
RE: LVS-TUN: How to test if ISP allows it?

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS-TUN: How to test if ISP allows it?
From: "Son Nguyen" <trungson@xxxxxxxxx>
Date: Thu, 23 Jun 2005 21:34:12 -0700
> > Hello,
> >
> > I'm trying to set up a simple LVS, one director and one realserver 
> > using LVS-TUN (these machines are in 2 different datacenters).
> 
> have you set up LVS-Tun with machines all local, just to test 
> that you can do it at all, before you try connecting to a 
> realserver out on the internet?

Son: It's not possible since we're renting these dedicated servers at
different ISPs (SAVVIS@Dallas and GNAX@Atlanta, if that could identify any
issue with the blocking of spoofed packets).

> 
> > On the real, I had tunl0 up and also hidden. Debug:
> >
> > client# telnet VIP 80
> >
> > director# tcpdump -ln -i eth0 host RIP
> > tcpdump: listening on eth0
> 
> OK
> 
> > realserver# tcpdump port 80
> > tcpdump: listening on eth0
> > (and there is nothing coming in)
> 
> hmm,
> 
> > realserver# tcpdump -i tunl0 port 80
> > tcpdump: listening on tunl0
> > (and there is also nothing)
> 
> don't know whether the packet actually goes through tunl0, 
> with tunl0 not being a physical device, so don't know whether 
> you should expect to see anything here or not.
> 
> > director# ipvsadm -L -n
> > IP Virtual Server version 1.0.8 (size=65536)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> > TCP  VIP:80 wlc
> >   -> RIP:80             Tunnel  1      0          1
> 
> this is usually a routing problem (most people don't have the 
> route from the RIP to the CIP set up properly) and as you've 
> found you can't get IPIP packets to the realserver.
> Do you have routing from the DIP to the RIP? Can you ping the RIP?

Son: I can ping both ways from DIP<=>RIP, CIP<=>RIP, CIP<=>DIP and also
CIP=>VIP.
Below is the ifconfig settings for the realserver and the director.

real# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0E:0C:70:9B:DC
          inet addr:RIP  Bcast:xxx.xx.xx.247  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:322827 errors:0 dropped:0 overruns:0 frame:0
          TX packets:303803 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36903650 (35.1 Mb)  TX bytes:34936833 (33.3 Mb)
          Interrupt:17 Base address:0x3080 Memory:fa021000-fa021038

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:54575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54575 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28934825 (27.5 Mb)  TX bytes:28934825 (27.5 Mb)

tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:VIP  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

director# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:80:0C:E1:0F
          inet addr:DIP  Bcast:xx.xxx.xx.127  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:368242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:42241984 (40.2 Mb)  TX bytes:50764463 (48.4 Mb)
          Interrupt:11 Base address:0xb000

eth0:1    Link encap:Ethernet  HWaddr 00:01:80:0C:E1:0F
          inet addr:VIP  Bcast:xx.xxx.xx.127  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:368242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418235 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:42241984 (40.2 Mb)  TX bytes:50764787 (48.4 Mb)
          Interrupt:11 Base address:0xb000

> 
> > I also wonder if it's the ISP that drops the ip-encapsulated packet?
> 
> The ISP doesn't know that it's an IPIP packet, unless it 
> opens it up and looks (which a router isn't going to do).
> All the ISP sees is a regular IP packet from DIP to RIP.
> 
> The usual problem with the ISP is that the realserver is 
> sending a packet back to the CIP with src_addr=VIP. Since the 
> VIP is usually not on the tunnelled realserver's network, the 
> ISP may block it on the outbound direction, thinking it to be 
> a spoofed packet.

Son: Is there any method to test whether the realserver's ISP allows
"src_addr=VIP" in the packets sent back to the CIP?

Thanks
> 
> Joe
> 
> 
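
Added example, not part of the original thread: one way to localize where an LVS-TUN connection is lost is to capture at four points and compare, since the encapsulated packet on eth0 has outer IP protocol 4 and is not matched by a `port 80` filter. The capture names, the `tcpdump -n` line shapes and the RFC 5737 addresses standing in for DIP, VIP, RIP and CIP are assumptions, and all sample lines are constructed.

```python
import re

# Line shapes assumed for `tcpdump -n` output; every sample below is constructed.
#   IPIP : IP <outer_src> > <outer_dst>: IP <src>.<port> > <dst>.<port>: ...
#   plain: IP <src>.<port> > <dst>.<port>: ...
IPIP = re.compile(r"IP (\S+) > (\S+): IP (\S+)\.\d+ > (\S+)\.\d+:")
PLAIN = re.compile(r"IP ((?:\d+\.){3}\d+)\.\d+ > ((?:\d+\.){3}\d+)\.\d+:")

def saw_ipip(lines, dip, rip, cip, vip):
    """An encapsulated CIP->VIP packet carried in an outer DIP->RIP packet."""
    return any(m and m.groups() == (dip, rip, cip, vip)
               for m in map(IPIP.search, lines))

def saw_reply(lines, vip, cip):
    """An unencapsulated reply with src_addr=VIP going to the CIP."""
    plain = (PLAIN.search(l) for l in lines if not IPIP.search(l))
    return any(m and m.groups() == (vip, cip) for m in plain)

def locate_drop(caps, dip, rip, cip, vip):
    """caps maps capture name -> tcpdump lines; returns the first failing hop."""
    if not saw_ipip(caps["director_out"], dip, rip, cip, vip):
        return "director"       # nothing encapsulated: check ipvsadm and routes
    if not saw_ipip(caps["real_in"], dip, rip, cip, vip):
        return "transit"        # protocol-4 packets lost between DIP and RIP
    if not saw_reply(caps["real_out"], vip, cip):
        return "realserver"     # packet arrived, VIP on tunl0 did not answer
    if not saw_reply(caps["client_in"], vip, cip):
        return "egress-filter"  # src_addr=VIP reply left eth0, never arrived
    return "ok"

# Constructed addresses (RFC 5737 documentation ranges) and capture lines.
DIP, VIP, RIP, CIP = "192.0.2.10", "192.0.2.100", "198.51.100.20", "203.0.113.5"
ENCAP = f"12:00:00.10 IP {DIP} > {RIP}: IP {CIP}.40000 > {VIP}.80: Flags [S], length 0"
REPLY = f"12:00:00.15 IP {VIP}.80 > {CIP}.40000: Flags [S.], length 0"
SAMPLE = {
    "director_out": [ENCAP],  # director#   tcpdump -n -i eth0 ip proto 4 and host RIP
    "real_in": [ENCAP],       # realserver# tcpdump -n -i eth0 ip proto 4
    "real_out": [REPLY],      # realserver# tcpdump -n -i eth0 src host VIP
    "client_in": [],          # client#     tcpdump -n src host VIP
}

if __name__ == "__main__":
    print(locate_drop(SAMPLE, DIP, RIP, CIP, VIP))
```

A result of "egress-filter" matches the case Joe describes, where the reply leaves the realserver with src_addr=VIP and is dropped before it reaches the client.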

