/etc/network/interfaces
will look something like this:
# /etc/network/interfaces — router node: one LAN VLAN and two operator (WAN)
# VLANs on a single 802.1q trunk (eth0).  1.1.1.x / 2.2.2.x are placeholders for
# the operator-assigned point-to-point /30s.
auto lo
iface lo inet loopback
    # Installs the policy-routing rules (iprules.sh, see below) every time lo
    # comes up, i.e. on every boot.
    post-up bash /etc/network/iprules.sh
    # Blackhole all of 192.168.0.0/16 in the main table: traffic for private
    # ranges we have no more specific route for is dropped instead of leaking
    # out through an operator default route.  The LAN /24 on vlan200 is directly
    # connected and therefore more specific, so it still works.  10.0.0.0/8 and
    # 172.16.0.0/12 are not covered here — add them if those ranges are unused.
    post-up ip route add blackhole 192.168.0.0/16
    # Resolve through the local PowerDNS (configured further down).
    dns-nameservers 127.0.0.1
    dns-search dz

# lan, wan: 802.1q trunk — eth0 itself carries no address, only the VLAN
# sub-interfaces below.
auto eth0
iface eth0 inet manual

# lan — 192.168.1.2 is this node's own address; the shared VIP 192.168.1.1 is
# managed by keepalived on this VLAN.
auto vlan200
iface vlan200 inet static
    vlan_raw_device eth0
    address 192.168.1.2
    netmask 255.255.255.0

# Operator1
auto vlan110
iface vlan110 inet static
    vlan_raw_device eth0
    address 1.1.1.2
    netmask 255.255.255.252
    # Per-operator default route in its own table (ids in /etc/iproute2/rt_tables).
    post-up ip route add default via 1.1.1.1 table oper1
    # Reverse-path filtering is turned off because replies may come back via the
    # other operator's VLAN and strict rp_filter would drop them.  This also stops
    # the kernel rejecting packets with spoofed (e.g. internal) source addresses
    # arriving from the operator; loose mode (rp_filter=2) is usually enough for
    # multi-WAN and keeps part of that protection — try it before using 0.
    post-up sysctl net.ipv4.conf.$IFACE.rp_filter=0
    post-down ip route flush table oper1

# Operator2
auto vlan120
iface vlan120 inet static
    vlan_raw_device eth0
    address 2.2.2.2
    netmask 255.255.255.252
    post-up ip route add default via 2.2.2.1 table oper2
    # Same rp_filter caveat as for vlan110.
    post-up sysctl net.ipv4.conf.$IFACE.rp_filter=0
    post-down ip route flush table oper2
`net.ipv4.conf.$IFACE.rp_filter=0` disables reverse-path filtering on each operator VLAN. With two uplinks a reply may arrive on a different interface than the one the kernel would route its source address through, and strict rp_filter would silently drop it. The price is that the kernel also stops rejecting packets with spoofed (for example internal) source addresses coming in from the operators; loose mode (`rp_filter=2`) is usually sufficient for multi-WAN and keeps part of that protection, so try it before falling back to 0. The connection-marking rules below are the other half of the setup:
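#!/bin/bash
# Connection marking for multi-WAN (mangle table) — needed, together with the
# rp_filter setting in /etc/network/interfaces, for multi-WAN to work correctly.
# The first packet of every connection is tagged with the operator it arrived
# on (PREROUTING) or left through (OUTPUT / POSTROUTING); the tag is stored in
# the conntrack entry and copied back onto every later packet of that
# connection, so the fwmark rules in iprules.sh keep the whole connection on
# the same operator.
#
# Mark values (two low bits, mask 0x3): 0x1 = oper1 (vlan110), 0x2 = oper2 (vlan120).
# Only the mangle table is configured here; the filter-table policy for the
# operator VLANs (INPUT/FORWARD) is not part of this listing and must be set up
# separately.
set -eu

# Append a mangle rule only if an identical one is not present yet, so this
# script can be re-run (e.g. from a post-up hook) without piling up duplicates.
# Arguments: chain name, then the rule specification.
mangle_add() {
  local chain=$1
  shift
  iptables -t mangle -C "$chain" "$@" 2>/dev/null \
    || iptables -t mangle -A "$chain" "$@"
}

# Incoming traffic: new connections entering via an operator VLAN remember it…
mangle_add PREROUTING -i vlan110 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x1/0x3
mangle_add PREROUTING -i vlan120 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x2/0x3
# …and every packet gets its connection's mark restored for policy routing.
mangle_add PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# Locally generated traffic: same idea, keyed on the egress interface.
mangle_add OUTPUT -o vlan110 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x1/0x3
mangle_add OUTPUT -o vlan120 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x2/0x3
mangle_add OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

# Forwarded traffic leaving via an operator: record the operator on the connection.
mangle_add POSTROUTING -o vlan110 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x1/0x3
mangle_add POSTROUTING -o vlan120 -m conntrack --ctstate NEW,RELATED -j CONNMARK --set-xmark 0x2/0x3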
The `iprules.sh` script is executed by the `post-up` hook when `lo` is brought up (see `/etc/network/interfaces` above), so it runs on every boot. Inside the script:
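#!/bin/bash
# Policy-routing rules for the two operators.  Invoked from the post-up hook of
# "lo" in /etc/network/interfaces.  The table names must exist in
# /etc/iproute2/rt_tables (oper1 = 110, oper2 = 120).
#
# Lookup order (lower number is checked first):
#    7001/7002  packets sourced from an operator's own address use its table
#    8001/8002  packets that arrived via an operator VLAN are answered through
#               the main table (our own services, directly connected networks)
#  10001/10002  connections marked by the CONNMARK rules leave via that operator
#  32766/32767  the stock main/default lookups
#
# Priorities are given explicitly so the result does not depend on what was in
# the rule list before the flush.  If netgwm (installed below) adds rules of its
# own, check "ip rule show" for conflicts.
set -eu

# "ip rule flush" keeps the priority-0 "lookup local" rule but removes the
# 32766 main / 32767 default rules as well; without them anything that matches
# none of the rules below has no route at all, so they are re-added at the end.
/sbin/ip rule flush

# operator 1
/sbin/ip rule add priority 7001  from 1.1.1.2 lookup oper1
/sbin/ip rule add priority 8001  iif vlan110 lookup main
/sbin/ip rule add priority 10001 fwmark 0x1/0x3 lookup oper1

# operator 2
# The original listing used "lookup operator2" — not a table defined in
# rt_tables — so these two rules failed to install.
/sbin/ip rule add priority 7002  from 2.2.2.2 lookup oper2
/sbin/ip rule add priority 8002  iif vlan120 lookup main
/sbin/ip rule add priority 10002 fwmark 0x2/0x3 lookup oper2

# Restore the default lookups removed by the flush.
/sbin/ip rule add priority 32766 lookup main
/sbin/ip rule add priority 32767 lookup default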
/etc/iproute2/rt_tables
:
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
# Per-operator tables referenced by "table oper1/oper2" in
# /etc/network/interfaces, by the "lookup" rules in iprules.sh and by the
# gateway names in netgwm.yml.  The ids simply mirror the VLAN ids.
110	oper1
120	oper2
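#!/bin/bash
# Install netgwm from the vendor (Flant) repository on Ubuntu trusty.
# NOTE: this adds a third-party repository, and apt-key trusts its signing key
# for *all* APT sources (trusty's apt has no per-repository [signed-by=]).
set -euo pipefail

# Repository definition.
sudo wget https://apt.flant.ru/apt/flant.trusty.common.list -O /etc/apt/sources.list.d/flant.common.list

# Signing key: download to a temporary file and print its fingerprint before
# trusting it, instead of piping it straight into apt-key.  Compare the
# fingerprint with the one published by the vendor (not reproduced here).
keyfile=$(mktemp)
trap 'rm -f -- "$keyfile"' EXIT
wget https://apt.flant.ru/apt/archive.key -O "$keyfile"
gpg --with-fingerprint "$keyfile"    # "gpg --show-keys" on newer GnuPG
sudo apt-key add "$keyfile"
# On apt >= 1.1 prefer a dedicated keyring plus "[signed-by=...]" in the .list.

# Needed so apt can fetch from the https:// source added above.
sudo apt-get install apt-transport-https

# netgwm itself.
sudo apt-get update && sudo apt-get install netgwm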
/etc/netgwm/netgwm.yml
config declares the two operators, the gateway (default route) for each, their priority, and the reachability-check settings netgwm uses to decide which operator is currently usable:
# /etc/netgwm/netgwm.yml — netgwm chooses the system default gateway among the
# operators listed here.
#
# Gateways to manage.  The key must be the name of the operator's routing table
# in /etc/iproute2/rt_tables; "ip" is that operator's next hop (same as the
# default route in the table).  Lower "priority" wins when both are reachable.
gateways:
  oper1: {ip: 1.1.1.1, priority: 1}
  oper2: {ip: 2.2.2.1, priority: 2}

# Presumably the time in seconds a gateway has to stay reachable after coming
# back online before netgwm switches to it again — damps flapping between
# operators.  Confirm the exact semantics against the netgwm documentation.
min_uptime: 900

# External hosts probed through each gateway to decide whether it is online
# or offline.  Both look like DNS root-server addresses; probe hosts you are
# allowed to, and more than one so a single host outage is not mistaken for an
# operator outage.
check_sites:
  - 192.5.5.241
  - 198.41.0.4
oper1
and oper2
are the names of the routing tables defined in `/etc/iproute2/rt_tables` above
. Restart the netgwm service so it starts managing the system's default gateway:
$ sudo service netgwm restart
/etc/keepalived/keepalived.conf
:
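!
! Configuration File for keepalived
! One VRRP instance on the LAN VLAN.  The VIP 192.168.1.1 is what DHCP clients
! (routers/DNS options), the dhcpd DDNS updates and the pdns MySQL connection
! all point at.
global_defs {
    notification_email {
        admin@fromhabr.ru
    }
    notification_email_from keepalived@example.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id MY_ROUTER
}

vrrp_instance VI_1 {
    interface vlan200            # VRRP advertisements go out on the LAN VLAN only
    virtual_router_id 17         # must be identical on Master and Backup

    # Do not take the VIP back from the current master when this node returns
    # with a higher priority (avoids a second failover after a reboot).
    # keepalived documents that nopreempt only takes effect when the initial
    # state is BACKUP, so both nodes start as BACKUP and the first election is
    # decided by priority alone.  (The original listing had "state MASTER"
    # here, which makes nopreempt ineffective.)
    nopreempt
    state BACKUP
    priority 200                 # 100 on the other node
    advert_int 1

    # Gratuitous ARP after taking over, so LAN hosts refresh their ARP cache.
    garp_master_delay 1
    garp_master_refresh 60

    # auth_type PASS sends the password in clear text in every VRRP
    # advertisement and only its first 8 characters are used; it guards against
    # misconfiguration, not against an attacker on vlan200.  Change the value
    # and keep untrusted hosts off this VLAN.
    authentication {
        auth_type PASS
        auth_pass qwerty
    }

    # The shared address; it exists only on the node that currently holds the
    # VRRP master role.
    virtual_ipaddress {
        192.168.1.1/24 broadcast 192.168.1.255 dev vlan200
    }

    # Hooks run as root on state changes (Master, Backup, Fault, stop).
    # Keep the scripts owned by root and not writable by anyone else — recent
    # keepalived releases refuse to run scripts with insecure permissions.
    notify_master /etc/keepalived/scripts/master.sh
    notify_backup /etc/keepalived/scripts/backup.sh
    notify_stop /etc/keepalived/scripts/stop.sh
    notify_fault /etc/keepalived/scripts/fault.sh
}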
The `nopreempt` parameter keeps the current master from being displaced when a node with a higher priority comes back up. keepalived only honours it when the instance's initial `state` is `BACKUP`, so both nodes should start as BACKUP and let `priority` decide the first election.
/etc/dhcp/dhcpd.conf
:
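# /etc/dhcp/dhcpd.conf — one node of the failover pair.  "address" below is
# this node's own LAN address and "peer address" the other node's; swap them
# (and primary/secondary) on the second server.

# DDNS: the server registers leases in the PowerDNS zones; clients may not.
ddns-updates on;
ddns-update-style interim;       # "standard" on ISC DHCP >= 4.3
do-forward-updates on;
update-static-leases on;         # also register fixed-address hosts (e.g. printer)
deny client-updates;             # ignore, deny, allow
# With conflict detection off dhcpd overwrites an existing A/PTR record for a
# name without checking the DHCID owner record, so any client can claim another
# host's name.  Keep false only if you need it (re-imaged machines); otherwise
# set it to true.
update-conflict-detection false;
update-optimization false;

# TSIG key used to sign the updates (generated with dnssec-keygen below).
# PowerDNS as configured in pdns.conf admits updates by source address and does
# not verify this key unless it is loaded into its tsigkeys table and the zones
# carry TSIG-ALLOW-DNSUPDATE metadata.
key "update-key" {
    algorithm hmac-md5;
    secret "";                   # REQUIRED: paste the generated base64 secret here
};

# Zones updated via the VRRP VIP, i.e. whichever node is keepalived master.
zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.1;
    key "update-key";
}
zone mynet. {
    primary 192.168.1.1;
    key "update-key";
}                                # closing brace was missing in the original listing

# Failover pair.  The failover protocol is unauthenticated clear-text TCP
# (ports 519/520 here), so both peers must only be reachable on the LAN VLAN.
failover peer "failover-partner" {
    primary;                     # "secondary" on the other node
    address 192.168.1.3;
    port 519;
    peer address 192.168.1.2;
    peer port 520;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
    # dhcpd refuses to start a primary without mclt and split (or hba);
    # neither may appear on the secondary.
    mclt 1800;
    split 128;                   # 50/50 address split between the peers
}

default-lease-time 2400;
max-lease-time 36000;
log-facility local7;
authoritative;
# A hostname here is resolved once when dhcpd loads its configuration; if DNS is
# unavailable at that moment the config fails to load — prefer IP addresses.
option ntp-servers 192.168.1.1, ru.pool.ntp.org;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.51 192.168.1.150;        # 100 addresses, not part of the failover pool
    option subnet-mask 255.255.255.0;
    option broadcast-address 255.255.255.0;
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    ddns-domainname "mynet.";
    # Addresses shared between the failover peers.
    pool {
        failover peer "failover-partner";
        range 192.168.1.151 192.168.1.250;
    }
    # Static leases.
    host printer {
        hardware ethernet 00:26:73:47:94:d8;
        fixed-address 192.168.1.8;
    }
}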
`update-key` is the TSIG key with which dhcpd signs its updates to the `mynet.` zone (its `secret` was left empty in dhcpd.conf above). Generate it and display the secret:
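# Generate the TSIG secret for "update-key".  HMAC-MD5 is what dhcpd.conf above
# expects (algorithm hmac-md5); keep both sides in sync if you change it.
# The original used -b 64, i.e. an 8-byte secret — use 256 bits.  The key file
# name (secret_key) is irrelevant to dhcpd; only the secret is copied over.
# (Newer BIND ships tsig-keygen, which prints a ready-made key { } block.)
dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST secret_key
# -> prints the key file base name, e.g. Ksecret_key.+157+64663

# Extract the base64 secret; it goes into secret "..." in dhcpd.conf on both
# DHCP nodes.  Treat the K*.private file like a password and delete it when done.
grep '^Key' Ksecret_key.+*.private | awk '{print $2}'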
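-- Run from the MySQL CLI:  mysql -u root -p
-- Database and a dedicated user for PowerDNS.
CREATE DATABASE IF NOT EXISTS powerdns;   -- "IF NOT EXIST" in the original is a syntax error

-- PowerDNS only needs row-level access (dynamic updates are INSERT/UPDATE/DELETE),
-- not ALL PRIVILEGES.  pdns.conf connects to gmysql-host=192.168.1.1 (the VRRP
-- VIP) over TCP, so the connection does NOT arrive as 'localhost': grant to the
-- addresses the two router nodes connect from (and the VIP itself, which is the
-- source address when the VIP is local).  Replace 'pdns_password'.
GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'pdns_admin'@'localhost' IDENTIFIED BY 'pdns_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'pdns_admin'@'localhost.localdomain' IDENTIFIED BY 'pdns_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'pdns_admin'@'192.168.1.1' IDENTIFIED BY 'pdns_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'pdns_admin'@'192.168.1.2' IDENTIFIED BY 'pdns_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'pdns_admin'@'192.168.1.3' IDENTIFIED BY 'pdns_password';
FLUSH PRIVILEGES;
-- MySQL must also listen on the LAN address/VIP (bind-address); that traffic is
-- plain TCP, so keep it on the LAN VLAN only.
USE powerdns;

-- Minimal PowerDNS schema.  NOTE: pdns.conf below sets gmysql-dnssec=yes and
-- dnsupdate=yes; with those PowerDNS also expects the ordername/auth columns on
-- records and the domainmetadata, cryptokeys and tsigkeys tables, which this
-- schema does not have.  Load the schema file shipped with pdns-backend-mysql
-- for your PowerDNS version instead, or set gmysql-dnssec=no.
CREATE TABLE IF NOT EXISTS `domains` (
  id INT auto_increment,
  name VARCHAR(255) NOT NULL,
  master VARCHAR(128) DEFAULT NULL,
  last_check INT DEFAULT NULL,
  type VARCHAR(6) NOT NULL,
  notified_serial INT DEFAULT NULL,
  account VARCHAR(40) DEFAULT NULL,
  primary key (id)
);

CREATE TABLE `records` (
  id INT auto_increment,
  domain_id INT DEFAULT NULL,
  name VARCHAR(255) DEFAULT NULL,
  type VARCHAR(6) DEFAULT NULL,
  content VARCHAR(255) DEFAULT NULL,   -- too short for long TXT/DNSKEY data
  ttl INT DEFAULT NULL,
  prio INT DEFAULT NULL,
  change_date INT DEFAULT NULL,
  primary key(id)
);

-- Hosts allowed to auto-provision slave zones (supermaster); unused unless slave=yes.
CREATE TABLE `supermasters` (
  ip VARCHAR(25) NOT NULL,
  nameserver VARCHAR(255) NOT NULL,
  account VARCHAR(40) DEFAULT NULL
);

CREATE INDEX `domain_id` ON `records`(`domain_id`);
CREATE INDEX `rec_name_index` ON `records`(`name`);
CREATE INDEX `nametype_index` ON `records`(`name`,`type`);
CREATE UNIQUE INDEX `name_index` ON `domains`(`name`);   -- backtick was missing in the original
quit;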
Install the `pdns-backend-mysql` package and edit the `/etc/powerdns/pdns.conf` config:
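# /etc/powerdns/pdns.conf — authoritative server with the MySQL backend,
# dynamic updates from the DHCP servers, recursion handed to pdns-recursor
# on 127.0.0.1:5353.

# Zone transfers and recursion: loopback and the LAN only.
allow-axfr-ips=127.0.0.0/8,192.168.1.0/24
# Dynamic updates.  The original allowed all of 192.168.1.0/24, which lets any
# LAN host rewrite records because nothing here requires TSIG.  Limit it to the
# two DHCP nodes and the VIP (the source address used when the VIP is local).
# To enforce the dhcpd TSIG key instead, load it into the tsigkeys table and
# set TSIG-ALLOW-DNSUPDATE metadata on the zones.
allow-dnsupdate-from=127.0.0.0/8,192.168.1.1/32,192.168.1.2/32,192.168.1.3/32
allow-recursion=127.0.0.0/8,192.168.1.0/24

config-dir=/etc/powerdns
daemon=yes
disable-axfr=no
dnsupdate=yes
guardian=yes
# Listening on every address is presumably needed because the VIP 192.168.1.1
# does not exist on the backup node (binding to it there would require
# net.ipv4.ip_nonlocal_bind=1).  Consequence: port 53 is also open on the
# operator VLANs — block it there in the filter table unless the zones are
# meant to be public.
local-address=0.0.0.0
local-address-nonexist-fail=no
local-port=53
local-ipv6=::1

master=yes
slave=no
# Recursion through the authoritative server (recursor=) is deprecated and was
# removed in PowerDNS 4.1; on newer versions point clients at the recursor
# directly (or put dnsdist in front).
recursor=127.0.0.1:5353
setgid=pdns
setuid=pdns
socket-dir=/var/run
# Do not advertise the exact server version.
version-string=powerdns
webserver=no

# MySQL
launch=gmysql
# The VRRP VIP: MySQL is presumably reached on whichever node is keepalived
# master.  This is plain TCP on the LAN VLAN, and the user's grants must cover
# the nodes' own addresses (see the GRANT statements), not just localhost.
gmysql-host=192.168.1.1
gmysql-port=3306
gmysql-user=pdns_admin
# This file contains the DB password: keep it root:pdns, mode 0640.
gmysql-password=pdns_password
# Requires the DNSSEC-capable schema (ordername/auth columns, domainmetadata,
# cryptokeys, tsigkeys tables) shipped with the package, not the minimal
# schema created above.
gmysql-dnssec=yes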
/etc/powerdns/recursor.conf
file:
# /etc/powerdns/recursor.conf — recursor used only by the authoritative server
# (recursor=127.0.0.1:5353 in pdns.conf); it is not reachable from the network.
daemon=yes
# Intranet zones handed to neighbouring servers (see forward_zones below).
forward-zones-file=/etc/powerdns/forward_zones
# Loopback only: clients reach it through pdns (allow-recursion there), which
# keeps the recursor off the operator VLANs without relying on firewall rules.
local-address=127.0.0.1
local-port=5353
quiet=yes
setgid=pdns
setuid=pdns
Put the intranet zones that are served by neighbouring servers into the `forward_zones` file:
# zone=server — queries for these intranet zones (forward and reverse) are sent
# to the neighbouring office's DNS server instead of being resolved on the
# Internet.  NOTE: 192.168.2.1 lies inside the 192.168.0.0/16 blackhole route
# from /etc/network/interfaces; a more specific route to 192.168.2.0/24 (e.g.
# via a VPN) must exist on the router or these forwards go nowhere.
piter_filial.local=192.168.2.1
2.168.192.in-addr.arpa=192.168.2.1
Then restart `pdns` and `pdns-recursor` so the new configuration takes effect.
Source: https://habr.com/ru/post/331128/