XTang, a networking question for you

XTang, I have a question I'd like your help with; at the very least, please give me a primer on what br0, tap0 and the like are. Thanks :)

The setup is a little complicated.
1. An ADSL modem/router. Suppose its WAN IP is 222.128.6.100 and the LAN is the 192.168.1.* range.
2. Behind it, a Windows XP box with IP 192.168.1.6 (port 3389 is opened on the ADSL router so it can be reached from outside).
3. VirtualBox on the XP box, running CentOS. The network is set to bridged adapter, IP 192.168.1.15 (port 22 is opened so I can SSH in from outside).
4. An OpenVPN server is also installed on the CentOS guest, with port 1194 opened.

Up to this point everything works.

[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:74:30:E0  
          inet addr:192.168.1.15  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:151 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24192 (23.6 KiB)  TX bytes:12307 (12.0 KiB)
          Interrupt:10 Base address:0xd020 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2001152 (1.9 MiB)  TX bytes:2001152 (1.9 MiB)




But I want to switch OpenVPN from routed mode to bridged mode so that broadcasts get through. That means using bridging,
so I ran the bridge-start script:

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.15"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

# Create the persistent TAP device(s) that OpenVPN will attach to
for t in $tap; do
    ./openvpn --mktun --dev "$t"
done

# Create the bridge and make the physical NIC one of its ports
brctl addbr "$br"
brctl addif "$br" "$eth"

# Make each TAP device another port of the same bridge
for t in $tap; do
    brctl addif "$br" "$t"
done

for t in $tap; do
    ifconfig "$t" 0.0.0.0 promisc up
done

# Strip the address from the physical NIC (bridge ports carry no IP)...
ifconfig "$eth" 0.0.0.0 promisc up

# ...and put it on the bridge interface instead
ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast"

The network state is now:

[root@localhost openvpn-2.1.1]# ifconfig
br0       Link encap:Ethernet  HWaddr 08:00:27:74:30:E0  
          inet addr:192.168.1.15  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2709 (2.6 KiB)  TX bytes:5896 (5.7 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:74:30:E0  
          inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2266 errors:0 dropped:0 overruns:0 frame:0
          TX packets:559 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:340045 (332.0 KiB)  TX bytes:68175 (66.5 KiB)
          Interrupt:10 Base address:0xd020 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1167 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2001152 (1.9 MiB)  TX bytes:2001152 (1.9 MiB)

tap0      Link encap:Ethernet  HWaddr BA:CF:C4:A9:D9:FF  
          inet6 addr: fe80::b8cf:c4ff:fea9:d9ff/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:24 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Now the problem appears: SSH and everything else from inside the LAN still works, but connections from the outside no longer do. It looks as if the port forwarding has stopped working!

Afterwards, even running bridge-stop and manually re-adding the IP (ifconfig eth0 192.168.1.15 netmask 255.255.255.0) doesn't help.

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

# Take the bridge down and delete it; eth0 and tap0 are released as ports
ifconfig "$br" down
brctl delbr "$br"

# Remove the persistent TAP device(s)
for t in $tap; do
    ./openvpn --rmtun --dev "$t"
done

I'm not quite sure how to phrase the question. What is the relationship between br0, tap0 and eth0, and what subtle effects does it have on the network?

Mainly: why do these operations leave the LAN untouched, yet break the port forwarding so that I can't connect from outside?


The relevant OpenVPN options are documented as follows:

TUN/TAP persistent tunnel config mode:

Available with linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels.
--mktun
(Standalone) Create a persistent tunnel on platforms which support them such as Linux. Normally TUN/TAP tunnels exist only for the period of time that an application has them open. This option takes advantage of the TUN/TAP driver's ability to build persistent tunnels that live through multiple instantiations of OpenVPN and die only when they are deleted or the machine is rebooted.
One of the advantages of persistent tunnels is that they eliminate the need for separate --up and --down scripts to run the appropriate ifconfig(8) and route(8) commands. These commands can be placed in the same shell script which starts or terminates an OpenVPN session.

Another advantage is that open connections through the TUN/TAP-based tunnel will not be reset if the OpenVPN peer restarts. This can be useful to provide uninterrupted connectivity through the tunnel in the event of a DHCP reset of the peer's public IP address (see the --ipchange option above).

One disadvantage of persistent tunnels is that it is harder to automatically configure their MTU value (see --link-mtu and --tun-mtu above).

On some platforms such as Windows, TAP-Win32 tunnels are persistent by default.

--rmtun
(Standalone) Remove a persistent tunnel.

br0 is the bridge interface; it bridges the two interfaces eth0 and tap0.

My guess about your problem is that when br0 is created, eth0's address is removed and re-set on br0, and this causes the default route to be deleted. After running bridge-start, try a route add default 192.168.1.1 and see whether that fixes it. (Assuming your ADSL router's LAN address is .1.1
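The relationship the question asks about, and the fix XTang suggests, as an added example that is not code from the original post or from the OpenVPN project. br0 is a software switch; eth0 and tap0 are its two ports. The host's IP address lives on br0, and frames that arrive on tap0 from a VPN client are switched out through eth0 onto the LAN (and back). On Linux, `ifconfig eth0 0.0.0.0` removes eth0's address together with every route that depended on it, the default route via the ADSL router included, and `ifconfig br0 192.168.1.15 ...` only restores the connected 192.168.1.0/24 route. That is why LAN traffic still works (same subnet, no gateway needed) while replies to forwarded connections from the outside have nowhere to go; the same applies after bridge-stop when only the address is re-added. The script below records the gateway before the address moves, re-adds the default route afterwards (net-tools syntax: `route add default gw ...`), and checks the result. It assumes 192.168.1.1 as the ADSL router's LAN address (XTang's assumption, not stated in the post), that `openvpn` is on PATH, and that bridge-utils is installed; the `route -n` sample embedded in it is constructed, not captured from the poster's machine.

```shell
#!/bin/bash
# Added example: bridge-start/bridge-stop that preserve the default route.
# Not the poster's scripts and not from the OpenVPN project. Assumptions not
# in the original post: the ADSL router's LAN address is 192.168.1.1,
# `openvpn` is on PATH, bridge-utils is installed.
set -u

br="br0"
tap="tap0"
eth="eth0"
eth_ip="192.168.1.15"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
fallback_gw="192.168.1.1"   # assumed ADSL LAN address, used only if no default route exists

# Constructed sample of `route -n` output for the pre-bridge state (not
# captured from the poster's machine); lets the parsers below run offline.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

# Print the gateway of the default route from `route -n` output on stdin.
# The default route is the line with destination 0.0.0.0, genmask 0.0.0.0
# and the G (gateway) flag; prints nothing if there is no such line.
default_gw_from_route_table() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# Print the interface the default route leaves through (last column).
default_iface_from_route_table() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ { print $NF; exit }'
}

# Post-change check: a default route must exist and leave via the given iface.
check_default_route() {   # usage: check_default_route br0
    iface=$(route -n | default_iface_from_route_table)
    [ "$iface" = "$1" ]
}

bridge_start() {
    # 1. Record the gateway BEFORE touching eth0: `ifconfig eth0 0.0.0.0`
    #    drops every route that used eth0's address, the default route
    #    included. That is the step that breaks inbound port forwarding.
    gw=$(route -n | default_gw_from_route_table)
    gw=${gw:-$fallback_gw}

    for t in $tap; do
        openvpn --mktun --dev "$t"
    done

    brctl addbr "$br"
    brctl addif "$br" "$eth"
    for t in $tap; do
        brctl addif "$br" "$t"
        ifconfig "$t" 0.0.0.0 promisc up
    done

    # eth0 and tap0 are now ports of br0; the IP moves to br0.
    ifconfig "$eth" 0.0.0.0 promisc up
    ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" up

    # 2. Put the default route back, now via br0.
    route add default gw "$gw" dev "$br"
}

bridge_stop() {
    gw=$(route -n | default_gw_from_route_table)
    gw=${gw:-$fallback_gw}

    ifconfig "$br" down
    brctl delbr "$br"
    for t in $tap; do
        openvpn --rmtun --dev "$t"
    done

    # Give eth0 back its address AND its default route; re-adding only the
    # address (as in the post) leaves the host with no path back to the WAN.
    ifconfig "$eth" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" up
    route add default gw "$gw" dev "$eth"
}

case "${1:-}" in
    start) bridge_start && check_default_route "$br" ;;
    stop)  bridge_stop  && check_default_route "$eth" ;;
    *)
        echo "usage: $0 start|stop" >&2
        echo "demo: default gateway in the constructed sample table is $(printf '%s\n' "$SAMPLE_ROUTE_TABLE" | default_gw_from_route_table)"
        ;;
esac
```

Two further checks worth making after `start`: br0 inherits eth0's MAC (the ifconfig output above shows the same 08:00:27:74:30:E0 on both), so the ADSL router's ARP entry stays valid and is not the cause; but any iptables rules written with `-i eth0` no longer match, because the IP-level traffic now arrives on br0. Also keep in mind what bridged mode buys you: every VPN client sits on the LAN's layer-2 segment, so its broadcasts and ARP reach every LAN host, which is exactly what was wanted here but widens what a compromised client can reach.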