A few words up front:
There are plenty of tools that can bundle ADSL lines: RouterOS, Vyatta, Panabit and so on. My company mostly runs Linux, though. RouterOS gave me the idea, so I set out to check whether Linux could do the same thing; after some searching online it turned out to be feasible. Today I finally have time to write it up. Enough talk, let's get started.
The topology is as follows:
I. RouterOS: make the inside port a trunk, allow several VLANs, and configure Internet access.
# Set RouterOS ether2 as a trunk, to emulate several physical ports
VLAN 10 to VLAN 15 are used in the lab.
# Configure a PPPoE server, to emulate the ISP
# Configure Internet access on RouterOS
Set the address:
Set the route:
Set NAT:
IP -- Firewall -- NAT -- +
That completes the RouterOS configuration.
II. Linux: configure the dial-up links
# Make the Linux NIC that connects to RouterOS a trunk: load the 8021q module for VLAN tag support
[root@LB-2 ~]# modprobe 8021q
# Add a VLAN sub-interface (tag) per link.
The command for VLAN 10 is vconfig add eth1 10; for convenience a for loop is used below. Two caveats: the adsl-setup walkthrough further down dials a seventh link on eth1.16, which this loop does not create and which lies outside the VLAN 10-15 range allowed on the trunk, so extend the range if you follow it literally; and vconfig is deprecated on current distributions (ip link ... type vlan does the same job), and sub-interfaces created this way do not survive a reboot unless an ifcfg-eth1.N file is written for them.
[root@LB-2 ~]# for i in {10..15}; do vconfig add eth1 $i ; done
# Install the PPPoE client; it needs the rp-pppoe package. Insert the install disc:
[root@LB-2 ~]# mount -o loop /dev/cdrom /mnt
[root@LB-2 ~]# cd /etc/yum.repos.d/
[root@LB-2 yum.repos.d]# rm -f *
[root@LB-2 yum.repos.d]# vi local.repo
[localcd]
name=local cd
baseurl=file:///mnt/
enabled=1
[root@LB-2 yum.repos.d]# yum clean all
[root@LB-2 yum.repos.d]# yum install rp-pppoe -y --nogpgcheck
Note that rm -f * throws away the distribution's own repo files; move them aside instead if you will want the network repos later. --nogpgcheck also skips signature verification of the package: importing the distribution's GPG key from the disc with rpm --import and leaving the check on costs nothing and keeps yum verifying what it installs.
Set up the dial-up link:
[root@LB-2 ~]# adsl-setup
Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...
The following DSL config was found on your system:
# I had already been through this once, so a few links are configured already.
Device: Name:
ppp0 DSLppp0
ppp1 DSLppp1
ppp2 DSLppp2
ppp3 DSLppp3
ppp4 DSLppp4
ppp5 DSLppp5
Please enter the device if you want to configure the present DSL config
(default ppp0) or enter 'n' if you want to create a new one: n
LOGIN NAME
Enter your Login Name: ppp6 # the login name is the account your ISP (China Unicom / China Telecom) gave you
INTERFACE
Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth1.16
Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no): no # dial on demand: no
DNS
Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: # leave DNS empty
PASSWORD
Please enter your Password: # the account's password
Please re-enter your Password:
USERCTRL
Please enter 'yes' (three letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): no # whether normal users may start or stop the link: no
FIREWALLING
Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.
The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): 0 # firewall rules: 0 (none; the NAT rules are written by hand further down)
Start this connection at boot time
Do you want to start this connection at boot time?
Please enter no or yes (default no):yes # dial at boot: yes
** Summary of what you entered **
Ethernet Interface: eth1.16
User name: ppp6
Activate-on-demand: No
DNS: Do not adjust
Firewalling: NONE
User Control: no
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp6
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)
Congratulations, it should be all set up!
Type '/sbin/ifup ppp6' to bring up your xDSL link and '/sbin/ifdown ppp6'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp6'
to see the link status.
[root@LB-2 ~]# cd /etc/sysconfig/network-scripts/
[root@LB-2 network-scripts]# vi ifcfg-ppp6
USERCTL=no
BOOTPROTO=dialup
NAME=DSLppp6
DEVICE=ppp6
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl6.pid # changed from the generated /var/run/pppoe-adsl.pid: every link needs its own PID file, otherwise the links share one PID and will not start
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=no # do not install the default route pushed by the peer; each link gets its own routing table instead
SYNCHRONOUS=no
ETH=eth1.16
PROVIDER=DSLppp6
USER=ppp6
PEERDNS=no
DEMAND=no
Now dial:
[root@LB-2 network-scripts]# ifup ppp6
If nothing goes wrong, the link comes up.
# ifdown ppp0 disconnects the link
# ifup ppp0 dials
Set up the remaining dial-up links the same way.
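Running adsl-setup once per link means answering the same prompts six or seven times, and the one field that has to differ per file (PIDFILE) is the easiest one to forget. The script below is an added example, not code from the original post: it writes, non-interactively, what adsl-setup writes (ifcfg-pppN plus the pap-secrets and chap-secrets lines) and additionally a persistent ifcfg for the VLAN sub-interface, for N links on a CentOS/RHEL 6 box with rp-pppoe. Assumptions: the page's layout of eth1 as trunk with link i on VLAN 10+i dialling as ppp<i>; a hypothetical accounts.txt holding one "login password" pair per line; and ip link ... type vlan in place of the deprecated vconfig.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the per-link files that
# adsl-setup produced interactively, for N PPPoE uplinks on CentOS/RHEL 6 with
# rp-pppoe. Assumptions: trunk eth1, link i rides VLAN 10+i as eth1.(10+i) and
# dials as ppp<i> (the page's layout); logins/passwords come from a hypothetical
# accounts.txt ("login password" per line).
TRUNK=${TRUNK:-eth1}
BASE_VLAN=${BASE_VLAN:-10}
SCRIPTS_DIR=${SCRIPTS_DIR:-/etc/sysconfig/network-scripts}
SECRETS_DIR=${SECRETS_DIR:-/etc/ppp}

# Persistent VLAN sub-interface: vconfig-created interfaces vanish on reboot.
ifcfg_vlan() {  # $1 = trunk device, $2 = VLAN id
  printf 'DEVICE=%s.%s\nVLAN=yes\nONBOOT=yes\nBOOTPROTO=none\n' "$1" "$2"
}

# The fields adsl-setup wrote to ifcfg-ppp6 above, with the link index
# substituted. PIDFILE carries the index so the pppoe processes of different
# links do not fight over one /var/run/pppoe-adsl.pid.
ifcfg_ppp() {  # $1 = link index, $2 = ethernet device, $3 = login name
cat <<EOF
USERCTL=no
BOOTPROTO=dialup
NAME=DSLppp$1
DEVICE=ppp$1
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl$1.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=no
SYNCHRONOUS=no
ETH=$2
PROVIDER=DSLppp$1
USER=$3
PEERDNS=no
DEMAND=no
EOF
}

# One pppd secrets line in the form adsl-setup writes: "client" * "secret"
secret_line() {  # $1 = login name, $2 = password
  printf '"%s" * "%s"\n' "$1" "$2"
}

# Write every file for link $1 with login $2 and password $3, and create the
# VLAN sub-interface now rather than waiting for a reboot.
write_link() {
  idx=$1; vlan=$((BASE_VLAN + idx)); dev="$TRUNK.$vlan"
  ifcfg_vlan "$TRUNK" "$vlan" > "$SCRIPTS_DIR/ifcfg-$dev"
  ifcfg_ppp "$idx" "$dev" "$2" > "$SCRIPTS_DIR/ifcfg-ppp$idx"
  for f in pap-secrets chap-secrets; do
    secret_line "$2" "$3" >> "$SECRETS_DIR/$f"
    chmod 600 "$SECRETS_DIR/$f"      # ISP credentials: root-only
  done
  ip link add link "$TRUNK" name "$dev" type vlan id "$vlan" 2>/dev/null
  ip link set "$dev" up
}

# Usage (as root): ./mkppp.sh 6  -> links 0..5 from the first six accounts.txt lines
if [ -n "${1:-}" ]; then
  i=0
  while read -r login pass; do
    [ "$i" -ge "$1" ] && break
    write_link "$i" "$login" "$pass"
    i=$((i+1))
  done < accounts.txt
fi
```

After the files are written, ifup ppp0 through ifup ppp5 bring the links up exactly as in the manual walkthrough. On CentOS 7 the rp-pppoe tools were renamed pppoe-setup and pppoe-start, so adjust the names if you are on that release.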
Using the nth mechanism (PS: "nth, what on earth is that?" Look it up yourself), straight to the commands:
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 5 -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 4 -j CONNMARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 3 -j CONNMARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 2 -j CONNMARK --set-mark 4
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 1 -j CONNMARK --set-mark 5
iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -m statistic --mode nth --every 6 --packet 0 -j CONNMARK --set-mark 6
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 2 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 3 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 4 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 5 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 6 -j MARK --set-mark 6
Think of it this way: the first six rules deal connection marks 1 to 6 to new connections in turn, one rule per uplink (write as many as you have links). Each statistic rule keeps its own counter, and because CONNMARK --set-mark does not terminate the chain, every NEW packet arriving on the LAN interface eth0 advances all six counters; the k-th new connection (counting from 0) matches exactly the rule whose --packet value equals k mod 6, so each connection gets one mark and no rule overwrites another's (with the --packet values as written, the first connection gets mark 6, the next mark 5, and so on round-robin). The last six rules then copy the connection mark onto every packet of that connection as a firewall (packet) mark; a single CONNMARK --restore-mark rule does the same job.
Policy routing then acts on that firewall mark, and policy routing means routing tables:
[root@LB-2 ~]# vi /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
10 v10
11 v11
12 v12
13 v13
14 v14
15 v15
With the tables defined, they need route entries (each ppp interface must already be up, or the kernel refuses the route):
[root@LB-2 ~]# ip route add default dev ppp0 table v10
[root@LB-2 ~]# ip route add default dev ppp1 table v11
[root@LB-2 ~]# ip route add default dev ppp2 table v12
[root@LB-2 ~]# ip route add default dev ppp3 table v13
[root@LB-2 ~]# ip route add default dev ppp4 table v14
[root@LB-2 ~]# ip route add default dev ppp5 table v15
Quick method: for i in {0..5}; do ip route add default dev ppp$i table v1$i ; done
Set the policy rules, one per mark:
[root@LB-2 ~]# ip rule add fwmark 1 table v10 pref 10000
[root@LB-2 ~]# ip rule add fwmark 2 table v11 pref 10000
[root@LB-2 ~]# ip rule add fwmark 3 table v12 pref 10000
[root@LB-2 ~]# ip rule add fwmark 4 table v13 pref 10000
[root@LB-2 ~]# ip rule add fwmark 5 table v14 pref 10000
[root@LB-2 ~]# ip rule add fwmark 6 table v15 pref 10000
# Quick method: for i in {0..5}; do ip rule add fwmark $((i+1)) table v1$i pref 10000 ; done
While we are at it, set up a check address for each uplink, used to test whether each exit is up or down; if one goes down, sending an e-mail or the like is then easy. (1.1.1.0/24 is publicly routed address space; a /32 from a private range works the same way and does not shadow real hosts.)
# for i in {0..5}; do ip addr add 1.1.1.$i/32 dev lo ; done
# ip addr show | grep lo
# for i in {0..5}; do ip rule add from 1.1.1.$i table v1$i pref 10000 ; done
Set up NAT. The addresses obtained are dynamic, so MASQUERADE is used:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp3 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp4 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE
At first I set -o to eth1.10 through eth1.15, and the NAT rules did not take effect. (The IP packets leave through the ppp interfaces; the VLAN sub-interfaces underneath only carry the PPPoE frames, so POSTROUTING never sees them as the output device.)
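The commands above (marks, tables, routes, rules, NAT) are the one place where every number has to line up: mark i+1, table v1i, ppp i and the --every value must all agree. The generator below is an added example, not the post's own code; it prints the complete set for N links so the arithmetic is done once, and adds two sysctl settings the page does not show (ip_forward, and rp_filter, because with DEFROUTE=no the main table has no route back for replies arriving on the ppp interfaces). Assumptions: eth0 is the LAN side, link i is ppp<i> with table v(10+i) and check address 1.1.1.<i> as on the page; the six connmark-to-MARK rules are replaced by one equivalent CONNMARK --restore-mark; and the --packet values run 0..N-1 in mark order (the page lists them reversed; either order deals connections round-robin).

```shell
#!/bin/sh
# Added example, not code from the original post: emit the complete
# mark/route/NAT rule set for N bundled links. Assumptions: LAN side eth0,
# link i = ppp<i>, table v(10+i), fwmark i+1, check address PROBE_NET.<i> on lo
# (the page's layout). Prints commands; pipe to sh as root once they look right.
N=${N:-6}
LAN_IF=${LAN_IF:-eth0}
PROBE_NET=${PROBE_NET:-1.1.1}   # page's choice; 1.1.1.0/24 is public space, a private range is safer

# N nth rules, one per link. CONNMARK --set-mark is non-terminating, so every
# NEW packet advances all N counters and packet k (0-based) matches exactly the
# rule with --packet k mod N: new connections rotate through marks 1..N.
gen_mark_rules() {  # $1 = N, $2 = LAN interface
  k=0
  while [ "$k" -lt "$1" ]; do
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -m statistic --mode nth --every %s --packet %s -j CONNMARK --set-mark %s\n' \
      "$2" "$1" "$k" "$((k+1))"
    k=$((k+1))
  done
  # one --restore-mark replaces the N "-m connmark --mark X -j MARK --set-mark X" rules
  printf 'iptables -t mangle -A PREROUTING -i %s -j CONNMARK --restore-mark\n' "$2"
}

gen_rt_tables() {  # $1 = N: idempotent rt_tables entries "10 v10" .. "(10+N-1) v(10+N-1)"
  k=0
  while [ "$k" -lt "$1" ]; do
    t=$((10+k))
    printf "grep -q '^%s v%s\$' /etc/iproute2/rt_tables || echo '%s v%s' >> /etc/iproute2/rt_tables\n" "$t" "$t" "$t" "$t"
    k=$((k+1))
  done
}

gen_probe_addrs() {  # $1 = N: one /32 check address per link on lo
  k=0
  while [ "$k" -lt "$1" ]; do
    printf 'ip addr add %s.%s/32 dev lo\n' "$PROBE_NET" "$k"
    k=$((k+1))
  done
}

gen_routes() {  # $1 = N: default route of table v(10+i) via ppp<i>
  k=0
  while [ "$k" -lt "$1" ]; do
    printf 'ip route add default dev ppp%s table v%s\n' "$k" "$((10+k))"
    k=$((k+1))
  done
}

gen_rules() {  # $1 = N: fwmark rule and check-address rule per link
  k=0
  while [ "$k" -lt "$1" ]; do
    printf 'ip rule add fwmark %s table v%s pref 10000\n' "$((k+1))" "$((10+k))"
    printf 'ip rule add from %s.%s table v%s pref 10000\n' "$PROBE_NET" "$k" "$((10+k))"
    k=$((k+1))
  done
}

gen_nat() {  # $1 = N: masquerade on the ppp device, never on the VLAN sub-interface
  k=0
  while [ "$k" -lt "$1" ]; do
    printf 'iptables -t nat -A POSTROUTING -o ppp%s -j MASQUERADE\n' "$k"
    k=$((k+1))
  done
}

gen_all() {  # $1 = N, $2 = LAN interface
  echo '# not shown on the page, but a gateway forwards nothing without it'
  echo 'sysctl -w net.ipv4.ip_forward=1'
  echo '# with DEFROUTE=no the main table has no default route, so replies arriving on'
  echo '# ppp<i> have no reverse route and strict/loose rp_filter drops them; the'
  echo '# effective value is the larger of "all" and the per-interface setting'
  echo 'sysctl -w net.ipv4.conf.all.rp_filter=0'
  echo 'sysctl -w net.ipv4.conf.default.rp_filter=0'
  gen_rt_tables "$1"
  gen_probe_addrs "$1"
  echo '# every ppp<i> must be up before its route can be added'
  gen_routes "$1"
  gen_rules "$1"
  gen_mark_rules "$1" "$2"
  gen_nat "$1"
}

gen_all "$N" "$LAN_IF"
```

Read the output before running it with sh as root, and run it only after every ppp interface is up. Dealing connections round-robin means a client that opens several connections for one session can still show up from different public IPs; if that matters for a site, hash on the client's source address instead of counting connections (the HMARK target does this), at the cost of a less even spread.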
Test results (pinging from each check address forces that link's table, so each line exercises one uplink):
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.0
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.1
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.2
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.3
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.4
[root@LB-2 ~]# ping 202.97.0.1 -I 1.1.1.5
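The check addresses on lo make each uplink individually testable, and the ping test above is exactly that probe. The script below is an added example, not code from the original post, turning the probe into the monitor the text hints at: it pings through every link's check address, and when a link stops answering it moves that link's fwmark rule onto a live link's table (leaving the from-rule alone, so the probe keeps testing the real link rather than following the detour) and swaps it back on recovery; the mail alert is left as a hook. Assumptions: the page's numbering (ppp<i>, table v1<i>, 1.1.1.<i>, fwmark i+1), iputils ping, the page's 202.97.0.1 as target, three lost pings meaning down, and a hypothetical state directory under /var/run.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes each uplink through
# its check address and re-points the fwmark rule of a dead link at a live
# link's table; restores it when the link answers again. Assumptions: link i =
# ppp<i>, table v(10+i), check address PROBE_NET.<i> on lo, fwmark i+1 (the
# page's layout), iputils ping, cron runs this as root.
N=${N:-6}
CHECK_HOST=${CHECK_HOST:-202.97.0.1}
PROBE_NET=${PROBE_NET:-1.1.1}
STATE_DIR=${STATE_DIR:-/var/run/wanmon}   # hypothetical state directory

# Reply count from a ping summary line, for both
# "3 packets transmitted, 2 received, ..." (iputils) and
# "3 packets transmitted, 2 packets received, ..." (BSD). Empty if no summary.
ping_received() {  # $1 = summary line
  printf '%s\n' "$1" | awk -F', ' '{ for (i = 1; i <= NF; i++) if ($i ~ /received/) { split($i, w, " "); print w[1]; exit } }'
}

# The kernel drops a table's routes when its ppp device goes away, so the route
# has to be put back before a recovered link can be probed through it.
ensure_route_cmd() {  # $1 = link index
  printf 'ip route replace default dev ppp%s table v%s\n' "$1" "$((10+$1))"
}

# Move mark i+1 onto link j's table. The "from PROBE_NET.i" rule is untouched,
# so probes still go out ppp<i> itself.
reroute_mark_cmds() {  # $1 = link whose mark moves, $2 = link whose table takes it
  printf 'ip rule del fwmark %s pref 10000\n' "$(($1+1))"
  printf 'ip rule add fwmark %s table v%s pref 10000\n' "$(($1+1))" "$((10+$2))"
}
restore_mark_cmds() { reroute_mark_cmds "$1" "$1"; }

# Does ppp<i> answer? Pinging from its check address selects table v(10+i).
link_up() {  # $1 = link index
  ensure_route_cmd "$1" | sh 2>/dev/null
  summary=$(ping -c 3 -W 2 -I "$PROBE_NET.$1" "$CHECK_HOST" 2>/dev/null | grep 'packets transmitted')
  got=$(ping_received "$summary")
  [ -n "$got" ] && [ "$got" -gt 0 ]
}

# First link other than $1 that is not flagged down, or failure if none.
pick_live() {
  j=0
  while [ "$j" -lt "$N" ]; do
    if [ "$j" -ne "$1" ] && [ ! -e "$STATE_DIR/down.$j" ]; then echo "$j"; return 0; fi
    j=$((j+1))
  done
  return 1
}

monitor_once() {
  mkdir -p "$STATE_DIR"
  i=0
  while [ "$i" -lt "$N" ]; do
    if link_up "$i"; then
      if [ -e "$STATE_DIR/down.$i" ]; then
        rm -f "$STATE_DIR/down.$i"
        restore_mark_cmds "$i" | sh
        logger -t wanmon "ppp$i is back; fwmark $((i+1)) routed via ppp$i again"
      fi
    elif [ ! -e "$STATE_DIR/down.$i" ]; then
      touch "$STATE_DIR/down.$i"
      if live=$(pick_live "$i"); then
        reroute_mark_cmds "$i" "$live" | sh
        logger -t wanmon "ppp$i is down; fwmark $((i+1)) moved to ppp$live"
      else
        logger -t wanmon "ppp$i is down and no other link is up"
      fi
      # the e-mail alert the post mentions goes here, e.g. mail -s "ppp$i down" admin@example.com </dev/null
    fi
    i=$((i+1))
  done
}

# cron entry: * * * * * /usr/local/sbin/wanmon.sh --run
if [ "${1:-}" = "--run" ]; then monitor_once; fi
```

Existing connections already carrying the dead link's mark follow the moved rule too, so they land on the live link instead of a black hole; connections that were mid-flight on the dead link time out as they would on any WAN failure.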
Finally, two screenshots of the result:
1. Lab screenshot: this was tested by running Xunlei (Thunder) on my own PC. Not ideal, because some connections are fast and some slow, but in the real production environment it works well.
2. Below is a screenshot from production; the result is quite good. The uplinks there use static IPs, but with the same load-balancing mechanism as above. This per-connection load balancing is much better than per-packet balancing: online-banking logins stop failing (the bank site complaining that your IP keeps changing).