本文介绍如何在OpenBSD系统上配置双ADSL线路的负载均衡,包括pppoe连接设置、pf防火墙规则及流量控制,并实现线路故障自动切换。
来自http://www.kuqin.com/article/05bsd/746001.html
用了7 8 天,把单位上的互联网连接改造了一下
原先,一个电信 ADSL -->nat-->5台客户机 (电信限制了连接数)
一个铁通 ADSL-->nat-->10台客户机
现在改为
电信 ADSL----+
|------- NAT ( OpenBSD ) --- 局域网
铁通 ADSL----+
在NAT中作了负载均衡,现将设置介绍一下
NAT服务器: Pentium 166 32M RAM 1G HD DISK
网卡 rl0 -->电信ADSL rl1-->铁通ADSL
ne0 --> 局域网 :老机子上4个PCI插槽,使用dc0,老是起不来
ppp.conf
引用:
default:
set log Phase Chat LCP IPCP CCP tun command
# Client side PPP
#
# Although the PPP protocol is a peer to peer protocol, we normally
# A PPPoE (PPP over Ethernet) setup may look like this:
# Dian Xin
ppp0:
set device "!/usr/sbin/pppoe -i rl0"
set mtu max 1492
set mru max 1492
set speed sync
disable acfcomp protocomp
deny acfcomp
set authname "xy_*******"
set authkey "1111111"
#set crtscts off
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
add! default HISADDR
# enable dns
enable mssfixup
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
# A PPPoE (PPP over Ethernet) setup may look like this:
# Tie Tong
ppp1:
set device "!/usr/sbin/pppoe -i rl1"
set mtu max 1492
set mru max 1492
set speed sync
disable acfcomp protocomp
deny acfcomp
set authname "p********"
set authkey "892672"
#set crtscts off
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
add! default HISADDR
# enable dns
enable mssfixup
pf.conf pf2.conf 是当只有一个ADSL连接时使用的PF 设置文件,他们内容一致,只是虚拟连接接口 一个是"tun0" 一个是"tun1"
pf.conf:引用:
# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if0="tun0"
int_if="ne0"
lan_net="192.168.123.0/24"
dis_net="{127.0.0.0/8,192.168.0.0/24,172.16.0.0/12,10.0.0.0/8}"
scrub in on $ext_if0 all fragment reassemble #TCP 连接标准化整形
nat on $ext_if0 from $lan_net to any -> ($ext_if0)
block out on $ext_if0 all
block in on $ext_if0 all
antispoof quick for $int_if inet
pass quick on lo0 all
block return-rst out log on $ext_if0 proto tcp all
block return-rst in log on $ext_if0 proto tcp all
block return-icmp out log on $ext_if0 proto udp all
block return-icmp in log on $ext_if0 proto udp all
pass quick on $int_if all
block drop in quick on $ext_if0 from $dis_net to any
block drop out quick on $ext_if0 from any to $dis_net
pass out on $ext_if0 proto tcp all flags S/SA modulate state
pass out on $ext_if0 proto {udp,icmp} from any to any keep state
pf1.conf 双ASL负载均衡 引用:
# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if0="tun0"
ext_if1="tun1"
int_if="ne0"
lan_net="192.168.123.0/24"
ext_gw0="tun0:peer"
ext_gw1="tun1:peer"
admi_addr="192.168.123.101"
#no_addr=" 192.168.123.212"
set block-policy drop
set optimization aggressive
set timeout interval 6
set timeout frag 12
set state-policy if-bound
scrub in on $ext_if0 all fragment reassemble min-ttl 128 max-mss 1470
scrub in on $ext_if1 all fragment reassemble min-ttl 128 max-mss 1470
scrub on $int_if all reassemble tcp random-id no-df
scrub out on $ext_if0 random-id
scrub out on $ext_if1 random-id
scrub on $ext_if0 all reassemble tcp no-df random-id
scrub on $ext_if1 all reassemble tcp no-df random-id
################################
altq on $int_if cbq bandwidth 2048Kb queue {hi_in,low_in}
queue hi_in on $int_if bandwidth 1500Kb cbq(borrow)
queue low_in on $int_if bandwidth 500Kb cbq(default,borrow)
##############################
nat on $ext_if0 from $lan_net to any -> ($ext_if0)
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
block on $ext_if0 all
block on $ext_if1 all
###############################
#pass in quick on $int_if proto tcp from $no_addr to any port 80 ####
#block in quick on $int_if from $no_addr to any #############
############################## LAN config
pass in quick on $int_if proto icmp from $admi_addr to any
pass quick on lo0 all
block in quick on $int_if proto icmp from $lan_net to any
pass out on $int_if from any to $lan_net
pass in quick on $int_if from any to $lan_net
pass in on $int_if route-to /
{ ($ext_if0 $ext_gw0),($ext_if1 $ext_gw1) } round-robin /
proto tcp from $lan_net to any flags S/SA modulate state
pass in on $int_if route-to /
{($ext_if0 $ext_gw0),($ext_if1 $ext_gw1)} round-robin /
proto {udp,icmp } from $lan_net to any keep state
pass out on $int_if proto {tcp,udp} from any port {80,8080,53,22} to /
$lan_net queue hi_in
pass out on $int_if proto {tcp,udp} from any port {!=80,8080,53,22} to /
$lan_net queue low_in
######################### ext_if config
pass out on $ext_if0 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if0 proto {udp,icmp} from any to any keep state
pass out on $ext_if1 proto {udp,icmp} from any to any keep state
pass out on $ext_if1 route-to ($ext_if0 $ext_gw0) from $ext_if0 to any
pass out on $ext_if0 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
因为只是NAT,局域网内没有服务器,所以过滤规则以简单实用为主 (注:添加了简单的流量控制,将HTTP的流量保证了1500Kb的速度)
=============================================
为了能够在ADSL连接出现问题时自动进行PF切换
编了一个shell文件 nat.sh
#!/bin/sh
sleep 5 # wait the ADSL connetc
fg0=0
fg1=0
echo ====start=== `date` > /root/nat.log
/sbin/pfctl -F all -f /etc/pf1.conf
file=1
test_addr="202.101.224.69"
while :
do
if_add0="192.168.1.1"
if_add1="192.168.1.2"
ifconfig tun0 | grep inet >>/dev/null
if [ $? -eq 0 ];then
if_add0="`ifconfig tun0 | grep inet | awk '{printf $2}'`"
fi
ifconfig tun1 | grep inet >>/dev/null
if [ $? -eq 0 ];then
echo a
if_add1="`ifconfig tun1 | grep inet | awk '{printf $2}'`"
fi
ping -w 1 -c2 -I $if_add0 $test_addr >> /dev/null
fg0=$?
ping -w 1 -c2 -I $if_add1 $test_addr >> /dev/null
fg1=$?
echo "1.<< $if_add0 :$fg0 ,$if_add1 :$fg1 >> "
#=================================================#
echo $fg0,$fg1
if [ $fg0 -eq $fg1 ];then
echo 2. $file
if [ $fg0 -eq 0 ];then
if [ $file -ne 1 ];then
/sbin/pfctl -d
/sbin/pfctl -e -f /etc/pf1.conf ;
echo "chang to --> /etc/pf1.conf :" `date` >> /root/nat.log
file=1
fi
fi
else
echo 3.
if [ $fg0 -eq 0 ]; then
echo 4. $file
if [ $file -ne 0 ];then
/sbin/pfctl -d
/sbin/pfctl -e -f /etc/pf.conf
echo "chang to --> /etc/pf.conf:" `date` >> /root/nat.log
file=0
fi
else
echo 5.
if [ $file -ne 2 ];then
/sbin/pfctl -d
/sbin/pfctl -e -f /etc/pf2.conf
echo "chang to --> /etc/pf2.conf:" `date`>>/root/nat.log
file=2
fi
fi
fi
echo "=============================================="
if [ $fg0 -eq $fg1 ] ; then
sleep 600
else
if [ $fg0 -ne 0 ] ;then
PID= `ps -x | grep 'unit 0' | grep ppp0 | awk '{print $1}'`
kill $PID
ifconfig tun0 down
ifconfig tun0 up
/usr/sbin/ppp -unit 0 -auto ppp0
echo ADSL _____ INTERNET tun0 `date` >> /root/nat.log
else
PID=`ps -x | grep 'unit 1' | grep ppp1 | awk '{print $1}'`
kill $PID
ifconfig tun1 down
ifconfig tun1 up
/usr/sbin/ppp -unit 1 -auto ppp1
echo ADSL _____ INTERNET tun1 `date` >> /root/nat.log
fi
fi
echo "=============================================="
done
=====================================
在/etc/rc.local 添加引用:
ppp -unit 0 -auto ppp0
ppp -unit 1 -auto ppp1
/etc/nat.sh &
注:rc.conf中将 PF =YES ,
再在/etc下为三个网卡设好配置文件,保证在启动时把网卡激活.
(我都给它们设了IP地址,反正没出错 ;)
=====================================
以上是几天来的成果,很是粗糙,但也是花费了许多时间在Google和Chinaunix上
对以前各位版主的帮助,谢谢了.
效果:负载均衡 使用几次traceroute www.google.com
可以看见不同的路由 = 成功
scrub in on $ext_if0 all fragment reassemble 在用电信ADSL下可以同时挂12台机子了,突破电信5台的限制 =成功
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
