🔗 在 FreeBSD 路由器上策略路由 Web 流量

🔗 目录

本示例概述了如何配置 FreeBSD 路由器以策略路由流量（此处为 Web 流量）到使用 tproxy 模式的 Squid 代理。

🔗 pf 示例规则

“no state” 对于逐个数据包的重路由决策非常重要。

ext_if = "em0"
int_if = "em2"
proxy_if = "em1"
lan_net = "192.168.12.0/24"
proxy1 = "192.168.11.1"
proxy_net = "192.168.11.0/24"
upstream_router= "192.168.15.254"

pass in quick on $ext_if route-to ($proxy_if $proxy1) proto tcp from any port 80 to $lan_net no state
pass in quick on $int_if route-to ($proxy_if $proxy1) proto tcp from $lan_net to any port 80 no state

🔗 路由器 rc.conf 示例

hostname="edge1"
ifconfig_em0="inet 192.168.15.1 netmask 255.255.255.0"
defaultrouter="192.168.15.254"
ifconfig_em1="inet 192.168.11.254 netmask 255.255.255.0"
ifconfig_em2="inet 192.168.12.254 netmask 255.255.255.0"
ifconfig_em3="inet 192.168.13.254 netmask 255.255.255.0"

gateway_enable="YES"
sshd_enable="YES"
pflog_enable="YES"
pf_enable="YES"
##PF default rules file is: /etc/pf.conf

dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_withumasl="022"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

🔗 FreeBSD Virtio 网卡驱动问题

由于未知原因，FreeBSD virtio 网卡驱动在路由时会创建无效的数据包。为了防止这种损坏发生，需要禁用两个接口选项

• rxcsum
• txcsum

我编写了一个小型启动脚本来禁用 vtnet (virtio) 设备的这些选项。

#!/bin/sh

. /etc/rc.subr

name="vtnet"
rcvar=vtnet_enable
start_cmd="${name}_start"
stop_cmd=":"

vtnet_start()
{
        echo "VTNET started."
        ifconfig |grep "^vtnet"|awk '{print $1}'|sed s/\://g |xargs -n1 |       while read INTERFACE
        do
                ifconfig $INTERFACE -rxcsum
                ifconfig $INTERFACE -txcsum
        done

}

load_rc_config $name
run_rc_command "$1"

🔗 OpenBSD 上的类似配置

🔗 PF 规则

ext_if = "em0"
int_if = "em2"
proxy_if = "em1"
lan_net = "192.168.12.0/24"
proxy1 = "192.168.11.2"
proxy_net = "192.168.11.0/24"
upstream_router= "192.168.15.254"

pass in quick on $int_if proto tcp from $lan_net to any port 80 route-to ($proxy_if $proxy1) no state
pass in quick on $ext_if proto tcp from any port 80 to $lan_net route-to ($proxy_if $proxy1) no state

路由器模式的附加设置

sysctl -w net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
sysctl -w net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

🔗 OpenBSD Virtio 网卡驱动问题

与 FreeBSD 类似，OpenBSD 的 virtio 驱动程序也存在问题，会导致数据包损坏。

我将尝试联系 OpenBSD 邮件列表，看看是否可以做些什么。

我已经在 IRC 频道上联系了某人，在测试了最新的（2015/08/27）current（5.8）版本后，问题似乎得到了解决，数据包不再是畸形的。

---

⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.

类别： ConfigExample

导航：站点搜索、站点页面、分类、🔼 向上