router在虚拟网络中就是路由器,实现三层通信作用。
Linux 本身开启转发功能后就是一个路由器。需要注意,net.ipv4.ip_forward 是全局开关,打开后主机会在所有接口(包括下面输出中的 eth0)之间转发,因此通常要配合防火墙规则限制允许转发的流量。
# 开启转发策略
[root@public ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@public ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@public ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@public ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@public ~]#
使用测试用例,模拟验证 router 功能,拓扑如下:ns1(tap1,192.168.1.100/24)—— 宿主机(tap1_peer 192.168.1.1/24,tap2_peer 192.168.2.1/24)—— ns2(tap2,192.168.2.100/24),宿主机充当两个网段之间的路由器。
根据拓扑图创建对应设备:
# 开启转发后,根据拓扑进行配置
[root@public ~]#
[root@public ~]# ip link add tap1 type veth peer name tap1_peer
[root@public ~]# ip link add tap2 type veth peer name tap2_peer
[root@public ~]#
[root@public ~]# ip netns add ns1
[root@public ~]# ip netns add ns2
[root@public ~]#
[root@public ~]# ip link set tap1 netns ns1
[root@public ~]# ip link set tap2 netns ns2
[root@public ~]#
[root@public ~]# ip addr add 192.168.1.1/24 dev tap1_peer
[root@public ~]# ip addr add 192.168.2.1/24 dev tap2_peer
[root@public ~]# ip netns exec ns1 ip addr add 192.168.1.100/24 dev tap1
[root@public ~]# ip netns exec ns2 ip addr add 192.168.2.100/24 dev tap2
[root@public ~]#
[root@public ~]# ip link set tap1_peer up
[root@public ~]# ip link set tap2_peer up
[root@public ~]# ip netns exec ns1 ip link set tap1 up
[root@public ~]# ip netns exec ns2 ip link set tap2 up
[root@public ~]#
[root@public ~]# ip netns exec ns1 ping 192.168.2.100
connect: Network is unreachable
[root@public ~]#
配置好 IP 后直接通信无法成功;检查路由信息后发现没有去往另一网段的路由,配置路由后再进行测试。
[root@public ~]# ip netns exec ns1 route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1 0 0 0
[root@public ~]#
[root@public ~]# ip netns exec ns1 route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1
[root@public ~]# ip netns exec ns2 route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1
[root@public ~]#
[root@public ~]# ip netns exec ns1 route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1 0 0 0
192.168.2.0 192.168.1.1 255.255.255.0 UG 0 0 0 tap1 0 0 0
[root@public ~]#
[root@public ~]# ip a s
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:08:0b:39 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.93/24 brd 192.168.10.255 scope global noprefixroute dynamic eth0
valid_lft 70616sec preferred_lft 70616sec
inet6 fe80::f816:3eff:fe08:b39/64 scope link
valid_lft forever preferred_lft forever
3: tap1_peer@if4: mtu 1500 qdisc noqueue state UP qlen 1000
link/ether ca:6c:92:02:af:32 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.1/24 scope global tap1_peer
valid_lft forever preferred_lft forever
inet6 fe80::c86c:92ff:fe02:af32/64 scope link
valid_lft forever preferred_lft forever
5: tap2_peer@if6: mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 42:c6:2a:f3:7e:37 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 192.168.2.1/24 scope global tap2_peer
valid_lft forever preferred_lft forever
inet6 fe80::40c6:2aff:fef3:7e37/64 scope link
valid_lft forever preferred_lft forever
[root@public ~]#
[root@public ~]#
[root@public ~]#
[root@public ~]# ip netns exec ns1 ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.
64 bytes from 192.168.2.100: icmp_seq=1 ttl=63 time=0.020 ms
64 bytes from 192.168.2.100: icmp_seq=2 ttl=63 time=0.025 ms
64 bytes from 192.168.2.100: icmp_seq=3 ttl=63 time=0.030 ms
^C
--- 192.168.2.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.025/0.030/0.004 ms
[root@public ~]#
[root@public ~]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=63 time=0.020 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=63 time=0.036 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=63 time=0.034 ms
^C
--- 192.168.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.020/0.030/0.036/0.007 ms
[root@public ~]#
tun 是一个网络层的点对点设备,它启用了 IP 层隧道功能。Linux 原生支持的三层隧道可以通过命令 ip tunnel help 查看。这类隧道只做封装,本身不提供加密和认证,隧道内的流量在底层网络上是明文可见的。
[root@public ~]# lsmod | grep ip
ip_tables 27115 0
[root@public ~]# modprobe ipip
[root@public ~]# lsmod | grep ipip
ipip 13465 0
tunnel4 13252 1 ipip
ip_tunnel 25163 1 ipip
[root@public ~]#
[root@public ~]# ip tunnel
tunl0: ip/ip remote any local any ttl inherit nopmtudisc
[root@public ~]# ip tunnel help
Usage: ip tunnel { add | change | del | show | prl | 6rd } [ NAME ]
[ mode { ipip | gre | sit | isatap | vti } ] [ remote ADDR ] [ local ADDR ]
[ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
[ prl-default ADDR ] [ prl-nodefault ADDR ] [ prl-delete ADDR ]
[ 6rd-prefix ADDR ] [ 6rd-relay_prefix ADDR ] [ 6rd-reset ]
[ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ]
Where: NAME := STRING
ADDR := { IP_ADDRESS | any }
TOS := { STRING | 00..ff | inherit | inherit/STRING | inherit/00..ff }
TTL := { 1..255 | inherit }
KEY := { DOTTED_QUAD | NUMBER }
[root@public ~]#
Linux一共原生支持5种三层隧道(tunnel),ipip、gre、sit、isatap、vti。
加载 ipip 模块后,创建对应的设备进行验证:
# 在ns1上创建 tun1 和 ipip tunnel
[root@public ~]# ip netns exec ns1 ip tunnel add tun1 mode ipip remote 192.168.2.100 local 192.168.1.100 ttl 255
[root@public ~]# ip netns exec ns1 ip link set tun1 up
[root@public ~]# ip netns exec ns1 ip addr add 192.168.90.70 peer 192.168.70.70 dev tun1
[root@public ~]#
# 在ns2 上创建 tun2 和 ipip tunnel
[root@public ~]# ip netns exec ns2 ip tunnel add tun2 mode ipip remote 192.168.1.100 local 192.168.2.100 ttl 255
[root@public ~]# ip netns exec ns2 ip link set tun2 up
[root@public ~]# ip netns exec ns2 ip addr add 192.168.70.70 peer 192.168.90.70 dev tun2
[root@public ~]#
[root@public ~]# ip netns exec ns1 ping 192.168.70.70
PING 192.168.70.70 (192.168.70.70) 56(84) bytes of data.
64 bytes from 192.168.70.70: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 192.168.70.70: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 192.168.70.70: icmp_seq=3 ttl=64 time=0.048 ms
64 bytes from 192.168.70.70: icmp_seq=4 ttl=64 time=0.046 ms
^C
--- 192.168.70.70 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.046/0.053/0.069/0.011 ms
[root@public ~]# ip netns exec ns2 ping 192.168.90.70
PING 192.168.90.70 (192.168.90.70) 56(84) bytes of data.
64 bytes from 192.168.90.70: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 192.168.90.70: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 192.168.90.70: icmp_seq=3 ttl=64 time=0.045 ms
64 bytes from 192.168.90.70: icmp_seq=4 ttl=64 time=0.100 ms
^C
--- 192.168.90.70 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.033/0.057/0.100/0.026 ms
[root@public ~]#
ip tunnel add命令详解:
ip tunnel add tun1 mode ipip:创建一个名为 tun1 的隧道设备,隧道模式为 ipip。
remote 192.168.1.100 local 192.168.2.100:指定隧道封装后外层 IP 头的地址,远端为 192.168.1.100,本地为 192.168.2.100。
如果将命令中的ipip换成gre,其余不变,就创建了一个gre隧道的tun设备。