RE: Direct Routing from behind a firewall?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: RE: Direct Routing from behind a firewall?
From: "Matthew S. Crocker" <matthew@xxxxxxxxxxx>
Date: Thu, 26 Jul 2001 15:48:14 -0400 (EDT)
On Thu, 26 Jul 2001, Ricardo Kleemann wrote:

> Thanks!
> 
> Ok, so if we don't want to take up public IP space, then DR can't be
> done... correct?
> 
> I'd like to get some opinions from the experts... my feeling is that DR is
> the "fastest" method because it goes straight out, no management by the
> LVS server... Am I correct in assuming that?

Yes it can,

With this setup

INTERNET -> FIREWALL -> SWITCH -> LVS
                            +---> Real Server 1
                            +---> Real Server 2

The firewall has a public IP address and a private IP address.
LVS has a private address on eth0 and its alias (VIP)
Real Servers have a private address on eth0 and its alias (VIP).

LVS is arping for VIP, realservers are not arping
Firewall has a static NAT setting to map a public IP to the VIP

Inbound connections go through the NAT map to LVS which directs them to a real
server.  The real server gets the connection on its VIP interface and
returns the data to the firewall from the VIP interface. The firewall then
NAT maps it back to the public IP address and out it goes.

For example

Firewall.public = 204.97.12.123
Firewall.private = 192.168.1.1
Firewall.static.map = 204.97.12.254 <-> 192.168.1.254

LVS.private = 192.168.1.2
LVS.vip = 192.168.1.254

RS1.private = 192.168.1.3
RS1.vip = 192.168.1.254
RS2.private = 192.168.1.4
RS2.vip = 192.168.1.254

should work just fine.

> What are the advantages/disadvantages between the different routing
> methods?

DR is faster and less resource intensive, but has issues with configuration
because of the age-old 'arp problem'.

-Matt

> 
> 
> On Thu, 26 Jul 2001, Bowie Bailey wrote:
> 
> > It works just fine from behind a firewall.  Your firewall will need to map a
> > public IP to your real server's private IP and your real server will need a
> > path back out to the firewall.
> > 
> > Bowie
> > 
> > > -----Original Message-----
> > > From:     Ricardo Kleemann [SMTP:ricardo@xxxxxxxxxxx]
> > > Sent:     Thursday, July 26, 2001 3:06 PM
> > > To:       lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > Subject:  Direct Routing from behind a firewall?
> > > 
> > > 
> > > Hi,
> > > 
> > > Is it possible to do DR from behind a firewall? I mean the idea of DR is
> > > that the real server maintains a direct connection... but if the real
> > > server "really" has a private IP behind a firewall, does that create an
> > > issue with DR ?
> > > 
> > > I'm a little confused about that, but I would like to use DR
> > > 
> > > Thanks
> > > Ricardo
> > > 
> > > 
> > > _______________________________________________
> > > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> > > or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> > 
> 
> 

-- 
----------------------------------------------------------------------
Matthew S. Crocker 
Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
Crocker Communications                     Phone: (413) 587-3350
PO BOX 710                                 Fax:   (413) 587-3352
Greenfield, MA 01302-0710                  http://www.crocker.com
----------------------------------------------------------------------
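The layout Matt describes, written out as per-role commands plus a pre-flight check. This is an added example, not code from the post; it assumes a Linux netfilter firewall, an ipvsadm director, a default route on the real servers via the firewall's private address, and that "realservers are not arping" is achieved with the arp_ignore/arp_announce sysctls (2.6+ kernels, not mentioned in the post).

```shell
#!/bin/sh
# Added example, not from the list post: the per-role commands for the layout in
# Matt's message, using his addresses. Assumptions: the firewall is Linux netfilter,
# the director uses ipvsadm, and "realservers are not arping" is done with the
# arp_ignore/arp_announce sysctls (2.6+ kernels; the 2001 setup used other means).
FW_PUBLIC=204.97.12.254     # public side of the firewall's static map
NAT_PRIVATE=192.168.1.254   # private side of that map; must equal the VIP
VIP=192.168.1.254           # alias carried by the director and every real server
FW_PRIVATE=192.168.1.1      # real servers send their replies here, bypassing LVS
REALSERVERS="192.168.1.3 192.168.1.4"
PORT=80
RS_ARP_IGNORE=1             # set to 0 to see validate_plan catch the 'arp problem'

firewall_rules() {  # static 1:1 map: inbound DNAT to the VIP, replies from the VIP SNATed
  echo "iptables -t nat -A PREROUTING -d $FW_PUBLIC -j DNAT --to-destination $VIP"
  echo "iptables -t nat -A POSTROUTING -s $VIP -j SNAT --to-source $FW_PUBLIC"
}

director_rules() {  # the only host that answers ARP for the VIP; -g selects direct routing
  echo "ip addr add $VIP/32 dev eth0"
  echo "ipvsadm -A -t $VIP:$PORT -s wlc"
  for rs in $REALSERVERS; do
    echo "ipvsadm -a -t $VIP:$PORT -r $rs:$PORT -g"
  done
}

realserver_rules() {  # holds the VIP but must never claim it on the LAN
  if [ "$RS_ARP_IGNORE" = 1 ]; then
    echo "sysctl -w net.ipv4.conf.all.arp_ignore=1"
    echo "sysctl -w net.ipv4.conf.all.arp_announce=2"
  fi
  echo "ip addr add $VIP/32 dev lo"
  echo "ip route replace default via $FW_PRIVATE"
}

# Check the plan before applying it: the two mistakes that break this layout are a
# NAT map that does not land on the VIP, and a real server that answers ARP for
# the VIP (the firewall would then talk to it directly, skipping the director).
validate_plan() {
  [ "$NAT_PRIVATE" = "$VIP" ] || { echo "NAT map must target the VIP" >&2; return 1; }
  [ "$RS_ARP_IGNORE" = 1 ] || { echo "real servers would answer ARP for the VIP" >&2; return 2; }
  return 0
}

# Run the matching function on each box, e.g. on the director: director_rules | sh
validate_plan && firewall_rules && director_rules && realserver_rules
```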
