There are 2 servers, FreeBSD1 and FreeBSD2.
They are configured as follows:
FreeBSD1
vlan2 ip 192.168.10.113/24 LAN
vlan4 ip 10.0.28.194/30 ISP
Tunnel settings:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
tunnel inet 10.0.28.194 --> 10.0.28.170
inet 192.168.10.113 --> 192.168.14.1 netmask 0xffffffff
options=1<ACCEPT_REV_ETHIP_VER>
ipfw rules:
# ipfw sh | more
ipfw: DEPRECATED: 'sh' matched 'show' as a sub-string
00001 1568 93712 allow ip from any to any via gif0
00100 9549 5434190 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 34173 33074300 allow tcp from me 20,21 to any keep-state
00600 380 16356 deny tcp from any 135,137-139 to any
00700 564793 52470603 deny udp from any 135,137-139 to any
00800 4401150 3586422614 allow ip from 172.16.16.0/24 to 192.168.10.100
00900 2260086 173715574 allow ip from 192.168.10.100 to 172.16.16.0/24
01000 107 13276 allow ip from 172.16.16.0/24 to 192.168.10.103
01000 83 11590 allow ip from 192.168.10.103 to 172.16.16.0/24
10000 85025 4724201 divert 8668 ip from 172.16.16.0/24 to any out via vlan2
10100 36172 9143413 divert 8668 ip from 192.168.10.0/24 to any out via vlan2
10200 172805 7545755 divert 8668 ip from 192.168.11.0/24 to any out via vlan2
10300 396447 483817456 divert 8668 ip from any to 172.16.24.113 in via vlan2
10400 13698 1886743 divert 8668 ip from any to 192.168.10.113 in via vlan2
10500 33984 1361253 allow icmp from any to any icmptypes 0,3,4,8,11
10600 739095 507665509 allow ip from me to any
10700 439696 490862792 allow ip from any to any in recv vlan2
10800 7042 695318 allow tcp from any to me established
10900 0 0 allow ospf from any to me
11000 68 4352 allow ospf from any to 224.0.0.5
11100 0 0 allow ospf from any to 224.0.0.6
11200 0 0 allow ospf from me to any
11300 61 2996 allow tcp from any to me dst-port 22,80,53,1723,3128 setup
11400 0 0 allow gre from any to me setup
11500 34912 3318242 fwd 127.0.0.1,3128 tcp from 192.168.11.0/24 to any dst-port 80
11600 3265 208018 allow udp from any to any dst-port 53
11900 171551 7495224 allow ip from 192.168.11.0/24 to any
12000 349204 463288016 allow ip from any to 192.168.11.0/24
12100 85904 4766726 allow ip from 172.16.16.0/24 to any
12200 29036 4911698 allow ip from any to 172.16.16.0/24
12300 11950 3913962 allow ip from 192.168.10.0/24 to any
12400 35614 16199332 allow ip from any to 192.168.10.0/24
12500 348917 24633634 allow ip from 10.0.28.160/27 to any
12600 0 0 allow ip from any to 10.0.28.160/27
12650 3094 148512 allow ip from 192.168.14.0/24 to any
12650 0 0 allow ip from any to 192.168.14.0/24
65535 396 84389 deny ip from any to any
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.16.24.1 UGS 608 261835 vlan2
10.0.15.0/24 10.0.28.193 UG1 0 0 vlan4
10.0.28.160/27 10.0.28.193 UG1 0 421333 vlan4
10.0.28.192/30 link#10 U 0 30 vlan4
10.0.28.194 link#10 UHS 0 186 lo0
127.0.0.1 link#6 UH 0 1434 lo0
172.16.0.0/24 link#9 U 0 6707 vlan3
172.16.0.1 link#9 UHS 0 0 lo0
172.16.16.0/24 link#11 U 1 1162067 vlan5
172.16.16.1 link#11 UHS 0 0 lo0
172.16.24.0/24 link#8 U 13 12554 vlan2
172.16.24.113 link#8 UHS 0 0 lo0
172.18.18.0/24 link#3 U 0 0 xl0
172.18.18.1 link#3 UHS 0 0 lo0
192.168.10.0/24 link#8 U 1 2589004 vlan2
192.168.10.113 link#7 UHS 1 3357 lo0
192.168.14.0/24 192.168.14.1 UGS 0 112 gif0
192.168.14.1 link#7 UH 0 790 gif0
=======================================================================================
FreeBSD2
rl0 ip 192.168.14.1/24 LAN
rl1 ip 10.0.28.170/27 ISP
tunnel settings:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
tunnel inet 10.0.28.170 --> 10.0.28.194
inet 192.168.14.1 --> 192.168.10.113 netmask 0xffffff00
options=1<ACCEPT_REV_ETHIP_VER>
# ipfw sh|more
ipfw: DEPRECATED: 'sh' matched 'show' as a sub-string
00001 2584 199072 allow ip from any to any via gif0
65000 14555 3110317 allow ip from any to any
65535 0 0 deny ip from any to any
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.10.113 UGS 0 2943 gif0
10.0.28.160/27 link#2 U 0 0 re1
10.0.28.170 link#2 UHS 0 0 lo0
10.0.28.194 10.0.28.161 UGHS 0 4267 re1
127.0.0.1 link#6 UH 0 136 lo0
192.168.10.0/24 192.168.10.113 UGS 0 0 gif0
192.168.10.113 link#7 UH 0 1327 gif0
192.168.14.0/24 link#3 U 0 306 re2
192.168.14.1 link#3 UHS 1 0 lo0
Right after ssh hangs, I start connecting again using the same scheme, FreeBSD1 > ssh > FreeBSD2, and everything is fine. After 3-5 minutes the situation repeats. Clients on the FreeBSD2 side complain that uploads to the FTP server (on the FreeBSD1 side) stop at 10-20%.
A piece of the tcpdump log from the FreeBSD1 server at exactly the moment when ssh and all the other services hang:
# tcpdump -i gif0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
17:35:00.364239 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [.], ack 64, win 8326, options [nop,nop,TS val 2253429692 ecr 89255782], length 0
17:35:00.687251 IP 192.168.14.7.3384 > 192.168.0.20.3402: Flags [S], seq 219138927, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:02.318831 IP 192.168.14.10.2693 > 192.168.0.20.3402: Flags [S], seq 2070203026, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:03.642198 IP 192.168.14.7.3384 > 192.168.0.20.3402: Flags [S], seq 219138927, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:05.282035 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 89260679 ecr 2253367905,nop,nop,sack 1 {49:1105}], length 48
17:35:05.359738 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434727 ecr 89260679], length 48
17:35:05.359758 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260754 ecr 2253367905,nop,nop,sack 1 {49:1153}], length 0
17:35:05.371363 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.371377 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260765 ecr 2253367905,nop,nop,sack 1 {49:1201}], length 0
17:35:05.377967 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.377980 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260771 ecr 2253367905,nop,nop,sack 1 {49:1249}], length 0
17:35:05.384620 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.384633 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260778 ecr 2253367905,nop,nop,sack 1 {49:1297}], length 0
17:35:05.391272 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.391285 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260784 ecr 2253367905,nop,nop,sack 1 {49:1345}], length 0
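The capture above is easier to read once the packets are grouped per flow: the client side (192.168.10.113:16901) keeps answering with ack 1 while the SACK block it reports grows by 48 bytes each time ({49:1105}, {49:1153}, ... {49:1345}), so later data from the sshd side is arriving but the 48 bytes right after the ACK point never do. The following script is an added example, not part of the original post; it parses the tcpdump lines quoted above (copied verbatim into SAMPLE) and flags any flow where the ACK number stops advancing while SACK blocks keep being reported. It assumes the default tcpdump output format with relative sequence numbers, as in the post, and it only describes what the trace shows; it does not try to say why the segment is missing.

```python
"""Flag a stalled TCP receive hole in a tcpdump trace (added example)."""
import re
from collections import defaultdict

# Capture lines copied from the post (tcpdump -i gif0 -n on FreeBSD1).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
17:35:00.364239 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [.], ack 64, win 8326, options [nop,nop,TS val 2253429692 ecr 89255782], length 0
17:35:00.687251 IP 192.168.14.7.3384 > 192.168.0.20.3402: Flags [S], seq 219138927, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:02.318831 IP 192.168.14.10.2693 > 192.168.0.20.3402: Flags [S], seq 2070203026, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:03.642198 IP 192.168.14.7.3384 > 192.168.0.20.3402: Flags [S], seq 219138927, win 65535, options [mss 1460,nop,nop,sackOK], length 0
17:35:05.282035 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 89260679 ecr 2253367905,nop,nop,sack 1 {49:1105}], length 48
17:35:05.359738 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434727 ecr 89260679], length 48
17:35:05.359758 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260754 ecr 2253367905,nop,nop,sack 1 {49:1153}], length 0
17:35:05.371363 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.371377 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260765 ecr 2253367905,nop,nop,sack 1 {49:1201}], length 0
17:35:05.377967 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.377980 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260771 ecr 2253367905,nop,nop,sack 1 {49:1249}], length 0
17:35:05.384620 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.384633 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260778 ecr 2253367905,nop,nop,sack 1 {49:1297}], length 0
17:35:05.391272 IP 192.168.14.1.22 > 192.168.10.113.16901: Flags [P.], ack 112, win 8326, options [nop,nop,TS val 2253434728 ecr 89260679], length 48
17:35:05.391285 IP 192.168.10.113.16901 > 192.168.14.1.22: Flags [.], ack 1, win 8326, options [nop,nop,TS val 89260784 ecr 2253367905,nop,nop,sack 1 {49:1345}], length 0
"""

# One packet line of default "tcpdump -n" output (relative seq/ack numbers).
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")  # SACK blocks inside the options list


def parse_tcpdump(text):
    """Turn tcpdump output into a list of dicts; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts") or ""
        packets.append({
            "ts": m.group("ts"),
            "flow": f"{m.group('src')}:{m.group('sport')} > {m.group('dst')}:{m.group('dport')}",
            "flags": m.group("flags"),
            "ack": int(m.group("ack")) if m.group("ack") else None,
            "length": int(m.group("length")),
            "sack": [(int(a), int(b)) for a, b in SACK_RE.findall(opts)],
        })
    return packets


def _describe(flow, run):
    """Summarise a run of packets that all carry the same ACK plus SACK blocks."""
    ack = run[0]["ack"]
    first_left = run[0]["sack"][0][0]
    return {
        "flow": flow,
        "ack": ack,
        "hole": (ack, first_left - 1),      # relative bytes the receiver never got
        "hole_bytes": first_left - ack,
        "count": len(run),
        "sack_right_first": run[0]["sack"][0][1],
        "sack_right_last": run[-1]["sack"][0][1],
        "first_ts": run[0]["ts"],
        "last_ts": run[-1]["ts"],
    }


def find_stalled_holes(packets, min_run=3):
    """Return one record per flow whose ACK is stuck while SACK blocks keep coming."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[p["flow"]].append(p)

    findings = []
    for flow, pkts in by_flow.items():
        run = []
        for p in pkts + [None]:             # None is a sentinel that flushes the last run
            reportable = p is not None and p["sack"] and p["ack"] is not None
            if reportable and (not run or run[-1]["ack"] == p["ack"]):
                run.append(p)
                continue
            if len(run) >= min_run:
                findings.append(_describe(flow, run))
            run = [p] if reportable else []
    return findings


if __name__ == "__main__":
    for f in find_stalled_holes(parse_tcpdump(SAMPLE)):
        print(f"{f['flow']}: ack stuck at {f['ack']} for {f['count']} segments "
              f"({f['first_ts']} .. {f['last_ts']}), hole {f['hole']} = {f['hole_bytes']} bytes, "
              f"SACK right edge {f['sack_right_first']} -> {f['sack_right_last']}")
```

Run against the trace from the post it reports a single flow, 192.168.10.113:16901 > 192.168.14.1:22, with the ACK stuck at 1 for six segments and a 48-byte hole (1..48) while the SACK right edge climbs from 1105 to 1345. The same function works on a longer `tcpdump -n` capture; raise `min_run` to ignore the odd reordering and only keep holes that persist.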