This may already have been asked, but I don't know what this is called or what search terms to use.
(This answer seems to be what I need, but I'm not sure.)
I have a WRT1900ACS running OpenWrt 23.05 with five LAN subnets:

- `lan`: 10.1.0.0/19
- `net1`: 10.1.15.0/28
- `net2`: 10.1.20.0/27
- `net3`: 10.1.25.0/27
- `net4`: 10.1.25.28/30
I wanted the `net1` - `net4` subnets to be sanely numbered, which is why the CIDR of `lan` is /19: my understanding (possibly incorrect) was that if `lan` is given a subnet mask that encompasses the `net3` - `net4` subnets, and `net3` is given a mask that encompasses `net4`, I would be able to reach devices on them from devices on `lan` and from devices on `net3`:
- PC [`lan`] → AirPlay server [`net3`]
- PC [`lan`] → Printer [`net4`]
- PC [`net3`] → Printer [`net4`]
What I have tried in the firewall, separately and together (commented out in the firewall config below):

- allowing inter-zone forwarding
- specifying individual inter-zone forwarding rules

Configuration:
`/etc/config/network`:

```
# ##::[[--- OpenWrt WAN Network Config ---]]::##
# ===========================================================
##----- Global -----##
# ===========================================================
# https://jodies.de/ipcalc?host=10.0.0.1&mask1=19&mask2=
# ===========================================================
##----- Active Networks w/ WAN -----##
# ===========================================================
# Loopback #
# -----------------------------------------------------------
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

# ===========================================================
# vLAN: WAN #
# -----------------------------------------------------------
config device
	option name 'wan'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'

# ===========================================================
# vLAN: LAN #
# -----------------------------------------------------------
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option force_link 1
	option ip6assign 60
	option broadcast 10.1.31.255
	option ipaddr 10.1.0.1
	option netmask 255.255.224.0

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config interface 'net1'
	option ifname 'net1'
	option type 'bridge'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.15.15
	option delegate 0
	option ipaddr 10.1.15.1
	option netmask 255.255.255.240

# vLAN: net2 #
# -----------------------------------------------------------
config device
	option name 'br-net2'
	option type 'bridge'
	list ports 'lan2'

# This section was named 'net3' in the posted file, duplicating the
# net3 section below; 'net2' is the name the firewall zone and the
# dhcp section refer to.
config interface 'net2'
	option device 'br-net2'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.20.31
	option ipaddr 10.1.20.1
	option netmask 255.255.255.224

# vLAN: net3 #
# -----------------------------------------------------------
config device
	option name 'br-net3'
	option type 'bridge'
	list ports 'lan3'

config interface 'net3'
	option device 'br-net3'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.25.31
	option ipaddr 10.1.25.1
	option netmask 255.255.255.224

# vLAN: net4 #
# -----------------------------------------------------------
config interface 'net4'
	option ifname 'net4'
	option type 'bridge'
	option proto 'static'
	option broadcast 10.1.25.31
	option delegate 0
	option ipaddr 10.1.25.29
	option netmask 255.255.255.252
```
`/etc/config/firewall`:

```
# ##::[[--- OpenWrt WAN Firewall Config ---]]::##
# ===========================================================
##----- Scripts -----##
# ===========================================================
config include
	option path '/etc/firewall.user'

# ===========================================================
##----- Default Zone -----##
# ===========================================================
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option log_limit '10/second'
	option custom_chains 1
	option drop_invalid 1
	option log 1
	option synflood_protect 1
	option tcp_syncookies 1
	option tcp_window_scaling 1

# ===========================================================
##----- NAT Redirects -----##
# ===========================================================
# SSH #
# -----------------------------------------------------------

# ===========================================================
##----- Zones -----##
# ===========================================================
# WAN #
# -----------------------------------------------------------
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq 1
	option mtu_fix 1

# ===========================================================
# LAN #
# -----------------------------------------------------------
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

# Note: in OpenWrt's firewall a rule that sets 'dest' (including '*')
# applies to forwarded traffic; a rule aimed at the router itself
# (input chain) omits 'dest'.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'lan'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow LAN → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'lan'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → LAN (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'lan'
	option dest '*'
	option dest_port '53'
	option name 'Allow LAN → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'lan'
	option dest '*'
	option name 'Allow LAN → WRT1900ACS (ICMP)'

config rule
	option target 'ACCEPT'
	option proto 'all'
	option src 'lan'
	option dest '*'
	option name 'Allow LAN → WRT1900ACS'

# config rule
# 	option target 'ACCEPT'
# 	option proto 'all'
# 	option src 'lan'
# 	option dest 'net3'
# 	option name 'Allow LAN → net3'

# ===========================================================
##----- Rules -----##
# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config zone
	option name 'net1'
	list network 'net1'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net1'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net1 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net1'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net1 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net1'
	option dest '*'
	option dest_port '53'
	option name 'Allow net1 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net1'
	option dest '*'
	option name 'Allow net1 → WRT1900ACS (ICMP)'

config rule
	option target 'DROP'
	option proto 'all'
	option src 'net1'
	option dest '*'
	option dest_ip '10.1.15.15'
	option name 'Drop net1 → WRT1900ACS (Broadcast)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'lan'
	option name 'Reject net1 → LAN'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net2'
	option name 'Reject net1 → net2'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net3'
	option name 'Reject net1 → net3'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net4'
	option name 'Reject net1 → net4'

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config zone
	option name 'net2'
	list network 'net2'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net2'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net2 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net2'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net2 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net2'
	option dest '*'
	option dest_port '53'
	option name 'Allow net2 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net2'
	option dest '*'
	option name 'Allow net2 → WRT1900ACS (ICMP)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net2'
	option dest 'net1'
	option name 'Reject net2 → net1'

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config zone
	option name 'net3'
	list network 'net3'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net3'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net3 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net3'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net3 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net3'
	option dest '*'
	option dest_port '53'
	option name 'Allow net3 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net3'
	option dest '*'
	option name 'Allow net3 → WRT1900ACS (ICMP)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net3'
	option dest 'lan'
	option name 'Reject net3 → LAN'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net3'
	option dest 'net1'
	option name 'Reject net3 → net1'

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
config zone
	option name 'net4'
	list network 'net4'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net4'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net4 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net4'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net4 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net4'
	option dest '*'
	option dest_port '53'
	option name 'Allow net4 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net4'
	option dest '*'
	option name 'Allow net4 → WRT1900ACS (ICMP)'

# ===========================================================
##----- Interzone Forwarding -----##
# ===========================================================
# vLAN: LAN #
# -----------------------------------------------------------
config forwarding
	option src 'lan'
	option dest 'wan'

# config forwarding
# 	option src 'lan'
# 	option dest 'net3'

# config forwarding
# 	option src 'lan'
# 	option dest 'net4'

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config forwarding
	option src 'net1'
	option dest 'wan'

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config forwarding
	option src 'net2'
	option dest 'wan'

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config forwarding
	option src 'net3'
	option dest 'wan'

# config forwarding
# 	option src 'net3'
# 	option dest 'net4'

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
# config forwarding
# 	option src 'net4'
# 	option dest 'lan'

# config forwarding
# 	option src 'net4'
# 	option dest 'net3'
```
`/etc/config/dhcp`:

```
# ##::[[--- OpenWrt WAN DHCP Config ---]]::##
# ===========================================================
##----- IPv4 DNS Server -----##
# ===========================================================
# DNS Masq #
# -----------------------------------------------------------
config dnsmasq
	option domain 'WRT'
	option configdir '/tmp/dnsmasq.d'
	option local '/lan/'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max 1232
	option authoritative 1
	option boguspriv 1
	option domainneeded 1
	option cachesize 1000
	option expandhosts 1
	option filter_aaaa 0
	option filter_a 0
	option filterwin2k 1
	option localise_queries 1
	option localservice 1
	option logqueries 0
	option nonegcache 0
	option nonwildcard 1
	option quietdhcp 1
	option readethers 1
	option rebind_localhost 1
	option rebind_protection 1
	option sequential_ip 1

# ===========================================================
##----- IPv6 DNS Server -----##
# ===========================================================
# oDHCPd #
# -----------------------------------------------------------
config odhcpd 'odhcpd'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel 4
	option maindhcp 0

# ===========================================================
##----- DHCP Settings -----##
# ===========================================================
# WAN #
# -----------------------------------------------------------
config dhcp 'wan'
	option interface 'wan'
	option ignore 1

# ===========================================================
# VLAN: LAN #
# -----------------------------------------------------------
config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option leasetime '24h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force 1
	option limit 1
	option ra_management 1
	option ra_slaac 1
	option start 21

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config dhcp 'net1'
	option interface 'net1'
	option leasetime '24h'
	option force 1
	option limit 12
	option start 3

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config dhcp 'net2'
	option interface 'net2'
	option leasetime '24h'
	option force 1
	option limit 12
	option start 2

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config dhcp 'net3'
	option interface 'net3'
	option leasetime '24h'
	option force 1
	option limit 1
	option start 25

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
config dhcp 'net4'
	option interface 'net4'
	option leasetime '24h'
	option force 1
	option limit 1
	option start 30

# Static IPs #
# -----------------------------------------------------------
```
No, that's the exact opposite of what you want; subnets should never overlap in any way. Don't think of `lan` as a "parent" of other subnets. (Routes can overlap though; it's still valid to have a single /19 or /16 route 'via some other gateway' that encompasses all subnets.)

Subnets are connected only through the router; in order for hosts from subnet A to access anything in subnet B, they must go through the router (i.e. send packets to the router's MAC address).
But if the subnets overlap, then hosts in subnet A will think that the destination (belonging to subnet B) is in the same subnet as them (i.e. looking as if it's part of subnet A) – and same-subnet hosts by definition are accessible without going through the gateway, in general.
So the source host will instead try to make ARP queries for the destination IP directly, coming up with nothing – well, unless the router had proxy-ARP enabled (which is normally not enabled; I think only ancient Cisco IOS defaulted to enabling it).
It doesn't matter that the router knows the correct routes (`10.1.15.0/28 via net1` will take priority over `10.1.0.0/17 via lan`) if the packets never make it to the router to begin with.

That aside, this doesn't quite look "sanely numbered" in general. With only five subnets, you have plenty of space to make all of them nice round /24's; there is no need to squeeze them to the smallest possible size – there is exactly zero difference in performance between a /16 with five hosts and a /29 with five hosts.
Also, as I recall, AirPlay was strongly reliant on mDNS-based auto-discovery, which does not work across subnets unless the router has a repeater specifically for that. (Regular IP routing won't do it, not even multicast routing.) For OpenWrt, umdns seems to do this; for general Linux, avahi-daemon can act as a relay.
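The argument in the answer, worked through with the addresses from the question, as an added example that is not part of the original question or answer. It models the sending host's on-link decision (the step that actually fails when subnets overlap), the router's longest-prefix match (correct, but never consulted if the frame never reaches the router), and an overlap check for an address plan. The `/24` renumbering used for comparison is an assumption chosen to illustrate the answer's advice, not something stated on the page; only the Python standard library is used.

```python
"""Host view vs. router view of overlapping subnets (added example)."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Subnets exactly as posted in the question: lan is a /19 that encloses
# the other four, and net4 is carved out of net3.
POSTED = {
    "lan":  ip_network("10.1.0.0/19"),
    "net1": ip_network("10.1.15.0/28"),
    "net2": ip_network("10.1.20.0/27"),
    "net3": ip_network("10.1.25.0/27"),
    "net4": ip_network("10.1.25.28/30"),
}

# A non-overlapping plan of round /24s in the spirit of the answer.
# These exact prefixes are an assumption for illustration, not from the page.
ROUND_24S = {
    "lan":  ip_network("10.1.0.0/24"),
    "net1": ip_network("10.1.1.0/24"),
    "net2": ip_network("10.1.2.0/24"),
    "net3": ip_network("10.1.3.0/24"),
    "net4": ip_network("10.1.4.0/24"),
}


def overlapping_pairs(plan):
    """Names of every pair of subnets in `plan` that share at least one address."""
    return sorted(
        (a, b)
        for a, b in combinations(sorted(plan), 2)
        if plan[a].overlaps(plan[b])
    )


def host_next_hop(host_iface, dst):
    """What a host configured with `host_iface` (e.g. '10.1.0.50/19') does
    with a packet for `dst`: ARP for it directly ('on-link') or hand the
    frame to its default gateway ('gateway'). Proxy ARP is assumed off,
    which is the OpenWrt default."""
    on_link_net = ip_network(host_iface, strict=False)
    return "on-link" if ip_address(dst) in on_link_net else "gateway"


def router_lpm(routes, dst):
    """The router's longest-prefix match over its connected routes: the
    name of the interface `dst` would be forwarded out of, or None."""
    dst = ip_address(dst)
    matches = [name for name, net in routes.items() if dst in net]
    return max(matches, key=lambda n: routes[n].prefixlen, default=None)


def reachable_via_router(src_iface, dst_iface):
    """True only if both the request and the reply are handed to the
    gateway. If either end believes the other is on-link, that direction's
    ARP request goes unanswered and the flow fails, regardless of how
    correct the router's own routing table is."""
    src_ip, dst_ip = src_iface.split("/")[0], dst_iface.split("/")[0]
    return (host_next_hop(src_iface, dst_ip) == "gateway"
            and host_next_hop(dst_iface, src_ip) == "gateway")


if __name__ == "__main__":
    print("overlaps in posted plan:", overlapping_pairs(POSTED))
    print("overlaps in /24 plan:   ", overlapping_pairs(ROUND_24S))

    # PC on lan (carrying the posted /19) talking to the AirPlay server on net3
    pc, airplay = "10.1.0.50/19", "10.1.25.5/27"
    print("PC -> AirPlay, host decision:", host_next_hop(pc, "10.1.25.5"))
    print("PC -> AirPlay, router LPM:   ", router_lpm(POSTED, "10.1.25.5"))
    print("PC <-> AirPlay works:        ", reachable_via_router(pc, airplay))

    # PC on net3 (/27) talking to the printer on net4 (/30 inside that /27):
    # the printer would reply via the gateway, but the PC never asks it to.
    print("net3 PC <-> net4 printer:    ",
          reachable_via_router("10.1.25.5/27", "10.1.25.29/30"))

    # The same pairs renumbered into disjoint /24s
    print("PC <-> AirPlay works (/24s): ",
          reachable_via_router("10.1.0.50/24", "10.1.3.5/24"))
```

Running it shows the asymmetry the answer describes: the router's longest-prefix match already picks `net3` or `net4` for every destination, but the `/19` PC and the `/27` PC classify those destinations as on-link and never send the frame to the router. With disjoint `/24`s both directions go via the gateway, and reachability then depends only on the firewall's forwarding policy.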