2 LAN, 2 WAN - how to set it up?

I have a request. I am dealing with a situation where, on a Turris Omnia:

on LAN0, LAN1 I have the home network 10.0.0.0/24
on LAN4 I have the network 10.90.90.0/24 connected to an L3 managed switch, where there are other networks as well (192.168.10.0/24, …)
on WAN (eth1) I have the uplink to the modem (IP 78.x.x.x assigned by UPC)
I would like to have a backup WAN on one of the free ports.

Could you please advise how to make LAN0, LAN1, LAN4 have access to the internet over WAN (and also over the backup connection), and how to make it possible to connect from 10.0.0.0/24 to 192.168.10.0/24? The switch (10.90.90.90) is configured with its default gateway set to 10.90.90.10, which should be the IP assigned to LAN4.

I am attaching the current configuration; from LAN0,1 I can reach WAN, but from LAN4 I cannot.

Thanks!
Martin

/etc/network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd87:c828:3270::/48'

config interface 'lan'
	option force_link '1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	option gateway '10.0.0.1'
	option _orig_ifname 'eth0 eth2 wlan0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0'
	option delegate '0'
	option type 'bridge'

config interface 'wan'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '78.x.x.x'
	option netmask '255.255.255.0'
	option gateway '78.x.x.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0t 1t 2t 4 6'

config interface 'svj'
	option enabled '1'
	option proto 'static'
	option ipaddr '10.90.90.10'
	option netmask '255.255.255.0'
	option bridge_empty '1'
	option gateway '10.90.90.90'
	option _orig_ifname 'eth2 svj_0'
	option _orig_bridge 'true'
	option delegate '0'
	option ifname 'eth2'

config route
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '10.90.90.90'
	option interface 'lan'

config route
	option target '192.168.0.0'
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '10.90.90.90'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '78.x.x.1'

/etc/firewall:
config rule
	option target 'ACCEPT'
	option src 'svj'
	option dest 'lan'
	option name 'cam'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'lan->svj'
	option src 'lan'
	option dest 'svj'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '0'
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option network 'wan wan6'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '25'
	option dest_ip '10.0.0.10'
	option dest_port '25'
	option name 'SMTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '110'
	option dest_ip '10.0.0.10'
	option dest_port '110'
	option name 'POP3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.10'
	option dest_port '53'
	option name 'DNS'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '10.0.0.10'
	option dest_port '80'
	option name 'HTTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '10.0.0.10'
	option dest_port '443'
	option name 'HTTPS'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '22'
	option dest_ip '10.0.0.10'
	option dest_port '22'
	option name 'SSH'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1194'
	option dest_ip '10.0.0.10'
	option dest_port '1194'
	option name 'OpenVPN'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '161'
	option dest_ip '10.0.0.10'
	option dest_port '161'
	option name 'SNMP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '162'
	option dest_ip '10.0.0.10'
	option dest_port '162'
	option name 'SNMPv2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8443'
	option dest_ip '10.0.0.10'
	option dest_port '8443'
	option name 'ISIR'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'svj'
	option forward 'ACCEPT'
	option network 'svj'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'svj'

config forwarding
	option dest 'wan'
	option src 'svj'

config forwarding
	option dest 'svj'
	option src 'lan'

config forwarding
	option dest 'svj'
	option src 'wan'
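
An added consistency check, not part of the original post: it parses UCI network text and flags static routes whose gateway does not lie in the subnet of the interface they are bound to. `parse_uci` and `misbound_routes` are hypothetical helper names, and `SAMPLE` is an excerpt constructed from the configuration posted above.

```python
import ipaddress
import shlex

# Constructed excerpt of the posted network config: two interfaces, one static route.
SAMPLE = """
config interface 'lan'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

config interface 'svj'
	option ipaddr '10.90.90.10'
	option netmask '255.255.255.0'

config route
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '10.90.90.90'
	option interface 'lan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (type, name, options) sections."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def misbound_routes(text):
    """Return (target, gateway, bound_iface, on_link_iface) for off-link gateways."""
    secs = parse_uci(text)
    nets = {}
    for kind, name, o in secs:
        if kind == "interface" and "ipaddr" in o and "netmask" in o:
            nets[name] = ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
    findings = []
    for kind, _, o in secs:
        if kind != "route" or "gateway" not in o:
            continue
        gw = ipaddress.ip_address(o["gateway"])
        bound = o.get("interface")
        if bound in nets and gw not in nets[bound]:
            # Name the interface whose subnet does contain the gateway, if any.
            on_link = next((n for n, net in nets.items() if gw in net), None)
            findings.append((o["target"], o["gateway"], bound, on_link))
    return findings
```

On the excerpt, the route to 192.168.10.0 is reported as bound to `lan` while its gateway 10.90.90.90 sits in the subnet of `svj`.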