
Re: LVS-DR / LVS-NAT / FW questions

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-DR / LVS-NAT / FW questions
From: "Nicolas Chiappero" <Nicolas.Chiappero@xxxxxxxxx>
Date: Wed, 29 Jan 2003 13:39:33 +0100
Julian Anastasov wrote:
> Hello,
>
> - proxy ARP is used when the traffic should be routed at Layer 3
> with the help from ARP. The packets reach the routing after the
> box answers ARP probes asking for foreign addresses.
>
> - transparent proxy has mostly Layer 5-7 semantic, it is used
> to intercept traffic destined to foreign addresses and to deliver
> it to sockets.
>

OK, thanks for these explanations. I can't remember (I've read too many
docs :) where I saw the term "transparent proxy" used outside a proxy
(squid) context... Nevertheless, it is now clear.

>>  - If so, I found a document
>> (http://www.sjdjweis.com/linux/proxyarp/) explaining how to do proxy
>> arp on a 2.4 kernel. Will this method be compatible with LVS as long
>> as the director is also the default GW for the realservers?
>
> No. The spoofing checks performed from routing will drop
> the traffic.
>

OK.

>
> Solution 1:
> You can use Linux Bridging. In such case the traffic from
> real servers to the ROUTER passes only Layer 2, i.e. the routing
> is not reached and you avoid the spoofing checks. If you don't
> want Bridging or the link to the ROUTER is not ARP aware, then
> you can use solutions that avoid the spoofing checks for this
> traffic. One of them is the forward_shared flag (Solution 2).
>

I'd rather keep the simplest possible setup, and this seems a little
bit complicated to me.

>
> The difference in the NAT/DR speed is very small in Linux 2.4,
> nearly nothing. My recommendation is:
>
> - DR or NAT (depending on other factors, mostly real server setup
> complexity)
>
> - forward_shared: 1 in all/forward_shared and in eth1/forward_shared,
> assuming eth1 is the private interface.
>

To be sure: is the forward_shared patch mandatory even in an LVS-NAT setup
(at least the following one)?

I set up the following LVS-NAT:

                         CLIENT  YYY.YYY.YYY.YYY
                           |
                        INTERNET
                           |
                        (SWITCH)
                       ____|_____
                      |          | VIP=XXX.XXX.XXX.XXX (eth1)
                      | DIRECTOR |
                      |__________| DIP=192.168.0.20 (eth0)
                           |
          -----------------------------------
          |                |                |
   RIP1=192.168.0.30 RIP2=192.168.0.31 RIP3=192.168.0.32 (all eth0)
    _____________     _____________    _____________
   |             |   |             |   |             |
   | realserver  |   | realserver  |   | realserver  |
   |_____________|   |_____________|   |_____________|

                     GW for all RIPs is DIP

I can see this tcpdump trace on the director when I issue the following
command on the client:
CLIENT# telnet VIP 80

DIRECTOR# tcpdump
CLIENT:HIGH_PORT > VIP:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)
CLIENT:HIGH_PORT > RIP1:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)
RIP1:HTTP > CLIENT:HIGH_PORT:S 10:10(0) ack 2 win 5792 <mss 1460,sackOK,timestamp 2 77782103 0,nop,wscale 0> (DF)
DIP > RIP1: icmp: net CLIENT unreachable [tos 0xc0]

I don't know what to do on the director to correct this issue (2 NICs, 2
networks).

Regards,
Nicolas.
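The layout and the four-line trace above, as an added example that is not part of the thread and not code from the LVS project or the poster: a POSIX sh script to run on the director that turns a tcpdump -n trace plus the director's routing state into a one-line verdict. The reasoning it encodes: the first two lines of the trace prove the SYN was rewritten to RIP1 (the ipvsadm NAT rule works), the third proves RIP1 sent its SYN/ACK back through the director (its default GW is the DIP), and an ICMP "net X unreachable" sent by the DIP to the RIP means the director's own route lookup for the reply's destination (the client) failed, which is exactly what happens when ip_forward is on but the director's routing table only holds its two connected networks and no default route. The sample route tables, the trace and all addresses in it (203.0.113.x for the public side, 192.168.0.x as in the diagram) are constructed test data; VIP and RIP are assumed environment variables because the message masks them; the ipvsadm flags used are the standard -A/-a/-t/-r/-s/-m.

```shell
#!/bin/sh
# Director-side checks for the LVS-NAT layout in the diagram above.
# Added example for this thread, not code from the LVS project or the poster.
# Assumptions (not from the message): iproute2 "ip route show" output format,
# tcpdump run with -n (numeric addresses), real servers on 192.168.0.0/24 via eth0.

# --- constructed sample input (not captured from the poster's director) ---
# Routing table holding only the two directly connected networks: no default route.
SAMPLE_ROUTES_NO_DEFAULT='192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.20
203.0.113.0/24 dev eth1  proto kernel  scope link  src 203.0.113.10'
# The same table plus a default route via an assumed upstream router.
SAMPLE_ROUTES_OK="$SAMPLE_ROUTES_NO_DEFAULT
default via 203.0.113.1 dev eth1"
# A tcpdump -n trace shaped like the one in the message (all addresses assumed):
# client 203.0.113.5, VIP 203.0.113.10, RIP1 192.168.0.30, DIP 192.168.0.20.
SAMPLE_TRACE='203.0.113.5.40001 > 203.0.113.10.80: S 1:1(0) win 5480 <mss 1460,sackOK> (DF)
203.0.113.5.40001 > 192.168.0.30.80: S 1:1(0) win 5480 <mss 1460,sackOK> (DF)
192.168.0.30.80 > 203.0.113.5.40001: S 10:10(0) ack 2 win 5792 <mss 1460,sackOK> (DF)
192.168.0.20 > 192.168.0.30: icmp: net 203.0.113.5 unreachable [tos 0xc0]'

# Escape the dots of an address so it can be used inside a grep basic regex.
re_addr() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Count ICMP "net X unreachable" errors in a trace. The director emits these
# when its route lookup for the reply's destination (the client) fails.
count_net_unreach() { printf '%s\n' "$1" | grep -c 'icmp: net .* unreachable' || true; }

# Does "ip route show" output contain a default route?
has_default_route() { printf '%s\n' "$1" | grep -q '^default '; }

# How far did the client's handshake get, judging from the director's trace?
#   no-dnat      the SYN was never rewritten to the real server
#   dnat         the SYN reached the real server, but no SYN/ACK came back through the director
#   replied      the real server's SYN/ACK came back via the director
#   unreachable  the director answered the SYN/ACK with ICMP net unreachable
handshake_stage() {
  trace=$1; rip=$(re_addr "$2")
  if   printf '%s\n' "$trace" | grep -q 'icmp: net .* unreachable'; then echo unreachable
  elif printf '%s\n' "$trace" | grep -q "^$rip\.[0-9]* > .*: S .* ack "; then echo replied
  elif printf '%s\n' "$trace" | grep -q "> $rip\.[0-9]*: S "; then echo dnat
  else echo no-dnat
  fi
}

# One-line verdict from the facts a practitioner collects on the director.
# Arguments: ip_forward value, "ip route show" output, tcpdump -n trace, RIP under test.
diagnose() {
  ip_forward=$1; routes=$2; trace=$3; rip=$4
  if [ "$ip_forward" != 1 ]; then
    echo "FAIL: ip_forward=0, the director silently drops the replies it must forward"
    return 0
  fi
  case $(handshake_stage "$trace" "$rip") in
    no-dnat) echo "FAIL: no SYN rewritten to $rip, check the ipvsadm service and its -m rule" ;;
    dnat)    echo "FAIL: $rip did not answer through the director, check that its default GW is the DIP" ;;
    unreachable)
      if has_default_route "$routes"; then
        echo "FAIL: route lookup for the client still fails, check 'ip route get CLIENT' on the director"
      else
        echo "FAIL: no default route, the director cannot route the reply back to the client"
      fi ;;
    replied) echo "OK: SYN rewritten to $rip and the reply came back, NAT path works" ;;
  esac
}

# The ipvsadm rules for the diagram (-m selects NAT). Live use only, as root.
# VIP is deliberately left unset: the message masks it as XXX.XXX.XXX.XXX.
configure_nat_service() {
  vip=${VIP:?set VIP to the public address on eth1}
  echo 1 > /proc/sys/net/ipv4/ip_forward
  ipvsadm -A -t "$vip:80" -s rr
  for rip in 192.168.0.30 192.168.0.31 192.168.0.32; do
    ipvsadm -a -t "$vip:80" -r "$rip:80" -m
  done
}

# Live mode: run on the director as root while a client does "telnet VIP 80".
# Blocks until 20 packets involving $RIP have been captured on $PRIV_IF.
live_diagnose() {
  rip=${RIP:?set RIP to the real server under test}
  priv_if=${PRIV_IF:-eth0}
  diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip route show)" \
           "$(tcpdump -n -l -i "$priv_if" -c 20 host "$rip" 2>/dev/null)" "$rip"
}

case ${1:-} in live) live_diagnose ;; esac
```

Invoked as `RIP=192.168.0.30 sh check-director.sh live` it prints one verdict; without arguments it only defines the functions, so the constructed samples can be fed to `diagnose` by hand. The script covers routing and forwarding only; the spoofing checks and the forward_shared flag Julian mentions are a separate concern that applies when the director must forward packets whose source is not on the interface they arrive on, which the plain NAT reply path above does not do.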