4s2"          # provider 2
IP0="172.24.100.1"
IP1="1.1.1.1"
IP2="2.2.2.2"
P1="1.1.1.254"        # provider 1 gateway
P2="2.2.2.254"        # provider 2 gateway
P0_NET="172.24.100.0/24"
P1_NET="1.1.1.0/24"
P2_NET="2.2.2.0/24"

# start from a clean state
ip route flush table T1
ip route flush table T2
ip rule del from $IP1 table T1
ip rule del from $IP2 table T2

# one table per provider, each with its own default gateway
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

# pick the table by source address
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

# make the other local networks reachable from each table
ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2
----------------------------------------------------

I think it's fairly clear: IF0 is the internal interface, the other 2 go to the 2 providers.

With the default route set via P2, I connect to openvpn via P1:

Mon Feb 13 18:45:20 2017 UDPv4 link local: [undef]
Mon Feb 13 18:45:20 2017 UDPv4 link remote: [AF_INET]1.1.1.1:1194
Mon Feb 13 18:45:20 2017 TLS: Initial packet from [AF_INET]2.2.2.2:1194, sid=d2a8840d f02fe16c

As you can see, the logs say it too, so there's no point in giving more tcpdump details: the packets come in on one interface and go back out on the other (default route) - with 'float' set.
Now I delete the default route and connect to openvpn the same way via P1 (from the public IP 9.9.9.9):

# tcpdump -i enp0s25 -nn port 1194
23:41:58.709140 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
23:42:00.892050 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
23:42:04.166071 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
23:42:12.880868 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
23:42:28.337031 IP 9.9.9.9.37307 > 1.1.1.1.1194: UDP, length 42
23:43:00.184881 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
23:43:02.307497 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
23:43:06.552837 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
23:43:15.045645 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
23:43:31.338430 IP 9.9.9.9.40322 > 1.1.1.1.1194: UDP, length 42
[etc]

Listening on the other interfaces as well - even on the internal one :-)) - no packet shows up on port 1194 during this whole period.

On the other hand, if I do a test on port 25 for example (again without a default route):

# telnet 1.1.1.1 25
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 mail.localhost.localdomain ESMTP Postfix

# tcpdump -i enp0s25 -nn port 25
00:02:27.365936 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [S], seq 3989728965, win 29200, options [mss 1460,sackOK,TS val 3423415060 ecr 0,nop,wscale 7], length 0
00:02:27.365959 IP 1.1.1.1.25 > 9.9.9.9.35082: Flags [S.], seq 794810362, ack 3989728966, win 28960, options [mss 1460,sackOK,TS val 92128016 ecr 3423415060,nop,wscale 7], length 0
00:02:27.409897 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [.], ack 1, win 229, options [nop,nop,TS val 3423415104 ecr 92128016], length 0
00:02:27.434864 IP 1.1.1.1.25 > 9.9.9.9.35082: Flags [P.], seq 1:37, ack 1, win 227, options [nop,nop,TS val 92128085 ecr 3423415104], length 36
00:02:27.479003 IP 9.9.9.9.35082 > 1.1.1.1.25: Flags [.], ack 37, win 229, options [nop,nop,TS val 3423415173 ecr 92128085], length 0

I hope I haven't shortened this story too much; I'll give more details if needed.
There is probably an alternative fix, for example putting in a script that switches the default route to the other provider when the initial one goes down. In that case openvpn would work all the time. But if theory says it should work without a default route (and that may well be the logical thing) then what is wrong?

Thanks for the help,
Catalin Bucur
_______________________________________________
RLUG mailing list
RLUG@lists.lug.ro
http://lists.lug.ro/mailman/listinfo/rlug
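To illustrate the three observations in the post above (the reply leaves via the other provider when a default route exists; no reply at all on UDP 1194 without one; TCP on port 25 still answered), here is a small Python model of the kernel's rule-then-table lookup, added by the editor and not part of the thread. It assumes, as a hypothesis the thread does not confirm, that OpenVPN's reply leaves a UDP socket bound to 0.0.0.0, so the `from $IP1`/`from $IP2` rules never match it, whereas the accepted TCP connection replies from 1.1.1.1; the DEV_ADDR map is likewise the editor's construction.

```python
import ipaddress

# Constructed from the iproute2 script in the post. DEV_ADDR is an assumption
# about which address the kernel uses when the socket is bound to 0.0.0.0.
IP0, IP1, IP2 = "172.24.100.1", "1.1.1.1", "2.2.2.2"
P1, P2 = "1.1.1.254", "2.2.2.254"
DEV_ADDR = {"enp4s0": IP0, "enp0s25": IP1, "enp4s2": IP2}
CONNECTED = [("172.24.100.0/24", None, "enp4s0"),
             ("1.1.1.0/24", None, "enp0s25"),
             ("2.2.2.0/24", None, "enp4s2")]

def tables(main_default):
    """Routing tables as (prefix, next hop or None if on-link, device).
    main_default is (gateway, dev), or None for 'default route deleted'."""
    main = list(CONNECTED) + ([("0.0.0.0/0",) + main_default] if main_default else [])
    return {"T1": CONNECTED + [("0.0.0.0/0", P1, "enp0s25")],
            "T2": CONNECTED + [("0.0.0.0/0", P2, "enp4s2")],
            "main": main}

# ip rule add from $IP1 table T1 / from $IP2 table T2; main is the fallback.
RULES = [(IP1, "T1"), (IP2, "T2"), (None, "main")]

def longest_match(routes, dst):
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def reply_path(src, dst, main_default=None):
    """Simulate the lookup for a reply packet. src is the socket's bound address,
    or '0.0.0.0' for an unbound UDP socket. Returns (egress device, source
    address used) or None when no table yields a route."""
    dst = ipaddress.ip_address(dst)
    for selector, name in RULES:
        if selector is not None and selector != src:
            continue  # this 'from' rule does not match the packet
        hit = longest_match(tables(main_default)[name], dst)
        if hit:  # no match in this table -> fall through to the next rule
            dev = hit[2]
            return (dev, src if src != "0.0.0.0" else DEV_ADDR[dev])
    return None

if __name__ == "__main__":
    # default route via P2 present: the 0.0.0.0 socket answers from 2.2.2.2
    print(reply_path("0.0.0.0", "9.9.9.9", (P2, "enp4s2")))  # ('enp4s2', '2.2.2.2')
    # default route deleted: no route for the UDP reply at all
    print(reply_path("0.0.0.0", "9.9.9.9"))                  # None
    # the TCP socket accepted on 1.1.1.1 still matches the T1 rule
    print(reply_path("1.1.1.1", "9.9.9.9"))                  # ('enp0s25', '1.1.1.1')
```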