我需要帮助重新路由在并行上运行的 ubuntu 虚拟机上的流量，将隧道 URL 连接到同一台 ubuntu 机器上的端口 1111，端口 443 的流量通过隧道 URL 转发。成功后，1111 处的服务器应将请求转发到隧道 URL。出于某种原因，当我尝试使用 iptables 和 HAProxy 时，它不起作用

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:    20.04
Codename:   focal

对于IPTables

我已经尝试设置ip_forward config flag to 1如果这就是你所说的。

我尝试将预路由配置设置为以下内容：

sudo iptables -t nat -A PREROUTING -p tcp -d rnqhc-adas-ads-ed01-cb00-sada-asdds-asdd-iii.a.free.pinggy.link --dport 443 -j DNAT --to-destination 127.0.0.1:1111

Then I've masqueraded it.

并补充说

sudo iptables -t nat -A OUTPUT -p tcp --dport 443 -d rnqhc-adas-ads-ed01-cb00-sada-asdds-asdd-iii.a.free.pinggy.link -j ACCEPT

我也看到了以下答案： IPTables 重新路由流量不起作用 ，但它没有帮助。

对于HAProxy，我尝试过：

frontend https_front
    bind *:443 ssl crt /home/devhouse/Developer/mycert_combined.pem
    acl host_mydomain hdr(host) rnqhc-adas-ads-ed01-cb00-sada-asdds-asdd-iii.a.free.pinggy.link
    use_backend my_backend if host_mydomain

backend my_backend
    server local_proxy 127.0.0.1:1111

我觉得我错过了什么

我有一个 Ubuntu 24.04.1 LTS 服务器，运行 Strongswan。

我后来了解到，它的防火墙使用的是 nftables 而不是 iptables。

在设置 VPN 时，我可以连接客户端，但无法通过 IP 地址访问互联网上的主机，也无法解析名称。

我想我遗漏了一些转发规则，但我不确定如何以 nft 格式翻译/应用它们。

我需要应用什么规则才能让 IPV4 和 IPV6 为客户端服务？

下面的配置源自 wireguard 指南，我对其进行了修改，以包括机器上的其他服务。我找到了一些 openwrt 和 strongswan 的参考资料，并尝试将其翻译出来，但我认为我还没有达到标准。我很感激任何建议。

谢谢。

我添加了这些内容是为了尝试传递 ipsec 流量

链式预路由

 meta ipsec exists ip saddr $IKE_NETS counter accept

链入站世界

    meta l4proto ah accept
    meta l4proto esp accept

/etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

define DEV_WG = wg0
define DEV_OVPN = tun0
define DEV_VPN = { $DEV_WG, $DEV_OVPN }
define DEV_WORLD = eth0
define IP_OVPN = 10.8.0.0/24
define IP_WORLD_V4 = public_v4_ip
define IP_WORLD_V6 = public_v6_ip
define PORT_IKE = { 500, 4500 }
define PORT_WG = 51820
define PORT_OVPN = 1194
define PORT_VPN = { $PORT_IKE, $PORT_WG, $PORT_OVPN  }
define DEV_LOCAL_NETS = { $DEV_VPN }
define DEV_OUT_NETS = { $DEV_WORLD }
#define IKE_NETS = { 172.16.252.0/24, fd5a:4c1f:8d73:f583::/64 } <- did not like the Ipv6 address
define IKE_NETS = { 172.16.252.0/24 }


# `inet` applies to both IPv4 and IPv6.
table inet global {
    map port_forwards_tcp_ipv4 {
        type ipv4_addr . inet_service : ipv4_addr . inet_service
        # lets forward port for our torrent. Our 12345 to 12345 on 172.16.0.2
        elements = { $IP_WORLD_V4 . 12345 : 172.16.0.2 . 12345 }
    }

    map port_forwards_tcp_ipv6 {
        type ipv6_addr . inet_service : ipv6_addr . inet_service
        # lets forward port for our torrent. Our 12345 to 12345 on fdf5:6028:947d:1234::2
        elements = { $IP_WORLD_V6 . 12345 : [fdf5:6028:947d:1234::2] . 12345}
    }

    map port_forwards_udp_ipv4 {
        type ipv4_addr . inet_service : ipv4_addr . inet_service
        # lets forward port for our torrent. Our 12345 to 12345 on 172.16.0.2
        elements = { $IP_WORLD_V4 . 12345 : 172.16.0.2 . 12345 }
    }

    map port_forwards_udp_ipv6 {
        type ipv6_addr . inet_service : ipv6_addr . inet_service
        # lets forward port for our torrent. Our 12345 to 12345 on fdf5:6028:947d:1234::2
        elements = { $IP_WORLD_V6 . 12345 : [fdf5:6028:947d:1234::2] . 12345}
    }

    chain inbound_world {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        # However, it also lets probes discover this host is alive.
        # This sample accepts them within a certain rate limit:
        #
        # icmp type echo-request limit rate 5/second accept

        # Allow IPv6 configuration packets
        icmpv6 type {nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit, 
             nd-router-advert,mld-listener-query,destination-unreachable,
             packet-too-big,time-exceeded,parameter-problem} accept

        # allow SSH
        tcp dport { 22 } accept

        # http, https
        tcp dport 80 accept
        tcp dport 443 accept

        # smtp, submission, smtps
        tcp dport 25 accept
        tcp dport 587 accept
        tcp dport 465 accept

        # pop3, pop3s
        tcp dport 110 accept
        tcp dport 995 accept

        # imap, imaps
        tcp dport 143 accept
        tcp dport 993 accept

       # allow VPN connection
    udp dport { $PORT_VPN } accept

    meta l4proto ah accept
    meta l4proto esp accept
    }

    chain inbound_vpn {
        # accepting ping (icmp-echo-request) for diagnostic purposes.
        icmp type echo-request limit rate 5/second accept

        # Allow IPv6 configuration packets
        icmpv6 type {nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,
             nd-router-advert,mld-listener-query,destination-unreachable,
             packet-too-big,time-exceeded,parameter-problem} accept

        # allow DNS and SSH from the private network
        tcp dport { 22, 53 } accept
        udp dport { 53 } accept
    }

    chain inbound {
        # drop all traffic by default
        type filter hook input priority filter; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow dnat (port forwarding)
        ct status dnat accept

        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_VPN : jump inbound_vpn}

        # the rest is dropped by the above policy
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow port forwarding
        ct status dnat accept

        # connections from the internal nets to the out nets are allowed
        iifname $DEV_LOCAL_NETS oifname $DEV_OUT_NETS accept
        # the rest is dropped by the above policy
        meta ipsec exists ip saddr $IKE_NETS counter accept


    }

    chain prerouting {
       type nat hook prerouting priority dstnat; policy accept;
       dnat ip addr . port to ip daddr . tcp dport map @port_forwards_tcp_ipv4
       dnat ip6 addr . port to ip6 daddr . tcp dport map @port_forwards_tcp_ipv6
       dnat ip addr . port to ip daddr . udp dport map @port_forwards_udp_ipv4
       dnat ip6 addr . port to ip6 daddr . udp dport map @port_forwards_udp_ipv6
       meta ipsec exists ip saddr $IKE_NETS counter accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide IPs from local nets to the internet.
        # We are using SNAT because we have static IP and it wil work faster than MASQUERADE
        iifname $DEV_LOCAL_NETS oifname $DEV_WORLD snat ip to $IP_WORLD_V4
        iifname $DEV_LOCAL_NETS oifname $DEV_WORLD snat ip6 to $IP_WORLD_V6
    }
}

Strongswan 泳池：

pools {
    primary-pool-ipv4 {
        addrs = 172.16.252.0/24
        dns = 172.16.252.1, 8.8.8.8, 9.9.9.9
        split_exclude = 172.16.0.0/12
    }
    primary-pool-ipv6 {
        addrs = fd5a:4c1f:8d73:f583::/64
    dns = 2620:fe::fe, 2620:fe::9

    }

这是计时器 vsftpd-restart.timer

[Unit]
Description=Restart vsftpd daily at 6 AM
After=network.target

[Timer]
Unit=vsftpd-restart.service
OnCalendar=*-*-* 06:00:00
Persistent=true

[Install]
WantedBy=timers.target

这是脚本 vsftpd-restart.service

[Unit]
Description=Restart vsftpd daily at 6 AM
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'systemctl stop vsftpd; systemctl start vsftpd'

[Install]
WantedBy=vsftpd-restart.timer

以下是 vsftpd systemctl 日志

Oct 07 06:00:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:00:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:00:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:00:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:00:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:01:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:01:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:01:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:01:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:01:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:02:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:02:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:02:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:02:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:02:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:03:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:03:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:03:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:03:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:03:02 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:04:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:04:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:04:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:04:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:04:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:05:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:05:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:05:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:05:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:05:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:06:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:06:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:06:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:06:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:06:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:07:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:07:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:07:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:07:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:07:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:08:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:08:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:08:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:08:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:08:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:09:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:09:01 test systemd[1]: vsftpd.service: Deactivated successfully.
Oct 07 06:09:01 test systemd[1]: Stopped vsftpd.service - vsftpd FTP server.
Oct 07 06:09:01 test systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Oct 07 06:09:01 test systemd[1]: Started vsftpd.service - vsftpd FTP server.
Oct 07 06:10:01 test systemd[1]: Stopping vsftpd.service - vsftpd FTP server...
Oct 07 06:10:01 test systemd[1]: vsftpd.service: Deactivated successfully.

我已经更新了 ubuntu 22.04 -- >> 24.04 现在出现此错误，而 phpmyadmin 无法加载到浏览器中

2024 年 9 月 23 日星期一 18：30：18.060029] [php：error] [pid 11672] [client 192.168.1.150:54278] PHP 致命错误：未捕获 TypeError：PhpMyAdmin\\Menu::__construct()：参数 #1 ($dbi) 必须是 PhpMyAdmin\\DatabaseInterface 类型，给定为空，在 /usr/share/phpmyadmin/libraries/classes/Header.php 的第 114 行调用并在 /usr/share/phpmyadmin/libraries/classes/Menu.php:57\nStack trace:\n#0 /usr/share/phpmyadmin/libraries/classes/Header.php(114): PhpMyAdmin\\Menu->__construct()\n#1 /usr/share/phpmyadmin/libraries/classes/ResponseRenderer.php(168): PhpMyAdmin\\Header->__construct()\n#2 /usr/share/phpmyadmin/libraries/classes/ResponseRenderer.php(199): PhpMyAdmin\\ResponseRenderer->__construct()\n#3 /usr/share/phpmyadmin/libraries/classes/ErrorHandler.php(335): PhpMyAdmin\\ResponseRenderer::getInstance()\n#4 /usr/share/phpmyadmin/libraries/classes/ErrorHandler.php(307): PhpMyAdmin\\ErrorHandler->dispFatalError()\n#5 /usr/share/phpmyadmin/libraries/classes/ErrorHandler.php(237): PhpMyAdmin\\ErrorHandler->addError()\n#6 [内部函数]: PhpMyAdmin\\ErrorHandler->handleException()\n#7 {main}\n 在 /usr/share/phpmyadmin/libraries/classes/Menu.php 第 57 行被抛出
[2024 年 9 月 23 日星期一 18：30：18.060184] [php：error] [pid 11672] [客户端 192.168.1.150：54278] PHP 致命错误：未捕获错误：在 /usr/share/phpmyadmin/libraries/classes/ResponseRenderer.php:293\n 中对成员函数 getDisplay() 的调用为 null 堆栈跟踪:\n#0 /usr/share/phpmyadmin/libraries/classes/ResponseRenderer.php(411): PhpMyAdmin\\ResponseRenderer->getDisplay()\n#1 [内部函数]：PhpMyAdmin\\ResponseRenderer->response()\n#2 {main}\n 在 /usr/share/phpmyadmin/libraries/classes/ResponseRenderer.php 第 293 行中抛出

尝试了所有方法，在网上找到了它。

之前我们使用的是 php7.4，现在我们设置了 php8.3（所以当 php7.4 时甚至不允许加载网站）但 PHP v8.3 至少允许我们连接到网站并在浏览器中加载它（因为这是更新的）

但是当我们执行http://192.168.1.100/phpmyadmin/（或 localhost/phpmyadmin）时

此页面无法正常工作 192.168.1.100 目前无法处理此请求。HTTP 错误 500

有人能帮助我们吗？

在我的路由器（ubuntu/NFTables）上，我配置了两个 WAN，每个 ISP 一个。

在当前配置下，我可以确保子网中的任何机器都可以根据 NFTables 中的规则使用第一个或第二个链接进行导航。

注意不是特定的LAN接口（任何LAN接口上的任何机器都可以根据NFTables中的规则浏览任意两个具有公网IP的链接）

一切正常，好的。

我现在面临的问题是子网上的机器应该互相看到，但它们甚至无法互相 ping 通。

有人知道我该如何修复它，以便除了保持这样的互联网浏览之外，我还可以让连接到 LAN1、LAN2、LAN3 和 LAN4 的机器能够相互通信？

以下是 netplan 配置：

network:
ethernets:
    wan1:
        addresses:
        - 111.31.111.2/28
        - 111.31.111.3/28
        - 111.31.111.4/28
        - 111.31.111.5/28
        - 111.31.111.6/28
        - 111.31.111.7/28
        - 111.31.111.8/28
        - 111.31.111.9/28
        - 111.31.111.10/28
        - 111.31.111.11/28
        - 111.31.111.12/28
        - 111.31.111.13/28
        - 111.31.111.14/28
        nameservers:
            addresses:
            - 8.8.8.8
            - 8.8.4.4
            search: []
        routes:
        - to: default
          via: 111.31.111.1
          metric: 100
        - to: default
          via: 111.31.111.1
          metric: 100
          table: 100
        routing-policy:
        - from: 192.168.10.0/24
          table: 100
        - from: 192.168.20.0/24
          table: 100
        - from: 192.168.30.0/24
          table: 100
        - from: 192.168.40.0/24
          table: 100
    wan2:
        addresses:
        - 222.63.222.10/29
        - 222.63.222.11/29
        - 222.63.222.12/29
        - 222.63.222.13/29
        - 222.63.222.14/29
        nameservers:
            addresses:
            - 8.8.8.8
            - 8.8.4.4
            search: []
        routes:
        - to: default
          via: 222.63.222.9
          metric: 200
        - to: default
          via: 222.63.222.9
          metric: 200
          table: 200
        routing-policy:
        - from: 192.168.10.0/24
          table: 200
        - from: 192.168.20.0/24
          table: 200
        - from: 192.168.30.0/24
          table: 200
        - from: 192.168.40.0/24
          table: 200
    lan1:
        addresses:
        - 192.168.10.1/24
    lan2:
        addresses:
        - 192.168.20.1/24
    lan3:
        addresses:
        - 192.168.30.1/24
    lan4:
        addresses:
        - 192.168.40.1/24
version: 2

下表和规则：

userrouter1@router1:~$ ip route
default via 111.31.111.1 dev wan1 proto static metric 100 
default via 222.63.222.9 dev wan2 proto static metric 200 
192.168.10.0/24 dev lan1 proto kernel scope link src 192.168.10.1 
192.168.40.0/24 dev lan4 proto kernel scope link src 192.168.40.1 
111.31.111.0/28 dev wan1 proto kernel scope link src 111.31.111.2 
222.63.222.8/29 dev wan2 proto kernel scope link src 222.63.222.10

userrouter1@router1:~$ ip rule
0:  from all lookup local
32756:  from 192.168.30.0/24 lookup 200 proto static
32757:  from 192.168.40.0/24 lookup 200 proto static
32758:  from 192.168.20.0/24 lookup 200 proto static
32759:  from 192.168.10.0/24 lookup 200 proto static
32760:  from 192.168.30.0/24 lookup 100 proto static
32761:  from 192.168.10.0/24 lookup 100 proto static
32762:  from 192.168.40.0/24 lookup 100 proto static
32763:  from 192.168.20.0/24 lookup 100 proto static
32766:  from all lookup main
32767:  from all lookup default

userrouter1@router1:~$ ip route show table 100
default via 111.31.111.1 dev wan1 proto static metric 100 

userrouter1@router1:~$ ip route show table 200
default via 222.63.222.9 dev wan2 proto static metric 200 

userrouter1@router1:~$ ip rule show table 100
32760:  from 192.168.30.0/24 lookup 100 proto static
32761:  from 192.168.10.0/24 lookup 100 proto static
32762:  from 192.168.40.0/24 lookup 100 proto static
32763:  from 192.168.20.0/24 lookup 100 proto static

userrouter1@router1:~$ ip rule show table 200
32756:  from 192.168.30.0/24 lookup 200 proto static
32757:  from 192.168.40.0/24 lookup 200 proto static
32758:  from 192.168.20.0/24 lookup 200 proto static
32759:  from 192.168.10.0/24 lookup 200 proto static

就目前情况而言，如果我在机器 192.168.10.10 上，我无法 PING 192.168.20.10，反之亦然...我需要解决这个问题，像这样维持到外部 IP 的导航。

有人能帮助我吗？

问题

我想使用 Wireguard 作为 VPN，以便能够远程访问我的 LAN 设备，同时能够通过我的本地 Pi-hole 路由流量以阻止广告并在不受信任的网络上确保安全。

因此，我按照 Pi-hole的 Wireguard 教程，在 Pi-hole 上设置了 Wireguard 。我严格遵循了所有步骤，在设置完所有步骤后，我可以通过10.100.0.1客户端访问服务器，但无法访问其他任何内容 - 无论是网站还是本地设备。

我目前所做的：

• 按照此处所述创建 Wireguard 配置
• 按照此处所述创建客户端配置
• 让我的客户端能够按照此处所述通过 Wireguard 传输所有互联网流量
• 修改99-sysctl.conf文件以启用 IP 转发，并在服务器上启用 NAT，如此处所述

我不知道缺少了什么。

这是我的配置文件的内容：

wg0.conf

Address = 10.100.0.1/24, fd08:4711::1/64
ListenPort = 47111
PrivateKey = redacted

PostUp = nft add table ip wireguard; nft add chain ip wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip wireguard wireguard_chain counter packets 0 bytes 0 masquerade; nft add table ip6 wireguard; nft add chain ip6 wireguard wireguard_chain {type nat hook postrouting priority srcnat\; policy accept\;}; nft add rule ip6 wireguard wireguard_chain counter packets 0 bytes 0 masquerade
PostDown = nft delete table ip wireguard; nft delete table ip6 wireguard

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = 10.100.0.2/32, fd08:4711::2/128

客户端配置文件

[Interface]
Address = 10.100.0.2/32, fd08:4711::2/128
DNS = 10.100.0.1
PrivateKey = redacted

[Peer]
#AllowedIPs = 10.100.0.1/32, fd08:4711::1/128
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydoma.in:47111
PersistentKeepalive = 25
PublicKey = redacted
PresharedKey = redacted

输出ip route

default via 192.24.0.1 dev enp6s0 proto dhcp src 192.24.0.3 metric 100 
10.0.0.0/24 dev br-2747fb0d94d8 proto kernel scope link src 10.0.0.1 
10.100.0.0/24 dev wg0 proto kernel scope link src 10.100.0.1 
10.178.40.0/24 dev tun0 proto kernel scope link src 10.178.40.1 
192.17.0.0/16 dev docker0 proto kernel scope link src 192.17.0.1 linkdown 
192.18.0.0/16 dev br-cb5d7cb9fc9b proto kernel scope link src 192.18.0.1 
192.19.0.0/16 dev br-6fa7708a9945 proto kernel scope link src 192.19.0.1 
192.20.0.0/16 dev br-0003ef5216eb proto kernel scope link src 192.20.0.1 
192.21.0.0/16 dev br-5779db6c38ec proto kernel scope link src 192.21.0.1 
192.22.0.0/16 dev br-0b6ecf5437f9 proto kernel scope link src 192.22.0.1 linkdown 
192.23.0.0/16 dev br-9813798ea15d proto kernel scope link src 192.23.0.1 
192.24.0.0/24 dev enp6s0 proto kernel scope link src 192.24.0.3 metric 100 
192.25.0.0/16 dev br-bd655dfed23b proto kernel scope link src 192.25.0.1 linkdown 

wireguard 客户端日志输出

--------- beginning of main
09-17 15:55:49.839 27728 27791 I WireGuard/GoBackend: Bringing tunnel wireguard_vpn UP
09-17 15:55:49.840 27728 27791 D WireGuard/GoBackend: Requesting to start VpnService
09-17 15:55:49.935 27728 27791 D WireGuard/GoBackend: Go backend 2163620
09-17 15:55:49.937 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Attaching to interface tun0
09-17 15:55:49.941 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UAPI: Updating private key
09-17 15:55:49.942 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UAPI: Removing all peers
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 3 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 6 - started
09-17 15:55:49.942 27728 27797 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 3 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 3 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 4 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 2 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 5 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 5 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 4 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 6 - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 8 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 5 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 6 - started
09-17 15:55:49.942 27728 27959 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 1 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 7 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 8 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 7 - started
09-17 15:55:49.942 27728 27797 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 2 - started
09-17 15:55:49.942 27728 27803 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 8 - started
09-17 15:55:49.942 27728 27959 D WireGuard/GoBackend/wireguard_vpn: Routine: TUN reader - started
09-17 15:55:49.942 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: encryption worker 7 - started
09-17 15:55:49.942 27728 27956 D WireGuard/GoBackend/wireguard_vpn: Routine: event worker - started
09-17 15:55:49.943 27728 27957 D WireGuard/GoBackend/wireguard_vpn: Routine: handshake worker 2 - started
09-17 15:55:49.943 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Created
09-17 15:55:49.943 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Adding allowedip
09-17 15:55:49.943 27728 27955 D WireGuard/GoBackend/wireguard_vpn: Routine: decryption worker 4 - started
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Adding allowedip
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating endpoint
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating persistent keepalive interval
09-17 15:55:49.944 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - UAPI: Updating preshared key
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: UDP bind has been updated
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Starting
09-17 15:55:49.947 27728 27955 D WireGuard/GoBackend/wireguard_vpn: Routine: receive incoming v6 - started
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Sending keepalive packet
09-17 15:55:49.947 27728 27791 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Sending handshake initiation
09-17 15:55:49.947 27728 31398 D WireGuard/GoBackend/wireguard_vpn: Routine: receive incoming v4 - started
09-17 15:55:49.947 27728 27803 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Routine: sequential sender - started
09-17 15:55:49.947 27728 27957 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Routine: sequential receiver - started
09-17 15:55:49.948 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Interface state was Down, requested Up, now Up
09-17 15:55:49.948 27728 27791 D WireGuard/GoBackend/wireguard_vpn: Device started
09-17 15:55:49.968 27728 27957 D WireGuard/GoBackend/wireguard_vpn: peer(5jcX…pTiU) - Received handshake response

系统信息

服务器

• Xubuntu 24.04.1 LTS
• 64GB 内存
• 通过安装脚本安装 Pi-hole （非 dockerized）
• 通过安装脚本安装 Wireguard （非 dockerized）
• UFW 已启用，udp allow 47111/udp完成

路由器

• FRITZ!Box 已启用 47111/UDP 端口转发

客户

• GrapheneOS / Android 14
• Wireguard F-Droid
• 通过二维码解析配置

如果有人能给我提供任何类型的提示，我将不胜感激。

提前致谢。

我购买了一台具有两个千兆端口的设备作为家庭服务器。

• 端口 1（enp1s0）连接到直接至路由器的 LAN 电缆。
• 端口 2（enp2s0）现在要连接到京瓷打印机。

该设备现在应配置如下：

• 端口 1（enp1s0）：固定 DHCP IP 地址192.168.0.250。
• 端口 2（enp2s0）：将所有连接直接路由到路由器，以便设备在此处通过 DHCP 分配 IP 地址。

路由器正在监听 IP 192.168.0.1。这也是默认网关以及默认名称服务器。

我已经配置了 Netplan，如下所示：

/etc/netplan/50-cloud-init.yaml

network:
    version: 2
    ethernets:

        # LAN-Port 1
        enp1s0:
            dhcp4: false
            dhcp6: false
            wakeonlan: true
            addresses: [192.168.0.250/24]
            routes:
                - to: 192.168.0.1
                  via: 192.168.0.250

        # LAN-Port 2
        enp2s0:
            dhcp4: true

    bridges:
        br0:
            interfaces: [enp1s0, enp2s0]
            dhcp4: true
            optional: true

网络计划状态

在网络扫描仪上，将找到以下设备：

打印机在这里运行良好，可以从整个网络访问，并由路由器分配动态 IP 地址。

问题

• 无法通过 IP 地址访问该设备192.168.0.250。
• 为什么这里给出的 IP 地址是“192.168.0.28”（这也无法访问）？
• 所有服务（例如 Apache2-Webserver、SSH-Daemon 等，均在全球范围内监听）无法访问。

我的公司已经实施了一个执行解密的上游设备，这要求所有盒子都安装了根 CA 证书。

我复制了 pem 格式的 ca 证书并执行以下操作。更新确认已添加一个证书。/etc/ssl/certs/ca-certifcates.crt 中的最后一个证书显示 root.crt 证书。我还安装了中间证书。

sudo apt-get install -y ca-certificates
sudo cp root.crt /usr/local/share/ca-certificates
sudo update-ca-certificates 

但是，使用 Firefox 或 Brave 时会出现以下错误。此错误来自 Firefox。这显然是证书问题，我认为浏览器没有看到证书？

“未连接：潜在的安全问题”

有人可能试图冒充该网站，您不应继续。

网站通过证书证明其身份。Firefox 不信任 www.google.com，因为其证书颁发者不明、证书是自签名的，或者服务器未发送正确的中间证书。

错误代码：SEC_ERROR_UNKNOWN_ISSUER

我试图将 ceph 从 17 升级到 18.2.4，如下所述

ceph orch upgrade start --ceph-version 18.2.4
Initiating upgrade to quay.io/ceph/ceph:v18.2.4

但此后，协调器不再响应

ceph orch upgrade status
Error ENOENT: Module not found

将后端重新设置为 orchestrator 或 cephadm 失败，因为服务显示为“已禁用”。Ceph mgr 却表示服务已开启。

据我目前所知，我被困在一个运行 reef 的 mgr 守护进程上，而集群的其余部分在 quincy 上运行。

ceph versions
{
    "mon": {
        "ceph version 17.2.7 (b12291d110049b2f35e32e0de30d70e9a4c060d2) quincy (stable)": 5
    },
    "mgr": {
        "ceph version 18.2.4 (e7ad5345525c7aa95470c26863873b581076945d) reef (stable)": 1
    },
    "osd": {
        "ceph version 17.2.7 (b12291d110049b2f35e32e0de30d70e9a4c060d2) quincy (stable)": 31
    },
    "mds": {
        "ceph version 17.2.7 (b12291d110049b2f35e32e0de30d70e9a4c060d2) quincy (stable)": 4
    },
    "overall": {
        "ceph version 17.2.7 (b12291d110049b2f35e32e0de30d70e9a4c060d2) quincy (stable)": 40,
        "ceph version 18.2.4 (e7ad5345525c7aa95470c26863873b581076945d) reef (stable)": 1
    }
}

如何将集群恢复到健康状态？

编辑1 Ceph健康：

  cluster:
    id:     16249ca6-4060-11ef-a8a1-7509512e051b
    health: HEALTH_WARN
            insufficient standby MDS daemons available
            mon gpu001 is low on available space
            1/5 mons down, quorum ***
            Degraded data redundancy: 92072087/608856489 objects degraded (15.122%), 97 pgs degraded, 97 pgs undersized
            7 pgs not deep-scrubbed in time

  services:
    mon: 5 daemons, quorum ***
    mgr: cpu01.fcxjpi(active, since 5m)
    mds: 4/4 daemons up
    osd: 34 osds: 31 up (since 45h), 31 in (since 46h); 31 remapped pgs
 
  data:
    volumes: 1/1 healthy
    pools:   4 pools, 193 pgs
    objects: 121.96M objects, 32 TiB
    usage:   36 TiB used, 73 TiB / 108 TiB avail
    pgs:     92072087/608856489 objects degraded (15.122%)
             29422795/608856489 objects misplaced (4.832%)
             97 active+undersized+degraded
             65 active+clean
             31 active+clean+remapped
  io:
    client:   253 KiB/s rd, 51 KiB/s wr, 3 op/s rd, 2 op/s wr

注意：该问题最初是在 SO [https://stackoverflow.com/posts/78949269] 上提出的，我被建议将其移到这里。我目前正在搜索 MGR 日志以调查状态，并最终强制降级。

我想使用 LVM 设置 RAID5，具有不同的磁盘大小：
2 x 2TB
3 x 1TB

我的第一个问题是，对于我的实际配置来说，最佳/安全的设置是什么：

1. 将 2TB 分区为 1TB/分区
   • 7 个 PV，每个 1TB，放入一个 VG
   • 1 个 LV 使用 RAID5 : lvcreate --stripes 6 --type raid5 --size 100%VG --name lv-name vg-name
     => 结果大小为6TB
2. 将 1TB 重新组合成 2TB（留下 1 个磁盘），但我不知道如何做到这一点...以及是否有可能？？？
   • 也许...合并 1 个 4TB 的 VG（2 x 2TB：vg-name）和 1 个 2TB 的 VG（2 x 1TB：new-vg）：vgmerge -v vg-name new-vg
   • 然后是 1 LV RAID5 : => 结果应该是5TBlvcreate --stripes 2 --type raid5 --size 100%VG --name lv-name vg-name
     的大小

实际上，为了进行测试，我设置了第一个解决方案，其中包含 7 个 PV，第一次同步需要很长时间，已经过去了将近 24 小时，而且只有 39.45%。
所以我想知道为什么，我想获得一些关于我的配置的输出/统计/报告，以便更好地理解它。所以我的第二个问题是，如何获得一些关于统计数据的信息（速度 I/O、同步状态、健康状况等...）？
我知道：

• lvs -a -o name,copy_percent,health_status,devices vg-name
• 一些有用的链接，例如有关 LVM 报告的 Red Hat Doc
• lvm fullreport（但输出不可读...我的意思是它显示得根本不好），Red Hat Doc 正在讨论它，但没有示例，也没有提示来自定义输出...

感谢您的时间。