RE: How to NAT The FTP-DATA Connection?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: How to NAT The FTP-DATA Connection?
From: Mark de Vries <mark@xxxxxxxxxx>
Date: Mon, 25 Dec 2006 12:29:28 +0100
On Mon, 2006-12-25 at 07:49 +0000, Graeme Fowler wrote:
> On Sun, 2006-12-24 at 21:35 -0800, Robinson, Eric wrote:
> > I'm not sure they are ever going INTO the director. I think they're
> > bypassing it and being routed instead.
> 
> Aha - it all becomes (sort of) clear.

Hmmm.... no, I think there's a misunderstanding. For "us" loadbalancer
== director. I think Robin means the lvs layer/subsystem/wherever, as in
"the director runs on the loadbalancer". Robin?

Robin, you stated that the realserver "only has a default route
that points to 192.168.10.100, the inside interface of the
load-balancer." Although strictly speaking this does not unambiguously
tell us there is only _one_ route, I think that is what you mean? The
dumps you show seem to support this notion but, as Graeme explains, this
is important so please verify/confirm. If in doubt show the result of an
"ip ro get 10.0.0.109" on the real-server...

> In LVS-NAT, the return packets from the realservers to the clients
> _must_ traverse the director or they will not get NATted back to an
> address/port pair for the right client.
> 
> For the FTP helper to work it must see the PORT packet so it can work
> its magic to change the address. This is why I asked you if there were

Do you have the ip_vs_ftp module loaded? 

Any NAT rules in iptables? (iptables -t nat -L)

Can you show the output of "ipvsadm -lcn" during a download? (I don't
have a system available to test but I think this should show a
connection template used to NAT the data connection.)

Regards & A Merry Christmas everyone,

Mark.

> routes involved in a previous post - if the realservers have explicit
> routes back to the clients, and those routes avoid the director, NAT
> simply won't work (it might work partially if there's another NAT device
> involved mapping the realserver/service back to a NAT IP/service, but
> not completely).
> 
> This is the key difference between NAT and TUN or DR - in TUN & DR, the
> packets return directly (by hook or by crook) to the client. In NAT,
> they go via the director.
> 
> Merry Christmas, list!
> 
> Graeme
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
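The return-path check Mark asks for ("ip ro get 10.0.0.109" on the realserver), reproduced offline as an added example that is not part of the thread: it does a longest-prefix lookup over a constructed realserver routing table and reports whether a given client's reply traffic would be handed to the director's inside interface (192.168.10.100, as stated in the thread). The route lines and client addresses are constructed; the third route is the kind of explicit route Graeme warns about.

```python
import ipaddress

# Constructed sample of a realserver's `ip route` output (not from the thread).
# The 10.0.0.0/24 line sends replies to a different router, bypassing the director.
REALSERVER_ROUTES = """\
default via 192.168.10.100 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.2
10.0.0.0/24 via 192.168.10.1 dev eth0
"""

DIRECTOR_INSIDE_IP = "192.168.10.100"  # director's inside interface, from the thread


def parse_routes(text):
    """Turn `ip route` lines into (network, gateway) pairs; gateway None = on-link."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dst, strict=False)
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((network, gateway))
    return routes


def next_hop(routes, dst_ip):
    """Longest-prefix match: the gateway `ip route get dst_ip` would report."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None  # no route at all
    _network, gateway = max(candidates, key=lambda r: r[0].prefixlen)
    return gateway


def return_path_via_director(route_text, client_ip, director_ip=DIRECTOR_INSIDE_IP):
    """True only if the realserver's reply to client_ip goes to the director,
    which LVS-NAT (and the ip_vs_ftp PORT rewrite) requires."""
    return next_hop(parse_routes(route_text), client_ip) == director_ip


if __name__ == "__main__":
    for client in ("10.0.0.109", "198.51.100.7"):
        hop = next_hop(parse_routes(REALSERVER_ROUTES), client)
        ok = return_path_via_director(REALSERVER_ROUTES, client)
        print(f"{client}: next hop {hop} -> {'OK' if ok else 'BYPASSES DIRECTOR'}")
```

A client whose reply is routed anywhere other than the director's inside address will never have its FTP-DATA connection NATted, whatever ipvsadm shows for the control connection.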

