
Hi all, this is probably just something stupid I'm missing, but I'm having trouble setting up a network namespace to use for my VPN. The strange part is that this script/configuration was working and then suddenly stopped in the last few weeks.
I have a single Ethernet interface on the server with a static IP set that I want to use for all my normal traffic. Then I use a bridge as its master and attach the VPN to the same bridge through a virtual Ethernet pair. For some reason my VPN interface can successfully answer ARP requests, but it doesn't seem to be able to ping my gateway (and therefore can't reach the Internet). I feel like this may be a routing problem, but I can't figure it out.
Netplan
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: false
      addresses:
        - 192.168.0.54/24
  bridges:
    br0:
      interfaces:
        - enp3s0
      routes:
        - to: default
          via: 192.168.0.1
        - to: 192.168.0.0/24
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]
Script to set up the VPN network namespace:
ip link add vpn0 type veth peer name vpn1
ip link set dev vpn0 master br0
ip netns add vpn
ip link set vpn1 netns vpn
ip link set dev vpn0 promisc on
ip link set vpn0 up
ip netns exec vpn ip link set lo up
ip netns exec vpn ip link set vpn1 up
ip netns exec vpn ip address add 192.168.0.53/24 dev vpn1
ip netns exec vpn ip route add default via 192.168.0.1 dev vpn1
VPN namespace addresses/routes
root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: vpn1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 06:9e:19:5a:a4:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.0.53/24 scope global vpn1
valid_lft forever preferred_lft forever
inet6 fe80::49e:19ff:fe5a:a4a5/64 scope link
valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev vpn1
192.168.0.0/24 dev vpn1 proto kernel scope link src 192.168.0.53
Normal (host) addresses/routes
root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 88:d7:f6:78:91:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.54/24 brd 192.168.0.255 scope global enp3s0
valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e6:3d:5a:ce:a9:fb brd ff:ff:ff:ff:ff:ff
inet6 fe80::e43d:5aff:fece:a9fb/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:19:80:3c:94 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: vpn0@if5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether 66:2c:f9:35:3d:0e brd ff:ff:ff:ff:ff:ff link-netns vpn
inet6 fe80::642c:f9ff:fe35:3d0e/64 scope link
valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev br0 proto static onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev br0 proto static scope link
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.54
Ping from the VPN namespace (ARP seems to resolve, but I can't ping the gateway)
root@sam-server:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3066ms
root@sam-server:~# ping 192.168.0.54
PING 192.168.0.54 (192.168.0.54) 56(84) bytes of data.
64 bytes from 192.168.0.54: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 192.168.0.54: icmp_seq=2 ttl=64 time=0.052 ms
64 bytes from 192.168.0.54: icmp_seq=3 ttl=64 time=0.052 ms
^C
--- 192.168.0.54 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.037/0.047/0.052/0.007 ms
root@sam-server:~# arp
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether b0:95:75:8c:fe:80 C vpn1
192.168.0.54 ether e6:3d:5a:ce:a9:fb C vpn1
root@sam-server:~#
Hopefully that's enough information; I can post more if needed.
Answer 1
Try adding the interface's macaddress as suggested here: Ubuntu 22.04 bridge with netplan doesn't work
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: false
      addresses:
        - 192.168.0.54/24
  bridges:
    br0:
      interfaces:
        - enp3s0
      routes:
        - to: default
          via: 192.168.0.1
        - to: 192.168.0.0/24
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]
      macaddress: 88:d7:f6:78:91:72
Answer 2
I found an answer to my problem. It turned out to be something very simple. Basically, two weeks ago I installed Docker. I didn't know this, but Docker messes with iptables.
root@sam-server:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP) <----------- PROBLEM IS HERE
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Because Docker automatically sets the FORWARD policy to DROP, my packets weren't being forwarded to the interface. I assume ARP works because it isn't affected by iptables.
The fix was just to reset the policy to accept: iptables --policy FORWARD ACCEPT
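The diagnosis above explains why the bridged namespace setup from the question broke: with br_netfilter loaded (Docker enables net.bridge.bridge-nf-call-iptables), frames crossing br0 traverse the iptables FORWARD chain, and Docker's DROP policy swallows them. Flipping the whole FORWARD policy to ACCEPT also discards the isolation Docker relies on, so the added example below (my code, not from the original post or from Docker) detects the DROP policy from `iptables -S` style output and proposes a rule scoped to the bridge in the DOCKER-USER chain, which Docker leaves for administrator rules. The sample rule text and the bridge name br0 are constructed from this page; APPLY is an assumed environment variable.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects Docker's FORWARD
# DROP policy and proposes a fix limited to the bridge instead of opening
# the entire FORWARD chain.

# Constructed sample in the shape of `iptables -S` on a Docker host.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Print the FORWARD chain policy (ACCEPT or DROP) from rules on stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed if the rules on stdin already exempt frames that stay on bridge $1.
# Bridged frames reaching iptables carry the bridge itself as both the input
# and the output interface, so "-i br0 -o br0" matches exactly that traffic.
bridge_allowed() {
    grep -q -- "^-A DOCKER-USER -i $1 -o $1 -j ACCEPT\$"
}

# Narrow fix: accept only traffic that enters and leaves on bridge $1 and keep
# the DROP policy for everything else. Prints the command unless APPLY=1
# (assumed variable), so it can be reviewed first; applying needs root.
fix_bridge_forwarding() {
    cmd="iptables -I DOCKER-USER -i $1 -o $1 -j ACCEPT"
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd
    else
        printf '%s\n' "$cmd"
    fi
}

# Stand-alone run over the constructed sample; on a real host pipe the output
# of `iptables -S` into the same functions instead.
if [ "$(printf '%s\n' "$SAMPLE_RULES" | forward_policy)" = DROP ] \
   && ! printf '%s\n' "$SAMPLE_RULES" | bridge_allowed br0; then
    echo "FORWARD policy is DROP and br0 is not exempted; suggested fix:"
    fix_bridge_forwarding br0
fi
```

On the live host, `iptables -S | forward_policy` and `iptables -S | bridge_allowed br0` give the same checks against the real ruleset.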