1 (edited by WMP 2020-03-18 21:10:55)

Topic: Routing from the LAN to a VLAN

Hi, I have a LAN and a VLAN called Automatyka (automation). That automation VLAN is not supposed to have internet access. From the LAN I want to be able to connect to devices on the automation network, i.e. ICMP, TCP, UDP. I don't know why, but ping doesn't get through when I have a computer on the LAN and a phone on the Automatyka network. When both devices are on the same network, the phone replies to pings.

When I set everything in the global firewall settings to allow, it doesn't work either.

https://i.imgur.com/nk1W4Mf.png

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'Automatyka'
        option name 'automatyka'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option network 'kamery'
        option forward 'REJECT'
        option name 'kamery'
        option output 'ACCEPT'
        option input 'ACCEPT'

config forwarding
        option dest 'kamery'
        option src 'lan'

config forwarding
        option dest 'automatyka'
        option src 'lan'

2

Re: Routing from the LAN to a VLAN

With settings like the ones you showed, a client on the LAN can ping a device on the automatyka network, I just checked:

$ ping 192.168.12.109
PING 192.168.12.109 (192.168.12.109) 56(84) bytes of data.
64 bytes from 192.168.12.109: icmp_seq=1 ttl=63 time=448 ms
64 bytes from 192.168.12.109: icmp_seq=2 ttl=63 time=10.8 ms
64 bytes from 192.168.12.109: icmp_seq=3 ttl=63 time=8.36 ms

config zone
        option network 'automatyka'
        option name 'automatyka'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'

config forwarding
        option dest 'automatyka'
        option src 'lan'

config interface 'automatyka'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.12.1'

config dhcp 'automatyka'
    option interface 'automatyka'
    option start '100'
    option limit '150'
    option leasetime '12h'

So the fact that it doesn't ping is either caused by a client configuration error (e.g. no gateway set) or the client has ping replies blocked. Set up tcpdump and see which packets go through and which ones never show up.

Got a router you don't need, broken or not? I'll gladly take it in.

3 (edited by WMP 2020-03-18 21:59:11)

Re: Routing from the LAN to a VLAN

root@Archer-C5-V4:/tmp# tcpdump  -i any icmp and  host 192.168.1.233 or host 192.168.123.122 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:42:07.037520 ethertype IPv4, IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 63, length 64
06:42:07.037520 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 63, length 64
06:42:07.037520 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 63, length 64
06:42:07.038480 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:07.038520 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:07.038560 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:07.038580 ethertype ARP, ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:08.065560 ethertype IPv4, IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 64, length 64
06:42:08.065560 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 64, length 64
06:42:08.065560 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 64, length 64
06:42:09.085500 ethertype IPv4, IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 65, length 64
06:42:09.085500 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 65, length 64
06:42:09.085500 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 65, length 64
06:42:09.085680 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:09.085700 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:09.085740 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:09.085760 ethertype ARP, ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:10.109500 ethertype IPv4, IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 66, length 64
06:42:10.109500 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 66, length 64
06:42:10.109500 IP 192.168.1.233 > 192.168.123.122: ICMP echo request, id 4296, seq 66, length 64
06:42:10.158420 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:10.158460 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:10.158500 ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:10.158520 ethertype ARP, ARP, Request who-has 192.168.123.122 tell 192.168.123.64, length 28
06:42:10.749680 IP 192.168.1.1 > 192.168.1.233: ICMP net 172.17.3.251 unreachable, length 68
06:42:10.749720 IP 192.168.1.1 > 192.168.1.233: ICMP net 172.17.3.251 unreachable, length 68

I'm pinging from 192.168.1.233 to 192.168.123.122. So that nobody says my phone doesn't answer pings, I plugged a computer into 192.168.123.64/26:

root@Archer-C5-V4:/tmp# tcpdump  -i any icmp and  host 192.168.123.123 or host 192.168.123.122 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:46:04.685560 IP 192.168.123.122 > 192.168.123.123: ICMP echo reply, id 4296, seq 296, length 64
06:46:04.685620 IP 192.168.123.122 > 192.168.123.123: ICMP echo reply, id 4296, seq 296, length 64
06:46:05.492520 IP 192.168.123.123 > 192.168.123.122: ICMP echo request, id 4296, seq 297, length 64
06:46:05.492580 IP 192.168.123.123 > 192.168.123.122: ICMP echo request, id 4296, seq 297, length 64

/etc/config/network config:

root@Archer-C5-V4:/tmp# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9b:80bf:9e8c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'b0:be:76:02:68:15'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '7t 1t 0'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '7t 1t 4'

config switch_vlan
        option device 'switch1'
        option vlan '3'
        option ports '7t 1t'

config switch_vlan
        option device 'switch1'
        option vlan '4'
        option ports '7t 1t'

config switch_vlan
        option device 'switch1'
        option vlan '5'
        option ports '7t 1t'

config interface 'kamery'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '192.168.123.16'
        option netmask '255.255.255.240'

config interface 'Automatyka'
        option ifname 'eth0.4'
        option proto 'static'
        option netmask '255.255.255.192'
        option delegate '0'
        option ipaddr '192.168.123.64'
        option type 'bridge'

And the switch config too:
https://i.imgur.com/F4JIGYA.png

4

Re: Routing from the LAN to a VLAN

WMP wrote:

...
/etc/config/network config:

root@Archer-C5-V4:/tmp# cat /etc/config/network 

...

config interface 'Automatyka'
        option ifname 'eth0.4'
        option proto 'static'
        option netmask '255.255.255.192'
        option delegate '0'
        option ipaddr '192.168.123.64'
        option type 'bridge'

...

Networking basics say hello :)
The address 192.168.123.64 with a /26 mask is the NETWORK address, not a HOST address.
The router should have an address of at least 192.168.123.65.

Xiaomi AX3000T @ Netgear R6220
* DVBT2 - T230C *
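Added example, not code from the thread: a small Python check that parses `config interface` sections in the UCI format posted above and flags any static IPv4 address that is the network or broadcast address of its own subnet, which is exactly the mistake reply 4 points out. The sample config is a trimmed copy of the posted fragment; run over it, the check flags 'Automatyka' (first usable host 192.168.123.65) and, by the same arithmetic, 'kamery' (192.168.123.16/28 is also a network address).

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the /etc/config/network fragment posted in the thread.
SAMPLE_NETWORK_CONFIG = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'kamery'
        option proto 'static'
        option ipaddr '192.168.123.16'
        option netmask '255.255.255.240'

config interface 'Automatyka'
        option proto 'static'
        option netmask '255.255.255.192'
        option ipaddr '192.168.123.64'
"""

def parse_uci_interfaces(text):
    """Return {section_name: {option: value}} for every 'config interface' section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"config\s+interface\s+'([^']+)'", line)
        if head:
            current = sections[head.group(1)] = {}
            continue
        opt = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if opt and current is not None:
            current[opt.group(1)] = opt.group(2)
    return sections

def check_static_addresses(sections):
    """Flag static IPv4 interfaces whose ipaddr is the network or broadcast address of their subnet."""
    problems = {}
    for name, opts in sections.items():
        if opts.get("proto") != "static" or not all(k in opts for k in ("ipaddr", "netmask")):
            continue
        # ipaddress accepts a dotted netmask and derives the prefix length (/26 for 255.255.255.192)
        iface = ipaddress.IPv4Interface(f"{opts['ipaddr']}/{opts['netmask']}")
        net = iface.network
        if iface.ip == net.network_address:
            problems[name] = f"{iface} is the network address of {net}; first usable host is {net[1]}"
        elif iface.ip == net.broadcast_address:
            problems[name] = f"{iface} is the broadcast address of {net}; last usable host is {net[-2]}"
    return problems
```

Feeding it the real file (`cat /etc/config/network`) instead of the sample catches this class of typo before a tcpdump session does.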

5

Re: Routing from the LAN to a VLAN

And I kneel before them :) Thank you! I was already debugging the switch driver...