Building a DHCP and NAT Router on Ubuntu 16.04

Last updated at Posted at 2020-12-19

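We normally run a wired LAN with static IPs, but decided to introduce wireless LAN in some meeting rooms.
Asking users to change their NIC settings each time seemed impractical, so I built an environment in which addresses are handed out by DHCP only when wireless is used. The notes follow.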

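### Prerequisites

  1. I do not want to change the configuration of the existing router.
  2. Only PCs connected over wireless should be given an IP by DHCP.
  3. Keep costs as low as possible (top priority).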

### Environment

  1. Wireless AP (Cisco WAP150)
  2. Buffalo external LAN adapter
  3. Laptop PC (a PC slated for disposal, reused)
     - Ubuntu 16.04 LTS
     - Memory: 4GB
     - HDD: 320GB
     - CPU: Core i5

### Configuration

  1. The wireless segment (192.168.100.0/24) is 1:1 NATed to the site A segment (192.168.2.0/24).


### Installing the DHCP server

```
$ sudo apt-get install isc-dhcp-server
```

↓ Specify the range of IPs to hand out

```
$ cat /etc/dhcp/dhcpd.conf

ddns-update-style none;

option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

shared-network 224-29 {
  subnet 192.168.100.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.100.10 192.168.100.29;
    option routers 192.168.100.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    option domain-name "test";
    option domain-name-servers 192.168.2.1;
    default-lease-time 6000;
    max-lease-time 72000;
  }
}
```

### NAT and routing
The NAT rules and routes are lost on reboot, so I edited interfaces so that the NAT rules are added when the OUTSIDE interface (192.168.2.250) comes up.

```
$ sudo cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto enx58278cbe7441
iface enx58278cbe7441 inet static
  address 192.168.2.250
  netmask 255.255.255.0
  broadcast 192.168.2.255
  dns-nameservers 192.168.2.1
  pre-up /etc/init.d/isc-dhcp-server stop
  post-up /etc/init.d/isc-dhcp-server start
  post-up route add -net 192.168.0.0/16 gw 192.168.2.1
  post-up route add default gw 192.168.2.1 metric 10000
  post-up route del -net 192.168.2.0/24
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.10 -j DNAT --to-destination 192.168.100.10
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.11 -j DNAT --to-destination 192.168.100.11
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.12 -j DNAT --to-destination 192.168.100.12
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.13 -j DNAT --to-destination 192.168.100.13
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.14 -j DNAT --to-destination 192.168.100.14
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.15 -j DNAT --to-destination 192.168.100.15
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.16 -j DNAT --to-destination 192.168.100.16
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.17 -j DNAT --to-destination 192.168.100.17
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.18 -j DNAT --to-destination 192.168.100.18
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.19 -j DNAT --to-destination 192.168.100.19
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.20 -j DNAT --to-destination 192.168.100.20
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.21 -j DNAT --to-destination 192.168.100.21
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.22 -j DNAT --to-destination 192.168.100.22
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.23 -j DNAT --to-destination 192.168.100.23
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.24 -j DNAT --to-destination 192.168.100.24
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.25 -j DNAT --to-destination 192.168.100.25
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.26 -j DNAT --to-destination 192.168.100.26
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.27 -j DNAT --to-destination 192.168.100.27
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.28 -j DNAT --to-destination 192.168.100.28
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.29 -j DNAT --to-destination 192.168.100.29
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.200 -j DNAT --to-destination 192.168.100.250
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.10 -j SNAT --to-source 192.168.2.10
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.11 -j SNAT --to-source 192.168.2.11
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.12 -j SNAT --to-source 192.168.2.12
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.13 -j SNAT --to-source 192.168.2.13
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.14 -j SNAT --to-source 192.168.2.14
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.15 -j SNAT --to-source 192.168.2.15
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.16 -j SNAT --to-source 192.168.2.16
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-source 192.168.2.17
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.18 -j SNAT --to-source 192.168.2.18
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.19 -j SNAT --to-source 192.168.2.19
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.20 -j SNAT --to-source 192.168.2.20
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.21 -j SNAT --to-source 192.168.2.21
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.22 -j SNAT --to-source 192.168.2.22
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.23 -j SNAT --to-source 192.168.2.23
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.24 -j SNAT --to-source 192.168.2.24
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.25 -j SNAT --to-source 192.168.2.25
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.26 -j SNAT --to-source 192.168.2.26
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.27 -j SNAT --to-source 192.168.2.27
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.28 -j SNAT --to-source 192.168.2.28
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.29 -j SNAT --to-source 192.168.2.29
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.250 -j SNAT --to-source 192.168.2.200

iface enx58278cbe7441 inet static
  address 192.168.2.11
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.12
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.13
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.14
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.15
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.16
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.17
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.18
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.19
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.20
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.21
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.22
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.23
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.24
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.25
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.26
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.27
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.28
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.29
  netmask 255.255.255.0

iface enx58278cbe7441 inet static
  address 192.168.2.200
  netmask 255.255.255.0

auto enp1s0f0
iface enp1s0f0 inet static
  address 192.168.100.1
  netmask 255.255.255.0
  broadcast 192.168.100.255
  dns-nameservers 192.168.2.1
  pre-up /sbin/sysctl net.ipv4.conf.all.forwarding=1
  pre-up /etc/init.d/isc-dhcp-server stop
  post-up /etc/init.d/isc-dhcp-server start
  post-down /sbin/sysctl net.ipv4.conf.all.forwarding=0
```
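
A consistency check for the interfaces file above, as an added example that is not part of the original article: every DNAT rule should have a mirror-image SNAT rule, and the check assumes each outside (192.168.2.x) address is also meant to be configured by an `address` line. The names `audit_nat` and `sample_interfaces` and the shortened sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit the 1:1 NAT rules in an ifupdown
# interfaces file. audit_nat and sample_interfaces are hypothetical names.

# Constructed sample in the article's layout, shortened. The SNAT rule for
# 192.168.100.250 is left out on purpose to trigger the second finding.
sample_interfaces() {
cat <<'EOF'
iface enx58278cbe7441 inet static
  address 192.168.2.250
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.10 -j DNAT --to-destination 192.168.100.10
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.11 -j DNAT --to-destination 192.168.100.11
  post-up /sbin/iptables -t nat -A PREROUTING -d 192.168.2.200 -j DNAT --to-destination 192.168.100.250
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.10 -j SNAT --to-source 192.168.2.10
  post-up /sbin/iptables -t nat -A POSTROUTING -s 192.168.100.11 -j SNAT --to-source 192.168.2.11

iface enx58278cbe7441 inet static
  address 192.168.2.11

iface enx58278cbe7441 inet static
  address 192.168.2.200
EOF
}

# Reads an interfaces file on stdin; prints one finding per line:
#   UNBOUND <outside>            no "address" line configures the DNAT target
#   NO_SNAT <outside> <inside>   DNAT mapping has no mirror-image SNAT rule
audit_nat() {
  awk '
    $1 == "address" { bound[$2] = 1 }
    /iptables/ && /-j (DNAT|SNAT)/ {
      out = ""; ins = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-j") kind = $(i + 1)
        if ($i == "-d" || $i == "--to-source")      out = $(i + 1)
        if ($i == "-s" || $i == "--to-destination") ins = $(i + 1)
      }
      seen[kind, out, ins] = 1
      if (kind == "DNAT") { order[++n] = out; inside[out] = ins }
    }
    END {
      for (k = 1; k <= n; k++) {
        o = order[k]
        if (!(o in bound)) print "UNBOUND " o
        if (!(("SNAT", o, inside[o]) in seen)) print "NO_SNAT " o " " inside[o]
      }
    }'
}

sample_interfaces | audit_nat
```

To audit a real host, run `audit_nat < /etc/network/interfaces`. Against the file listed above, the `UNBOUND` check flags 192.168.2.10, which has DNAT and SNAT rules but no `address` stanza.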

### Verification commands
Checking the NAT table

```
$ iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  0.0.0.0/0            192.168.2.10       to:192.168.100.10
DNAT       all  --  0.0.0.0/0            192.168.2.11       to:192.168.100.11
DNAT       all  --  0.0.0.0/0            192.168.2.12       to:192.168.100.12
DNAT       all  --  0.0.0.0/0            192.168.2.13       to:192.168.100.13
DNAT       all  --  0.0.0.0/0            192.168.2.14       to:192.168.100.14
DNAT       all  --  0.0.0.0/0            192.168.2.15       to:192.168.100.15
DNAT       all  --  0.0.0.0/0            192.168.2.16       to:192.168.100.16
DNAT       all  --  0.0.0.0/0            192.168.2.17       to:192.168.100.17
DNAT       all  --  0.0.0.0/0            192.168.2.18       to:192.168.100.18
DNAT       all  --  0.0.0.0/0            192.168.2.19       to:192.168.100.19
DNAT       all  --  0.0.0.0/0            192.168.2.20       to:192.168.100.20
DNAT       all  --  0.0.0.0/0            192.168.2.21       to:192.168.100.21
DNAT       all  --  0.0.0.0/0            192.168.2.22       to:192.168.100.22
DNAT       all  --  0.0.0.0/0            192.168.2.23       to:192.168.100.23
DNAT       all  --  0.0.0.0/0            192.168.2.24       to:192.168.100.24
DNAT       all  --  0.0.0.0/0            192.168.2.25       to:192.168.100.25
DNAT       all  --  0.0.0.0/0            192.168.2.26       to:192.168.100.26
DNAT       all  --  0.0.0.0/0            192.168.2.27       to:192.168.100.27
DNAT       all  --  0.0.0.0/0            192.168.2.28       to:192.168.100.28
DNAT       all  --  0.0.0.0/0            192.168.2.29       to:192.168.100.29
DNAT       all  --  0.0.0.0/0            192.168.2.200       to:192.168.100.250

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.100.10         0.0.0.0/0            to:192.168.2.10
SNAT       all  --  192.168.100.11         0.0.0.0/0            to:192.168.2.11
SNAT       all  --  192.168.100.12         0.0.0.0/0            to:192.168.2.12
SNAT       all  --  192.168.100.13         0.0.0.0/0            to:192.168.2.13
SNAT       all  --  192.168.100.14         0.0.0.0/0            to:192.168.2.14
SNAT       all  --  192.168.100.15         0.0.0.0/0            to:192.168.2.15
SNAT       all  --  192.168.100.16         0.0.0.0/0            to:192.168.2.16
SNAT       all  --  192.168.100.17         0.0.0.0/0            to:192.168.2.17
SNAT       all  --  192.168.100.18         0.0.0.0/0            to:192.168.2.18
SNAT       all  --  192.168.100.19         0.0.0.0/0            to:192.168.2.19
SNAT       all  --  192.168.100.20         0.0.0.0/0            to:192.168.2.20
SNAT       all  --  192.168.100.21         0.0.0.0/0            to:192.168.2.21
SNAT       all  --  192.168.100.22         0.0.0.0/0            to:192.168.2.22
SNAT       all  --  192.168.100.23         0.0.0.0/0            to:192.168.2.23
SNAT       all  --  192.168.100.24         0.0.0.0/0            to:192.168.2.24
SNAT       all  --  192.168.100.25         0.0.0.0/0            to:192.168.2.25
SNAT       all  --  192.168.100.26         0.0.0.0/0            to:192.168.2.26
SNAT       all  --  192.168.100.27         0.0.0.0/0            to:192.168.2.27
SNAT       all  --  192.168.100.28         0.0.0.0/0            to:192.168.2.28
SNAT       all  --  192.168.100.29         0.0.0.0/0            to:192.168.2.29
SNAT       all  --  192.168.100.250        0.0.0.0/0            to:192.168.2.200
```

There are probably better ways to do this, but I am posting it partly as a memo for myself.
Thank you for reading to the end.
