
RE: LVS working great.. but...

To: "Joseph Mack" <mack@xxxxxxxxxxx>
Subject: RE: LVS working great.. but...
Cc: "Lvs-Users" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "Clint Byrum" <cbyrum@xxxxxxx>
Date: Thu, 15 Jun 2000 09:32:57 -0700
The director is the default route for all of the mentioned machines. It, of
course, has a route to each of the internal subnets, so things get routed as
they should. It just seems like there's a tiny piece missing that doesn't
demasquerade the replies from the load-balanced server, but instead, just
routes it. So, to answer succinctly,

1. no

2. yes

-----Original Message-----
From: Joseph Mack [mailto:mack@xxxxxxxxxxx]
Sent: Wednesday, June 14, 2000 4:51 PM
To: Clint Byrum
Cc: Lvs-Users
Subject: Re: LVS working great.. but...


On Wed, 14 Jun 2000, Clint Byrum wrote:

> Ok, I'm using IPVS 0.9.12 w/ kernel 2.2.15 in my firewall to load balance a
> couple of web servers. This works great, from the outside, but when clients
> on the "internal" segment try to access the loadbalanced web servers using
> their VIP's, things break down. Let me explain a little further.

The simple questions first...
With the internal clients (I assume you're using VS-NAT)

1. Are there any routes from the realservers to your internal clients
that don't go through the director (ie when you're on the realserver,
and you traceroute to the internal client, is the director in the path)?
You want this.

2. Is the director the default route for the realservers? You want this
too. Having a route to the director is not enough.

Joe

>
>
>
>                              _____DMZ(192.168.10.0/24)
>                              |
> Internet-----Firewall/Loadbalancer----Internal Clients(192.168.1.0/24)
>
> The firewall has all of the real IP addresses as loopback's with netmasks of
> 255.255.255.255. Masquerading is used for the Internal Clients to get out.
> For non load balanced servers, 'ipmasqadm portfw' is used to forward traffic
> through. For the load balanced machines, LVS/NAT is used.
>
> If 192.168.1.100 tries to access 192.168.10.100(load balanced) directly,
> things work great, as the firewall just filters and routes this traffic. If
> 192.168.1.100 tries to access the VIP that 192.168.10.100 services, the
> reply packets don't seem to get rewritten to seem to come from the VIP. When
> using ipmasqadm portfw, the replies do get rewritten, and things work. Here
> is the only difference I noticed:
>
> the output of netstat -Mn gives these selected entries:
>
> tcp  44:56.77 192.168.10.4         192.168.1.225        80 -> 1645 (80)
> tcp   5:40.65 192.168.10.2         192.168.1.225        80 -> * (80)
> tcp   0:49.65 192.168.10.2         192.168.1.225        80 -> 1643 (80)
>
> the first entry is for one serviced by portfw, the other two are for an LVS
> serviced machine.
>
> Is this a problem with lvs, or a problem with masq in general? Or have a I
> mucked things up? here's the script that brings up the particular virtual
> server:
>        ipvsadm -A -t $EXTIP:80  -s wlc -p
>        ipvsadm -a -t $EXTIP:80  -r 192.168.10.2:80 -m
>        ipvsadm -a -t $EXTIP:80  -r 192.168.10.3:80 -m
>
> Thanks a million for the load balancing though. :)
>
>
>
>

--
Joseph Mack mack@xxxxxxxxxxx
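The two checks Joe asks for (no realserver route to the internal clients that bypasses the director, and the director as the realservers' default route) can be scripted against `route -n` and `traceroute -n` output on a realserver. This is an added helper, not code from the thread; the director address 192.168.10.1, the extra gateway 192.168.10.254 and the sample outputs below are constructed to show what a failing check looks like.

```shell
# Constructed sample of `route -n` on a realserver. The 192.168.1.0 route via
# 192.168.10.254 is the kind of entry Joe's question 1 warns about: replies to
# internal clients would skip the director and never be de-masqueraded.
REALSERVER_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.10.254  255.255.255.0   UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0'

# Constructed sample of `traceroute -n` from the realserver to an internal client.
REALSERVER_TRACE='traceroute to 192.168.1.225 (192.168.1.225), 30 hops max
 1  192.168.10.254  0.412 ms  0.380 ms  0.371 ms
 2  192.168.1.225  0.690 ms  0.655 ms  0.648 ms'

# Question 2: is the director the default gateway?  $1 = director IP,
# stdin = `route -n` output. Prints the default gateway; exit 0 only if it
# is the director, 2 if there is no default route at all.
default_gw_is_director() {
    awk -v dir="$1" '
        $1 == "0.0.0.0" { found = 1; print $2; st = ($2 == dir) ? 0 : 1 }
        END { exit (found ? st : 2) }'
}

# Question 1 (routing table view): list gateway routes that do not point at
# the director, i.e. paths on which replies bypass it. Exit 1 if any exist.
routes_bypassing_director() {
    awk -v dir="$1" '
        $1 ~ /^[0-9]/ && $4 ~ /G/ && $2 != dir { print $1 "/" $3 " via " $2; n++ }
        END { exit (n ? 1 : 0) }'
}

# Question 1 (traceroute view): does the director appear as a hop?
# $1 = director IP, stdin = `traceroute -n` output. Exit 0 if it is in the path.
director_in_path() {
    awk -v dir="$1" '
        /^ *[0-9]+ / && $2 == dir { found = 1 }
        END { exit (found ? 0 : 1) }'
}
```

Run on the real outputs, a non-empty result from `routes_bypassing_director` or a non-zero exit from `director_in_path` identifies the route that needs to be removed or repointed at the director.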