XTang, I have a question I'd like your help with, or at least a primer on what br0, tap0 and the like are. Thanks :)
The environment is a bit complicated.
1. An ADSL modem. Assume its external IP is 222.128.6.100; the internal network is 192.168.1.*.
2. Behind it there is an XP machine with IP 192.168.1.6. (To reach it from outside, port 3389 is opened on the ADSL modem.)
3. VirtualBox is installed on the XP machine and runs CentOS. Networking uses a bridged adapter; its IP is 192.168.1.15 (port 22 is opened so it can be reached by SSH from outside).
4. An OpenVPN server is also installed on the CentOS guest, with port 1194 opened.
Up to this point everything works.
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:74:30:E0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:151 errors:0 dropped:0 overruns:0 frame:0
TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24192 (23.6 KiB) TX bytes:12307 (12.0 KiB)
Interrupt:10 Base address:0xd020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1167 errors:0 dropped:0 overruns:0 frame:0
TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2001152 (1.9 MiB) TX bytes:2001152 (1.9 MiB)
But I want to switch OpenVPN from routed mode to bridged mode so that broadcasts can pass through. Bridging mode is therefore needed,
so I run the bridge-start script:
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.15"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
# Create the persistent TAP device(s). ./openvpn is the binary in the
# current source directory (openvpn-2.1.1 here); use the installed path otherwise.
for t in $tap; do
    ./openvpn --mktun --dev $t
done
# Create the bridge and enslave the physical NIC and the TAP device(s).
# Bridge ports carry no IP address of their own; they only forward frames.
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
# Removing eth0's address also drops the kernel routes that went via eth0
# (including the default route); only the bridge address is configured below.
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
The network state is then:
[root@localhost openvpn-2.1.1]# ifconfig
br0 Link encap:Ethernet HWaddr 08:00:27:74:30:E0
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2709 (2.6 KiB) TX bytes:5896 (5.7 KiB)
eth0 Link encap:Ethernet HWaddr 08:00:27:74:30:E0
inet6 addr: fe80::a00:27ff:fe74:30e0/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2266 errors:0 dropped:0 overruns:0 frame:0
TX packets:559 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:340045 (332.0 KiB) TX bytes:68175 (66.5 KiB)
Interrupt:10 Base address:0xd020
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1167 errors:0 dropped:0 overruns:0 frame:0
TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2001152 (1.9 MiB) TX bytes:2001152 (1.9 MiB)
tap0 Link encap:Ethernet HWaddr BA:CF:C4:A9:D9:FF
inet6 addr: fe80::b8cf:c4ff:fea9:d9ff/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:24 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Now the problem appears: within the LAN, SSH connections and everything else work fine, but connections from outside no longer work. It seems the port mapping has stopped working!
After that, even calling bridge-stop and manually adding the IP back (ifconfig eth0 192.168.1.15 netmask 255.255.255.0) doesn't help.
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
ifconfig $br down
brctl delbr $br
for t in $tap; do
    ./openvpn --rmtun --dev $t
done
# eth0 is left up, promiscuous and without an address or routes: its address
# and the default route have to be configured again by hand afterwards.
I'm not quite sure how to phrase the question. What is the relationship between br0, tap0 and eth0, and what subtle effects do they have on the network?
Mainly: why do these operations not affect the LAN, yet break the port mapping so that connections from outside can no longer get in?
The relevant OpenVPN options are explained as follows:
TUN/TAP persistent tunnel config mode:
Available with linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels.
--mktun
(Standalone) Create a persistent tunnel on platforms which support them such as Linux. Normally TUN/TAP tunnels exist only for the period of time that an application has them open. This option takes advantage of the TUN/TAP driver's ability to build persistent tunnels that live through multiple instantiations of OpenVPN and die only when they are deleted or the machine is rebooted.
One of the advantages of persistent tunnels is that they eliminate the need for separate --up and --down scripts to run the appropriate ifconfig(8) and route(8) commands. These commands can be placed in the same shell script which starts or terminates an OpenVPN session.
Another advantage is that open connections through the TUN/TAP-based tunnel will not be reset if the OpenVPN peer restarts. This can be useful to provide uninterrupted connectivity through the tunnel in the event of a DHCP reset of the peer's public IP address (see the --ipchange option above).
One disadvantage of persistent tunnels is that it is harder to automatically configure their MTU value (see --link-mtu and --tun-mtu above).
On some platforms such as Windows, TAP-Win32 tunnels are persistent by default.
--rmtun
(Standalone) Remove a persistent tunnel.
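Added diagnostic for the setup in the post above; it is not part of the original post and not one of OpenVPN's sample scripts. On a Linux bridge the bridge device (br0) owns the IP address and MAC, while eth0 and tap0 are its ports: they carry no address, run promiscuous, and only forward frames between each other by MAC. When bridge-start sets eth0 to 0.0.0.0, the kernel also drops the routes that pointed out of eth0, including the default route to the ADSL modem, and the script configures only br0's address. Hosts on 192.168.1.0/24 stay reachable through the connected route, but a reply to an Internet address then has no route, which would match the symptom described; the post does not show the routing table, so the script below checks exactly that. It parses ifconfig and route -n text in the net-tools format shown in the post. The gateway address 192.168.1.1, the sample outputs, and the --live path (which assumes the post's bridge-start script sits in the current directory) are my assumptions.

```shell
#!/bin/bash
# Added example (not from the post or from OpenVPN): check the bridge state and
# the default route after bridge-start. Parsers expect the net-tools output
# format shown in the post ("inet addr:" lines, "route -n" columns).

# Constructed sample: routing table before bridge-start. The gateway
# 192.168.1.1 is an assumed address for the ADSL modem's LAN side.
ROUTES_BEFORE=$(cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
EOF
)
# Constructed sample: after bridge-start only the connected route survives, on br0.
ROUTES_AFTER=$(cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
EOF
)
# Constructed sample: after the default route has been re-added on br0.
ROUTES_FIXED="$ROUTES_AFTER
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0"
# Constructed sample: abbreviated ifconfig output after bridge-start.
IFCONFIG_AFTER=$(cat <<'EOF'
br0       Link encap:Ethernet  HWaddr 08:00:27:74:30:E0
          inet addr:192.168.1.15  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0      Link encap:Ethernet  HWaddr 08:00:27:74:30:E0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
tap0      Link encap:Ethernet  HWaddr BA:CF:C4:A9:D9:FF
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
EOF
)

# default_gw_of ROUTE_TEXT: print "<gateway> <iface>" of the default route,
# exit status 1 when there is none.
default_gw_of() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $8; found = 1 }
        END { exit found ? 0 : 1 }'
}

# addr_owner IFCONFIG_TEXT IP: print the interface carrying IP, status 1 if none.
addr_owner() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[A-Za-z]/ { iface = $1 }     # an unindented line starts a new interface
        /inet addr:/ { split($2, a, ":"); if (a[2] == want) { print iface; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# check_bridge_state IFCONFIG_TEXT ROUTE_TEXT BRIDGE IP: status 0 when the bridge
# owns IP and the default route leaves through it, 1 with a reason otherwise.
check_bridge_state() {
    local ifcfg="$1" routes="$2" bridge="$3" ip="$4" owner gw gw_ip gw_if
    owner=$(addr_owner "$ifcfg" "$ip") || { echo "FAIL: $ip is configured on no interface"; return 1; }
    [ "$owner" = "$bridge" ] || { echo "FAIL: $ip sits on $owner, not on $bridge"; return 1; }
    gw=$(default_gw_of "$routes") || {
        echo "FAIL: no default route; LAN hosts stay reachable via the connected route,"
        echo "      but replies to Internet addresses (the port-forwarded connections) have no path"
        return 1
    }
    gw_ip=${gw% *}; gw_if=${gw#* }
    [ "$gw_if" = "$bridge" ] || { echo "FAIL: default route leaves via $gw_if, not $bridge"; return 1; }
    echo "OK: $ip on $bridge, default gateway $gw_ip via $bridge"
}

# Live helpers (root on the CentOS guest): record the gateway before bridging
# and put it back on the bridge afterwards, in the post's net-tools syntax.
save_default_gw()    { default_gw_of "$(route -n)"; }
restore_default_gw() { route add default gw "${1% *}" "$2"; }   # $1 from save_default_gw, $2 bridge

if [ "$1" = "--live" ]; then
    saved=$(save_default_gw) || { echo "no default route before bridging"; exit 1; }
    ./bridge-start                       # assumed: the post's script in the current directory
    restore_default_gw "$saved" br0
    check_bridge_state "$(ifconfig)" "$(route -n)" br0 192.168.1.15
else
    # Offline demo on the constructed samples: the first call reports the missing
    # default route, the second passes once it has been re-added on br0.
    check_bridge_state "$IFCONFIG_AFTER" "$ROUTES_AFTER" br0 192.168.1.15 || true
    check_bridge_state "$IFCONFIG_AFTER" "$ROUTES_FIXED" br0 192.168.1.15 || true
fi
```

Run it without arguments to see the two verdicts on the constructed samples; with --live it records the current gateway, runs the post's bridge-start, re-adds the gateway on br0 and checks the result. The same check after bridge-stop shows why a bare ifconfig on eth0 is not enough: it restores the address but not the default route.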