FreeBSD: switching between uplinks

Configuring network services, routing, firewalls. Problems with network equipment.
Forum rules
Please use [code] tags when posting listings.
Messages that are not formatted properly have every chance of going unnoticed.
svetogor82
private
Posts: 43
Joined: 2009-11-16 20:33:38

FreeBSD: switching between uplinks

Unread post by svetogor82 » 2014-03-03 9:24:21

I have FreeBSD 10 and am setting up switching between uplinks.
Periodically the network drops; if I run tcpdump at that moment:
tcpdump -i ste0

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ste0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:33:18.769631 
tcpdump -i rl0

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 65535 bytes 
pf.conf

Code:

int_if="age0" #lan
ext_if_2="ste0" #wan2
ext_if_1="rl0" #wan

internal_net="10.0.8.0/24" #
local_if="lo0" # 127.0.0.1

ext_addr_1="109.206.у.у" # IPS_1 wan
ext_addr_2="95.128.xx" # IPS_2 wan
int_addr="10.0.8.20" # LAN IP

gw_1="109.206.w.w" # IPS_1 gw
gw_2="95.128.q.q" # IPS_2 gw


tcp_svc="{ssh, www}" # ports allowed on the external interfaces.

set block-policy drop
set skip on lo0
set fingerprints "/etc/pf.os"
set debug urgent
set require-order yes
set loginterface $ext_if_1
set loginterface $ext_if_2
set timeout { frag 10, tcp.established 3600 udp.first 300, udp.single 150, udp.multiple 900 }
icmp_types="{ echoreq, unreach }"

table <internal_net> {10.0.8.2/31, 10.0.8.4/30, 10.0.8.8/30, 10.0.8.12/31, 10.0.8.40, 10.0.8.41, 10.0.8.42, 10.0.8.43, 10.0.8.44, 10.0.8.45, 10.0.8.46, 10.0.8.47, 10.0.8.48, 10.0.8.49, 10.0.8.80, 10.0.8.81, 10.0.8.82 10.0.8.85, 10.0.8.86, 10.0.8.87, 10.0.8.88, 10.0.8.89, 10.0.8.90, 10.0.8.91 10.0.8.89 10.0.8.254}


scrub in all fragment reassemble
scrub out all random-id

nat-anchor "ftp-proxy/*"

nat on $ext_if_1 from <internal_net> to any -> ($ext_if_1) static-port
nat on $ext_if_2 from <internal_net> to any -> ($ext_if_2) static-port

rdr-anchor "ftp-proxy/*"

#RDR

rdr on $ext_if_2 proto tcp from any to $ext_addr_2 port 21  -> 127.0.0.1 port 8021
rdr on $ext_if_1 proto tcp from any to $ext_addr_1 port 21  -> 127.0.0.1 port 8021

#squid
rdr on $int_if proto tcp from $internal_net to any port 80 -> 10.0.8.20 port 3128

#telefon
rdr on $ext_if_1 proto { tcp udp } from any to $ext_addr_1 port 5060:5070 tag EXT_IF_A -> 10.0.8.8
rdr on $ext_if_1  proto { tcp udp } from any to $ext_addr_1 port 17000:30000 tag EXT_IF_A  -> 10.0.8.8

rdr on $ext_if_2 proto { tcp udp } from any to $ext_addr_2 port 5060:5070 tag EXT_IF_B -> 10.0.8.8
rdr on $ext_if_2  proto { tcp udp } from any to $ext_addr_2 port 17000:30000 tag EXT_IF_B  -> 10.0.8.8


##
block all
block in quick from urpf-failed label uRPF
block in quick from any os nmap to any


block in log quick proto tcp from any to any flags /S
block in log quick proto tcp from any to any flags /SFRA
block in log quick proto tcp from any to any flags /SFRAU
block in log quick proto tcp from any to any flags A/A
block in log quick proto tcp from any to any flags F/SFRA
block in log quick proto tcp from any to any flags U/SFRAU
block in log quick proto tcp from any to any flags SF/SF
block in log quick proto tcp from any to any flags SF/SFRA
block in log quick proto tcp from any to any flags SR/SR
block in log quick proto tcp from any to any flags FUP/FUP
block in log quick proto tcp from any to any flags FUP/SFRAUPEW
block in log quick proto tcp from any to any flags SFRAU/SFRAU
block in log quick proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick proto tcp from any to any flags FPU/SFRAUP
block in log quick proto tcp from any to any flags F/SFRA
block in log quick proto tcp from any to any flags P/P

#####
pass  out  log  on $ext_if_1 from any to any
pass  out  log  on $ext_if_2 from any to any


# OUTGOING ROUTE
# Route outgoing traffic

pass out route-to ($ext_if_1 $gw_1) inet from ($ext_if_1)
pass out route-to ($ext_if_2 $gw_2) inet from ($ext_if_2)

pass out inet from { $ext_if_1 $ext_if_2 } to (self:network)

pass  out  on {$ext_if_1, $ext_if_2} from any to any

pass in  on $int_if from $internal_net to $int_if
pass out  on $int_if from $internal_net to $int_if
pass in  on $int_if from $int_if to $internal_net
pass out  on $int_if from $int_if to $internal_net

#
antispoof quick for $int_if inet

# ICMP

# IPS_1
pass in on $ext_if_1 reply-to ($ext_if_1 $gw_1) inet proto icmp to ($ext_if_1) icmp-type $icmp_types
pass in on $ext_if_1 inet proto icmp from ($ext_if_1:network) to ($ext_if_1) icmp-type $icmp_types

# IPS_2
pass in on $ext_if_2 reply-to ($ext_if_2 $gw_2) inet proto icmp to ($ext_if_2) icmp-type $icmp_types
pass in on $ext_if_2 inet proto icmp from ($ext_if_2:network) to ($ext_if_2) icmp-type $icmp_types

# allow tcp ports

# IPS_1
pass in on $ext_if_1 reply-to ($ext_if_1 $gw_1) inet proto tcp to ($ext_if_1) port  $tcp_svc
pass in on $ext_if_1 inet proto tcp from ($ext_if_1:network) to ($ext_if_1) port $tcp_svc

# IPS_2
pass in on $ext_if_2 reply-to ($ext_if_2 $gw_2) inet proto tcp to ($ext_if_2) port  $tcp_svc
pass in on $ext_if_2 inet proto tcp from ($ext_if_2:network) to ($ext_if_2) port $tcp_svc

# INCOMING ROUTE

# IPS_1
pass in quick from ($ext_if_1:network) tagged EXT_IF_A keep state
pass in quick reply-to ($ext_if_1 $gw_1) tagged EXT_IF_A keep state

# IPS_2
pass in quick from ($ext_if_2:network) tagged EXT_IF_B keep state
pass in quick reply-to ($ext_if_2 $gw_2) tagged EXT_IF_B keep state


# FIREWALL
# allow everything inside the gateway's own address space
pass out inet from (self:network)
pass in inet proto icmp to (self:network)

# OUTGOING ROUTE
# Route outgoing traffic

pass out route-to ($ext_if_1 $gw_1) inet from ($ext_if_1)
pass out route-to ($ext_if_2 $gw_2) inet from ($ext_if_2)

pass out inet from { $ext_if_1 $ext_if_2 } to (self:network)



# LOCAL NETWORK
# Allow all traffic out of the local network

pass out on $int_if proto tcp  from any to any port 80
pass in on $int_if proto tcp  from any to any port 80
pass out on $int_if proto tcp  from any to any port 3128
pass in on $int_if proto tcp  from any to any port 3128
pass out on $int_if proto tcp from any to any port 443
pass in on $int_if proto tcp  from any to any port 443
pass out on $int_if proto udp from any to any port 53
pass in on $int_if proto udp from any to any port 53
pass out on $int_if proto { tcp udp } from any to any port 123
pass in on $int_if proto { tcp udp } from any to any port 123
pass out on $int_if proto { tcp udp } from any to any port 67:69
pass in on $int_if proto { tcp udp } from any to any port 67:69
pass in  on $int_if proto { tcp, udp } from any to  any port  161
pass out  on $int_if proto { tcp, udp } from any to any port 161
anchor "ftp-proxy/*" 
ifconfig

Code:

age0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
        ether 00:1d:60:7c:1d:d6
        inet 10.0.8.20 netmask 0xffff0000 broadcast 10.0.255.255
        inet6 fe80::21d:60ff:fe7c:1dd6%age0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
ste0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:22:15:d6:4c:03
        inet 95.128.xx netmask 0xfffffff8 broadcast 95.128.xxx.xxx
        inet6 fe80::222:15ff:fed6:4c03%ste0 prefixlen 64 scopeid 0x2
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2008<VLAN_MTU,WOL_MAGIC>
        ether 00:c0:26:2c:00:04
        inet 109.206.у.у netmask 0xffffff00 broadcast 109.206.yyy.yyy
        inet6 fe80::2c0:26ff:fe2c:4%rl0 prefixlen 64 scopeid 0x3
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active 
netstat -rn

Code:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            109.206.w.w      UGS         0      439    rl0
10.0.0.0/16        link#1             U           0        0   age0
10.0.8.20          link#1             UHS         0        0    lo0
95.128.xx/29        link#2             U           0        0   ste0
95.128.xx          link#2             UHS         0        0    lo0
109.206.у.у/24     link#3             U           0        0    rl0
109.206.у.у        link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0        0    lo0 
uplink switching script

Code:

#!/usr/bin/perl -w

use strict;
use warnings;
use Net::Ping;

# 1 - automatic link switching
# 2 - forced switch to the second link

my $action  = 1;
my $p       = Net::Ping->new("icmp");   # ICMP ping needs root
my $host_gw = "109.206.w.w";            # default gw (ISP 1)
my $gw      = "95.128.q.q";             # backup gw (ISP 2)
my $now     = localtime time;
my $google  = "8.8.8.8";
my $logfile = "./change_route.log";

# Current default gateway: second field of the "default" line of
# netstat -rn, or "" when there is no default route at all.
sub current_gw {
    my $line = `netstat -rn | grep '^default'`;
    my @b = split(/\s+/, $line, 3);
    return defined $b[1] ? $b[1] : "";
}

sub log_change {
    my ($new_gw) = @_;
    open(my $log, ">>", $logfile) or die "cannot open $logfile: $!";
    print $log "[!] $now Route change to $new_gw\n";
    close($log);
}

# Point the default route at $new_gw (add it if there is none yet).
sub set_default {
    my ($cur, $new_gw) = @_;
    if ($cur eq "") {
        `route add default $new_gw`;
    } else {
        `route change default $new_gw`;
    }
    log_change($new_gw);
}

if ($action == 1) {
    my $cur = current_gw();
    if ($p->ping($google, 4)) {
        print "host $host_gw is ok\n";
        set_default($cur, $host_gw) if $cur ne $host_gw;
    } else {
        print "host $host_gw is bad.\n";
        set_default($cur, $gw) if $cur ne $gw;
    }
    $p->close();
}

if ($action == 2) {
    my $cur = current_gw();
    set_default($cur, $gw) if $cur ne $gw;
}
If I run the uplink switching script by hand I get
/usr/scripts/route.sh

Code:

host 109.206.w.w is bad.
and the link does switch
netstat -rn

Code:

default            95.128.q.q     UGS         0      451   ste0
10.0.0.0/16        link#1             U           0        0   age0
10.0.0.0/16        link#1             U           0        0   age0
10.0.8.20          link#1             UHS         0        0    lo0
95.128.xx/29        link#2             U           0        0   ste0
95.128.xx          link#2             UHS         0        0    lo0
109.206.у.у/24     link#3             U           0        0    rl0
109.206.у.у        link#3             UHS         0        0    lo0
127.0.0.1          link#6             UH          0        0    lo0	
If I run /usr/scripts/route.sh once more

Code:

host 109.206.w.w is ok
but packets still do not flow
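A failover checker along the lines the script above attempts, added here as an example and not the poster's code: it probes each uplink from that uplink's own source address rather than through whatever route is default at the moment, changes the route only when the decision differs from the current state, and flushes pf states afterwards. The gateway and source addresses are the thread's placeholders; the log path, the 3-packet probe and the use of pfctl -F states are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Failover check for the two-uplink
# setup in this thread; addresses are placeholders copied from the thread.
# Uses FreeBSD ping(8), route(8) and pfctl(8); needs root to change routes.
GW1="109.206.w.w"; SRC1="109.206.y.y"    # ISP 1 gateway / our rl0 address
GW2="95.128.q.q";  SRC2="95.128.x.x"     # ISP 2 gateway / our ste0 address
PROBE="8.8.8.8"
LOG="/var/log/change_route.log"          # assumed log location

# Extract the default gateway from `netstat -rn` text on stdin
# (prints nothing when there is no default route).
current_default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# Probe PROBE with packets sourced from one uplink's own address, so the
# result reflects that uplink and not whichever route is default now.
link_up() {
    ping -S "$1" -c 3 -t 5 "$PROBE" >/dev/null 2>&1
}

# Prefer ISP 1 when it works, fall back to ISP 2, otherwise print nothing.
choose_gw() {   # $1 = primary "up"/"down", $2 = backup "up"/"down"
    if [ "$1" = up ]; then echo "$GW1"
    elif [ "$2" = up ]; then echo "$GW2"
    fi
}

# Change the default route only if it differs from the wanted gateway, then
# flush pf states: states created while the old link was default stay bound
# to that link and would otherwise hang until they time out.
apply_gw() {    # $1 = current gateway ("" if none), $2 = wanted gateway
    [ -n "$2" ] || { echo "both uplinks down, keeping current route"; return 1; }
    [ "$1" != "$2" ] || return 0
    if [ -z "$1" ]; then route add default "$2"; else route change default "$2"; fi
    pfctl -F states
    echo "[!] $(date) default gateway changed from '$1' to $2" >> "$LOG"
}

main() {
    cur=$(netstat -rn | current_default_gw)
    p=down; link_up "$SRC1" && p=up
    b=down; link_up "$SRC2" && b=up
    apply_gw "$cur" "$(choose_gw "$p" "$b")"
}

case "${1:-}" in run) main ;; esac    # e.g. from cron: sh failover.sh run
```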


svetogor82
private
Posts: 43
Joined: 2009-11-16 20:33:38

Re: FreeBSD: switching between uplinks

Unread post by svetogor82 » 2014-03-04 11:57:22

I have sorted out that problem.
Now packets from inside the network do not go out.
tcpdump -i age0 host 10.0.8.47

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on age0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:52:21.027331 IP 10.0.8.47 > google-public-dns-a.google.com: ICMP echo request, id 512, seq 18432, length 40
12:52:26.304552 IP 10.0.8.47 > google-public-dns-a.google.com: ICMP echo request, id 512, seq 18688, length 40
12:52:31.806026 IP 10.0.8.47 > google-public-dns-a.google.com: ICMP echo request, id 512, seq 18944, length 40
12:52:37.302871 IP 10.0.8.47 > google-public-dns-a.google.com: ICMP echo request, id 512, seq 19200, length 40
nothing on the external interfaces
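A likely cause of this second symptom, judging from the ruleset in the first post, with the check and the corrective rule as an added example that is not part of the poster's pf.conf. It assumes the $int_if and $icmp_types macros and the <internal_net> table defined there.

```pf
# Added example, not from the poster's ruleset. Assumes $int_if, $icmp_types
# and the <internal_net> table from the thread.

# Weak: the only "pass in on $int_if" rules are per-port TCP/UDP ones and
# "from $internal_net to $int_if" (LAN -> the gateway's own address), so an
# echo request from 10.0.8.47 to 8.8.8.8 arriving on age0 matches no pass
# rule and is dropped by "block all" before it can reach a WAN interface:
#   block all
#   pass in on $int_if from $internal_net to $int_if
#   pass in on $int_if proto tcp from any to any port 80

# Check: log what the default block drops (replaces the plain "block all")
# and watch pflog0 while the client pings.
block log all
#   tcpdump -n -e -ttt -i pflog0 host 10.0.8.47

# Fix: explicitly pass LAN-originated ICMP in on the LAN interface; the
# reply comes back through the state, so no extra rule is needed for it.
pass in on $int_if inet proto icmp from <internal_net> to any icmp-type $icmp_types keep state
```

Other LAN-to-Internet protocols that should be allowed need their own "pass in on $int_if ... to any" rule in the same way; the existing per-port rules already cover 80 (via squid), 443, 53, 123, 67:69 and 161.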