To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp)
From: "Shaun Mccullagh" <Shaun.Mccullagh@xxxxx>
Date: Tue, 22 May 2007 15:11:51 +0200
Hi,

First off, many thanks to all those who contribute to Keepalived, first-class
open software!

For the first time I am attempting to use LVS in a WAN environment to
load balance two Web RealServers.

KL is in location A, RS1 in location B and RS2 in location C.

All these locations are geographically separate and all systems have
public IPs.

Having read the documentation it seems TUN is the appropriate choice for
lb_kind.

The problem is both Real Servers are running Windows 2003 Server.
Windows 2003 does not support IPIP encapsulation, Win2k used to.

However, both Windows servers sit behind Linux firewalls which do support
IPIP. So I wondered if I could use the firewalls to decapsulate the IPIP
datagrams and then forward them to the RS.

I've succeeded in getting one tunnel operational. The KL healthchecker
is successfully executing a simple TCP check on Port 80 of RS1 every 20
seconds.

The problem is the Linux firewall will not forward browser client
requests to RS1. 

Tcpdump shows the requests are being delivered to tun0 on the firewall
connected to RS1:

14:50:42.225285 IP 10.200.0.1 > 10.200.0.2: IP 62.100.54.4.1174 >
62.100.52.101.http: S 126909974:126909974(0) win 65535 <mss
1260,nop,nop,sackOK> (ipip-proto-4)

Note that 62.100.52.101 is the KL VIP, 10.200.0.2 is the firewall tunnel
address, and 10.200.0.1 is the KL tunnel address. I've added an IPTABLES
rule to DNAT all traffic sent to 10.200.0.2:20 to RS1 (10.1.40.10); this
works for the KL TCP check, but not for browser requests.

First question is: Can I use Linux firewalls in this way?

Second question: If the answer to question one is yes, how can I get the
firewall to forward the browser requests to RS1?

TIA

Shaun

The firewall interfaces are configured as follows:

38: eth1.11: 
    inet 62.100.15.4/24 scope global eth1.11

40: tunl0: <NOARP> mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0

42: tun0@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue 
    link/ipip 62.100.15.4 peer 62.100.52.101
    inet 10.200.0.2 peer 10.200.0.1/32 scope global tun0  

KL Network Interfaces look like this:

2: eth0: 
    inet 62.100.52.99/28 brd 62.100.52.111 scope global eth0
    inet 62.100.52.101/28 scope global secondary eth0
3: eth1: 
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
    inet 10.0.0.3/24 scope global secondary eth1
4: tunl0: <NOARP> mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0
5: tun0@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue 
    link/ipip 62.100.52.101 peer 62.100.15.4
    inet 10.200.0.1 peer 10.200.0.2/32 scope global tun0

KL config:

vrrp_instance VI_0 {
        state MASTER
        interface eth0
        track_interface {
                eth0
        }
        virtual_router_id 3
        priority 150
        advert_int 10
        authentication {
                auth_type PASS
                auth_pass XXXX
        }
        virtual_ipaddress {
                10.0.0.3/24 dev eth1
        }
        virtual_ipaddress_excluded {
                62.100.52.101/28 dev eth0
        }
}

virtual_server 62.100.52.101 80 {
        delay_loop 20
        lb_algo wlc
        lb_kind TUN
        persistence_timeout 86400
        protocol TCP

        real_server 10.200.0.2 80 {
                weight 1
                TCP_CHECK {
                        connect_port 80
                        connect_timeout 20
                }
        }
}

A disclaimer applies to this e-mail message; it can be found at
http://www.xb.nl/disclaimer.html
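Added example, not part of Shaun's message and not code from keepalived or the LVS project: a small sh script that reads the posted tcpdump line back and prints the firewall-side commands this setup appears to need. The reasoning it encodes comes from the listings in the message. The captured line ends in `(ipip-proto-4)`, so what arrives on the firewall's tun0 is the director's LVS-TUN encapsulation carried inside the tun0 tunnel, and its payload is the untouched client packet whose destination is the VIP, not 10.200.0.2. The TCP_CHECK, on the other hand, is an ordinary connection from KL to 10.200.0.2:80 and is never encapsulated, which is why a DNAT rule keyed on the tunnel address serves the health check but never sees a browser request. Undoing that second IPIP layer on the firewall requires the fallback ipip device tunl0 to be up (the listing shows it as `qdisc noop`, i.e. down), and the DNAT rule has to match the VIP. `LAN_IF` is an assumed name for the firewall's inside interface, and the second sample line is constructed to look like the health check; the script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not taken from the post or from keepalived.  Addresses are the
# ones in the message; LAN_IF is an assumed name for the firewall's inside interface.
VIP=62.100.52.101      # KL VIP; LVS-TUN keeps it as the destination of the inner packet
TUN_LOCAL=10.200.0.2   # firewall end of tun0, and the real_server address configured on KL
RS=10.1.40.10          # RS1 behind the firewall
RS_PORT=80
LAN_IF=eth0            # assumed: firewall interface towards RS1

# Destination of the innermost packet in a tcpdump line.  tcpdump prints one
# "IP src > dst" header per encapsulation layer, so the last one is the payload.
innermost_dst() {
    printf '%s\n' "$1" |
        sed -n 's/.*IP [0-9.]* > \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.[A-Za-z0-9]*: .*/\1/p'
}

# True when the packet captured on tun0 is itself IPIP, i.e. the LVS-TUN
# encapsulation still has to be undone on this host.
still_encapsulated() {
    case "$1" in
        *'(ipip-proto-4)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Say which of the two traffic types in the post a captured line belongs to.
classify_tun_packet() {
    dst=$(innermost_dst "$1")
    if still_encapsulated "$1" && [ "$dst" = "$VIP" ]; then
        echo client-via-lvs   # director-forwarded request; a DNAT keyed on TUN_LOCAL never matches it
    elif [ "$dst" = "$TUN_LOCAL" ]; then
        echo healthcheck      # plain TCP_CHECK from KL to the tunnel address; the existing DNAT matches
    else
        echo other
    fi
}

# Firewall-side commands, printed rather than executed so they can be reviewed.
firewall_commands() {
    cat <<EOF
modprobe ipip
# the fallback ipip device must be UP for the kernel to decapsulate the second layer
ip link set tunl0 up
sysctl -w net.ipv4.ip_forward=1
# the decapsulated packet carries the client's public source address on tunl0;
# strict reverse-path filtering would discard it
sysctl -w net.ipv4.conf.tunl0.rp_filter=0
# match the VIP (the real destination of the client packet), not the tunnel address
iptables -t nat -A PREROUTING -i tunl0 -p tcp -d $VIP --dport $RS_PORT -j DNAT --to-destination $RS:$RS_PORT
iptables -A FORWARD -i tunl0 -o $LAN_IF -p tcp -d $RS --dport $RS_PORT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed samples: the line quoted in the post, and a health-check line of
# the shape the existing DNAT rule already handles.
POSTED='14:50:42.225285 IP 10.200.0.1 > 10.200.0.2: IP 62.100.54.4.1174 > 62.100.52.101.http: S 126909974:126909974(0) win 65535 <mss 1260,nop,nop,sackOK> (ipip-proto-4)'
HCHECK='14:50:22.000000 IP 10.200.0.1.33000 > 10.200.0.2.http: S 1:1(0) win 5840'
echo "posted line : $(classify_tun_packet "$POSTED") (innermost dst $(innermost_dst "$POSTED"))"
echo "health check: $(classify_tun_packet "$HCHECK") (innermost dst $(innermost_dst "$HCHECK"))"
firewall_commands
```

Two things to check before relying on this. The reply from RS1 is un-NATed by conntrack back to source address 62.100.52.101 and then leaves through the firewall's own uplink, so the provider at location B has to accept packets sourced from an address that is not in its prefix; if it applies ingress source filtering the connection will open but never complete, and a tcpdump on eth1.11 for traffic from the VIP is the quickest way to see whether the replies get out. The FORWARD rules above assume the chain's policy is DROP; if it is already ACCEPT, only the nat rule and the tunl0 changes matter.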