負載平衡 PPTP 連接

November 18, 2016

我正在嘗試對連接到同一台伺服器的兩個 PPTP 連接進行負載平衡。我使用以下腳本，但沒有通過 PPTP 連接發送和接收。我做錯了什麼？有沒有更好的方法來實現這一點？我也nexthop使用了命令模式，ip route但問題是到同一個 IP 的多個連接是通過同一個介面路由的。

#!/bin/bash

VPNSERVER=x.x.x.x

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo 0 &gt; /proc/sys/net/ipv4/conf/all/rp_filter

# Create a new table for physical interface
physip=$(ip addr show eth0 | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)
echo "Physical interface's IP: $physip"
ip route flush table 10
ip route add default via $physip dev eth0 table 10
ip rule add from $physip table 10
ip rule add fwmark 10 table 10

# Replace default gateway
ip route replace default via 127.0.0.1

# Do not mark packets going to pptp server
iptables -A OUTPUT -d $VPNSERVER -p gre -j ACCEPT
iptables -A OUTPUT -d $VPNSERVER -p tcp --dport 1723 -j ACCEPT

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT

pppd unit 101 noauth refuse-eap refuse-pap refuse-chap \
   refuse-mschap require-mschap-v2 name "user01" remotename \
   vpnserver file /etc/ppp/options.pptp maxfail 1 updetach \
   pty "pptp $VPNSERVER --localbind $physip --nolaunchpppd" &&gt; /dev/null

pppd unit 102 noauth refuse-eap refuse-pap refuse-chap \
   refuse-mschap require-mschap-v2 name "user01" remotename \
   vpnserver file /etc/ppp/options.pptp maxfail 1 updetach \
   pty "pptp $VPNSERVER --localbind $physip --nolaunchpppd" &&gt; /dev/null

# Get interface IP addresses
ifip1=$(ip addr show ppp101 | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)
ifip2=$(ip addr show ppp102 | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)

# Create a unique routing table for each connection
ip route flush table 101
ip route add default dev ppp101 table 101
ip rule add from $ifip1 table 101
ip rule add fwmark 101 table 101

# Create a unique routing table for each connection
ip route flush table 102
ip route add default dev ppp102 table 102
ip rule add from $ifip2 table 102
ip rule add fwmark 102 table 102

# Load balance connections
iptables -t mangle -A OUTPUT -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 101
iptables -t mangle -A OUTPUT -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 102

iptables -t nat -A POSTROUTING -m mark --mark 101 -j SNAT --to-source $ifip1
iptables -t nat -A POSTROUTING -m mark --mark 102 -j SNAT --to-source $ifip2

iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

這是我使用的最終解決方案：

server=x.x.x.x
physip=$(ip addr show $dev | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)

pppd unit 101 noauth refuse-eap refuse-pap refuse-chap \
       refuse-mschap require-mschap-v2 name user01 remotename \
       vpnserver file /etc/ppp/options.pptp persist maxfail 1 updetach \
       pty "pptp $server --localbind $physip --nolaunchpppd" &&gt; /dev/null

pppd unit 102 noauth refuse-eap refuse-pap refuse-chap \
       refuse-mschap require-mschap-v2 name user01 remotename \
       vpnserver file /etc/ppp/options.pptp persist maxfail 1 updetach \
       pty "pptp $server --localbind $physip --nolaunchpppd" &&gt; /dev/null

ifip1=$(ip addr show ppp101 | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)
ifip2=$(ip addr show ppp102 | grep inet | grep -v inet6 | cut -d' ' -f6 | cut -d'/' -f1)

iptables -t nat -A POSTROUTING -o ppp101 -j SNAT --to-source $ifip1
iptables -t nat -A POSTROUTING -o ppp102 -j SNAT --to-source $ifip2

ip route flush cache
ip route replace default scope global nexthop dev ppp101 weight 1 nexthop dev ppp102 weight 1

引用自：https://serverfault.com/questions/571367

負載平衡 PPTP 連接

相關問答

兩個路由器的埠轉發

如何使用 NAT 將 Linux 伺服器設置為路由器

iptables PREROUTING 無效

將 ipv4 路由到 ipv6 作為機制來克服在前提 k8s 上不擁有 ipv4 塊以實現負載平衡（無 aws/gcp）

VPN路由流量，響應超出VPN？

在不影響主機的情況下使用 iptables + OpenVPN 進行 NAT