Sharing my problem: Synology DSM running in a virtual machine cannot be accessed from outside

The external network already has a public IP, DDNS is set up, and the port mappings are configured.

The LAN is as shown in the diagram; other unrelated network ports and virtual switches are not drawn. It mainly contains two subnets:
- 192.168.31.0/24 on the WIFI router
- 192.168.100.0/24 on Openwrt

The current problem is that the port mapping marked in red cannot be reached from the external network.

Below is some information from my tests and attempts that is worth sharing:

1. All port mappings are reachable from inside the LAN. For example, my phone (192.168.31.x) can reach every mapped service configured on the LAN through the DDNS domain name + port. But when the phone switches to mobile data (simulating an external network), the other services still work and only the mapped service marked in red cannot be reached. A Wireshark analysis from the LAN is attached further down.

2. The ':20001->153:5001' mapping used to behave the same way: it could not be reached from the external network. So originally all external access to my DSM had to go through a second mapping on Openwrt, that is, mapped into the 192.168.100.0/24 segment. Later I found that configuration too complicated and refused to give up, so I deleted all the network ports of the DS918 one by one and configured them again, added an extra network port, reconfigured the DS918 service port mappings as direct mappings, and rechecked the DS918's own network configuration, firewall configuration and everything related to external access, setting it all to the most open state. When I tested again it actually worked, but I still do not know the root cause.

3. I went through the same procedure with the DS3617 and even turned off the Windows firewall, but the DS3617 still does not work. Neither of the two address mappings for the DS3617 in the 192.168.31.0/24 segment can be reached from outside.

4. Both of my systems are "half-whitewashed". Could it be that the vendor detected this and blocked my external access at the DSM system level?

5. One more thing: on both the DS918 and the DS3617 there are, from time to time, records of an external IP being blocked after consecutive failed logins (it really was me accessing at those times, so it should not be someone hacking me), but I never actually entered a wrong password. I do not know whether this is related.

Wireshark LAN analysis (these results come from testing the service and port from the external network with netcat, for example nc -zv my.ddns.domain.name 20001, and then capturing the packets on the LAN with Wireshark), but I do not know how to read what is going on.

- 20001 is the port mapping that works, 20011 is the one that does not

Code:
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","61.140.185.98","192.168.31.153","TCP","74","21485 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935662672 TSecr=0 WS=128"
"2","0.000612","192.168.31.153","61.140.185.98","TCP","74","5001 > 21485 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=34648180 TSecr=935662672 WS=128"
"3","0.000622","192.168.31.153","61.140.185.98","TCP","74","[TCP Out-Of-Order] 5001 > 21485 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=34648180 TSecr=935662672 WS=128"
"4","0.013599","61.140.185.98","192.168.31.153","TCP","66","21485 > 5001 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=935662695 TSecr=34648180"
"5","0.013599","61.140.185.98","192.168.31.153","TCP","66","21485 > 5001 [FIN, ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=935662696 TSecr=34648180"
"6","0.014605","192.168.31.153","61.140.185.98","TCP","66","5001 > 21485 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=34648194 TSecr=935662696"
"7","0.014615","192.168.31.153","61.140.185.98","TCP","66","[TCP Out-Of-Order] 5001 > 21485 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=34648194 TSecr=935662696"
"8","0.027268","61.140.185.98","192.168.31.153","TCP","66","21485 > 5001 [ACK] Seq=2 Ack=2 Win=64256 Len=0 TSval=935662709 TSecr=34648194"
"9","6.144685","61.140.185.98","192.168.31.152","TCP","74","21490 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935668738 TSecr=0 WS=128"
"10","7.168159","61.140.185.98","192.168.31.152","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 21490 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935669787 TSecr=0 WS=128"
"11","9.216389","61.140.185.98","192.168.31.152","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 21490 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935671867 TSecr=0 WS=128"
"12","13.313116","61.140.185.98","192.168.31.152","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 21490 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935675947 TSecr=0 WS=128"
"13","21.752172","61.140.185.98","192.168.31.152","TCP","74","21501 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935684426 TSecr=0 WS=128"

- 15000 and 15011 are similar: these are the results of accessing the mappings made for the newly added virtual network port

Code:
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","61.140.185.98","192.168.31.148","TCP","74","17519 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935847124 TSecr=0 WS=128"
"2","0.000687","192.168.31.148","61.140.185.98","TCP","74","5001 > 17519 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=34832708 TSecr=935847124 WS=128"
"3","0.000697","192.168.31.148","61.140.185.98","TCP","74","[TCP Out-Of-Order] 5001 > 17519 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=34832708 TSecr=935847124 WS=128"
"4","0.014774","61.140.185.98","192.168.31.148","TCP","66","17519 > 5001 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=935847230 TSecr=34832708"
"5","0.014774","61.140.185.98","192.168.31.148","TCP","66","17519 > 5001 [FIN, ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=935847231 TSecr=34832708"
"6","0.016322","192.168.31.148","61.140.185.98","TCP","66","5001 > 17519 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=34832723 TSecr=935847231"
"7","0.016334","192.168.31.148","61.140.185.98","TCP","66","[TCP Out-Of-Order] 5001 > 17519 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=34832723 TSecr=935847231"
"8","0.028284","61.140.185.98","192.168.31.148","TCP","66","17519 > 5001 [ACK] Seq=2 Ack=2 Win=64256 Len=0 TSval=935847245 TSecr=34832723"
"9","6.450973","61.140.185.98","192.168.31.133","TCP","74","17522 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935853657 TSecr=0 WS=128"
"10","7.474921","61.140.185.98","192.168.31.133","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 17522 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935854667 TSecr=0 WS=128"
"11","9.530464","61.140.185.98","192.168.31.133","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 17522 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935856746 TSecr=0 WS=128"
"12","13.611045","61.140.185.98","192.168.31.133","TCP","74","[TCP Retransmission] [TCP Port numbers reused] 17522 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935860827 TSecr=0 WS=128"
"13","22.222826","61.140.185.98","192.168.31.133","TCP","74","17575 > 5001 [SYN] Seq=0 Win=64240 Len=0 MSS=1440 SACK_PERM=1 TSval=935869387 TSecr=0 WS=128"

I hope some expert can help take a look at what is really going on. My guess is that it is either a firewall problem on the AX3600 or a firewall problem on the DS3617.

Finally, I do not know whether anything above leaks sensitive information. If it does, I ask the experts to let me off and not hack my LAN. I am just a poor little programmer; please spare me and do not knock down a decent young person who studies hard to serve the country.
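One way to read a Wireshark CSV export like the ones in the post above (an added example, not part of the original post): count, per destination, the client SYNs and the SYN-ACK replies seen at the capture point. The rows are a constructed sample modelled on that capture, with 203.0.113.10 standing in for the external client, and the function name classify_handshakes is hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Wireshark's CSV export layout (Info fields shortened);
# 203.0.113.10 is a documentation address standing in for the external client.
SAMPLE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","203.0.113.10","192.168.31.153","TCP","74","21485 > 5001 [SYN] Seq=0 Win=64240 Len=0"
"2","0.000612","192.168.31.153","203.0.113.10","TCP","74","5001 > 21485 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0"
"3","0.013599","203.0.113.10","192.168.31.153","TCP","66","21485 > 5001 [ACK] Seq=1 Ack=1 Win=64256 Len=0"
"4","6.144685","203.0.113.10","192.168.31.152","TCP","74","21490 > 5001 [SYN] Seq=0 Win=64240 Len=0"
"5","7.168159","203.0.113.10","192.168.31.152","TCP","74","[TCP Retransmission] 21490 > 5001 [SYN] Seq=0 Win=64240 Len=0"
"6","9.216389","203.0.113.10","192.168.31.152","TCP","74","[TCP Retransmission] 21490 > 5001 [SYN] Seq=0 Win=64240 Len=0"
'''

# Matches "sport > dport [FLAGS]", skipping any bracketed Wireshark annotations before it.
INFO_RE = re.compile(r"(\d+)\s*>\s*(\d+)\s*\[([A-Z, ]+)\]")

def classify_handshakes(csv_text):
    """Return {(server_ip, server_port): {"syn": n, "syn_ack": n, "verdict": str}}."""
    stats = defaultdict(lambda: {"syn": 0, "syn_ack": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = INFO_RE.search(row["Info"])
        if row["Protocol"] != "TCP" or not m:
            continue
        sport, dport = int(m.group(1)), int(m.group(2))
        flags = {f.strip() for f in m.group(3).split(",")}
        if flags == {"SYN"}:            # client -> server connection attempt
            stats[(row["Destination"], dport)]["syn"] += 1
        elif flags == {"SYN", "ACK"}:   # server -> client reply
            stats[(row["Source"], sport)]["syn_ack"] += 1
    for s in stats.values():
        if s["syn"] == 0:
            s["verdict"] = "SYN-ACK captured without a SYN"
        elif s["syn_ack"] == 0:
            s["verdict"] = "SYN captured, no SYN-ACK captured"
        else:
            s["verdict"] = "handshake answered"
    return dict(stats)

if __name__ == "__main__":
    for (ip, port), s in classify_handshakes(SAMPLE).items():
        print(f"{ip}:{port} syn={s['syn']} syn_ack={s['syn_ack']} -> {s['verdict']}")
```

A destination that shows repeated SYNs and no SYN-ACK means the translated packets were seen at the capture point but no reply from that address was captured, so the next place to look is the target host, its firewall, or its return path.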
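External access to the DS918 had only been working for two or three days, and after I posted this article it suddenly stopped working. I did not change anything. External access to my Openwrt has never had a problem.

The failed packets captured by Wireshark are the same as for the DS3617:

This makes me believe even more that DSM is actively blocking external access...

Does any expert know what is going on, or how I should investigate?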
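Latest update 2022-05-01

Good news: I swapped ethernet0 and ethernet1 on both Synology VMs. The MAC of ethernet0 is the one paired with the Synology serial number. After that, external access works on both Synology VMs. Let's see whether the problem comes back later.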
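Check whether the client address that reaches your Synology is an internal address after translation, or is still the external address. If it is the external address, it is possible that Synology really does have a restriction whereby only the (half-)whitewashed network port can be accessed from the external network. I suggest trying the whitewashed network port as the target of the port mapping.

I wonder whether any expert can explain this.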