ipf + ipnat + squid: the clients have no ping, but Internet works

Page 1 / 3

Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 9:50 am

When switching to another provider, something incomprehensible is going on. The system was set up by someone else before me. In short, what happens is: the clients have Internet, but from the console there is no ping to the Internet. nylon also stops working. Where should I dig?


STALKER_SLX
(@stalker_slx)
Trusted Member
Joined: 9 months ago
Posts: 99
13/07/2019 10:15 am

Describe in more detail what you have there! So that we don't have to guess, answer the following questions right away.

1. What OS is used (linux, FreeBSD, pfsense or something else)? Which OS release?

2. Before the provider change there were no "problems like this"?! And was there ping before the provider change? Or maybe it is blocked by the firewall (that is, the passage of ICMP packets)?!

3. What settings did you change after the provider change (which configs did you edit)?!

4. Is there ping on the gateway itself?

5. When did the problems start? More precisely, after which actions/manipulations on your side?


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:22 am

1. FreeBSD 10.3 is used

2. Before the provider change there were no such problems. The new provider gave us Internet for debugging; for now it is still possible to switch between them physically.

3. rc.conf, ipnat.rules and ipf.rules were edited.

4. There is ping only from the gateway.

5. The problems started after physically re-plugging the cable

If I go back to the old provider, everything is fine.

I also noticed an interface called ng0

and with the new provider the tunnel is not created, which is in principle understandable.


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:23 am

Right now there is still the possibility to switch between the providers.


STALKER_SLX
(@stalker_slx)
Trusted Member
Joined: 9 months ago
Posts: 99
13/07/2019 10:32 am

Then show your configs (attach them to the message as attachments), the ones you are editing, including "nylon".


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:41 am

rc.conf

hostname="gw.f67.donenergo.net"
background_fsck="NO"
fsck_y_enable="YES"

ifconfig_bce1="up"
ifconfig_bce1="DHCP"
ifconfig_bce0="inet 192.168.188.2 netmask 255.255.255.252"

static_routes="net188 net189 net190 net191 net192 net252 ascue de donen glonas ofd"

route_net188=" -net 192.168.188.0/24 192.168.188.1"
route_net189=" -net 192.168.189.0/24 192.168.188.1"
route_net190=" -net 192.168.190.0/24 192.168.188.1"
route_net191=" -net 192.168.191.0/24 192.168.188.1"
route_net192=" -net 192.168.192.0/24 192.168.188.1"
route_net252=" -net 192.168.190.252/30 192.168.188.1"
route_ascue=" -net 10.10.90.0/24 192.168.188.1"
route_de=" -net 192.168.70.0/24 192.168.188.1"
route_donen=" -net 192.168.10.0/24 192.168.188.1"

#old provider
route_glonas=" -net 87.117.31.0/24 83.221.*.*"
#route_glonas=" -net 87.117.31.0/24 91.230.*.*"

gateway_enable="YES"
router_enable="NO"

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"

syslogd_enable="YES"
syslogd_flags="-b 192.168.188.2 -c -n -s"

sshd_enable="YES"

ntpd_enable="YES"
ntpdate_program="/usr/local/bin/ntpdate"

apache24_enable="NO"

squid_enable="YES" #Anton

usbd_enable="YES"

mpd_enable="YES"
ppp_enable="NO"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="papchap"

openvpn_enable="NO"
openvpn_if="tun"
openvpn_flags=""
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"

sendmail_enable="NO"
webmin_enable="YES"
mysql_enable="NO"
samsd_enable="NO"

local_unbound_enable="YES"

nylon_enable="YES"


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:42 am

ipnat.rules

map ng0 192.168.188.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.188.0/24 -> 192.168.188.2/32

map ng0 192.168.189.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.189.0/24 -> 192.168.188.2/32

map ng0 192.168.190.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.190.0/24 -> 192.168.188.2/32

map ng0 192.168.191.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.191.0/24 -> 192.168.188.2/32

map ng0 192.168.192.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.192.0/24 -> 192.168.188.2/32

###############################################################
rdr ng0 192.168.188.0/24 -> 192.168.188.2 3128

rdr ng0 192.168.189.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.190.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.191.0/24 -> 192.168.188.2 3128
rdr ng0 192.168.192.0/24 -> 192.168.188.2 3128
#
rdr ng0 0/0 port 5432 -> 192.168.188.2 port 5432


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:45 am

ipf.rules

pass in quick on lo0 all
pass out quick on lo0 all
#######################

block out quick on ng0 from any to 192.168.0.0/16
block out quick on ng0 from any to 172.16.0.0/12
block out quick on ng0 from any to 127.0.0.0/8

block out quick on ng0 from any to 10.10.0.0/16
block out quick on ng0 from any to 10.8.0.0/16

block out quick on ng0 from any to 0.0.0.0/8
block out quick on ng0 from any to 169.254.0.0/16
block out quick on ng0 from any to 192.0.2.0/24
block out quick on ng0 from any to 204.152.64.0/23

block out quick on ng0 from any to 224.0.0.0/3

block in quick on ng0 from 192.168.0.0/16 to any
block in quick on ng0 from 172.16.0.0/12 to any
block in quick on ng0 from 127.0.0.0/8 to any

block in quick on ng0 from 10.10.0.0/16 to any
block in quick on ng0 from 10.8.0.0/16 to any

block in quick on ng0 from 0.0.0.0/8 to any
block in quick on ng0 from 169.254.0.0/16 to any
block in quick on ng0 from 192.0.2.0/24 to any
block in quick on ng0 from 204.152.64.0/23 to any

block in quick on ng0 from 224.0.0.0/3 to any

#################################################
block in log first quick on ng0 proto tcp/udp from any to any port = 135
block in log first quick on ng0 proto tcp/udp from any to any port = 136
block in log first quick on ng0 proto tcp/udp from any to any port = 137
block in log first quick on ng0 proto tcp/udp from any to any port = 138
block in log first quick on ng0 proto tcp/udp from any to any port = 139
block in log first quick on ng0 proto tcp/udp from any to any port = 445

#block in quick on bce0 proto udp from any to 8.8.8.8 port = 53

block in log first quick on bce0 proto tcp/udp from any to any port = 135
block in log first quick on bce0 proto tcp/udp from any to any port = 136
block in log first quick on bce0 proto tcp/udp from any to any port = 137
block in log first quick on bce0 proto tcp/udp from any to any port = 138
block in log first quick on bce0 proto tcp/udp from any to any port = 139
block in log first quick on bce0 proto tcp/udp from any to any port = 445

#################################################

pass in quick on bce0 proto tcp from 192.168.0.0/16 to 192.168.0.0/16 port = 80
block in quick on bce0 proto tcp from 192.168.0.0/16 to any port = 80

block in quick on ng0 from 192.168.189.2/32 to any port = 25
block in quick on bce0 from 192.168.189.2/32 to any port = 25

block in quick on ng0 from any to any port = 22273
block out quick on ng0 from any to any port = 22273

block in quick on ng0 from any to any port = 2915
block out quick on ng0 from any to any port = 2915

block in quick on ng0 from any to 213.252.*.*
block out quick on ng0 from 213.252.*.* to any

pass out quick on ng0 proto tcp from any to any port = 53 flags S keep state
pass out quick on ng0 proto udp from any to any port = 53 keep state

pass out quick on ng0 proto tcp from any to any port = 110 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 143 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 25 flags S keep state

pass out quick on ng0 proto tcp from any to any port = 5222 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 5222 flags S keep state

pass in quick on ng0 proto tcp from any to any port = 1194 flags S keep state
pass out quick on ng0 proto tcp from any to any port = 1194 flags S keep state

pass in quick on tun1 proto tcp from any to 10.10.90.1 port = 1433 flags S keep state
pass out quick on tun1 proto tcp from 10.10.90.1 to any port = 1433 flags S keep state

pass out quick on ng0 proto tcp from 192.168.192.2 to any port = 5190 flags S keep state

#pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 91.230.*.*
pass in quick on ng0 proto tcp/udp from 46.137.83.240 to 83.221.*.*
#pass out quick on ng0 proto tcp/udp from 91.230.*.* to 46.137.83.240
pass out quick on ng0 proto tcp/udp from 83.221.*.* to 46.137.83.240

#---- SQUID
pass in quick on bce0 proto tcp/udp from 192.168.188.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.189.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.190.0/24 to 192.168.188.2/32 port = 3128
#####
pass in quick on bce0 proto tcp/udp from 192.168.191.0/24 to 192.168.188.2/32 port = 3128
pass in quick on bce0 proto tcp/udp from 192.168.192.0/24 to 192.168.188.2/32 port = 3128

pass out quick on bce0 proto tcp/udp from any to any port = 123
pass in quick on bce0 proto tcp/udp from any to any port = 123
pass out quick on ng0 proto udp from any to any port = 123 keep state

pass out quick on ng0 proto tcp from any to any port = 3000 flags S keep state
pass in quick on bce0 proto tcp from any to any port = 3000 flags S keep state

pass in quick on bce0 proto tcp from any to 83.221.*.* port = 8080
pass out quick on ng0 proto tcp from 83.221.*.* to any port = 8080
pass out quick on bce0 proto tcp from any to www.donenergo.ru port = 88 flags S/FSRPAU keep state

pass in quick on bce0 proto tcp from any to any port = 88
pass out quick on ng0 proto tcp from any to any port = 88

pass out quick on bce0 proto tcp from any to any port = 6911
pass in quick on ng0 proto tcp from any to any port = 6911
pass out quick on bce0 proto tcp from any to any port = 6003
pass in quick on ng0 proto tcp from any to any port = 6003

pass in log quick on tun1 proto icmp from any to any
pass out log quick on tun1 proto icmp from any to any
pass out quick on tun1 proto tcp from 192.168.192.2 to any port = 5900 flags S keep state
pass out quick on tun1 proto tcp from 10.8.67.0/24 to any flags S keep state

##### END #####

pass in quick all
pass out quick all


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:46 am

nylon.conf

# sample configuration # marius aamodt eriksen (marius@umich.edu)
# $Id: nylon.conf,v 1.11 2002/03/27 07:39:53 beriksen Exp $
# general settings
[General]

# number of simultaneous connections allowed
No-Simultaneous-Conn=10

# log connections and other information to syslog? 1: on, 0: off
Log=1

# be verbose on the console? 1: on, 0: off
Verbose=1

# store pid file
PIDfile=/var/run/nylon.pid

# server settings
[Server]

# interface to listen to connections
#Binding-Interface=fxp1
Binding-Interface=bce0

# interface to bind outgoing connections to
#Connecting-Interface=fxp0
Connecting-Interface=ng0

# listening port to bind to
Port=1080

# allowed is processed first, then deny

# allowable connect ips/ranges
#Allow-IP=141.0.0.0/8 127.0.0.1 10.0.0.0/24
#Allow IPs 192.168.192.6, 192.168.192.7 and 192.168.189.25 for GLONASS_GPS_Client:
Allow-IP=127.0.0.1/32 192.168.192.6 192.168.192.7 192.168.189.25 192.168.189.26 192.168.190.34 192.168.190.163 192.168.190.50 192.168.190.180 192.168.190.182 192.168.190.153 192.168.190.132 192.168.190.114 192.168.190.83 192.168.189.15 192.168.190.131 192.168.190.98 192.168.190.180 192.168.190.66 192.168.191.3 192.168.190.182 192.168.190.188
# denied connect ips/ranges
#Deny-IP=10.0.0.0/24

This post was modified 1 month ago by Max999

Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:47 am

unbound.conf

# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:

#+Anton 12.10.2017
# Log level - 0 (errors only)
verbosity: 0
# Listen port
port: 53
# Listen interface (LAN, local network)
interface: 127.0.0.1
interface: 192.168.188.2
# Outgoing interface (WAN, Internet)
outgoing-interface: 83.221.*.*
#outgoing-interface: 91.230.*.*
# Allow networks
access-control: 192.169.188.0/24 allow
access-control: 192.169.189.0/24 allow
access-control: 192.169.190.0/24 allow
access-control: 192.169.191.0/24 allow
access-control: 192.169.192.0/24 allow
# "On" ip4, tcp, udp support and "off" ipv6
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# Set logfile name and switch off syslog
logfile: "unbound.log"
use-syslog: no
# "Hide" version (for security;))
hide-version: yes
#~Anton 12.10.2017

username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf


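The configs posted above (rc.conf, ipnat.rules, ipf.rules, nylon.conf, unbound.conf) are the evidence in this thread, and a few cross-file consistency checks are what a practitioner would run over them before guessing. The Python script below is an added example, not code from the thread, from FreeBSD or from any of the tools named; it embeds excerpts of the posted rc.conf, ipnat.rules and unbound.conf inline, plus one constructed ipnat line for 10.8.67.0/24 (portmap only) so that the ICMP check has something to report. It flags: rc.conf keys assigned twice (the last assignment wins), NAT interfaces that rc.conf does not configure itself (ng0 here is created by mpd at run time, so whether it exists under the new provider has to be confirmed with ifconfig, since map/rdr rules bound to an absent interface never match), source networks that only have portmap tcp/udp rules (portmap translates TCP/UDP only, so ICMP from those hosts also needs a plain map rule), and unbound access-control networks that overlap none of the NATed LAN networks. Function names and the check logic are my own assumptions; the addresses and rule syntax are as posted.

```python
import ipaddress
import re

# Constructed inputs: excerpts of the rc.conf, ipnat.rules and unbound.conf posted
# in the thread, plus ONE constructed ipnat line (10.8.67.0/24, portmap only) so
# that the ICMP check has something to report.
RC_CONF = """\
ifconfig_bce1="up"
ifconfig_bce1="DHCP"
ifconfig_bce0="inet 192.168.188.2 netmask 255.255.255.252"
gateway_enable="YES"
"""

IPNAT_RULES = """\
map ng0 192.168.188.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.188.0/24 -> 192.168.188.2/32
map ng0 192.168.189.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
map ng0 192.168.189.0/24 -> 192.168.188.2/32
map ng0 10.8.67.0/24 -> 192.168.188.2/32 portmap tcp/udp auto
rdr ng0 192.168.188.0/24 -> 192.168.188.2 3128
rdr ng0 0/0 port 5432 -> 192.168.188.2 port 5432
"""

UNBOUND_CONF = """\
interface: 127.0.0.1
interface: 192.168.188.2
access-control: 192.169.188.0/24 allow
access-control: 192.169.189.0/24 allow
"""

RC_LINE = re.compile(r'^\s*(\w+)="([^"]*)"')
NAT_LINE = re.compile(r'^\s*(map|rdr)\s+(\S+)\s+(\S+)\s+.*?->')
ACL_LINE = re.compile(r'^\s*access-control:\s+(\S+)\s+allow')

def parse_rc_conf(text):
    """rc.conf is a shell fragment: the last assignment of a key wins and the
    earlier value is silently dropped. Return (values, sorted duplicate keys)."""
    values, dups = {}, set()
    for line in text.splitlines():
        m = RC_LINE.match(line)
        if m:
            key, val = m.groups()
            if key in values:
                dups.add(key)
            values[key] = val
    return values, sorted(dups)

def parse_ipnat(text):
    """Return (kind, iface, network, has_portmap) per map/rdr rule. 'network' is
    the left-hand address: the source for map, the original destination for rdr."""
    rules = []
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if m:
            kind, iface, net = m.groups()
            rules.append((kind, iface, net, "portmap" in line))
    return rules

def nat_ifaces_not_in_rc_conf(rules, rc_values):
    """Interfaces named in NAT rules that rc.conf does not configure itself (ng0
    here is created by mpd at run time). Confirm with ifconfig that such an
    interface exists: NAT rules bound to an absent interface never match."""
    configured = {k[len("ifconfig_"):] for k in rc_values if k.startswith("ifconfig_")}
    return sorted({iface for _, iface, _, _ in rules if iface not in configured})

def networks_without_icmp_nat(rules):
    """Source networks that only have 'portmap tcp/udp' map rules. portmap covers
    TCP/UDP only; ICMP (ping) from those hosts also needs a plain map rule."""
    plain, portmapped = set(), set()
    for kind, _, net, has_portmap in rules:
        if kind == "map":
            (portmapped if has_portmap else plain).add(net)
    return sorted(portmapped - plain)

def unbound_acls_off_lan(unbound_text, rules):
    """access-control networks overlapping none of the NATed LAN networks: almost
    always a typo, and clients in the real LAN get REFUSED by the resolver."""
    lan = [ipaddress.ip_network(net) for kind, _, net, _ in rules if kind == "map"]
    off_lan = []
    for line in unbound_text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            acl = ipaddress.ip_network(m.group(1))
            if not any(acl.overlaps(n) for n in lan):
                off_lan.append(str(acl))
    return off_lan

def run_checks():
    """Run every check over the embedded excerpts; an empty list means 'ok'."""
    rc_values, dups = parse_rc_conf(RC_CONF)
    rules = parse_ipnat(IPNAT_RULES)
    return {
        "rc_conf_duplicate_keys": dups,
        "nat_ifaces_not_in_rc_conf": nat_ifaces_not_in_rc_conf(rules, rc_values),
        "networks_without_icmp_nat": networks_without_icmp_nat(rules),
        "unbound_acls_off_lan": unbound_acls_off_lan(UNBOUND_CONF, rules),
    }

if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings or 'ok'}")
```

Run on the excerpts, the script reports ifconfig_bce1 as a duplicated key, ng0 as a NAT interface rc.conf does not create, the constructed 10.8.67.0/24 as a network whose ICMP is not translated, and both 192.169.x access-control entries as lying outside every NATed LAN. A finding is a prompt to verify on the box (ifconfig ng0, ipnat -l, ipfstat -io), not a verdict by itself; the point of keeping each check in its own function is that the same parsers can be pointed at the real files on the gateway instead of the embedded strings.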
Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:52 am

squid.conf

visible_hostname gw.f67.donenergo.net
http_port 192.168.188.2:3128

coredump_dir /var/log/squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

logfile_rotate 10

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

dns_v4_first on

cache_mem 256 MB
maximum_object_size 8192 KB
minimum_object_size 4 KB
cache_dir ufs /var/cache/squid 5120 16 256

refresh_pattern -i \.gif$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.png$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.swf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.zip$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.rar$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.pdf$ 3600 100% 3600 override-lastmod override-expire
refresh_pattern -i \.mp3$ 3600 100% 3600 override-lastmod override-expire

acl manager proto cache_object

acl localnet src 10.8.67.0/24 # RFC1918 possible internal network
acl localnet src 192.168.188.0/24 # RFC1918 possible internal network
acl localnet src 192.168.189.0/24 # RFC1918 possible internal network
acl localnet src 192.168.190.0/24 # RFC1918 possible internal network
acl localnet src 192.168.191.0/24 # RFC1918 possible internal network
acl localnet src 192.168.192.0/24 # RFC1918 possible internal network

acl corp-srv dst "/usr/local/etc/squid/xallow/srv-corp"

acl ftp-ports port "/usr/local/etc/squid/xallow/port-ftp"
acl http-ports port "/usr/local/etc/squid/xallow/port-http"
acl ssl-ports port "/usr/local/etc/squid/xallow/port-ssl"

acl FTP proto FTP
acl HTTP proto HTTP
acl CONNECT method CONNECT
acl http-method-good method GET POST HEAD

acl servers-list src lists of who is allowed to go where

delay_pools 2 # Set two delay pools (numbered 1 and 2)
delay_class 1 2 # Set class 2 for delay pool 1
delay_parameters 1 512000/128000 128000/64000
delay_access 1 allow servers-list
delay_access 1 allow adm-list
delay_access 1 deny all # "Off" traffic limit delay pool 1 for all
delay_class 2 2 # Set class 2 for delay pool 2
delay_parameters 2 384000/128000 96000/48000
delay_access 2 allow *-list
delay_access 2 deny all # "Off" traffic limit delay pool 2 for all

acl uch_white url_regex "/usr/local/etc/squid/xallow/site-uch"
acl otp_white url_regex "/usr/local/etc/squid/xallow/site-otp"
acl smit_white url_regex "/usr/local/etc/squid/xallow/site-smit"

acl corp_white url_regex "/usr/local/etc/squid/xallow/site-corp"

acl pto_white url_regex "/usr/local/etc/squid/xallow/site-pto"

http_access allow uch-list uch_white
http_access allow otp-list otp_white
http_access allow smit-list smit_white

http_access allow all corp_white

acl porn-sites url_regex -i "/usr/local/etc/squid/xdeny/site-porno"
http_access deny porn-sites # Block list of porn sites for all

acl torrent_mime rep_mime_type -i ^application/x-bittorrent$
acl torrent_mime rep_mime_type -i application/x-bittorrent
http_reply_access deny torrent_mime

acl torrent urlpath_regex -i \.torrent$
http_access deny torrent

http_access deny FTP !ftp-ports
http_access deny HTTP !http-ports
http_access deny CONNECT !ssl-ports
http_access deny HTTP !http-method-good
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

http_access deny all

via off
forwarded_for off
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:57 am

To all this I will add that I once set up a completely random machine cobbled together from junk, also on FreeBSD 10.3, with only ipfw + nat + squid, and handed out Internet to the network through a switch, and everything pinged. Will it really be easier to wipe everything and set it up my own way?


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 10:58 am

In the configs I only uncommented the lines for the new provider and commented out the ones for the old one.


STALKER_SLX
(@stalker_slx)
Trusted Member
Joined: 9 months ago
Posts: 99
13/07/2019 11:19 am

At first glance I have not yet seen any reasons that could lead to the consequences you describe. Did you restart all the services (network, squid, nylon, etc.) on the server after making the changes?!


Max999
(@max999)
Eminent Member
Joined: 1 month ago
Posts: 31
13/07/2019 11:21 am

More than that, I restarted the server itself. Today is a day off at the company, and I came in to work on this.

