我有一个非常简单的设置,需要将流量从 WireGuard 接口(wg0)转发到连接到 LAN 接口(enp0s25)的主机。
[ other LAN host ] <---> enp0s25 [ server ] wg0 <---> [ remote peer]
10.131.12.2 10.131.12.19 10.131.6.6 10.131.6.1
# sysctl -n net.ipv4.ip_forward
1
# nft list ruleset
table inet firewall {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname "wg0" masquerade
oifname "wg0" masquerade
}
}
这很好用。但是,我想使用虚拟机,因此我在 中创建了一个桥接接口/etc/network/interfaces,其 mac 地址与 相同enp0s25:
allow-hotplug enp0s25
iface enp0s25 inet manual
auto br0
iface br0 inet dhcp
bridge_ports enp0s25
hwaddress ether d0:50:99:89:8d:e0
[ other LAN host ] <---> enp0s25/br0 [ server ] wg0 <---> [ remote peer]
10.131.12.2 10.131.12.19 10.131.6.6 10.131.6.1
现在,我只能从 访问机器本身wg0,而不能访问 LAN 中的任何其他机器。
tcpdump 显示(为清楚起见,在 IP 地址中添加了描述):
# tcpdump -i wg0 icmp
11:48:35.968486 IP 10.131.6.1 (remote wg peer) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1072, length 64
11:48:37.049028 IP 10.131.6.1 (remote wg peer) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1073, length 64
11:48:37.966377 IP 10.131.6.1 (remote wg peer) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1074, length 64
# tcpdump -i enp0s25 icmp
11:48:35.968513 IP 10.131.12.19 (this host) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1072, length 64
11:48:35.968752 IP 10.131.12.2 (other LAN host) > 10.131.12.19 (this host): ICMP echo reply, id 18176, seq 1072, length 64
11:48:37.049057 IP 10.131.12.19 (this host) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1073, length 64
11:48:37.049300 IP 10.131.12.2 (other LAN host) > 10.131.12.19 (this host): ICMP echo reply, id 18176, seq 1073, length 64
11:48:37.966399 IP 10.131.12.19 (this host) > 10.131.12.2 (other LAN host): ICMP echo request, id 18176, seq 1074, length 64
请求从远程 WG 主机发送到另一个 LAN 主机,并返回到服务器,但由于某种原因无法返回到远程 WG 主机。
破坏此转发设置的桥接接口有何不同?
我添加了一些日志记录规则,试图找出通过 nftables 的路径。红线是 ICMP 回显请求,蓝线是回显回复。它似乎在 inet 预路由阶段“消失”,它没有出现在输入钩子或转发钩子中。
