Knowledge Base/Use Case/Multi-WAN

Version vom 12. Oktober 2022, 22:33 Uhr von Damadmai (Diskussion | Beiträge) (Remove 78.41.116.121 from DNS Server List)

Multi-WAN

Aufbau und VLAN-Übersicht

PB Edgerouter OpenWRT Multiwan Pi.JPG Edgerouter Multi WAN.png

VLAN-Config für OpenWRT-Router

OpenWRT Mulit WAN.png

VLAN-Config für EdgeOS-Router

Bridges:

br0 193.238.15z.zzz/32
br1 10.xx.yy.100/24
br2

Interfaces:

eth0 br0
 vlan 100  192.168.100.1/24
 vlan 200  br2
 vlan 1100 br1
eth1 br2
eth2 br0
 vlan 1100 br1
eth3 br0
 vlan 1100 br1
eth4 br0
 vlan 1100 br1

Firewall:

WAN: br0
LAN: eth0.100

Relevante Abschnitte aus config.boot für EdgeOS-Router

/* Bridge and port layout of the EdgeOS multi-WAN router. Roles as documented on this page: br0 = FunkFeuer uplink ("WAN: br0", NAT description WAN_FF); br1 = 10.xx.yy.100/24 carried on VLAN 1100 (its purpose is not stated on this page); br2 = second WAN path, eth1 bridged to eth0 VLAN 200 (OpenWRT "wanb"). */
interfaces {
    /* FunkFeuer address, redacted on the page (193.238.15z.zzz/32 in the overview above) */
    bridge br0 {
        address 193.238.15.....
    }
    bridge br1 {
        address 10.xx.yy.100/24
    }
    /* Layer-2 only: no address, so this router has no L3 presence on the ISP segment */
    bridge br2 {
    }
    /* eth0: trunk to the OpenWRT router; untagged frames land on the mesh bridge br0 */
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        /* VLAN 100: routed transfer net to OpenWRT (OpenWRT "wan" is 192.168.100.2 with gateway .1) */
        vif 100 {
            address 192.168.100.1/24
        }
        /* VLAN 200: bridged straight through to eth1 (ISP), used by OpenWRT as "wanb" on eth0.200 */
        vif 200 {
            bridge-group {
                bridge br2
            }
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    /* eth1: ISP uplink, only a member of br2 (the CLI section below removes its br0 membership, vifs and DHCP address) */
    ethernet eth1 {
        bridge-group {
            bridge br2
        }
    }
    /* eth2-eth4: mesh ports, untagged on br0, VLAN 1100 on br1 */
    ethernet eth2 {
        bridge-group {
            bridge br0
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
    ethernet eth4 {
        bridge-group {
            bridge br0
        }
        /* 24 V passive PoE. NOTE(review): the CLI section also enables this on eth0, eth2 and eth3, but only eth4 shows it in this excerpt - confirm which ports are really powered. */
        poe {
            output 24v
        }
        vif 1100 {
            bridge-group {
                bridge br1
            }
        }
    }
}
/* Port-forward wizard settings. auto-firewall: EdgeOS creates the matching WAN-side firewall rules for every port-forward rule, so any forward added later is exposed on br0 automatically (no rules are listed here; the setup notes say all forwardings were disabled). hairpin-nat: hosts in 192.168.100.0/24 can reach forwarded services via the br0 address. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth0.100
    wan-interface br0
}
/* Source NAT: the transfer net behind eth0.100 is masqueraded onto the FunkFeuer address of br0. The OpenWRT "wan" zone also masquerades, so traffic from the OpenWRT LAN towards the mesh is NATed twice. */
service {
    nat {
        /* NOTE(review): the CLI section below edits "rule 5001", while this excerpt shows "rule 5000" - confirm which rule number is live before changing it. */
        rule 5000 {
            description WAN_FF
            log disable
            outbound-interface br0
            protocol all
            source {
                address 192.168.100.0/24
            }
            type masquerade
        }
    }
}
/* Single resolver (the second one was removed in this revision, see the edit summary) - there is no fallback if 193.238.157.16 is unreachable. Time comes from the metrologie.at servers; the default ubnt pool entries are deleted in the CLI section below. */
system {
    name-server 193.238.157.16
    ntp {
        server bevtime1.metrologie.at {
        }
        server bevtime2.metrologie.at {
        }
        server time.metrologie.at {
        }
    }
    time-zone Europe/Vienna
}

GUI / CLI Setup

set date mmddhhmmyyyy

Upload Setup0xFF-Wizard as 0xFF
IP: 193.238.158.28
Node-ID: 3011
Routername: haid-router
Username: damadmai
Disable DHCP-Server
Disable all Forwardings

Change Password & Add SSH key
Set name servers to 193.238.157.16
delete system ntp server 0.ubnt.pool.ntp.org
delete system ntp server 1.ubnt.pool.ntp.org
delete system ntp server 2.ubnt.pool.ntp.org
delete system ntp server 3.ubnt.pool.ntp.org
set system ntp server bevtime1.metrologie.at
set system ntp server bevtime2.metrologie.at
set system ntp server time.metrologie.at

set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth0 vif 100 address 192.168.100.1/24
set interfaces ethernet eth0 vif 200 bridge-group bridge br2
set interfaces ethernet eth0 vif 1100 bridge-group bridge br1

delete interfaces ethernet eth1 description OLSR
set interfaces ethernet eth1 description WAN
delete interfaces ethernet eth1 bridge-group bridge br0
delete interfaces ethernet eth1 vif
delete interfaces ethernet eth1 address dhcp
set interfaces bridge br2 description WAN
set interfaces ethernet eth1 bridge-group bridge br2

delete interfaces ethernet eth2 poe output off
delete interfaces ethernet eth3 poe output off
delete interfaces ethernet eth4 poe output off
set interfaces ethernet eth2 poe output 24v
set interfaces ethernet eth3 poe output 24v
set interfaces ethernet eth4 poe output 24v

delete service nat rule 5001 source address 192.168.1.0/24
set service nat rule 5001 source address 192.168.100.0/24

set service gui listen-address 127.0.0.1
WSLE: Orig-Server-Ports: 443->10443, Custom-Server-Ports: 8443->443
OLSRd V1: Disable all plugins

Connect via SSH
Autoupdate: self, then all
WSLE: Register FQDN, then restart both
ebtables: Allow br2

delete interfaces ethernet eth0 address 192.168.1.1/24
delete interfaces ethernet eth0 poe output off
set interfaces ethernet eth0 poe output 24v

Relevante Abschnitte aus OpenWRT config

system:

# OpenWRT system settings for the "archer" router.
# ttylogin '0' means no password prompt on the serial/console tty - acceptable only
# where physical access to the device is trusted.
# log_proto 'udp' selects the remote syslog transport, but no log_ip appears in this
# excerpt; check whether a syslog target is configured elsewhere or the option is unused.
config system
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option hostname 'archer'
	option zonename 'Europe/Vienna'
	option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
	option log_proto 'udp'
	option conloglevel '8'
	option cronloglevel '8'

# NTP: the same metrologie.at servers as on the EdgeOS router.
config timeserver 'ntp'
	option enabled '1'
	list server 'bevtime1.metrologie.at'
	list server 'bevtime2.metrologie.at'
	list server 'time.metrologie.at'

network:

# OpenWRT network config. VLAN IDs 100, 200 and 1100 match the vifs on the EdgeOS eth0 trunk.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Local LAN on switch VLAN 1 (ports 2-4 untagged, see switch_vlan below), 192.168.48.0/24.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.48.1'

# Primary WAN: static address in the transfer net to the EdgeOS router (192.168.100.1 on
# VLAN 100); DNS is pinned to the FunkFeuer resolver.
config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option broadcast '192.168.100.255'
	option ifname 'eth0.100'
	option dns '193.238.157.16'

# Port 0 is tagged in every VLAN below ('0t') - presumably the CPU port; TODO confirm for this switch.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4'
	option vid '1'

# VID 100 and 200 are tagged on port 1 only, so port 1 appears to be the trunk towards
# the EdgeOS eth0 - confirm against the cabling.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '100'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 1t'
	option vid '200'

# VID 1000 (untagged on ports 1 and 5) and VID 1100 (tagged on 1 and 5) have no
# 'config interface' in this excerpt; 1100 corresponds to the EdgeOS br1 VLAN.
config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '1000'
	option ports '1 5'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '1100'
	option ports '1t 5t'

# Secondary WAN: DHCP from the ISP, bridged by the EdgeOS router (eth1 <-> eth0 VLAN 200
# via br2). No peerdns/dns option is set here - check whether resolvers handed out on this
# link are accepted, since 'wan' deliberately pins DNS to 193.238.157.16.
config interface 'wanb'
	option proto 'dhcp'
	option ifname 'eth0.200'

mwan3:

# mwan3 policy routing.
# TCP to ports 22/443/587/853/993 prefers the FunkFeuer path ('wan', metric 1) and falls back
# to the ISP ('wanb', metric 2). Only TCP is steered this way; UDP to the same ports (e.g. QUIC
# on 443) follows 'default_rule'. Rules are evaluated top-down, so 'secure' must stay above it.
config rule 'secure'
	option proto 'tcp'
	option sticky '0'
	option use_policy 'wan_wanb'
	option dest_port '22,443,587,853,993'

# Everything else goes via the ISP only. 'wanb_only' ends in last_resort 'unreachable', so if
# wanb is down this traffic is dropped rather than failed over to 'wan' - intended?
config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option proto 'all'
	option sticky '0'
	option use_policy 'wanb_only'

# mmx_mask is the fwmark mask mwan3 uses; local_source 'lan' presumably makes locally
# generated traffic use the lan address - verify against the mwan3 version in use.
config globals 'globals'
	option mmx_mask '0x3F00'
	option local_source 'lan'

# Tracking for the FunkFeuer path: pings two OpenDNS resolvers every 5 s; reliability '2'
# means both must answer for 'wan' to count as up (down after 3 failures, up after 8 successes).
# failure_latency/failure_loss only take effect with check_quality enabled, which is not set
# for this interface in the excerpt.
config interface 'wan'
	option enabled '1'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option failure_latency '1000'
	option recovery_latency '500'
	option failure_loss '20'
	option recovery_loss '5'
	option interval '5'
	option down '3'
	option up '8'

# Tracking for the ISP path: same targets, but one reachable target is enough
# (reliability '1'); assumed online at start, conntrack never flushed on state changes.
config interface 'wanb'
	option family 'ipv4'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'
	option initial_state 'online'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option track_method 'ping'
	option size '56'
	option check_quality '0'
	option failure_interval '5'
	option recovery_interval '5'
	option flush_conntrack 'never'
	option enabled '1'

# Members are named <interface>_m<metric>_w<weight>.
config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wan_m2_w3'
	option interface 'wan'
	option metric '2'
	option weight '3'

config member 'wanb_m1_w2'
	option interface 'wanb'
	option metric '1'
	option weight '2'

config member 'wanb_m2_w2'
	option interface 'wanb'
	option metric '2'
	option weight '2'

# Only 'wanb_only' and 'wan_wanb' are referenced by rules above; the other policies are
# defined but unused in this excerpt.
config policy 'wan_only'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w3'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'balanced'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'wan_wanb'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m2_w2'
	option last_resort 'unreachable'

config policy 'wanb_wan'
	option last_resort 'unreachable'
	list use_member 'wan_m2_w3'
	list use_member 'wanb_m1_w2'

firewall:

# OpenWRT firewall. The default input ACCEPT applies to zones that do not override it;
# the 'wan' zone below overrides it with REJECT.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# LAN: router services are reachable from 192.168.48.0/24, and lan hosts may forward freely.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

# Both uplinks share one zone ('wan6' has no network section in this excerpt). Inbound is
# rejected, outbound is masqueraded (double NAT behind the EdgeOS rule on the mesh path)
# and TCP MSS is clamped (mtu_fix).
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6 wanb'

# Only lan -> wan is forwarded; no wan -> lan forwarding appears in this excerpt.
config forwarding
    option src 'lan'
    option dest 'wan'