Re: LVS-TUN setup - responses from realserver not being let through

[Per Jessen <per@xxxxxxxxxxxx>]

Roberto Nibali wrote:

>> On the director:  (presumably not interesting)
>> 
>> # ip route get 217.8.220.94 from 88.198.198.122
>> 217.8.220.94 from 88.198.198.122 via 88.198.41.97 dev eth1
>>     cache  mtu 1500 advmss 1460 fragtimeout 64
> 
> So the director has a different DGW than the RS?

Yes - they're both leased servers, but on different networks, perhaps
different datacenters etc. 

>> On the real server:
>> 
>> # ip route get 217.8.220.94 from 88.198.198.122
>> 217.8.220.94 from 88.198.198.122 via 88.198.7.129 dev eth1
>>     cache  mtu 1500 advmss 1460 fragtimeout 64
>> 
>> # ip rule show
>> 0:      from all lookup local
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>> 
>> # ip route show
>> 88.198.7.128/27 dev eth1  proto kernel  scope link  src 88.198.7.133
> 
> Why is that? What's the primary address of eth1 on your RS?

That is 88.198.7.133.  

> Stupid questions:
> 
> o You took care of the arp problem, right?

I believe so - on the RS, I've got 

net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2

> o There's no rp_filter enabled on the RS?

# cat /proc/sys/net/ipv4/conf/all/rp_filter
1

I had to go and read up on that setting - I'm getting a feeling it
should perhaps be 0, not 1?  Looks like my SUSE 10.1 sets it by
default.

> o ~.7.129 is your DGW in the data center?

At least for one server - the datacenter is remote, and more or less a
blackbox to me.

> o no NAT between the client and LVS?

There is, but I've also tried telnet'ing directly from the NAT-gateway.

> Could you send the 'ip addr show' output from your RS and director?

RS: 
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:17:99:d3:54 brd ff:ff:ff:ff:ff:ff
    inet 88.198.7.133/27 brd 88.198.7.159 scope global eth1
    inet6 fe80::216:17ff:fe99:d354/64 scope link
       valid_lft forever preferred_lft forever
3: tunl0: <NOARP,UP> mtu 1480 qdisc noqueue
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 88.198.198.122/32 scope global tunl0
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

director:
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:d3:c9:5e:b8 brd ff:ff:ff:ff:ff:ff
    inet 88.198.41.117/27 brd 88.198.41.127 scope global eth1
    inet 88.198.198.122/32 scope global eth1
    inet6 fe80::213:d3ff:fec9:5eb8/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0


>>> Where about in Zürich are you?
>> 
>> We're in Herrliberg, about 25mins south on the Goldcoast.
> 
> Just got booked for speeding from the police of that region; guess I
> was distracted by all those fancy rich ladies and the beautiful view
> on the lake :).

Well, if you help me sort this one out, beers are on me and you get to
enjoy the beautiful view of the pumpkin field just opposite :-)


/Per Jessen, Zürich