Re: ipvs and source nat

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ipvs and source nat
From: Dan McCormick <dan@xxxxxxxxxx>
Date: Mon, 25 Sep 2006 11:52:28 -0400
On Mon, 2006-09-25 at 05:58 -0700, Joseph Mack NA3T wrote:
> On Sun, 24 Sep 2006, Dan McCormick wrote:
> > I have an existing public IP (VIP #1)
> > owned by an existing director (DIP #1) hitting a group of eight web
> > servers.  I'm moving to a second IP (VIP #2) owned by a separate
> > director (DIP #2) hitting the same group of eight web servers.
> OK how about this:
> add a 2nd RIP to each realserver (I assume they're on 
> private IPs, so you have plenty of IPs) - just put a 2nd 
> IP onto the NIC with `ip addr add ...`. You'll need to 
> activate the service on the realservers on the new IP too.
> Set up the new director to load balance the new set of IPs.
> You now have to get the packets back from the realservers to 
> the right DIP.
> On each realserver, instead of a default gateway have a 
> route from RIP1:80 to DIP1 and from RIP2:80 to DIP2 (this 
> will need the iproute2 tools), You may be able to set up a 
> route from RIP1 to DIP1 and RIP2 to DIP2 (ie all ports).

Ah, interesting.  (And thanks to Siim for a similar suggestion.)

That sounds like it would work, but another solution occurred to me:
don't use DIP #2 as a director at all, just as a firewall.  Use it to
DNAT and SNAT incoming connections (DNAT to a virtual local IP, like; SNAT to the firewall IP's,

Then, DIP #1 can respond to requests for -- so I can use
the existing director.  This seems to work well.  The only hitch I
discovered is I needed to go from masq to gate (and add .198 to the real
servers' loopback address) -- other than that, all seems good.

So I think I'm set.  Thanks for the help,

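Both approaches discussed in this thread, written out as the commands a realserver, the firewall box and the director would run. This is an added example, not configuration posted by either author; every address below is an assumption (TEST-NET-2 for the public VIPs, a private 10.0.0.0/24 for directors and realservers) and the interface name is a placeholder. The script prints the commands by default (DRY_RUN=1) so it can be read and checked offline; set DRY_RUN=0 and run it as root on the right host to apply them.

```shell
#!/bin/sh
# Assumed addresses (not from the thread); adjust to your network.
VIP1=198.51.100.10   # existing public VIP, served by director 1
VIP2=198.51.100.20   # new public VIP, owned by the second box
DIP1=10.0.0.1        # director 1, inside address
DIP2=10.0.0.2        # director 2 / firewall, inside address
RIP1=10.0.0.11       # a realserver's original address
RIP2=10.0.0.12       # second address added to the same realserver NIC
IFACE=eth0           # realserver NIC (assumption)
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root)

# Print or execute one command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Approach 1 (the quoted suggestion): a second RIP on each realserver and
# source-based policy routing, so replies from RIP1 leave via DIP1 and
# replies from RIP2 leave via DIP2.  Selecting on source address covers
# all ports; steering only port 80 would need an fwmark rule instead.
realserver_policy_routing() {
  run ip addr add "$RIP2/24" dev "$IFACE"
  run ip rule add from "$RIP1" table 101
  run ip route add default via "$DIP1" table 101
  run ip rule add from "$RIP2" table 102
  run ip route add default via "$DIP2" table 102
}

# Approach 2 (the poster's solution): DIP2 is not a director, only a NAT
# firewall.  Connections to VIP2 are DNATed to VIP1 and SNATed to the
# firewall's inside address, so director 1 sees ordinary VIP1 traffic
# arriving from DIP2 and the existing LVS setup handles it.
firewall_nat() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -d "$VIP2" -p tcp --dport 80 \
      -j DNAT --to-destination "$VIP1"
  run iptables -t nat -A POSTROUTING -d "$VIP1" -p tcp --dport 80 \
      -j SNAT --to-source "$DIP2"
}

# Director 1 in gate (LVS-DR) mode: -g forwards by MAC, realservers reply
# to the client themselves.  (-m would be masq / LVS-NAT.)
director_dr() {
  run ipvsadm -A -t "$VIP1:80" -s wlc
  run ipvsadm -a -t "$VIP1:80" -r "$RIP1:80" -g
}

# Realserver side of gate mode: the VIP goes on loopback so the realserver
# accepts packets addressed to it, and ARP is restricted so only the
# director answers ARP for the VIP on the shared segment.
realserver_dr() {
  run ip addr add "$VIP1/32" dev lo
  run sysctl -w net.ipv4.conf.all.arp_ignore=1
  run sysctl -w net.ipv4.conf.all.arp_announce=2
}

# Usage: sh lvs-two-vips.sh realserver-routing|firewall|director|realserver-dr
case "${1:-}" in
  realserver-routing) realserver_policy_routing ;;
  firewall)           firewall_nat ;;
  director)           director_dr ;;
  realserver-dr)      realserver_dr ;;
esac
```

Two things to check before relying on approach 2: after the SNAT, director 1 and every realserver see DIP2 as the client address, so web server logs and any per-client rate limiting lose the real source unless the firewall is replaced by a proxy that adds a header; and in gate mode the arp_ignore/arp_announce settings are what stop the realservers from answering ARP for the VIP and stealing traffic from the director.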