提问人:Anon Ymous 提问时间:4/1/2023 更新时间:4/1/2023 访问量:161
如果UDP/TCP数据包位于同一交换机的同一网段上,是否会将其发送到路由器/防火墙?[关闭]
Do UDP/TCP packets get sent to router/firewall if its on same network segment of same switch? [closed]
问:
一个假设的网络...
- ISP 的 Internet 路由器/调制解调器连接到运行 Pfsense 的防火墙设备的 1Gb/s 入站端口。
- 防火墙设备具有额外的两个 1Gb/s 以太网端口,每个端口都分配单独的 IP 范围。(例如 192.168.100.x、192.168.101.x)
- 防火墙的每个出站端口都以物理方式连接到同一个 24 端口 10Gb/s 交换机。
- 交换机已分段为 2 个不同的 LAN(即每个 12 个端口,LAN1 和 LAN2)
- 计算机 A 和 B 位于 LAN1 上(在交换机 IP 范围 192.168.100.x 上)
- 计算机 X 位于 LAN2 上(位于同一物理交换机上,但 IP 范围不同,即 192.168.101.x)
- 所有计算机都运行 Web 服务器
- 所有计算机都使用相同的交换机,但 IP 范围不同。
我密切相关的问题。
如果将文件从计算机 A 复制到计算机 B(同一 LAN 网段),是否所有数据包都需要先通过防火墙才能到达?换句话说,尽管位于同一台 10Gb/s 交换机上,但流量是否以较慢的 1 Gb/s 防火墙端口速度传输?
如果我从计算机 A 复制到 X(即不同的网段和不同的 IP 范围),是否所有数据包都需要先通过防火墙才能到达?换句话说,尽管位于同一台 10Gb/s 交换机上,但流量是否以较慢的 1 Gb/s 防火墙端口速度传输?
答:
2赞
Iłya Bursov
4/1/2023
#1
顶级域名:
- 否,数据包将以 10Gbs 的线速直接在主机之间运行
- 是的,数据包将通过防火墙,因此限制为 1Gbs
加长版:
一些假设:
- WAN - 连接ISP调制解调器的物理端口
- LAN1 - 连接 192.168.100.x 子网的物理端口
- LAN2 - 连接 192.168.101.x 子网的物理端口
通常交换机在 L2 级别工作(让我们省略 L3 级别的“智能”交换机,它们实际上是常用术语中的路由器)。
当交换机获取数据包时,它会检查数据包并将此信息保留在内部表中,因此它与物理端口<=>关联。source MAC address
下一步是将收到的包裹转发到目的地,交换机使用该地址,如果该地址已经在内部表中 - 数据包仅转发到已知的物理端口,如果不是 - 转发到所有物理端口(注意:数据包通过专用硬件芯片按原样转发,无需修改,因此非常快)。destination MAC
如您所见 - 此过程中不涉及任何类型的 IP 地址,因此,要使事情真正起作用,首先发件人的主机,然后通过电线将包裹发送到交换机。converts destination IP address into MAC
要执行此转换,发送方会检查目标 IP 是否与其自己的地址位于同一子网中,这就是网络掩码发挥作用的地方。如果网络掩码是 255.255.255.0(从您的示例中可以看出),那么对于同一子网中的地址(即地址中的前 3 个数字相同),发送方将获得目的地的真实 MAC 地址(通过 ARP),并将数据包直接发送到该 MAC 地址。
因此,回答第一个问题 - 源 (A) 和目标 (B) IP 位于同一子网 (192.168.100.0/24) 上,因此数据包将包含实际的发送方/接收方 MAC 地址,因此交换机将以 10Gbs 线速将其直接转发到正确的物理端口(假设所有主机的端口均为 10GB,交换机的端口为 10GB,并且交换机的内部表已填充, 通常是)。
In second case networks are different, sender cannot get real MAC address of destination, the only thing it can use - default gateway, which is your pfsense firewall, so it sends packet to firewall's MAC address (MAC address of LAN1 port), thus switch will forward it only to that physical port (pfsense LAN1) at 1Gbs speed.
Then, pfsense will perform routing (software will read full packet into memory, inspect its IP, apply internal rules, etc), in simple case - as soon as it knows physical port for subnet 192.168.101.0/24, thus it can obtain real destination's MAC address and firewall will send , this new packet will have source MAC set to pfsense LAN2, destination - real MAC address of X. Switch will then happily forward it to real physical port where X is connected.new packet from LAN2 physical port to switch
So, in second case you have much slower communication, not only because router's 1GBs ports, and that packet has to travel twice via them (switch->LAN1->LAN2->switch), but there is also software involved which is much slower in comparison to hardware switching chip.
If pfsense doesn't know to which physical port some network is connected (all other addresses except your local subnets, basically - internet) - then it will use WAN port to route traffic to in similar fashion as A->X, ie it will send packet to ISP's modem (which is default gateway for pfsense) and then modem will perform routing.
评论
0赞
Anon Ymous
4/2/2023
Thanks for the thorough reply which answers my question . Out of curiosity do any of what you call "smart switches" have a feature to cheat by checking the mac/ip mappings of another segment on the same switch? In other words, fake being on same segment temporarily solely to facilitate the file transfer (ergo - not require forwarding to firewall thus speeding up the transfer not to mention reduce the chance of bottleneck on firewall)
0赞
Iłya Bursov
4/2/2023
@AnonYmous I haven't seen such exact feature, but some L3 switches actually able to perform basic routing on hardware level, thus reaching max speed, probably look at cisco 350 series (like CBS350-8XT) or mikrotik routers (like CCR2004-1G-12S+2XS), but they come with price and learning curve, maybe the cheapest option is to insert dual port 10gbs card into X host, so it will be connected to both networks?
评论