[Figure: current flow when accessing via synology.me]
[Figure: current flow when accessing via iptime.org]
[Figure: the flow I want]
The network is set up as shown above.
The FW and the router each have their own separate public IP, and the Synology NAS's default G/W goes through the FW.
Right now, access from outside to *.synology.me:5000 goes through the FW to the NAS,
and I'd like to be able to reach the NAS through the router's *.iptime.org:5000 as well,
but when I access *.iptime.org:5000 the traffic keeps going out through the default GW, so in the end the connection never works...
Is there any way, in a network layout like this, to have connections that come into the NAS through the router go back out through the router?
What the default g/w setting does is decide where the NAS sends traffic for IPs it doesn't know.
First, one of the two NICs gets set as the default,
and the rest is split up by address range and added to the routing. Synology lets you set a Static Route under Network as well.
So in practice you can decide which side to send traffic out of depending on where it originated. Connecting alternately via the fw and via iptime from the same place is unlikely to work properly, though.
If there is one way to do it, I think using a vpn would work.
If you use the router's vpn, the client gets a 192 ip, so it goes back out through the router.
When you come in from outside through IPtime to the Synology, the normal behaviour is that the session information makes the return traffic go back through IPtime...
In other words, the flow diagram itself for access via iptime.org is strange.
For this to work, at a minimum the FW and IPtime connected to the ISP would have to be unified behind a VIP public IP, so you'd need an L4.
The default GW is just the priority among multiple GWs: it says which default GW the Synology itself uses for outbound requests.
Have you checked that the Synology's GW setting is correct??
Additionally...
Please check whether *.iptime.org and *.synology.me resolve to the same IP.
iptime.org and synology.me each have a different IP.
I'm using OpenWRT with the setup below.
2 WANs and 2 LANs; packets coming in from each one are fwmarked and routed accordingly.
I've tidied up the script I'm using.. it was pieced together, so there may be mistakes in it.
# 2-WAN / 2-LAN policy routing: packets from each LAN are fwmarked and sent
# out through their own WAN via a dedicated routing table. The table names
# (rt_lan_server, rt_lan_user) must be registered in /etc/iproute2/rt_tables,
# otherwise use numeric table ids.
# WAN_SERVER_IF was not defined in the original post; set it to the
# server-side WAN interface before running (the script stops otherwise).
WAN_SERVER_IF=${WAN_SERVER_IF:?set to the server-side WAN interface}
LAN_SERVER_IF=bond0.10
LAN_SERVER_NET=10.0.0.0/8
LAN_SERVER_RTNAME=rt_lan_server
LAN_SERVER_FWMARK=101
WAN_USER_IF=veth0_b
LAN_USER_IF=bond0.30
LAN_USER_NET=192.168.0.0/16
LAN_USER_RTNAME=rt_lan_user
LAN_USER_FWMARK=102
# Address, gateway and on-link network of each WAN, read from the live system.
WAN_SERVER_IP=$(ip addr show dev $WAN_SERVER_IF | grep "inet " | grep brd | awk '{print $2}' | awk -F/ '{print $1}')
WAN_SERVER_GW=$(cat /var/run/net_${WAN_SERVER_IF}_router)
WAN_SERVER_NET=$(/sbin/ip route | grep $WAN_SERVER_IF | grep kernel | awk '{print $1}')
WAN_USER_IP=$(ip addr show dev $WAN_USER_IF | grep "inet " | grep brd | awk '{print $2}' | awk -F/ '{print $1}')
WAN_USER_GW=$(cat /var/run/net_${WAN_USER_IF}_router)
# The original assigned this to WAN_SERVER_NET by copy-paste error.
WAN_USER_NET=$(/sbin/ip route | grep $WAN_USER_IF | grep kernel | awk '{print $1}')
# Mark packets entering from the server LAN, except LAN-to-LAN traffic,
# and save the mark on the connection so replies can be matched later.
iptables -t mangle -N mangle_prerouting_lan_server
iptables -t mangle -A mangle_prerouting_lan_server -d $LAN_USER_NET -j RETURN
iptables -t mangle -A mangle_prerouting_lan_server -d $LAN_SERVER_NET -j RETURN
iptables -t mangle -A mangle_prerouting_lan_server -j MARK --set-mark $LAN_SERVER_FWMARK
iptables -t mangle -A mangle_prerouting_lan_server -j CONNMARK --save-mark   # added: nothing saved the mark in the original
iptables -t mangle -A PREROUTING -i $LAN_SERVER_IF -j mangle_prerouting_lan_server
# Same for the user LAN.
iptables -t mangle -N mangle_prerouting_lan_user
iptables -t mangle -A mangle_prerouting_lan_user -d $LAN_USER_NET -j RETURN
iptables -t mangle -A mangle_prerouting_lan_user -d $LAN_SERVER_NET -j RETURN
iptables -t mangle -A mangle_prerouting_lan_user -j MARK --set-mark $LAN_USER_FWMARK
iptables -t mangle -A mangle_prerouting_lan_user -j CONNMARK --save-mark   # added: nothing saved the mark in the original
iptables -t mangle -A PREROUTING -i $LAN_USER_IF -j mangle_prerouting_lan_user
# Restore the saved mark on locally generated and reply packets.
iptables -t mangle -I OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
iptables -t nat -A postrouting_rule -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
# Source NAT each WAN's outbound traffic to that WAN's own address.
iptables -t nat -A postrouting_rule ! -s $WAN_SERVER_IP -o $WAN_SERVER_IF -j SNAT --to-source $WAN_SERVER_IP
iptables -t nat -A postrouting_rule ! -s $WAN_USER_IP -o $WAN_USER_IF -j SNAT --to-source $WAN_USER_IP
# Clear old tables and rules so the script can be re-run.
/sbin/ip route flush table $LAN_SERVER_RTNAME
/sbin/ip rule del from $LAN_SERVER_NET lookup $LAN_SERVER_RTNAME 2>/dev/null
/sbin/ip rule del fwmark $LAN_SERVER_FWMARK lookup $LAN_SERVER_RTNAME 2>/dev/null   # original had the typo LAN_SEVER_FWMARK
/sbin/ip route flush table $LAN_USER_RTNAME
/sbin/ip rule del from $LAN_USER_NET lookup $LAN_USER_RTNAME 2>/dev/null
/sbin/ip rule del fwmark $LAN_USER_FWMARK lookup $LAN_USER_RTNAME 2>/dev/null
# Per-WAN table: host route to the gateway, the on-link network, and a
# default route; selected by fwmark or by the WAN's own source address.
/sbin/ip route add $WAN_SERVER_GW dev $WAN_SERVER_IF src $WAN_SERVER_IP table $LAN_SERVER_RTNAME
/sbin/ip route add $WAN_SERVER_NET dev $WAN_SERVER_IF src $WAN_SERVER_IP table $LAN_SERVER_RTNAME
/sbin/ip route add default via $WAN_SERVER_GW dev $WAN_SERVER_IF src $WAN_SERVER_IP table $LAN_SERVER_RTNAME
/sbin/ip rule add fwmark $LAN_SERVER_FWMARK lookup $LAN_SERVER_RTNAME
/sbin/ip rule add from $WAN_SERVER_IP lookup $LAN_SERVER_RTNAME
/sbin/ip route add $WAN_USER_GW dev $WAN_USER_IF src $WAN_USER_IP table $LAN_USER_RTNAME
/sbin/ip route add $WAN_USER_NET dev $WAN_USER_IF src $WAN_USER_IP table $LAN_USER_RTNAME
/sbin/ip route add default via $WAN_USER_GW dev $WAN_USER_IF src $WAN_USER_IP table $LAN_USER_RTNAME
/sbin/ip rule add fwmark $LAN_USER_FWMARK lookup $LAN_USER_RTNAME
/sbin/ip rule add from $WAN_USER_IP lookup $LAN_USER_RTNAME
This is the old routing problem you get on Linux with multi-GW setups...;
Anyway, it's strange that Synology, who turned this into a product, still hasn't sorted it out in their settings.
On the firewall side, session-based handling through Stateful inspection became standard once second-generation appliances came in,
but on Linux it's still the same as it ever was;;;
Just for reference on the underlying principle..
Shouldn't all the connections normally be behind the router?
The FW is a pfsense firewall.