On Mon, 2006-09-25 at 05:58 -0700, Joseph Mack NA3T wrote:
> On Sun, 24 Sep 2006, Dan McCormick wrote:
> > I have an existing public IP (VIP #1)
> > owned by an existing director (DIP #1) hitting a group of eight web
> > servers. I'm moving to a second IP (VIP #2) owned by a separate
> > director (DIP #2) hitting the same group of eight web servers.
> OK how about this:
> add a 2nd RIP to each realserver (I assume they're on
> private IPs, so you have plenty of IPs) - just put a 2nd
> IP onto the NIC with `ip addr add ...`. You'll need to
> activate the service on the realservers on the new IP too.
> Set up the new director to load balance the new set of IPs.
> You now have to get the packets back from the realservers to
> the right DIP.
> On each realserver, instead of a default gateway have a
> route from RIP1:80 to DIP1 and from RIP2:80 to DIP2 (this
> will need the iproute2 tools). You may be able to set up a
> route from RIP1 to DIP1 and RIP2 to DIP2 (ie all ports).
Ah, interesting. (And thanks to Siim for a similar suggestion.)
That sounds like it would work, but another solution occurred to me:
don't use DIP #2 as a director at all, just as a firewall. Use it to
DNAT and SNAT incoming connections (DNAT to a virtual local IP, like
192.168.0.198; SNAT to the firewall IPs, 192.168.0.140).
Then, DIP #1 can respond to requests for 192.168.0.198 -- so I can use
the existing director. This seems to work well. The only hitch I
discovered is I needed to go from masq to gate (and add .198 to the real
servers' loopback address) -- other than that, all seems good.
So I think I'm set. Thanks for the help,
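As an added example, not code from the thread: the two approaches discussed above (Joseph's per-RIP policy routing on the realservers, and Dan's DNAT/SNAT firewall with the .198 VIP on the realservers' loopback after going from masq to gate) as shell functions with a dry-run mode so the commands can be reviewed before being applied as root. The interface names, the 10.x addresses and the /24 mask are assumptions; only 192.168.0.198 and 192.168.0.140 come from the thread.

```shell
#!/bin/sh
# Dry-run by default: print each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Joseph's suggestion, on each realserver: add a 2nd RIP to the NIC, then
# source-based policy routing so replies from RIP1 go back via DIP1 and
# replies from RIP2 via DIP2 (iproute2). Table numbers 101/102 are assumed.
realserver_policy_routes() {
    nic=$1 rip1=$2 dip1=$3 rip2=$4 dip2=$5
    run ip addr add "$rip2/24" dev "$nic"          # /24 is an assumption
    run ip rule add from "$rip1" table 101
    run ip route add default via "$dip1" table 101
    run ip rule add from "$rip2" table 102
    run ip route add default via "$dip2" table 102
}

# Dan's solution on DIP #2 used purely as a firewall: DNAT public VIP #2 to
# the internal 192.168.0.198, SNAT forwarded traffic to the firewall's own
# 192.168.0.140 so replies come back through it. Side effect worth knowing:
# the realservers then see 192.168.0.140 as the client, so the real client
# address is only available in the firewall's own connection tracking/logs.
firewall_nat() {
    wan_if=$1 vip2=$2
    run iptables -t nat -A PREROUTING -i "$wan_if" -d "$vip2" \
        -p tcp --dport 80 -j DNAT --to-destination 192.168.0.198
    run iptables -t nat -A POSTROUTING -d 192.168.0.198 \
        -p tcp --dport 80 -j SNAT --to-source 192.168.0.140
    run sysctl -w net.ipv4.ip_forward=1
}

# Going from masq to gate (LVS-DR): each realserver carries .198 on loopback
# and must not answer ARP for it, otherwise it competes with the director.
realserver_dr_vip() {
    run ip addr add 192.168.0.198/32 dev lo
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
}
```

Run with DRY_RUN=0 as root on the relevant host once the printed commands look right.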