Troubleshooting when the main router cannot reach the subnet behind a secondary router

1. The problem: the main router runs OpenWrt, and a secondary router running Padavan is connected to one of its LAN ports. I want PC 1 to reach PC 2, so I configured a static route on OpenWrt for 192.168.2.0/24 with the next hop 192.168.1.2, the WAN-port IP of the secondary router. PC 1 can ping PC 2's gateway, but PC 1 cannot ping PC 2, while PC 2 can ping PC 1; traffic only works in one direction. Could someone please help me find what is wrong?

Troubleshooting approach:

1. SSH into OpenWrt and run the route command. The routing table contains a route to 192.168.2.0/24 (the 192.168.2.0 entry with gateway 192.168.1.2 below). I then pinged PC 2's gateway address and got replies, so the main router is definitely not the problem.

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.250 0.0.0.0         UG    0      0        0 wan
10.0.0.0        *               255.0.0.0       U     0      0        0 vnt-tun
10.26.0.0       *               255.255.255.0   U     0      0        0 vnt-tun
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     192.168.1.2     255.255.255.0   UG    0      0        0 br-lan
192.168.100.0   *               255.255.255.0   U     0      0        0 wan
192.168.123.0   *               255.255.255.0   U     0      0        0 vnt-tun
224.0.0.0       *               240.0.0.0       U     0      0        0 vnt-tun
255.255.255.255 *               255.255.255.255 UH    0      0        0 vnt-tun

2. SSH into Padavan and run the route command. Both directly connected routes, 192.168.1.0/24 and 192.168.2.0/24, are present, so the routing table is fine as well. Pinging PC 2's IP from here also succeeds.

root@K2P:/etc/config# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@K2P:/etc/config#

3. The checks above narrow the problem down to Padavan not forwarding traffic from its WAN port to its LAN port, so the next step is to inspect the iptables firewall configuration. The firewall's default forward policy is REJECT (the option forward 'REJECT' line under config defaults, and again under the wan zone), and the only config forwarding section is LAN to WAN; there is no WAN to LAN forwarding rule.

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'vpn_cc'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Drop DNS from wan'
    option src 'wan'
    option proto 'udp'
    option dest_port '53'
    option target 'DROP'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

4. Now that the cause is known, fix it. Back up the configuration file before editing it with cp /etc/config/firewall firewall.back, then edit it with vi /etc/config/firewall and remember to save with :wq when you are done.

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'vpn_cc'
    option input 'ACCEPT'    # input changed to ACCEPT
    option output 'ACCEPT'
    option forward 'ACCEPT'  # forward changed to ACCEPT
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding      # added WAN to LAN forwarding rule
    option src 'wan'
    option dest 'lan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Drop DNS from wan'
    option src 'wan'
    option proto 'udp'
    option dest_port '53'
    option target 'DROP'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

5. Finally, restart the firewall so the new configuration takes effect. After that the main router can reach the network behind the secondary router.

/etc/init.d/firewall restart
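The diagnosis in step 3 and the fix in step 4 can be checked mechanically. The script below is an added example and not part of the original post: it parses an OpenWrt-style /etc/config/firewall with awk (so it runs anywhere, without the uci binary), reports the wan zone's input and forward policies, tells you whether a wan-to-lan config forwarding section exists, and prints the narrowest change that unblocks PC 1 to PC 2. The sample configuration embedded in it is constructed from the "before" state shown in step 3. One point worth noting: PC 1 to PC 2 traffic passes through the router's FORWARD chain, so the wan-to-lan forwarding section is the part of the fix that matters for that path; setting the wan zone's input policy to ACCEPT is not needed for it and exposes every service listening on the secondary router to the whole upstream LAN (the existing Allow-Ping rule is what already let PC 1 ping the secondary router's own gateway address).

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenWrt-style
# /etc/config/firewall for inter-zone forwarding and zone policies, then emit
# the narrowest change that makes wan->lan forwarding work.

# Constructed sample: the "before" firewall config from the post, without the
# rule sections, which do not affect inter-zone forwarding.
SAMPLE_FW="$(cat <<'EOF'
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
)"

# has_forwarding <config-text> <src-zone> <dest-zone>
# Prints "yes" if a "config forwarding" section with that src/dest exists, else "no".
has_forwarding() {
    printf '%s\n' "$1" | awk -v q="'" -v want_src="$2" -v want_dst="$3" '
        function flush() {
            if (type == "forwarding" && src == want_src && dst == want_dst) found = 1
            type = ""; src = ""; dst = ""
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        $1 == "option" && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { flush(); print (found ? "yes" : "no") }'
}

# zone_policy <config-text> <zone-name> <input|output|forward>
# Prints that zone's policy for the given chain. Assumes "option name" comes
# before the policy options inside the zone section, as uci writes it.
zone_policy() {
    printf '%s\n' "$1" | awk -v q="'" -v want="$2" -v key="$3" '
        $1 == "config" { type = $2; name = "" }
        type == "zone" && $1 == "option" && $2 == "name" { gsub(q, "", $3); name = $3 }
        type == "zone" && name == want && $1 == "option" && $2 == key {
            gsub(q, "", $3); print $3; exit
        }'
}

# minimal_fix <src-zone> <dest-zone>
# Prints the one section the PC 1 -> PC 2 path needs: an inter-zone forwarding
# entry. The wan zone's input policy is left untouched (still REJECT).
minimal_fix() {
    printf "\nconfig forwarding\n    option src '%s'\n    option dest '%s'\n" "$1" "$2"
}

# apply_minimal_fix <config-text> <src-zone> <dest-zone>
# Prints the config with the forwarding section appended.
apply_minimal_fix() {
    printf '%s\n' "$1"
    minimal_fix "$2" "$3"
}

# audit <config-text> <src-zone> <dest-zone>: human-readable report.
audit() {
    printf 'zone %s forward policy: %s\n' "$2" "$(zone_policy "$1" "$2" forward)"
    printf 'zone %s input policy:   %s\n' "$2" "$(zone_policy "$1" "$2" input)"
    if [ "$(has_forwarding "$1" "$2" "$3")" = yes ]; then
        echo "forwarding $2 -> $3: present"
    else
        echo "forwarding $2 -> $3: MISSING (this is why PC 1 cannot reach PC 2)"
    fi
}

FIXED_FW="$(apply_minimal_fix "$SAMPLE_FW" wan lan)"

audit "$SAMPLE_FW" wan lan
echo "--- after appending the wan -> lan forwarding section ---"
audit "$FIXED_FW" wan lan
```

To run it against a real router, replace SAMPLE_FW with "$(cat /etc/config/firewall)"; the fragment printed by minimal_fix is what you would append to that file (or add with uci) before running /etc/init.d/firewall restart.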


Posted @ 2023-09-15 20:53 by 凡是過往;皆為序章  Views (1445)  Comments (0)