VPN + load balance

1. VPN + load balance

maillan
(usa Fedora)

Enviado em 09/06/2015 - 12:37h

Tenho seguinte cenario:
2 links com balance e uma filial q conecta através de uma VPN, está VPN funcionava antes do balance, e se desconectar um link ela volta a funcionar, mas com os dois links ativos no balance não conecta.
vejam meu arquivo de firewall e o que posso fazer para solucionar.

firewall_start() {
echo "==========================================="
echo "| :: SETANDO A CONFIGURACAO DO IPTABLES : |"
echo "==========================================="

# Limpa as regras
echo -n "Limpando todas as regras ................."

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -F
iptables -X
route del -net 10.0.0.0/9 gw 172.17.24.250
echo "[ OK ]"

# Carregando os modulos basicos do iptables
echo -n "Carregando modulos do iptables ..........."
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE

echo "[ OK ]"

# Definindo a politica default das cadeias
iptables -P INPUT DROP
iptables -P FORWARD DROP #comentar para permitir proxy transparente
iptables -P OUTPUT ACCEPT
echo "Setando as regras padrão .................[ OK ]"

## Desabilitando o trafego IP
#echo "0" > /proc/sys/net/ipv4/ip_forward
#echo "Setando ip_foward ........................[ OK ]"

# Configurando a protecao anti-spoofing
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
echo "Setando a protecao anti-spoofing .........[ OK ]"

# Impedindo que um atacante possa maliciosamente alterar alguma rota
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Setando anti-redirecionamento ............[ OK ]"

# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) ate seu destino. Junto com spoof, isso se torna muito perigoso.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Setando anti_source_route.................[ OK ]"

# Protecao contra responses bogus
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Setando anti-bogus_response ..............[ OK ]"

# Protecao contra ataques de syn flood (inicio da conexão TCP). Tenta conter ataques de DoS.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Setando proteção anti_synflood ...........[ OK ]"

## Agora, vamos definir o que pode passar e o que nao pode

## Cadeia de entrada
# LOCALHOST - ACEITA TODOS OS PACOTES
iptables -A INPUT -i lo -j ACCEPT

# PORTA 80 - ACEITA PARA A REDE LOCAL
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT #rede contil
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT #rede embratel
iptables -A INPUT -i tap0 -p tcp --dport 80 -j ACCEPT #REDE VPN
iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT #REDE smtp
iptables -A INPUT -i eth1 -p tcp --dport 587 -j ACCEPT #REDE smtp
#iptables -A OUTPUT -i eth0 -p tcp --dport 587 -j ACCEPT #REDE smtp
# PORTA 22 - ACEITA PARA A REDE LOCAL
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i tap0 -p tcp --dport 22 -j ACCEPT #VPN (sem efeito)
iptables -A INPUT -i tap0 -p tcp --dport 5008 -j ACCEPT #VPN (sem efeito)
#iptables -A INPUT -i eth0 -p tcp --dport 5008 -j ACCEPT #VPN
iptables -A INPUT -i eth1 -p tcp --dport 5008 -j ACCEPT #VPN (sem efeito)
## No iptables, temos de dizer quais sockets sao validos em uma conexão
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#echo "Setando regras para INPUT ................[ OK ]"

# HABILITANDO O PROXY TRANSPARENTE
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3129
echo "Habilitando Proxy transparente ...........[ OK ]"
################################
# Cadeia de reenvio (FORWARD).

#regra para IP nao passar pelo proxy SMARTPHONES WHATSAPP=#=#=#=#=#==#=#=#=#==#=#=#=#=#==#=#=#=#=#==#=#=#=#=#=#=#=#=#=#=#=
## iptables -t nat -I PREROUTING -s 172.17.24.45 -j ACCEPT
## ATIVAR DEPOIS

# Agora dizemos quem e o que pode acessar externamente
# No iptables, o controle do acesso a rede externa e feito na cadeia "FORWARD"

# PORTA 3128 - ACEITA PARA A REDE LOCAL -- PROXY
iptables -A FORWARD -i eth2 -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp --dport 3129 -j ACCEPT

# PORTA 53 - ACEITA PARA A REDE LOCAL -- DNS
iptables -A FORWARD -i eth2 -p udp --dport 53 -j ACCEPT
# PORTA 80 - ACEITA PARA A REDE LOCAL --APACHE
iptables -A FORWARD -i eth2 -p tcp --dport 80 -j ACCEPT

# PORTA 21 - ACEITA PARA A REDE LOCAL - FTP
iptables -A FORWARD -i eth2 -p tcp --dport 21 -j ACCEPT

# No iptables, temos de dizer quais sockets sao vaidos em uma conexão
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

##LIBERAR TRAFICO VPN PARA REDE LOCAL
iptables -t nat -s 192.168.255.3 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.4 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.5 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.6 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.7 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.8 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.9 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.168.255.2 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 172.17.0.0 -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -s 192.68.24.0 -A POSTROUTING -o tap0 -j MASQUERADE
iptables -t nat -s 10.0.0.0 -A POSTROUTING -o eth2 -j MASQUERADE

echo "Setando regras para FOWARD ...............[ OK ]"

# Finalmente: Habilitando o trafego IP, entre as Interfaces de rede
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Setando ip_foward: ON ....................[ OK ]"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Marcando pacotes
echo -n "Marcando pacotes.........................."
#iptables -t mangle -A OUTPUT -p udp -i tap0 -d ! 0/0 --sport 5008 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 587 -j MARK --set-mark 1 # smtp
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 21 -j MARK --set-mark 2 # ftp
iptables -t mangle -A PREROUTING -i tap0 -p udp --dport 5008 -j MARK --set-mark 2 # VPN entrada link contil
iptables -t mangle -A PREROUTING -i tap0 -p udp --sport 5008 -j MARK --set-mark 2 # VPN saida pelo link contil
iptables -t mangle -A PREROUTING -i eth2 -p udp --sport 5008 -j MARK --set-mark 2 # VPN saida pelo link contil
iptables -t mangle -A PREROUTING -i eth2 -p udp --dport 5008 -j MARK --set-mark 2 # VPN
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 993 -j MARK --set-mark 1 # IMAPS
iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 995 -j MARK --set-mark 1 # POPS

#IPTABLES -A PREROUTING -t mangle -s 192.168.255.0/24 -d 0/0 --dport 25 -j MARK --set-mark 2
#iptables -A PREROUTING -t mangle -i eth0 -d 0/0 -j MARK --set-mark 1
echo "[ OK ]"

echo "Firewall configurado com sucesso .........[ OK ]"
######################Balançeamento de carga################################
# Link embratel
ip route add 172.17.24.250 dev eth0 src 172.17.24.251 table embratel
ip route add default via 172.17.24.250 table embratel
ip rule add fwmark 1 table embratel prio 10
# Link contil
ip route add 10.151.252.1 dev eth1 src 10.151.252.2 table contil
ip route add default via 10.151.252.1 table contil
ip rule add fwmark 2 table contil prio 20

# Link vpn
ip route add 192.168.255.0/24 dev tap0 src 10.151.252.2 table contil

# Colocando os links na tabela principal de roteamento
ip route add 172.17.24.250 dev eth0 src 172.17.24.251
ip route add 10.151.252.1 dev eth1 src 10.151.252.2
# regras das tabelas
ip rule add from 172.17.24.251 table embratel
ip rule add from 10.151.252.2 table contil
################## saida do voip pela embrate
#ip rule add from 172.17.24.7 table embratel
################# saida serpro pela embratel
#ip route add from 10.0.0.0/9 table embratel
route add -net 10.0.0.0/9 gw 172.17.24.250 #ADCIONA REDE 10 PARA SAIR ATRAVES DO 250

# balanceamento de link
ip rule add fwmark 3 lookup interna prio 3
ip route add default scope global nexthop via 10.151.252.1 dev eth1 weight 2 nexthop via 172.17.24.250 dev eth0 weight 1
ip route flush cache
##############################################################################################################################

1 0

Quote

2. Estou com um problema muito parecido

glmstz
(usa Debian)

Enviado em 12/08/2015 - 16:53h

Boa tarde.

Tinha apenas um link com uma VPN.
Agora tenho 2 links fazendo balanceamento de carga, a VPN conecta normal, "pinga" no gateway dela, mas não acessa a minha rede interna.

Segue abaixo o meu arquivo de rotas:



#!/bin/bash

 

# DEFINICAO DOS GATEWAYS

GW_LINK1=177.185.59.62

GW_LINK2=189.112.98.198



# PLACAS DE REDE

ETH_LINK1=eth2 

ETH_LINK2=eth0 

 

function start() {

  ip route flush cache



  ip rule add fwmark 1 prio 20 table link1

  ip rule add fwmark 2 prio 21 table link2



  ip route add default via $GW_LINK1 dev $ETH_LINK1 table link1

  ip route add default via $GW_LINK2 dev $ETH_LINK2 table link2



  route add default gw $GW_LINK1

  

  ip route flush cached



  echo "Tabela de roteamento criada [OK]"

}

 

function stop() {

  ip route flush cache



  ip rule del fwmark 1

  ip rule del fwmark 2



  ip route del default via $GW_LINK1 dev $ETH_LINK1 table link1

  ip route del default via $GW_LINK2 dev $ETH_LINK2 table link2



  route del default

  echo "Limpeza da tabela de roteamento concluida [OK]"

}

 

case $1 in

  'start') start; exit ;;

  'stop') stop; exit ;;

  'restart') stop; start; exit ;;

  *) echo "Utilizar: rotas stop|start|restart"; exit ;;

esac

Segue meu arquivo de firewall reduzido:



#!/bin/bash



# Carregando Rotas

/etc/init.d/rotas $1



# modprobe

MOD=$(which modprobe)



# iptables

IPT=$(which iptables)



# Interfaces de Rede

I_LINK1="eth2" 

I_LINK2="eth0" 

I_LAN="eth1"   



function stop() {

  # Limpa a tabela mangle

  $IPT -t mangle -F

  $IPT -t mangle -X

  $IPT -F

  $IPT -t nat -F

  $IPT -X

  $IPT -t filter -F



  echo "Firewall parado [OK]"

}



function start() {



### Módulos ###

for MODULOS in ip_conntrack ip_tables ip_conntrack_ftp ip_nat_ftp ipt_string

do

    modprobe $MODULOS

done



echo 1 > /proc/sys/net/ipv4/ip_forward



### Políticas ###

$IPT -P INPUT   DROP

$IPT -P FORWARD DROP

$IPT -P OUTPUT  ACCEPT



### INPUT ###

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i $I_LAN -s 192.168.0.0/24   -p icmp --icmp-type 8 -j ACCEPT

$IPT -A INPUT -i $I_LAN -s 192.168.0.0/24   -p tcp -m multiport --dport 80,3128         -j ACCEPT

$IPT -A INPUT -i $I_LAN -s 192.168.0.20/32  -p tcp -m multiport --dport 1322,3000,10000 -j ACCEPT 

$IPT -A INPUT -i $I_LAN -s 192.168.0.21/32  -p tcp -m multiport --dport 1322,3000,10000 -j ACCEPT 

$IPT -A INPUT -i $I_LINK1 -s 0/0 -p tcp --dport 8383 -j ACCEPT



# Protecao contra port scanners ocultos

$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT 

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Nmap-Xmas Scan: " --log-tcp-options --log-ip-options

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE        -j LOG --log-prefix "Nmap Null Scan: " --log-tcp-options --log-ip-options

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Syn/Rst Scan: "   --log-tcp-options --log-ip-options

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Syn/Fin Scan: "   --log-tcp-options --log-ip-options

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP 

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE        -j DROP

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP



# Protecoes contra ataques

$IPT -A INPUT -m state --state INVALID -j DROP



# Gerando LOG's de Backdoors

$IPT -A INPUT -p tcp --dport 21       -j LOG --log-prefix "Servico de FTP: "

$IPT -A INPUT -p tcp --dport 23       -j LOG --log-prefix "Servico de TELNET: "

$IPT -A INPUT -p tcp --dport 5042     -j LOG --log-prefix "Wincrash: "

$IPT -A INPUT -p tcp --dport 12345    -j LOG --log-prefix "BackOrifice: "

$IPT -A INPUT -p tcp --dport 12346    -j LOG --log-prefix "BackOrifice: "

$IPT -A INPUT -p tcp --dport 22       -j LOG --log-prefix "SSH-Log: "

$IPT -A INPUT -p icmp --icmp-type any -j LOG --log-prefix "PING: "



### FORWARD ###



# Dropando pacotes NEW sem syn

$IPT -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "

$IPT -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP



$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -o $I_LINK1 -p tcp --dport 443  -j ACCEPT

$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -o $I_LINK1 -p udp --dport 53   -j ACCEPT



# Office 365, Microsoft Online, Exchange

for ips_ms in `cat /root/scripts/firewall/microsoft.txt`; do $IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s 192.168.0.0/24 -d $ips_ms -j ACCEPT; done



# LIBERANDO FORWARD DA TUN0 PARA REDE MASK /25 - VPN

$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.4/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT 

$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.5/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT 

$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.6/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT 

$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.7/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT 

$IPT -A FORWARD -i tun0 -o $I_LAN -s 172.16.100.8/32 -d 192.168.0.0/24 -m state --state NEW -j ACCEPT 



# IPs livres (NAT)

$IPT -A FORWARD -i $I_LAN -o $I_LINK2 -s "192.168.0.2/32"   -d 0/0 -j ACCEPT 

$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.5/32"   -d 0/0 -j ACCEPT 

$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.3/32"   -d 0/0 -j ACCEPT 

$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.4/32"   -d 0/0 -j ACCEPT 



# Portais Fiscais

$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.0/24" -d portaltributario.com.br  -j ACCEPT

$IPT -A FORWARD -i $I_LAN -o $I_LINK1 -s "192.168.0.0/24" -d robertodiasduarte.com.br -j ACCEPT



### Acesso SEFAZ ###

SEFAZ=201.55.62.86

$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SEFAZ -p tcp --dport 443 -j ACCEPT



### Acesso SERPRO (At. Tab. SPED Contrib. e Entrega SPED) ###

SERPRO=200.198.239.0/24

$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SERPRO -p tcp --dport 80   -j ACCEPT

$IPT -A FORWARD -i $I_LAN -s 192.168.0.0/24 -d $SERPRO -p tcp --dport 3456 -j ACCEPT



# Liberando o TeamViewer

$IPT -t filter -A FORWARD -i $I_LAN -o $I_LINK1 -s 192.168.0.0/24 -p tcp --dport 5938 -j ACCEPT

$IPT -t filter -A FORWARD -i $I_LINK1 -o $I_LAN -p tcp --sport 5938 -j ACCEPT



# FORWARD via MAC ADDRESS

/root/scripts/firewall/macs_livres.sh



# Distribuindo os links para os Clientes

$IPT -t mangle -A PREROUTING -s 192.168.0.1/32 -i $I_LAN -j MARK --set-mark 1

$IPT -t mangle -A PREROUTING -s 192.168.0.2/32 -i $I_LAN -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.3-192.168.0.23   -i $I_LAN -j MARK --set-mark 1

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.24-192.168.0.28  -i $I_LAN -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.29-192.168.0.30  -i $I_LAN -j MARK --set-mark 1

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.31-192.168.0.34  -i $I_LAN -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.35-192.168.0.48  -i $I_LAN -j MARK --set-mark 1

$IPT -t mangle -A PREROUTING -s 192.168.0.49/32 -i $I_LAN -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.50-192.168.0.75  -i $I_LAN -j MARK --set-mark 1

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.76-192.168.0.77  -i $I_LAN -j MARK --set-mark 2

$IPT -t mangle -A PREROUTING -m iprange --src-range 192.168.0.78-192.168.0.254 -i $I_LAN -j MARK --set-mark 1



### NAT ###

$IPT -t nat -A POSTROUTING -s 192.168.0.1/32 -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -s 192.168.0.2/32 -o $I_LINK2 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.3-192.168.0.23   -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.24-192.168.0.28  -o $I_LINK2 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.29-192.168.0.30  -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.31-192.168.0.34  -o $I_LINK2 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.35-192.168.0.48  -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -s 192.168.0.49/32 -o $I_LINK2 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.50-192.168.0.75  -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.76-192.168.0.77  -o $I_LINK2 -j MASQUERADE

$IPT -t nat -A POSTROUTING -m iprange --src-range 192.168.0.78-192.168.0.254 -o $I_LINK1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -s 172.16.100.0/25 -o tun0 -j MASQUERADE



# OPENVPN

$IPT -A INPUT -p udp --dport 1194 -j ACCEPT

$IPT -A INPUT -i tun0 -s 172.16.100.5/32 -p icmp --icmp-type 8 -j ACCEPT

$IPT -A INPUT -i tun0 -s 172.16.100.5/32 -p tcp -m multiport --dport 1322,80,3128,10000 -j ACCEPT



echo "Firewall iniciado [OK]"

}



case $1 in

  'start') start; exit ;;

  'stop') stop; exit ;;

  'restart') stop; start; exit ;;

  *) echo "Utilizar: firewall.sh stop|start|restart"; exit ;;

esac

Alguém tem ideia do que posso fazer para a minha VPN voltar a acessar a minha rede interna?

Obrigado.

0 0

Quote

3. RESOLVIDO

glmstz
(usa Debian)

Enviado em 13/08/2015 - 11:18h

Bom dia.

Consegui resolver meu problema adicionando alguns comandos no meu arquivo de rotas conforme abaixo:



#!/bin/bash

 

# DEFINICAO DOS GATEWAYS

GW_LINK1=177.185.59.62

GW_LINK2=189.112.98.198

GW_VPN=172.16.100.1



# PLACAS DE REDE

ETH_LINK1=eth2 

ETH_LINK2=eth0

ETH_VPN=tun0

 

function start() {

  ip route flush cache



  ip rule add fwmark 1 prio 20 table link1

  ip rule add fwmark 2 prio 21 table link2



  ip route add default via $GW_LINK1 dev $ETH_LINK1 table link1

  ip route add default via $GW_LINK2 dev $ETH_LINK2 table link2



  ip route add 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link1

  ip route add 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link2



  route add default gw $GW_LINK1

  

  ip route flush cached



  echo "Tabela de roteamento criada [OK]"

}

 

function stop() {

  ip route flush cache



  ip rule del fwmark 1

  ip rule del fwmark 2



  ip route del default via $GW_LINK1 dev $ETH_LINK1 table link1

  ip route del default via $GW_LINK2 dev $ETH_LINK2 table link2



  ip route del 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link1

  ip route del 172.16.100.0/24 via $GW_VPN dev $ETH_VPN table link2



  route del default

  echo "Limpeza da tabela de roteamento concluida [OK]"

}

 

case $1 in

  'start') start; exit ;;

  'stop') stop; exit ;;

  'restart') stop; start; exit ;;

  *) echo "Utilizar: rotas stop|start|restart"; exit ;;

esac

Obrigado.

Abraço.

Att.,
Gustavo L. Moraes

1 0

Quote

4. Re: VPN + load balance

maillan
(usa Fedora)

Enviado em 04/10/2015 - 01:42h

vou testar isso na segunda...

2 0

Quote

5. Re: VPN + load balance

maillan
(usa Fedora)

Enviado em 19/10/2015 - 13:38h

não deu certo pra mim, vi q vc usa uma tabela de roteamento diferente da minha, tipo, vc rotea individualmente os links e cria uma rota default para o link q roda a VPN.
Mas no meu caso, eu uso uma rota dinamica e isso não estou conseguindo rodar a VPN.
tem alguma ideia de como resolve isso?
veja a regra de minha rota q esta no meu firewal la em cima:
ip route add default scope global nexthop via 10.151.252.1 dev eth1 weight 2 nexthop via 172.17.24.250 dev eth0 weight 1

MacMaillan

0 0

Quote