Re: [lvs-users] internal network behind direct routing instead of nat.

To: Horms <horms@xxxxxxxxxxxx>
Subject: Re: [lvs-users] internal network behind direct routing instead of nat.
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: tc lewis <tim@xxxxxxxxxx>
Date: Thu, 20 Jan 2000 12:46:59 -0500 (EST)

On Thu, 20 Jan 2000, Horms wrote:

> On Thu, Jan 20, 2000 at 10:51:42AM -0500, tc lewis wrote:
> > director:      199.199.199.2 (eth0?) and 199.168.199.4 (eth1?) (shrug)
> > vip:           199.199.199.3
> > real server 1: 199.168.199.2 (whatever)
> > real server 2: 199.168.199.3 (whatever)
> > subnetting:    normal class C, /24 block, netmask 255.255.255.0 (for both 
> > networks)
> > router:        199.199.199.1, no special firewall action going on, etc.
> > internal network's gateway: 199.168.199.1 (ethX?) and 199.199.199.4 (ethY?) 
> > (shrug)
> > 
> > the director would be setup with ipvsadm -g commands for direct routing,
> > and the gateway on the real servers would be configured as that "internal
> > network's gateway", 199.168.199.1, which would presumably be setup as a
> > [linux] machine to forward packets from 199.168.199/24 back out to the
> > real world (via masquerading?).
> > 
> > would this work?  what kind of problems would be involved?  any thoughts
> > on the matter or suggestions would be greatly appreciated, as always.
> 
> The problem is that with Direct routing the reply from the real
> server has the vip as the source address. As this is an address
> of one of the interfaces on the director it will drop it if you
> try and forward it through the director. It appears from
> experimentation week with /proc/sys/net/ipv4/conf/*/rp_filter
> that at least on 2.2.14, there is no way to turn this behaviour
> off.


ok, that makes sense, but what if i'm not forwarding through the
director--i'd be forwarding through a separate machine altogether, without
interfaces that match the ip of the vip.  perhaps ipchains masquerading
rules would need to be made to accept/allow masquerading (would one even
need masquerading, or just forwarding?) from the vip as well as/instead of
the ips of the real servers?

-tcl.
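Horms's point above, that a direct-routing reply leaves the real server with the VIP as its source address and that reverse-path filtering on whatever box forwards it compares that source against the box's own route table, can be checked with a small model. This is an added example, not code from the thread; the interface names, the route tables, and the host-route variant are assumptions built from the addresses quoted above.

```python
import ipaddress

# Constructed model of Linux strict reverse-path filtering (rp_filter=1):
# a packet passes only if the best route to its SOURCE address would leave
# through the interface the packet ARRIVED on.

def best_route(routes, addr):
    """Longest-prefix match over (prefix, interface) pairs; returns interface or None."""
    addr = ipaddress.ip_address(addr)
    match = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, iface)
    return match[1] if match else None

def rp_filter_accepts(routes, arrival_iface, src, rp_filter=1):
    """Strict RPF: accept when rp_filter is off or the reverse route matches."""
    if rp_filter == 0:
        return True
    return best_route(routes, src) == arrival_iface

VIP = "199.199.199.3"   # source address of the DR reply, taken from the thread

# Director: the VIP is a local address (kernel local table, modelled as "lo");
# the internal network is reached via eth1. Interface names are assumptions.
DIRECTOR_ROUTES = [
    ("199.199.199.3/32", "lo"),
    ("199.199.199.0/24", "eth0"),
    ("199.168.199.0/24", "eth1"),
]

# Separate gateway (199.168.199.1 / 199.199.199.4) with no VIP on any interface.
GATEWAY_ROUTES = [
    ("199.199.199.0/24", "eth0"),
    ("199.168.199.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),
]

# Same gateway plus an assumed host route saying the VIP is reached via eth1,
# which is one way to make the reverse-path check agree with the arrival interface.
GATEWAY_ROUTES_WITH_HOST_ROUTE = GATEWAY_ROUTES + [("199.199.199.3/32", "eth1")]

def dr_reply_forwarded(routes, rp_filter=1):
    """Does a real-server reply (src=VIP) arriving on eth1 survive the RPF check?"""
    return rp_filter_accepts(routes, "eth1", VIP, rp_filter)

if __name__ == "__main__":
    for name, routes in [("director", DIRECTOR_ROUTES), ("gateway", GATEWAY_ROUTES),
                         ("gateway+host route", GATEWAY_ROUTES_WITH_HOST_ROUTE)]:
        print(f"{name:20s} rp_filter=1 -> {dr_reply_forwarded(routes)}")
```

Under strict rp_filter the separate gateway drops the VIP-sourced reply for the same reason the director does: its route to 199.199.199.0/24 points out eth0, not at the internal interface the reply arrives on.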


----------------------------------------------------------------------
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx