VPN + load balance

1. VPN + load balance

MacMaillan Diniz
maillan

(uses Fedora)

Sent on 09/06/2015 - 12:37h

I have the following scenario:
2 links with load balancing and a branch office that connects through a VPN. This VPN worked before the balancing, and if I disconnect one link it works again, but with both links active in the balance it does not connect.
Take a look at my firewall file and tell me what I can do to solve it.


firewall_start() {
echo "==========================================="
echo "| :: SETANDO A CONFIGURACAO DO IPTABLES : |"
echo "==========================================="

# Flush the rules
echo -n "Limpando todas as regras ................."

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -F
iptables -X
route del -net 10.0.0.0/9 gw 172.17.24.250
echo "[ OK ]"

# Load the basic iptables modules
echo -n "Carregando modulos do iptables ..........."
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE

echo "[ OK ]"


# Default policy of the chains
iptables -P INPUT DROP
iptables -P FORWARD DROP # comment out to allow the transparent proxy
iptables -P OUTPUT ACCEPT
echo "Setando as regras padrão .................[ OK ]"

## Disabling IP forwarding
#echo "0" > /proc/sys/net/ipv4/ip_forward
#echo "Setando ip_forward ........................[ OK ]"

# Anti-spoofing protection (strict reverse-path filtering)
# NOTE: with two uplinks and policy routing, strict rp_filter (1) can drop packets
# that arrive on the link other than the one the kernel would use to reach their source.
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
echo "Setando a protecao anti-spoofing .........[ OK ]"

# Prevent an attacker from maliciously changing a route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Setando anti-redirecionamento ............[ OK ]"

# Used in several attacks: lets the attacker decide the "path" (routers) their
# packet takes to its destination. Combined with spoofing this becomes very dangerous.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Setando anti_source_route.................[ OK ]"

# Protection against bogus responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Setando anti-bogus_response ..............[ OK ]"

# Protection against SYN flood attacks (start of the TCP handshake). Tries to contain DoS attacks.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Setando proteção anti_synflood ...........[ OK ]"

## Now we define what may pass and what may not

## Input chain
# LOCALHOST - ACCEPT ALL PACKETS
iptables -A INPUT -i lo -j ACCEPT

# PORT 80 - ACCEPT FOR THE LOCAL NETWORK
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT # contil network
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT # embratel network
iptables -A INPUT -i tap0 -p tcp --dport 80 -j ACCEPT # VPN network
iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT # smtp
iptables -A INPUT -i eth1 -p tcp --dport 587 -j ACCEPT # smtp
#iptables -A OUTPUT -i eth0 -p tcp --dport 587 -j ACCEPT # smtp (-i is not valid in the OUTPUT chain)
# PORT 22 - ACCEPT FOR THE LOCAL NETWORK
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i tap0 -p tcp --dport 22 -j ACCEPT # VPN (no effect)
iptables -A INPUT -i tap0 -p tcp --dport 5008 -j ACCEPT # VPN (no effect)
#iptables -A INPUT -i eth0 -p tcp --dport 5008 -j ACCEPT # VPN
iptables -A INPUT -i eth1 -p tcp --dport 5008 -j ACCEPT # VPN (no effect)
## In iptables we have to say which sockets are valid in a connection
# NOTE: NEW in this state list accepts every new inbound connection on every interface,
# so the INPUT DROP policy and the per-port rules above have no effect.
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#echo "Setando regras para INPUT ................[ OK ]"

# ENABLING THE TRANSPARENT PROXY
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3129
echo "Habilitando Proxy transparente ...........[ OK ]"
################################
# Forward chain (FORWARD).

# rule so that an IP bypasses the proxy (SMARTPHONES / WHATSAPP)
## iptables -t nat -I PREROUTING -s 172.17.24.45 -j ACCEPT
## ENABLE LATER

# Now we say who and what may access the outside
# In iptables, access to the external network is controlled in the "FORWARD" chain


# PORT 3128 - ACCEPT FOR THE LOCAL NETWORK -- PROXY
iptables -A FORWARD -i eth2 -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 3129 -j ACCEPT


# PORT 53 - ACCEPT FOR THE LOCAL NETWORK -- DNS
iptables -A FORWARD -i eth2 -p udp --dport 53 -j ACCEPT
# PORT 80 - ACCEPT FOR THE LOCAL NETWORK -- APACHE
iptables -A FORWARD -i eth2 -p tcp --dport 80 -j ACCEPT


# PORT 21 - ACCEPT FOR THE LOCAL NETWORK - FTP
iptables -A FORWARD -i eth2 -p tcp --dport 21 -j ACCEPT

# In iptables we have to say which sockets are valid in a connection
# NOTE: as in INPUT, NEW here forwards every new connection in any direction,
# so the FORWARD DROP policy does not restrict anything.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

## ALLOW VPN TRAFFIC TO THE LOCAL NETWORK
iptables -t nat -s 192.168.255.3 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.4 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.5 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.6 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.7 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.8 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.9 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.2 -A POSTROUTING -o eth2 -j MASQUERADE
# NOTE: without a prefix length iptables treats 172.17.0.0 and 10.0.0.0 as single hosts (/32), not networks
iptables -t nat -s 172.17.0.0 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.68.24.0 -A POSTROUTING -o tap0 -j MASQUERADE # 192.68.24.0 is not a private range; probably a typo for 192.168.24.0
iptables -t nat -s 10.0.0.0 -A POSTROUTING -o eth2 -j MASQUERADE

echo "Setando regras para FORWARD ..............[ OK ]"

# Finally: enabling IP forwarding between the network interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Setando ip_forward: ON ...................[ OK ]"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Marking packets
# NOTE: PREROUTING only sees packets that arrive on an interface; packets generated on this
# host (for example the VPN daemon's own UDP traffic) pass through mangle OUTPUT instead.
echo -n "Marcando pacotes.........................."
#iptables -t mangle -A OUTPUT -p udp -i tap0 -d ! 0/0 --sport 5008 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 587 -j MARK --set-mark 1 # smtp
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 21 -j MARK --set-mark 2 # ftp
iptables -t mangle -A PREROUTING -i tap0 -p udp --dport 5008 -j MARK --set-mark 2 # VPN inbound on the contil link
iptables -t mangle -A PREROUTING -i tap0 -p udp --sport 5008 -j MARK --set-mark 2 # VPN outbound via the contil link
iptables -t mangle -A PREROUTING -i eth2 -p udp --sport 5008 -j MARK --set-mark 2 # VPN outbound via the contil link
iptables -t mangle -A PREROUTING -i eth2 -p udp --dport 5008 -j MARK --set-mark 2 # VPN
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 993 -j MARK --set-mark 1 # IMAPS
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 995 -j MARK --set-mark 1 # POPS

#IPTABLES -A PREROUTING -t mangle -s 192.168.255.0/24 -d 0/0 --dport 25 -j MARK --set-mark 2
#iptables -A PREROUTING -t mangle -i eth0 -d 0/0 -j MARK --set-mark 1
echo "[ OK ]"

echo "Firewall configurado com sucesso .........[ OK ]"
###################### Load balancing ################################
# The table names (embratel, contil) must be declared in /etc/iproute2/rt_tables
# embratel link
ip route add 172.17.24.250 dev eth0 src 172.17.24.251 table embratel
ip route add default via 172.17.24.250 table embratel
ip rule add fwmark 1 table embratel prio 10
# contil link
ip route add 10.151.252.1 dev eth1 src 10.151.252.2 table contil
ip route add default via 10.151.252.1 table contil
ip rule add fwmark 2 table contil prio 20

# VPN link
# NOTE: this route exists only in table contil; packets selected by the fwmark 1 rule or the
# "from 172.17.24.251" rule are looked up in table embratel, which has no route to 192.168.255.0/24.
ip route add 192.168.255.0/24 dev tap0 src 10.151.252.2 table contil

# Putting the links in the main routing table
ip route add 172.17.24.250 dev eth0 src 172.17.24.251
ip route add 10.151.252.1 dev eth1 src 10.151.252.2
# table rules
ip rule add from 172.17.24.251 table embratel
ip rule add from 10.151.252.2 table contil
################## VoIP egress via embratel
#ip rule add from 172.17.24.7 table embratel
################# serpro egress via embratel
#ip route add from 10.0.0.0/9 table embratel
route add -net 10.0.0.0/9 gw 172.17.24.250 # ADDS NETWORK 10 SO IT GOES OUT THROUGH .250

# link balancing
ip rule add fwmark 3 lookup interna prio 3 # table "interna" is not defined anywhere in this script
ip route add default scope global nexthop via 10.151.252.1 dev eth1 weight 2 nexthop via 172.17.24.250 dev eth0 weight 1
ip route flush cache
##############################################################################################################################
}

firewall_start



  


2. I have a very similar problem

Gustavo L. Moraes
glmstz

(uses Debian)

Sent on 12/08/2015 - 16:53h

Good afternoon.

I used to have just one link with a VPN.
Now I have 2 links doing load balancing; the VPN connects normally and "pings" its gateway, but it does not reach my internal network.

Below is my routes file:

#!/bin/bash

# GATEWAY DEFINITIONS
GW_LINK1=177.185.59.62
GW_LINK2=189.112.98.198

# NETWORK INTERFACES
ETH_LINK1=eth2
ETH_LINK2=eth0

function start() {
ip route flush cache

# tables link1 and link2 must be declared in /etc/iproute2/rt_tables
ip rule add fwmark 1 prio 20 table link1
ip rule add fwmark 2 prio 21 table link2

ip route add default via $GW_LINK1 dev $ETH_LINK1 table link1
ip route add default via $GW_LINK2 dev $ETH_LINK2 table link2

route add default gw $GW_LINK1

ip route flush cache

echo "Tabela de roteamento criada [OK]"
}

function stop() {
ip route flush cache

ip rule del fwmark 1
ip rule del fwmark 2

ip route del default via $GW_LINK1 dev $ETH_LINK1 table link1
ip route del default via $GW_LINK2 dev $ETH_LINK2 table link2

route del default
echo "Limpeza da tabela de roteamento concluida [OK]"
}

case $1 in
'start') start; exit ;;
'stop') stop; exit ;;
'restart') stop; start; exit ;;
*) echo "Utilizar: rotas stop|start|restart"; exit ;;
esac


Here is my firewall file, shortened:

#!/bin/bash

# Loading the routes
/etc/init.d/rotas $1

# modprobe
MOD=$(which modprobe)

# iptables
IPT=$(which iptables)

# Network interfaces
I_LINK1="eth2"
I_LINK2="eth0"
I_LAN="eth1"

function stop() {
# Flush the mangle table
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -t filter -F

echo "Firewall parado [OK]"
}

function start() {

### Modules ###
for MODULOS in ip_conntrack ip_tables ip_conntrack_ftp ip_nat_ftp ipt_string
do
modprobe $MODULOS
done

echo 1 > /proc/sys/net/ipv4/ip_forward

### Policies ###
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

### INPUT ###
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $I_LAN -s 192.168.0.0/24 -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -i $I_LAN -s 192.168.0.0/24 -p tcp -m multiport --dport 80,3128 -j ACCEPT
$IPT -A INPUT -i $I_LAN -s 192.168.0.20/32 -p tcp -m multiport --dport 1322,3000,10000 -j ACCEPT
$IPT -A INPUT -i $I_LAN -s 192.168.0.21/32 -p tcp -m multiport --dport 1322,3000,10000 -j ACCEPT
$IPT -A INPUT -i $I_LINK1 -s 0/0 -p tcp --dport 8383 -j ACCEPT

# Protection against stealth port scanners
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Nmap-Xmas Scan: " --log-tcp-options --log-ip-options
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Nmap Null Scan: " --log-tcp-options --log-ip-options
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Syn/Rst Scan: " --log-tcp-options --log-ip-options
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Syn/Fin Scan: " --log-tcp-options --log-ip-options
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Protections against attacks
$IPT -A INPUT -m state --state INVALID -j DROP

# Generating backdoor logs
# NOTE: these LOG rules have no -m limit, so a port scan can flood the system log
$IPT -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Servico de FTP: "
$IPT -A INPUT -p tcp --dport 23 -j LOG --log-prefix "Servico de TELNET: "
$IPT -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Wincrash: "
$IPT -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "BackOrifice: "
$IPT -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "BackOrifice: "
$IPT -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH-Log: "
$IPT -A INPUT -p icmp --icmp-type any -j LOG --log-prefix "PING: "

### FORWARD ###

# Dropping NEW packets without SYN
$IPT -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
$IPT -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -o $I_LINK1 -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -o $I_LINK1 -p udp --dport 53 -j ACCEPT

# Office 365, Microsoft Online, Exchange
for ips_ms in `cat /root/scripts/firewall/microsoft.txt`; do $IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s 192.168.0.0/24 -d $ips_ms -j ACCEPT; done

# ALLOWING FORWARD FROM TUN0 TO THE /25 NETWORK - VPN
$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.4/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.5/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.6/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.7/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.8/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT

# Unrestricted IPs (NAT)
$IPT -A FORWARD -i $I_LAN -o $I_LINK2 -s "192.168.0.2/32" -d 0/0 -j ACCEPT
$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.5/32" -d 0/0 -j ACCEPT
$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.3/32" -d 0/0 -j ACCEPT
$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.4/32" -d 0/0 -j ACCEPT

# Tax portals
# NOTE: a hostname given to -d is resolved to its A records once, when the rule is loaded
$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.0/24" -d portaltributario.com.br -j ACCEPT
$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.0/24" -d robertodiasduarte.com.br -j ACCEPT

### SEFAZ access ###
SEFAZ=201.55.62.86
$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SEFAZ -p tcp --dport 443 -j ACCEPT

### SERPRO access (SPED Contrib. table update and SPED delivery) ###
SERPRO=200.198.239.0/24
$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SERPRO -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SERPRO -p tcp --dport 3456 -j ACCEPT

# Allowing TeamViewer
$IPT -t filter -A FORWARD -i $I_LAN -o $I_LINK1 -s 192.168.0.0/24 -p tcp --dport 5938 -j ACCEPT
$IPT -t filter -A FORWARD -i $I_LINK1 -o $I_LAN -p tcp --sport 5938 -j ACCEPT

# FORWARD by MAC ADDRESS
/root/scripts/firewall/macs_livres.sh

# Distributing the links among the clients
# NOTE: these marks are set on every packet from the LAN, including replies addressed to the
# VPN subnet, so those replies are looked up in table link1/link2 rather than in main
$IPT -t mangle -A PREROUTING -s 192.168.0.1/32 -i $I_LAN -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -s 192.168.0.2/32 -i $I_LAN -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.3-192.168.0.23 -i $I_LAN -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.24-192.168.0.28 -i $I_LAN -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.29-192.168.0.30 -i $I_LAN -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.31-192.168.0.34 -i $I_LAN -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.35-192.168.0.48 -i $I_LAN -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -s 192.168.0.49/32 -i $I_LAN -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.50-192.168.0.75 -i $I_LAN -j MARK --set-mark 1
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.76-192.168.0.77 -i $I_LAN -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.78-192.168.0.254 -i $I_LAN -j MARK --set-mark 1

### NAT ###
$IPT -t nat -A POSTROUTING -s 192.168.0.1/32 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.0.2/32 -o $I_LINK2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.3-192.168.0.23 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.24-192.168.0.28 -o $I_LINK2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.29-192.168.0.30 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.31-192.168.0.34 -o $I_LINK2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.35-192.168.0.48 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.0.49/32 -o $I_LINK2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.50-192.168.0.75 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.76-192.168.0.77 -o $I_LINK2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.78-192.168.0.254 -o $I_LINK1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.100.0/25 -o tun0 -j MASQUERADE

# OPENVPN
$IPT -A INPUT -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -i tun0 -s 172.16.100.5/32 -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -i tun0 -s 172.16.100.5/32 -p tcp -m multiport --dport 1322,80,3128,10000 -j ACCEPT

echo "Firewall iniciado [OK]"
}

case $1 in
'start') start; exit ;;
'stop') stop; exit ;;
'restart') stop; start; exit ;;
*) echo "Utilizar: firewall.sh stop|start|restart"; exit ;;
esac


Does anyone have an idea of what I can do so that my VPN can reach my internal network again?

Thanks.


3. SOLVED

Gustavo L. Moraes
glmstz

(uses Debian)

Sent on 13/08/2015 - 11:18h

Good morning.

I managed to solve my problem by adding a few commands to my routes file, as below:

#!/bin/bash

# GATEWAY DEFINITIONS
GW_LINK1=177.185.59.62
GW_LINK2=189.112.98.198
GW_VPN=172.16.100.1

# NETWORK INTERFACES
ETH_LINK1=eth2
ETH_LINK2=eth0
ETH_VPN=tun0

function start() {
ip route flush cache

# tables link1 and link2 must be declared in /etc/iproute2/rt_tables
ip rule add fwmark 1 prio 20 table link1
ip rule add fwmark 2 prio 21 table link2

ip route add default via $GW_LINK1 dev $ETH_LINK1 table link1
ip route add default via $GW_LINK2 dev $ETH_LINK2 table link2

# the VPN subnet has to be reachable from each per-link table, otherwise a marked
# packet for that subnet hits the table's default route instead of the tunnel
ip route add 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link1
ip route add 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link2

route add default gw $GW_LINK1

ip route flush cache

echo "Tabela de roteamento criada [OK]"
}

function stop() {
ip route flush cache

ip rule del fwmark 1
ip rule del fwmark 2

ip route del default via $GW_LINK1 dev $ETH_LINK1 table link1
ip route del default via $GW_LINK2 dev $ETH_LINK2 table link2

ip route del 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link1
ip route del 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link2

route del default
echo "Limpeza da tabela de roteamento concluida [OK]"
}

case $1 in
'start') start; exit ;;
'stop') stop; exit ;;
'restart') stop; start; exit ;;
*) echo "Utilizar: rotas stop|start|restart"; exit ;;
esac


Thanks.

Regards.

Best regards,
Gustavo L. Moraes
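The fix above boils down to one rule: the VPN subnet must have a route in every table that an `ip rule ... fwmark N table X` rule can select, because a marked packet never consults the main table. The same gap is visible in the first post's script, where the tap0 route is added only to table contil and not to table embratel. The following is an added example, not code from either poster: it generates the per-table route commands and checks a route dump for each table, so the check can be run before and after a change. All values (VPN_NET 172.16.100.0/24, VPN_GW 172.16.100.1, tun0, tables link1 and link2) are hypothetical, mirroring the thread's layout; `dump_table` reads the live kernel by default and can be replaced with captured output for offline checks.

```shell
#!/bin/sh
# Added example, not code from the thread. Makes a VPN subnet reachable from
# EVERY policy-routing table selected by fwmark rules and verifies the result.
# Values below are hypothetical, mirroring the thread's layout.

VPN_NET="172.16.100.0/24"   # subnet behind the tunnel (hypothetical)
VPN_GW="172.16.100.1"       # tunnel peer address (hypothetical)
VPN_DEV="tun0"              # tunnel device (hypothetical)

# Print one "ip route <add|del>" command per policy table.
# Usage: vpn_route_cmds add|del table1 [table2 ...]
vpn_route_cmds() {
    action="$1"; shift
    for t in "$@"; do
        printf 'ip route %s %s via %s dev %s table %s\n' \
            "$action" "$VPN_NET" "$VPN_GW" "$VPN_DEV" "$t"
    done
}

# Run the generated commands. Dry run (print only) unless DRY_RUN=0; applying
# for real needs root and the table names declared in /etc/iproute2/rt_tables.
apply_vpn_routes() {
    vpn_route_cmds add "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || echo "failed: $cmd" >&2
        fi
    done
}

# Route dump for one table. Kept as a function so the check can be pointed at
# captured output instead of the live kernel.
dump_table() {
    ip route show table "$1"
}

# Read a route dump on stdin; succeed only if a route for VPN_NET is present.
# Compares the prefix field exactly, so 172.16.100.0/25 would not count.
table_has_vpn_route() {
    awk -v p="$VPN_NET" '$1 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# Print the names of the tables that still lack the VPN route (empty = all good).
tables_missing_vpn_route() {
    for t in "$@"; do
        dump_table "$t" | table_has_vpn_route || echo "$t"
    done
}

# Demo (dry run): show what would be added for the two link tables.
apply_vpn_routes link1 link2
```

Run `tables_missing_vpn_route link1 link2` on the gateway; any table name it prints is one where marked packets for the VPN subnet would still follow the ISP default route. The `del` form of `vpn_route_cmds` produces the matching cleanup for a `stop` function like the one in the routes file.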


4. Re: VPN + load balance

MacMaillan Diniz
maillan

(uses Fedora)

Sent on 04/10/2015 - 01:42h


I'll test this on Monday...


5. Re: VPN + load balance

MacMaillan Diniz
maillan

(uses Fedora)

Sent on 19/10/2015 - 13:38h

It did not work for me. I saw that you use a routing table different from mine: you route the links individually and create a default route for the link that runs the VPN.
But in my case I use a dynamic route, and with that I cannot get the VPN to run.
Any idea how to solve this?
See the rule for my route, which is in my firewall up above:
ip route add default scope global nexthop via 10.151.252.1 dev eth1 weight 2 nexthop via 172.17.24.250 dev eth0 weight 1

MacMaillan





