I have 2 networks and want to connect them to each other. It should be possible for all devices in network A to communicate with devices on network B, and vice versa. One network is "managed" by a USG200, the other by a pfSense box. Each router/firewall uses:
- 1 interface that serves DHCP and connects the switch with all network devices
- 1 interface connected to the other router/firewall
What I know:
- I can ping every device within the same network, including the interfaces on the corresponding router/firewall.
- I can ping the network behind the Zyxel from the pfSense CLI, but not from the network behind the pfSense (10.128.10.x).
- I cannot ping the network behind the pfSense from the network behind the Zyxel (192.168.104.x).
Why can't I ping, ssh or browse to devices in the other network?
I made a diagram that sketches what I described above:
pfSense export:
<?xml version="1.0"?>
<pfsense>
<version>19.1</version>
<lastchange></lastchange>
<system>
<optimization>normal</optimization>
<hostname>axx-psen-wal01</hostname>
<domain>localdomain</domain>
<group>
<name>all</name>
<description><![CDATA[All Users]]></description>
<scope>system</scope>
<gid>1998</gid>
<member>0</member>
</group>
<group>
<name>admins</name>
<description><![CDATA[System Administrators]]></description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>admin</name>
<descr><![CDATA[System Administrator]]></descr>
<scope>system</scope>
<groupname>admins</groupname>
<bcrypt-hash>***********OBFUSCATED**********</bcrypt-hash>
<uid>0</uid>
<priv>user-shell-access</priv>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timeservers>2.pfsense.pool.ntp.org</timeservers>
<disablenatreflection>yes</disablenatreflection>
<disablesegmentationoffloading></disablesegmentationoffloading>
<disablelargereceiveoffloading></disablelargereceiveoffloading>
<ipv6allow></ipv6allow>
<maximumtableentries>400000</maximumtableentries>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<already_run_config_upgrade></already_run_config_upgrade>
<timezone>Europe/Amsterdam</timezone>
<language>en_US</language>
<dnsserver>8.8.8.8</dnsserver>
<dnsallowoverride></dnsallowoverride>
<dns1gw>none</dns1gw>
<maximumstates></maximumstates>
<aliasesresolveinterval></aliasesresolveinterval>
<maximumfrags></maximumfrags>
<reflectiontimeout></reflectiontimeout>
</system>
<interfaces>
<wan>
<if>igb0</if>
<blockpriv></blockpriv>
<blockbogons></blockbogons>
<descr><![CDATA[WAN1]]></descr>
<alias-address></alias-address>
<alias-subnet>32</alias-subnet>
<spoofmac></spoofmac>
<enable></enable>
<ipaddr>dhcp</ipaddr>
<dhcphostname></dhcphostname>
<dhcprejectfrom></dhcprejectfrom>
<adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
<adv_dhcp_pt_retry></adv_dhcp_pt_retry>
<adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
<adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
<adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
<adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
<adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
<adv_dhcp_send_options></adv_dhcp_send_options>
<adv_dhcp_request_options></adv_dhcp_request_options>
<adv_dhcp_required_options></adv_dhcp_required_options>
<adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
<adv_dhcp_config_advanced></adv_dhcp_config_advanced>
<adv_dhcp_config_file_override></adv_dhcp_config_file_override>
<adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
<ipaddrv6>dhcp6</ipaddrv6>
<dhcp6-duid></dhcp6-duid>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
<adv_dhcp6_prefix_selected_interface>lan</adv_dhcp6_prefix_selected_interface>
</wan>
<lan>
<if>igb1</if>
<descr><![CDATA[WAN2]]></descr>
<spoofmac>c1:9b:43:75:5a:65</spoofmac>
<alias-address></alias-address>
<alias-subnet>32</alias-subnet>
<enable></enable>
<ipaddr>192.168.222.2</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
<opt1>
<descr><![CDATA[LAN1]]></descr>
<if>igb2</if>
<enable></enable>
<spoofmac></spoofmac>
</opt1>
<opt2>
<descr><![CDATA[LAN2]]></descr>
<if>igb3</if>
<enable></enable>
<ipaddr>192.168.200.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt2>
<opt3>
<descr><![CDATA[axn_mgmt]]></descr>
<if>igb2.5</if>
<enable></enable>
<spoofmac></spoofmac>
</opt3>
<opt4>
<descr><![CDATA[axn_intra]]></descr>
<if>igb2.10</if>
<enable></enable>
<ipaddr>10.128.10.1</ipaddr>
<subnet>24</subnet>
<spoofmac></spoofmac>
</opt4>
</interfaces>
<staticroutes>
<route>
<network>192.168.104.0/24</network>
<gateway>gw_to_old_network</gateway>
<descr><![CDATA[Zyxel compatibility rule]]></descr>
</route>
</staticroutes>
<dhcpd>
<lan>
<range>
<from>192.168.1.10</from>
<to>192.168.1.245</to>
</range>
<dhcpleaseinlocaltime></dhcpleaseinlocaltime>
<failover_peerip></failover_peerip>
<defaultleasetime></defaultleasetime>
<maxleasetime></maxleasetime>
<netmask></netmask>
<gateway></gateway>
<domain></domain>
<domainsearchlist></domainsearchlist>
<ddnsdomain></ddnsdomain>
<ddnsdomainprimary></ddnsdomainprimary>
<ddnsdomainkeyname></ddnsdomainkeyname>
<ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
<ddnsdomainkey></ddnsdomainkey>
<mac_allow></mac_allow>
<mac_deny></mac_deny>
<ddnsclientupdates>allow</ddnsclientupdates>
<tftp></tftp>
<ldap></ldap>
<nextserver></nextserver>
<filename></filename>
<filename32></filename32>
<filename64></filename64>
<rootpath></rootpath>
<numberoptions></numberoptions>
</lan>
<opt2>
<range>
<from>192.168.200.30</from>
<to>192.168.200.199</to>
</range>
<failover_peerip></failover_peerip>
<defaultleasetime></defaultleasetime>
<maxleasetime></maxleasetime>
<netmask></netmask>
<gateway></gateway>
<domain></domain>
<domainsearchlist></domainsearchlist>
<ddnsdomain></ddnsdomain>
<ddnsdomainprimary></ddnsdomainprimary>
<ddnsdomainkeyname></ddnsdomainkeyname>
<ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
<ddnsdomainkey></ddnsdomainkey>
<mac_allow></mac_allow>
<mac_deny></mac_deny>
<ddnsclientupdates>allow</ddnsclientupdates>
<tftp></tftp>
<ldap></ldap>
<nextserver></nextserver>
<filename></filename>
<filename32></filename32>
<filename64></filename64>
<rootpath></rootpath>
<numberoptions></numberoptions>
<enable></enable>
<dhcpleaseinlocaltime></dhcpleaseinlocaltime>
</opt2>
<opt4>
<range>
<from>10.128.10.30</from>
<to>10.128.10.199</to>
</range>
<enable></enable>
<failover_peerip></failover_peerip>
<defaultleasetime></defaultleasetime>
<maxleasetime></maxleasetime>
<netmask></netmask>
<gateway></gateway>
<domain></domain>
<domainsearchlist></domainsearchlist>
<ddnsdomain></ddnsdomain>
<ddnsdomainprimary></ddnsdomainprimary>
<ddnsdomainkeyname></ddnsdomainkeyname>
<ddnsdomainkeyalgorithm>hmac-md5</ddnsdomainkeyalgorithm>
<ddnsdomainkey></ddnsdomainkey>
<mac_allow></mac_allow>
<mac_deny></mac_deny>
<ddnsclientupdates>allow</ddnsclientupdates>
<tftp></tftp>
<ldap></ldap>
<nextserver></nextserver>
<filename></filename>
<filename32></filename32>
<filename64></filename64>
<rootpath></rootpath>
<numberoptions></numberoptions>
<dhcpleaseinlocaltime></dhcpleaseinlocaltime>
<dnsserver>8.8.8.8</dnsserver>
</opt4>
</dhcpd>
<dhcpdv6>
<lan>
<enable></enable>
<range>
<from>::1000</from>
<to>::2000</to>
</range>
<ramode>assist</ramode>
<rapriority>medium</rapriority>
</lan>
</dhcpdv6>
<snmpd>
<syslocation></syslocation>
<syscontact></syscontact>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat>
<ipaddr></ipaddr>
</ipv6nat>
</diag>
<syslog>
<filterdescriptions>1</filterdescriptions>
</syslog>
<nat>
<outbound>
<mode>advanced</mode>
<rule>
<interface>wan</interface>
<source>
<network>10.128.10.0/24</network>
</source>
<dstport>500</dstport>
<target></target>
<destination>
<any></any>
</destination>
<staticnatport></staticnatport>
<descr><![CDATA[Auto created rule for ISAKMP - AXN_INTRA to WAN1]]></descr>
<created>
<time>1589543460</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
<rule>
<interface>wan</interface>
<source>
<network>10.128.10.0/24</network>
</source>
<sourceport></sourceport>
<target></target>
<destination>
<any></any>
</destination>
<natport></natport>
<descr><![CDATA[Auto created rule - AXN_INTRA to WAN1]]></descr>
<created>
<time>1589543460</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
<rule>
<interface>lan</interface>
<source>
<network>192.168.104.0/24</network>
</source>
<dstport>500</dstport>
<target></target>
<destination>
<any></any>
</destination>
<staticnatport></staticnatport>
<descr><![CDATA[Auto created rule for ISAKMP - static route to WAN2]]></descr>
<created>
<time>1589792091</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
<rule>
<interface>lan</interface>
<source>
<network>192.168.104.0/24</network>
</source>
<sourceport></sourceport>
<target></target>
<destination>
<any></any>
</destination>
<natport></natport>
<descr><![CDATA[Auto created rule - static route to WAN2]]></descr>
<created>
<time>1589792091</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
<rule>
<interface>lan</interface>
<source>
<network>10.128.10.0/24</network>
</source>
<dstport>500</dstport>
<target></target>
<destination>
<any></any>
</destination>
<staticnatport></staticnatport>
<descr><![CDATA[Auto created rule for ISAKMP - AXN_INTRA to WAN2]]></descr>
<created>
<time>1589792091</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
<rule>
<interface>lan</interface>
<source>
<network>10.128.10.0/24</network>
</source>
<sourceport></sourceport>
<target></target>
<destination>
<any></any>
</destination>
<natport></natport>
<descr><![CDATA[Auto created rule - AXN_INTRA to WAN2]]></descr>
<created>
<time>1589792091</time>
<username><![CDATA[Manual Outbound NAT Switch]]></username>
</created>
</rule>
</outbound>
</nat>
<filter>
<rule>
<id></id>
<tracker>1589535222</tracker>
<type>pass</type>
<interface>lan</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<any></any>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[test rule]]></descr>
<created>
<time>1589535222</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</created>
<updated>
<time>1589537043</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<rule>
<id></id>
<tracker>1589534465</tracker>
<type>pass</type>
<interface>opt2</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<any></any>
</source>
<destination>
<any></any>
</destination>
<descr></descr>
<updated>
<time>1589534465</time>
<username><![CDATA[admin@192.168.1.100 (Local Database)]]></username>
</updated>
<created>
<time>1589534465</time>
<username><![CDATA[admin@192.168.1.100 (Local Database)]]></username>
</created>
</rule>
<rule>
<id></id>
<tracker>1589536898</tracker>
<type>pass</type>
<interface>opt4</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>icmp</protocol>
<icmptype>any</icmptype>
<source>
<any></any>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[test rule]]></descr>
<created>
<time>1589536898</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</created>
<updated>
<time>1589537026</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<rule>
<id></id>
<tracker>1589535642</tracker>
<type>pass</type>
<interface>opt4</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<any></any>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[test rule]]></descr>
<created>
<time>1589535642</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</created>
<updated>
<time>1589537018</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<rule>
<id></id>
<tracker>1589535105</tracker>
<type>pass</type>
<interface>opt4</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<network>opt4</network>
</source>
<destination>
<address>192.168.104.0/24</address>
</destination>
<descr><![CDATA[Zyxel compatibility rule]]></descr>
<created>
<time>1589535105</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</created>
<updated>
<time>1589536984</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<rule>
<id></id>
<tracker>1589535574</tracker>
<type>pass</type>
<interface>opt4</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<network>opt4</network>
</source>
<destination>
<any></any>
</destination>
<descr><![CDATA[axn_mgmt to all rule]]></descr>
<created>
<time>1589535574</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</created>
<updated>
<time>1589537000</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<rule>
<id></id>
<tracker>1589534846</tracker>
<type>pass</type>
<interface>opt4</interface>
<ipprotocol>inet</ipprotocol>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<source>
<network>opt4</network>
</source>
<destination>
<network>opt4ip</network>
</destination>
<descr><![CDATA[axn_intra to axn_intra]]></descr>
<created>
<time>1589534846</time>
<username><![CDATA[admin@192.168.200.30 (Local Database)]]></username>
</created>
<updated>
<time>1589536973</time>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</updated>
</rule>
<separator>
<opt2></opt2>
<opt4></opt4>
<lan></lan>
<wan></wan>
</separator>
<bypassstaticroutes>yes</bypassstaticroutes>
</filter>
<shaper></shaper>
<ipsec></ipsec>
<aliases></aliases>
<proxyarp></proxyarp>
<cron>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
</item>
<item>
<minute>30</minute>
<hour>12</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_urltables</command>
</item>
<item>
<minute>1</minute>
<hour>0</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_pkg_metadata</command>
</item>
</cron>
<wol></wol>
<rrd>
<enable></enable>
<category>left=system-processor&right=&resolution=300&timePeriod=-1d&startDate=&endDate=&startTime=0&endTime=0&graphtype=line&invert=true&refresh-interval=0</category>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr><![CDATA[ICMP]]></descr>
<options></options>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr><![CDATA[Generic TCP]]></descr>
<options></options>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr><![CDATA[Generic HTTP]]></descr>
<options>
<path>/</path>
<host></host>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr><![CDATA[Generic HTTPS]]></descr>
<options>
<path>/</path>
<host></host>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr><![CDATA[Generic SMTP]]></descr>
<options>
<send></send>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<widgets>
<sequence>system_information:col1:open:0,interfaces:col2:open:0</sequence>
<period>10</period>
</widgets>
<openvpn></openvpn>
<dnshaper></dnshaper>
<unbound>
<enable></enable>
<dnssec></dnssec>
<active_interface></active_interface>
<outgoing_interface></outgoing_interface>
<custom_options></custom_options>
<hideidentity></hideidentity>
<hideversion></hideversion>
<dnssecstripped></dnssecstripped>
</unbound>
<revision>
<time>1589875412</time>
<description><![CDATA[admin@10.128.10.30 (Local Database): Saved static route configuration.]]></description>
<username><![CDATA[admin@10.128.10.30 (Local Database)]]></username>
</revision>
<cert>
<refid>5ebe5df4744c4</refid>
<descr><![CDATA[webConfigurator default (5ebe5df4744c4)]]></descr>
<type>server</type>
<crt>***********OBFUSCATED**********==</crt>
<prv>***********OBFUSCATED**********==</prv>
</cert>
<ppps></ppps>
<gateways>
<defaultgw4></defaultgw4>
<defaultgw6></defaultgw6>
<gateway_group>
<name>gw_group_test</name>
<item>WAN1_DHCP|1|address</item>
<trigger>downlosslatency</trigger>
<descr></descr>
</gateway_group>
<gateway_item>
<interface>lan</interface>
<gateway>192.168.222.1</gateway>
<name>gw_to_old_network</name>
<weight>1</weight>
<ipprotocol>inet</ipprotocol>
<descr></descr>
</gateway_item>
</gateways>
<vlans>
<vlan>
<if>igb2</if>
<tag>5</tag>
<pcp></pcp>
<descr><![CDATA[axn_mgmt]]></descr>
<vlanif>igb2.5</vlanif>
</vlan>
<vlan>
<if>igb2</if>
<tag>10</tag>
<pcp></pcp>
<descr><![CDATA[axn_intra]]></descr>
<vlanif>igb2.10</vlanif>
</vlan>
</vlans>
</pfsense>
I would also like to provide the Zyxel export, but since that network is fully in production the configuration is very large and may contain some vulnerabilities (the device was already in use where I joined the company, and my predecessor has left). For that reason I added some screenshots of the settings I made. I cannot find where to configure a gateway in the Zyxel the way I did on the pfSense with the pfSense IP. I can only find how to set a "next hop" on a static route.
Zyxel interface 1 configuration:
Routing configuration (gateway: pfSense via IP 192.168.222.2):
Firewall rules:
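A small audit script, added here as an example (it is not pfSense tooling and not the poster's code), that parses a pfSense config.xml backup and cross-references the static routes, gateways, interfaces and outbound NAT rules it contains. For each static route it reports which interface the route's gateway lives on, whether the gateway address is on-link for that interface, and which outbound NAT rules are bound to that egress interface, since translating the source address on the transit link determines what address the other router sees in the packet. The embedded XML is a trimmed, constructed subset of the export above; the function names are my own.

```python
"""Audit helper for a pfSense config.xml export (added example, not pfSense's own tooling)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed subset of the pfSense export in the question.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <lan><if>igb1</if><descr><![CDATA[WAN2]]></descr><ipaddr>192.168.222.2</ipaddr><subnet>24</subnet></lan>
    <opt4><if>igb2.10</if><descr><![CDATA[axn_intra]]></descr><ipaddr>10.128.10.1</ipaddr><subnet>24</subnet></opt4>
  </interfaces>
  <staticroutes>
    <route><network>192.168.104.0/24</network><gateway>gw_to_old_network</gateway><descr><![CDATA[Zyxel compatibility rule]]></descr></route>
  </staticroutes>
  <gateways>
    <gateway_item><interface>lan</interface><gateway>192.168.222.1</gateway><name>gw_to_old_network</name></gateway_item>
  </gateways>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>lan</interface><source><network>10.128.10.0/24</network></source><destination><any></any></destination><descr><![CDATA[Auto created rule - AXN_INTRA to WAN2]]></descr></rule>
    <rule><interface>lan</interface><source><network>192.168.104.0/24</network></source><destination><any></any></destination><descr><![CDATA[Auto created rule - static route to WAN2]]></descr></rule>
    <rule><interface>wan</interface><source><network>10.128.10.0/24</network></source><destination><any></any></destination><descr><![CDATA[Auto created rule - AXN_INTRA to WAN1]]></descr></rule>
  </outbound></nat>
</pfsense>
"""


def text(node, path, default=""):
    """Return the stripped text of a child element, or default if absent/empty."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default


def parse_config(xml_text):
    """Extract interfaces, gateways, static routes and outbound NAT rules."""
    root = ET.fromstring(xml_text)
    interfaces = {}
    for iface in root.find("interfaces"):
        interfaces[iface.tag] = {"if": text(iface, "if"), "descr": text(iface, "descr"),
                                 "ipaddr": text(iface, "ipaddr"), "subnet": text(iface, "subnet")}
    gateways = {text(gw, "name"): {"interface": text(gw, "interface"), "gateway": text(gw, "gateway")}
                for gw in root.iterfind("gateways/gateway_item")}
    routes = [{"network": text(r, "network"), "gateway": text(r, "gateway"), "descr": text(r, "descr")}
              for r in root.iterfind("staticroutes/route")]
    nat_rules = []
    for rule in root.iterfind("nat/outbound/rule"):
        src = rule.find("source")
        nat_rules.append({"interface": text(rule, "interface"),
                          "source": text(src, "network", "any") if src is not None else "any",
                          "descr": text(rule, "descr")})
    return {"interfaces": interfaces, "gateways": gateways, "routes": routes,
            "nat_mode": text(root, "nat/outbound/mode"), "nat_rules": nat_rules}


def route_report(cfg):
    """For each static route: resolve its gateway to an interface, check the gateway
    is on-link for that interface, and list outbound NAT rules bound to that egress."""
    report = []
    for route in cfg["routes"]:
        gw = cfg["gateways"].get(route["gateway"])
        if gw is None:
            report.append({"route": route["network"], "problem": "gateway %s is not defined" % route["gateway"]})
            continue
        iface = cfg["interfaces"].get(gw["interface"], {})
        # A next hop that is not inside the egress interface's subnet cannot be
        # ARP-resolved, so the route would be unusable; None means "could not check".
        on_link = None
        try:
            net = ipaddress.ip_network("%s/%s" % (iface.get("ipaddr"), iface.get("subnet")), strict=False)
            on_link = ipaddress.ip_address(gw["gateway"]) in net
        except ValueError:
            pass  # DHCP-assigned or missing address in the export
        nat_on_egress = [r["source"] for r in cfg["nat_rules"] if r["interface"] == gw["interface"]]
        report.append({"route": route["network"], "gateway": gw["gateway"], "egress": gw["interface"],
                       "egress_if": iface.get("if"), "gateway_on_link": on_link,
                       "nat_sources_on_egress": nat_on_egress})
    return report


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("outbound NAT mode:", cfg["nat_mode"])
    for entry in route_report(cfg):
        print(entry)
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the output shows at a glance which interface a static route leaves on and whether that same interface carries outbound NAT rules for the internal networks, which is the combination to review when traffic crosses a transit link in only one direction.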