Knowledge Base/Use Case/Multi-WAN

Aus FunkFeuer Wiki
< Knowledge Base‎ | Use Case
Version vom 8. Oktober 2018, 15:45 Uhr von Damadmai (Diskussion | Beiträge) (Konfigurationen hinzugefügt)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

Multi-WAN

Aufbau und VLAN-Übersicht

PB Edgerouter OpenWRT Multiwan Pi.JPG Edgerouter Multi WAN.png

VLAN-Config für OpenWRT-Router

OpenWRT Mulit WAN.png

VLAN-Config für EdgeOS-Router

Bridges:

br0 193.238.15z.zzz/32
br1 10.xx.yy.100/24
br2

Interfaces:

eth0 br0
 vlan 100  192.168.100.1/24
 vlan 200  br2
 vlan 1100 br1
eth1 br2
eth2 br0
 vlan 1100 br1
eth3 br0
 vlan 1100 br1
eth4 br0
 vlan 1100 br1

Firewall:

WAN: br0
LAN: eth0.100

Relevante Abschnitte aus config.boot für EdgeOS-Router

interfaces {
    bridge br0 {
        address 193.238.15.....
    }
    bridge br1 {
        address 10.xx.yy.100/24
    }
    bridge br2 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        vif 100 {
            address 192.168.100.1/24
        }
        vif 200 {
            bridge-group {
                bridge br2
            }
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br2
        }
    }
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        poe {
            output 24v
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0.100
    wan-interface br0
}
service {
    nat {
        rule 5000 {
            description WAN_FF
            log disable
            outbound-interface br0
            protocol all
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
    }
}
system {
    name-server 193.238.157.16
    name-server 78.41.116.121
    ntp {
        server bevtime1.metrologie.at {
        }
        server bevtime2.metrologie.at {
        }
        server time.metrologie.at {
        }
    }
    time-zone Europe/Vienna
}

Relevante Abschnitte aus OpenWRT config

system:

config system
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option hostname 'archer'
	option zonename 'Europe/Vienna'
	option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
	option log_proto 'udp'
	option conloglevel '8'
	option cronloglevel '8'

config timeserver 'ntp'
	option enabled '1'
	list server 'bevtime1.metrologie.at'
	list server 'bevtime2.metrologie.at'
	list server 'time.metrologie.at'

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.48.1'

config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option broadcast '192.168.100.255'
	option ifname 'eth0.100'
	option dns '193.238.157.16 78.41.116.121'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '100'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 1t'
	option vid '200'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '1000'
	option ports '1 5'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '1100'
	option ports '1t 5t'

config interface 'wanb'
	option proto 'dhcp'
	option ifname 'eth0.200'

mwan3:

config rule 'secure'
	option proto 'tcp'
	option sticky '0'
	option use_policy 'wan_wanb'
	option dest_port '22,443,587,853,993'

config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option proto 'all'
	option sticky '0'
	option use_policy 'wanb_only'

config globals 'globals'
	option mmx_mask '0x3F00'
	option local_source 'lan'

config interface 'wan'
	option enabled '1'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option failure_latency '1000'
	option recovery_latency '500'
	option failure_loss '20'
	option recovery_loss '5'
	option interval '5'
	option down '3'
	option up '8'

config interface 'wanb'
	option family 'ipv4'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'
	option initial_state 'online'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option track_method 'ping'
	option size '56'
	option check_quality '0'
	option failure_interval '5'
	option recovery_interval '5'
	option flush_conntrack 'never'
	option enabled '1'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wan_m2_w3'
	option interface 'wan'
	option metric '2'
	option weight '3'

config member 'wanb_m1_w2'
	option interface 'wanb'
	option metric '1'
	option weight '2'

config member 'wanb_m2_w2'
	option interface 'wanb'
	option metric '2'
	option weight '2'

config policy 'wan_only'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w3'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'balanced'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'wan_wanb'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m2_w2'
	option last_resort 'unreachable'

config policy 'wanb_wan'
	option last_resort 'unreachable'
	list use_member 'wan_m2_w3'
	list use_member 'wanb_m1_w2'

firewall:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6 wanb'

config forwarding
    option src 'lan'
    option dest 'wan'