Re: SNAT Confusion

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: SNAT Confusion
Cc: jkrzyszt@xxxxxxxxxxxx
From: "Rodre Ghorashi-Zadeh" <rodrico7@xxxxxxxxxxx>
Date: Sat, 17 Mar 2007 17:47:33 -0700

For my application the first request, from the initial client on the internet, comes in as an http request and hits the VIP and gets load balanced via LVS-NAT as intended. The second request, from the real server, is an LDAP request that gets sent to an LVS-DR VIP to perform authentication as part of the initial client connection. I need the 2nd layer of load balancing more for high availability than for actual balancing of the load. This is a requirement that I can't get around, therefore I have no choice but to face any difficulties in getting it to work. What are these difficulties?

Also, on a side note, at the risk of sounding like I am critiquing LVS (which I am not, I have been a big fan and user for years and have implemented it over an appliance from a big name 9 times out of 10), I read somewhere that since LVS's inception into the mainstream Kernel that it "sits on top of the Netfilter framework". If this is true then one would think that: if what goes up, in this case the packet flow, must come down, then one would logically think that if the packets traverse the iptables PREROUTING and INPUT tables, then they would also come down the OUTPUT and POSTROUTING tables as well on their way out of the system. Again, I don't want to sound like I am criticizing LVS at all but the framework/architecture doesn't seem complete. Just an opinion, and I hope that I didn't offend anybody especially in my time of need. Thanks.


From: Joseph Mack NA3T <jmack@xxxxxxxx>
Reply-To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
CC: jkrzyszt@xxxxxxxxxxxx
Subject: Re: SNAT Confusion
Date: Sat, 17 Mar 2007 17:23:55 -0700 (PDT)

On Fri, 16 Mar 2007, Rodre Ghorashi-Zadeh wrote:


I have been able to get the "Janusz" patch to work on Fedora 2.6.19-1.2288.2.4.fc5, but it looks like my problem still isn't solved. It looks like this may be the time to explain my setup and requirement:

I am in the situation where my real servers are clients of the VIP, and have the potential to loop back via the director onto themselves. It is not a problem if:

realserver1 RIP -> Director VIP -> realserver2 RIP


realserver2 RIP -> Director VIP -> realserver1 RIP

but both:

realserver1 RIP -> Director VIP -> realserver1 RIP


realserver2 RIP -> Director VIP -> realserver2 RIP

fail miserably.

People are always wanting the realserver to be a client of the VIP to balance a 2nd layer of requests. This is a little difficult to do with LVS. Since the first connection is already reasonably balanced, it occurs to me that the 2nd request can just stay on the realserver (e.g. LVS-DR, when the VIP is on the realserver). Possibly the 2nd connection won't be perfectly balanced, but for the trouble you have to go to, to get it balanced, would it be balanced well enough?


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!
