при изменении:
route change default 10.0.0.1
в интернете остаются только пользователи сквида; меняем обратно:
route change default 170.112.31.1 - все в работе.
Пользователи с прямым подключением остаются без интернета.
Предполагаю косяк с правилами ipfw.
Прошу помощи.
Подробности:
провайдер 1 - статический ip
провайдер 2 - pppoe, статический ip, mpd5
FreeBSD 10.1
Ядро с опциями:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS
options ROUTETABLES=2
options IPFIREWALL_FORWARD
hostname="inet"
gateway_enable="YES"                     # this host forwards packets between re0/re1/re2
defaultrouter="170.112.31.1"             # uplink 1 (static IP) is the default route in FIB 0
# NOTE(review): setfib1_enable / setfib1_defaultroute are not rc.conf knobs I recognise
# from the base system -- confirm that something actually consumes them (the post switches
# the default route by hand with "route change", which suggests they may have no effect).
setfib1_enable="YES" #This is the second provider,
setfib1_defaultroute="10.0.0.1"
#LAN
ifconfig_re2="inet 192.168.101.254 netmask 0xffffff00"
#Uplink 2, PPPoE: re1 is the Ethernet the PPPoE session runs over; the session itself is brought up by mpd5
ifconfig_re1="inet 192.168.0.1 netmask 0xffffff00 -rxcsum -tso"
#Uplink 1, static IP
ifconfig_re0="inet 170.112.31.48 netmask 255.255.255.192 -rxcsum -tso"
squid_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rule"         # custom ruleset, run instead of /etc/rc.firewall
# NOTE(review): firewall_type is only read by /etc/rc.firewall; with firewall_script pointing
# at a custom script it appears to have no effect -- confirm, and consider dropping the line so
# nobody mistakes the ruleset for an "open" one.
firewall_type="open"
mpd_enable="YES"
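#!/bin/sh
# ipfw ruleset for a dual-uplink gateway (run from rc.conf via firewall_script).
#   uplink 1: static IP on re0
#   uplink 2: PPPoE via mpd5; re1 is the Ethernet the PPPoE session runs over
#   re2: LAN 192.168.101.0/24
# Most LAN clients reach the internet only through squid running on this host.
# Hosts listed in table 2 and destinations listed in table 3 are NATed directly,
# as are mail, DNS and the video-surveillance port.
#
# NOTE(review): nat 2 is bound to ${iProv2} = re1, the physical interface under the
# PPPoE session. If mpd5 brings the session up on its own netgraph interface (the
# usual mpd5 setup -- confirm the name with ifconfig while the session is up), then
# traffic routed via 10.0.0.1 leaves through that interface, never matches the
# "out via re1" nat rules below, and leaves un-NATed with a private source address.
# That would explain why only squid traffic (sourced from "me") keeps working when
# the default route is switched to uplink 2. If so, iProv2 / nat 2 must name the
# PPPoE interface, not re1.
#
# Deliberately no "set -e": a rule that fails to load (or "nat N delete" on a fresh
# boot, when the instance does not exist yet) must not abort loading the rest.
set -u

ipfw="/sbin/ipfw"
iProv1="re0"                  # uplink 1, static IP
Prov1IP="170.112.31.48"       # not referenced by the rules below
iProv2="re1"                  # uplink 2, Ethernet under the PPPoE session (see note above)
Prov2IP="192.168.0.1"         # not referenced by the rules below
iLocalNet="re2"               # LAN
LocalIP="192.168.101.254"
LocalNet="192.168.101.0/24"
# Port definitions =====================================================================
# These are expanded unquoted on purpose: the shell splits the list into separate
# ipfw arguments, which is how the original rules have always been loaded. Do not quote.
ssh="22"
video="37777"
pochta="25, 110, 465, 993, 995"   # mail: smtp, pop3, smtps, imaps, pop3s
#**************************************************************************************
${ipfw} -f flush
${ipfw} nat 1 delete
# Both NAT instances are (re)configured below, so drop nat 2 as well for symmetry;
# on a fresh boot neither exists and the delete simply reports an error.
${ipfw} nat 2 delete
# Anti-spoofing / sanity checks ========================================================
${ipfw} add 50 deny ip from any to any not verrevpath in
# Drops every fragment, including legitimate ones (large UDP, some VPNs).
${ipfw} add 100 deny ip from any to any frag
# Private / link-local ranges must never appear on either uplink.
${ipfw} add 120 reject ip from 192.168.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 125 reject ip from any to 192.168.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 130 reject ip from 172.16.0.0/12 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 135 reject ip from any to 172.16.0.0/12 in recv ${iProv1}, ${iProv2}
${ipfw} add 140 reject ip from 169.254.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 145 reject ip from any to 169.254.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 150 reject ip from ${LocalNet} to any in via ${iProv1}, ${iProv2}
# Malformed TCP flag combinations.
${ipfw} add 200 reject tcp from any to any not established tcpflags fin
${ipfw} add 250 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${ipfw} add 300 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
# NetBIOS in either direction.
${ipfw} add 350 deny all from any 137-139 to any
${ipfw} add 400 deny all from any to any dst-port 137-139
#**************************************************************************************
# Internet without the proxy (table 2). Table 1 is owned by bruteblockd. ==============
${ipfw} table 2 add 192.168.101.36
${ipfw} table 2 add 192.168.101.197
${ipfw} table 2 add 192.168.101.21
${ipfw} table 2 add 192.168.101.12
#**************************************************************************************
# Direct access to these destinations (table 3) ========================================
${ipfw} table 3 add 195.149.70.70 #Mesplan
#**************************************************************************************
# Block everything bruteblockd has caught ==============================================
${ipfw} add 450 deny all from "table(1)" to me
#**************************************************************************************
# Allow everything on loopback =========================================================
${ipfw} add 500 allow all from any to any via lo0
#**************************************************************************************
# Allow squid: LAN -> gateway, and anything squid itself sends =========================
${ipfw} add 550 allow all from ${LocalNet} to ${LocalIP}
${ipfw} add 600 allow all from any to any uid squid
#**************************************************************************************
# SSH ==================================================================================
${ipfw} add 650 allow tcp from any to me ${ssh} keep-state
#**************************************************************************************
# NAT configuration (one instance per uplink) ==========================================
${ipfw} nat 1 config log if ${iProv1} reset same_ports deny_in
${ipfw} nat 2 config log if ${iProv2} reset same_ports deny_in
#**************************************************************************************
# Mail through NAT =====================================================================
${ipfw} add 700 nat 1 ip from ${LocalNet} to any ${pochta} out via ${iProv1}
${ipfw} add 701 nat 2 ip from ${LocalNet} to any ${pochta} out via ${iProv2}
#**************************************************************************************
# Video surveillance ===================================================================
${ipfw} add 750 nat 1 ip from ${LocalNet} to any ${video} out via ${iProv1}
${ipfw} add 751 nat 2 ip from ${LocalNet} to any ${video} out via ${iProv2}
#**************************************************************************************
# DNS from the LAN (domain controller) =================================================
${ipfw} add 800 nat 1 udp from ${LocalNet} to any 53 out via ${iProv1}
${ipfw} add 801 nat 2 udp from ${LocalNet} to any 53 out via ${iProv2}
#**************************************************************************************
# Internet without the proxy ===========================================================
${ipfw} add 850 nat 1 ip from "table(2)" to any out via ${iProv1}
${ipfw} add 851 nat 2 ip from "table(2)" to any out via ${iProv2}
${ipfw} add 900 nat 1 ip from ${LocalNet} to "table(3)" out via ${iProv1}
${ipfw} add 901 nat 2 ip from ${LocalNet} to "table(3)" out via ${iProv2}
# Inbound on the uplinks: un-NAT replies (deny_in drops anything without a translation).
${ipfw} add 950 nat 1 ip from any to any in via ${iProv1}
${ipfw} add 951 nat 2 ip from any to any in via ${iProv2}
#**************************************************************************************
# Allow what the NAT rules above translate =============================================
# Direct access (table 2 hosts)
${ipfw} add 1000 allow all from "table(2)" to not ${LocalNet} in via ${iLocalNet}
# Direct access to selected destinations (table 3)
${ipfw} add 1050 allow all from ${LocalNet} to "table(3)" in via ${iLocalNet}
# Mail
${ipfw} add 1100 allow all from ${LocalNet} to not ${LocalNet} ${pochta} in via ${iLocalNet}
# DNS
${ipfw} add 1150 allow udp from ${LocalNet} to not ${LocalNet} 53 in via ${iLocalNet}
# Video surveillance
${ipfw} add 1200 allow all from ${LocalNet} to not ${LocalNet} ${video} in via ${iLocalNet}
#**************************************************************************************
# Replies back into the LAN (stateless: relies on deny_in in the nat config) ===========
${ipfw} add 1250 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv1}
${ipfw} add 1251 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv2}
${ipfw} add 1300 allow all from not ${LocalNet} to ${LocalNet} out via ${iLocalNet}
# The original listing had this separator without a leading '#': the shell then
# expanded the asterisks as a glob and tried to execute the first file in the
# current directory. Always keep it a comment.
#**************************************************************************************
# Allow the gateway itself to reach the internet =======================================
${ipfw} add 1350 allow all from me to any
#**************************************************************************************
# Anything after this point is not part of this listing. Without
# IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config, the implicit rule 65535
# denies everything not explicitly allowed above.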