
LVS working great.. but...

To: "Lvs-Users" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: LVS working great.. but...
From: "Clint Byrum" <cbyrum@xxxxxxx>
Date: Wed, 14 Jun 2000 13:49:41 -0700
Ok, I'm using IPVS 0.9.12 w/ kernel 2.2.15 in my firewall to load balance a
couple of web servers. This works great, from the outside, but when clients
on the "internal" segment try to access the loadbalanced web servers using
their VIPs, things break down. Let me explain a little further.




                             _____DMZ(192.168.10.0/24)
                             |
Internet-----Firewall/Loadbalancer----Internal Clients(192.168.1.0/24)

The firewall has all of the real IP addresses as loopbacks with netmasks of
255.255.255.255. Masquerading is used for the Internal Clients to get out.
For non load balanced servers, 'ipmasqadm portfw' is used to forward traffic
through. For the load balanced machines, LVS/NAT is used.

If 192.168.1.100 tries to access 192.168.10.100 (load balanced) directly,
things work great, as the firewall just filters and routes this traffic. If
192.168.1.100 tries to access the VIP that 192.168.10.100 services, the
reply packets don't seem to get rewritten to seem to come from the VIP. When
using ipmasqadm portfw, the replies do get rewritten, and things work. Here
is the only difference I noticed:

The output of netstat -Mn gives these selected entries:

tcp  44:56.77 192.168.10.4         192.168.1.225        80 -> 1645 (80)
tcp   5:40.65 192.168.10.2         192.168.1.225        80 -> * (80)
tcp   0:49.65 192.168.10.2         192.168.1.225        80 -> 1643 (80)

The first entry is for one serviced by portfw, the other two are for an LVS
serviced machine.

Is this a problem with LVS, or a problem with masq in general? Or have I
mucked things up? Here's the script that brings up the particular virtual
server:
       ipvsadm -A -t $EXTIP:80  -s wlc -p
       ipvsadm -a -t $EXTIP:80  -r 192.168.10.2:80 -m
       ipvsadm -a -t $EXTIP:80  -r 192.168.10.3:80 -m

Thanks a million for the load balancing though. :)


