RE: SNAT / Masquerading problems using LVS-NAT

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: SNAT / Masquerading problems using LVS-NAT
From: "Rudd, Michael" <Michael.Rudd@xxxxxxxxxxx>
Date: Tue, 22 May 2007 08:58:02 -0500
Upon further testing of this, I've found a problem. 

Without the iptables rules doing the SNAT, basically what I see is
perfect load balancing between my 2 real servers but absolutely no SNAT
happening. The return packets have the source IP address of the real

With this Iptables rule on the director "/sbin/iptables -t nat -A
POSTROUTING -p udp --source-port 53 -j SNAT --to-source VIP:53"
I see the packets get SNAT'ed correctly. However, I don't see any
load balancing. It just chooses a server and continuously sends it to
that server. Also no stats are shown via ipvsadm -L --stats. They just
sit there like they are doing no work. The incoming packets are source
port 32794 and destination port 53. So they should just bypass the
iptables rule. Why this rule is messing up LVS from working correctly I
have no clue. It should only be affecting the outgoing packets from the
realservers back to the directors. 

Anybody got any clues as to what this rule is doing to my LVS setup? 

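One check that helps with the symptom above (a service whose counters in ipvsadm -L --stats never move, or one real server taking every packet while the other sits idle) is to parse the stats output and flag those two conditions. The script below is an added example written for this page; it is not code from the thread or from the LVS project, and the ipvsadm output it parses is a constructed sample, not a capture from Michael's directors.

```python
import re

# Constructed sample of `ipvsadm -L --stats` output (not from the thread):
# one UDP/53 service where a single real server takes every packet, one
# that sees no traffic at all, and one healthy TCP service for contrast.
SAMPLE_STATS = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
UDP  192.0.2.10:53                     240      240      240    19200    19200
  -> 10.0.0.11:53                      240      240      240    19200    19200
  -> 10.0.0.12:53                        0        0        0        0        0
UDP  192.0.2.11:53                       0        0        0        0        0
  -> 10.0.0.11:53                        0        0        0        0        0
  -> 10.0.0.12:53                        0        0        0        0        0
TCP  192.0.2.10:80                     100      600      500    48000    90000
  -> 10.0.0.11:80                       52      310      260    24800    46800
  -> 10.0.0.12:80                       48      290      240    23200    43200
"""

# ipvsadm abbreviates large counters with K/M/G suffixes.
NUM = r"(\d+[KMG]?)"
SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+" + r"\s+".join([NUM] * 5) + r"\s*$")
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+" + r"\s+".join([NUM] * 5) + r"\s*$")


def _counter(token):
    """Convert '19200', '12K', '3M' style counters to an int."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if token[-1] in mult:
        return int(token[:-1]) * mult[token[-1]]
    return int(token)


def parse_ipvsadm_stats(text):
    """Return a list of virtual services, each with its real servers and counters."""
    services = []
    current = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = {
                "proto": m.group(1),
                "vip": m.group(2),
                "conns": _counter(m.group(3)),
                "inpkts": _counter(m.group(4)),
                "reals": [],
            }
            services.append(current)
            continue
        m = REAL_RE.match(line)
        if m and current is not None:
            current["reals"].append({
                "rip": m.group(1),
                "conns": _counter(m.group(2)),
                "inpkts": _counter(m.group(3)),
            })
    return services


def find_issues(services):
    """Flag services showing the two symptoms described in the thread:
    'no_traffic' - every IPVS counter stays at zero, so packets never reach it
    'idle_reals' - traffic flows but some real servers never receive any
    Returns (proto, vip, kind, idle_rips) tuples."""
    issues = []
    for svc in services:
        reals = svc["reals"]
        if not reals:
            continue
        total = sum(r["inpkts"] for r in reals)
        if total == 0:
            issues.append((svc["proto"], svc["vip"], "no_traffic", []))
            continue
        idle = [r["rip"] for r in reals if r["inpkts"] == 0]
        if len(reals) > 1 and idle:
            issues.append((svc["proto"], svc["vip"], "idle_reals", idle))
    return issues


if __name__ == "__main__":
    for proto, vip, kind, idle in find_issues(parse_ipvsadm_stats(SAMPLE_STATS)):
        print(f"{proto} {vip}: {kind} {' '.join(idle)}".rstrip())
```

On a real director, feed it the output of ipvsadm -L -n --stats (the -n keeps addresses numeric so the regexes match) and run it once before and once after adding a netfilter rule; a service that drops into the no_traffic state only after the rule appears tells you the packets are being diverted before IPVS sees them.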

-----Original Message-----
From: Rudd, Michael 
Sent: Thursday, April 26, 2007 9:34 AM
To: ' users mailing list.'
Subject: RE: SNAT / Masquerading problems using LVS-NAT

Followup after some testing. 

First off, yeah, I found out the application doing the DNS queries is
bound to So it's pretty much choosing whatever interface it
wants to go out from. Probably why the SNAT isn't working from the
realserver for LVS-DR. I may see if I can get this working because I
ultimately want to use LVS-DR someday. 

As for LVS-NAT, I had the idea to do the SNAT for LVS since it's not
working because of the OPS patch I need. So I implemented an iptables rule
that whenever it receives a source port of 53, it SNATs it to the VIP:53
and sends it out. This should pick up all traffic coming back from my
realservers. I tried this and it works. So this is an acceptable
workaround for me right now.

I'll post when I get the LVS-DR testing done and verify it is SNATing
when I have it configured correctly and bound to the correct interface. 

Thanks for the help guys.

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Graeme
Sent: Wednesday, April 18, 2007 8:46 AM
To: users mailing list.
Subject: RE: SNAT / Masquerading problems using LVS-NAT

On Wed, 2007-04-18 at 07:01 -0500, Rudd, Michael wrote:
> My setup is 2 bonds: 1 with 2 vlans, 1 with 1 vlan Bond0.200 (public)
> Bond0.202 (private)
> Bond1.201 (public and vlan DNS traffic is used on)
> So I send my DNS query to my VIP on my directors. It gets routed to a 
> realserver which I've attached the vip to bond1.201:0. According to 
> others I've talked to I shouldn't need an iptables rule but I still 
> don't see the packet out with the source ip address of the VIP. I see 
> the packet with the source IP of the actual realserver. Its possible 
> it is a routing issue though so I plan on digging deeper on that
> Should I need an iptables rule at all for LVS-DR? 


Dumb question: you haven't configured BIND to send responses from the
RIP, have you (by allowing it to bind to interfaces as it sees fit)?
Also, have you solved the ARP problem for LVS-DR? You don't want your
realservers ARPing the VIP, especially as you have it bound to a "real"
interface rather than loopback.

I have a sneaking feeling here that the application itself is the
problem, not LVS.

