LINUX.ORG.RU

Posts by FlyMeToTheMoon


WireGuard PBR with 2 external IPs

Hi! I have an Ubuntu box running WireGuard with the interface wg0. The system has 2 network interfaces, ens160 (IP 10.40.1.16/16) and ens192 (10.41.3.17/16), both facing outside. The task: when a client connects to the 1st IP, WG should go out through the first interface; when it connects to the second, through the second interface. I'm trying to solve this with PBR. In the end WG always goes out through the 1st interface. Could someone point me to what I'm doing wrong…

rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
101     rt_ens160
102     rt_ens192

ip rule show

0:      from all lookup local
32764:  from 10.40.1.16 lookup rt_ens160 proto static
32765:  from 10.41.3.17 lookup rt_ens192 proto static
32766:  from all lookup main
32767:  from all lookup default

wg0.conf

[Interface]
Table = off
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 57751
PrivateKey = yL8IvnIgf3kew1YYYRp5pvuh2gF4NawB8FVaCXg8inU=
PostUp = iptables -I INPUT -p udp --dport 57751 -j ACCEPT
PostUp = iptables -I FORWARD -i ens160 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i ens192 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o ens192 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 57751 -j ACCEPT
PostDown = iptables -D FORWARD -i ens160 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i ens192 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o ens192 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens160 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o ens192 -j MASQUERADE

netplan

network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      addresses: [10.40.1.16/16]
      routes:
        - to: default
          via: 10.40.0.1
          table: 101
      routing-policy:
        - from: 10.40.1.16
          table: 101
    ens192:
      addresses: [10.41.3.17/16]
      routes:
        - to: default
          via: 10.41.0.1
          table: 102
      routing-policy:
        - from: 10.41.3.17
          table: 102
      nameservers:
        addresses:
          - 10.40.0.3
          - 10.40.0.11

netplan status

   Online state: online
    DNS Addresses: 127.0.0.53 (stub)
       DNS Search: corp.levitek.ru

●  1: lo ethernet UNKNOWN/UP (unmanaged)
      MAC Address: 00:00:00:00:00:00
        Addresses: 127.0.0.1/8
                   ::1/128

●  2: ens160 ethernet UP (networkd: ens160)
      MAC Address: 00:0c:29:39:4c:a0 (VMware)
        Addresses: 10.40.1.16/16
                   10.40.1.6/16 (dynamic, dhcp)
                   fe80::20c:29ff:fe39:4ca0/64 (link)
    DNS Addresses: 10.40.0.3
                   10.40.0.11
       DNS Search: corp.levitek.ru
           Routes: default via 10.40.0.1 from 10.40.1.6 metric 100 (dhcp)
                   10.40.0.0/16 from 10.40.1.16 (link)
                   10.40.0.1 from 10.40.1.6 metric 100 (dhcp, link)
                   10.40.0.3 from 10.40.1.6 metric 100 (dhcp, link)
                   10.40.0.11 from 10.40.1.6 metric 100 (dhcp, link)
                   fe80::/64 metric 256

●  3: ens192 ethernet UP (networkd: ens192)
      MAC Address: 00:0c:29:39:4c:aa (VMware)
        Addresses: 10.41.3.17/16 (dynamic, dhcp)
                   fe80::20c:29ff:fe39:4caa/64 (link)
    DNS Addresses: 10.40.0.3
                   10.40.0.11
       DNS Search: corp.levitek.ru
           Routes: default via 10.41.0.1 from 10.41.3.17 metric 100 (dhcp)
                   10.40.0.3 via 10.41.0.1 from 10.41.3.17 metric 100 (dhcp)
                   10.40.0.11 via 10.41.0.1 from 10.41.3.17 metric 100 (dhcp)
                   10.41.0.0/16 from 10.41.3.17 metric 100 (link)
                   10.41.0.1 from 10.41.3.17 metric 100 (dhcp, link)
                   fe80::/64 metric 256


FlyMeToTheMoon
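An added check, not part of the original post: a small POSIX shell script that asks the kernel which egress device it would actually pick for each local source address. ip route get <dst> from <src> walks the same policy rules listed by ip rule show, so its "dev" and "table" fields show whether a given source really lands in rt_ens160/rt_ens192 or falls through to main. The destination 1.1.1.1 is an assumed off-subnet probe address, the source-to-interface mapping is taken from the post's netplan, and the sample output strings used for the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify which egress device the
# kernel's policy routing selects for each local source address.

# Pull the "dev" field out of `ip route get` output (first line only).
# Prints nothing if the output carries no dev field (e.g. an RTNETLINK error).
egress_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Pull the "table" field; `ip route get` omits it for the main table,
# so "main" is reported when the field is absent.
lookup_table() {
    printf '%s\n' "$1" | awk 'BEGIN { t = "main" }
        { for (i = 1; i < NF; i++) if ($i == "table") { t = $(i + 1) }; exit }
        END { print t }'
}

# check_pbr <dst> <src:expected_dev>...
# Returns 0 when every source leaves on the expected device, 1 otherwise.
check_pbr() {
    dst="$1"; shift
    status=0
    for pair in "$@"; do
        src="${pair%%:*}"
        want="${pair#*:}"
        if ! out="$(ip route get "$dst" from "$src" 2>&1)"; then
            echo "FAIL $src: $out"
            status=1
            continue
        fi
        got="$(egress_dev "$out")"
        if [ "$got" = "$want" ]; then
            echo "OK   $src -> $got (table $(lookup_table "$out"))"
        else
            echo "FAIL $src -> ${got:-?}, expected $want (table $(lookup_table "$out"))"
            status=1
        fi
    done
    return "$status"
}

# Mapping from the post's netplan: ens160 owns 10.40.1.16, ens192 owns 10.41.3.17.
# Usage (assumed probe destination 1.1.1.1):
#   sh pbr_check.sh 1.1.1.1 10.40.1.16:ens160 10.41.3.17:ens192
if [ "$#" -gt 0 ]; then
    check_pbr "$@"
fi
```

If a source is reported with "table main" instead of its own table, the matching ip rule did not fire for that address, which is the first thing to confirm before touching the WireGuard side; also note that ip route get only accepts addresses that are local to the host unless an input interface is given.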