Re: [lvs-users] LVS SNAT problem.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS SNAT problem.
From: Andy Ashley <lists@xxxxxxxxxxxx>
Date: Tue, 26 Feb 2008 16:04:33 +0000

Hi Graeme,

I want to keep the load balancer on its own network if at all possible 
as this is a shared solution (multiple client networks) and it's going to 
mean additional cabling and complexity if I use
LVS-DR and it requires assigning the VIP to the realservers.

Am I barking up the wrong tree here then, expecting this configuration 
to work, even if I could somehow get the load balancer to SNAT outgoing 
packets?

Perhaps if I had another physical interface on the load balancers and 
SNAT'ed outgoing packets leaving via that interface to avoid the ARP 
problem?

Thanks.

Andy.

Graeme Fowler wrote:
> On Tue, 2008-02-26 at 14:44 +0000, Andy Ashley wrote:
>
>> The realservers are using the inside interface of their firewall as the 
>> default gateway. The firewall then has the L3 switch as its default 
>> gateway.
>
>
> Right. I made a hash of my previous reply since I missed the -NAT (-m)
> option on your setup.
>
>   
>> I can assign the ip to lo without issue. However,
>>     
>
> If you're using LVS-NAT you don't need to. However...
>
>   
>> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/all/hidden
>> -bash: /proc/sys/net/ipv4/conf/all/hidden: No such file or directory
>>
>> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
>> -bash: /proc/sys/net/ipv4/conf/lo/hidden: No such file or directory
>>
>> Distro is Gentoo Linux, kernel  2.6.23-r8
>>     
>
> Yah, yah, cut'n'paste from the web pages... that's the 2.4 method. On
> 2.6.x you need:
>
> /proc/sys/net/ipv4/conf/all/arp_ignore
> /proc/sys/net/ipv4/conf/lo/arp_ignore
>
>   
>> At present, the packets are being forwarded to the realservers with the 
>> client ip as the source ip.
>>     
>
> Yes, this is the normal way of doing things.
>
>   
>> The realservers are actually responding directly to the client ip.
>>     
>
> Indeed they will do. Their default gateway is, as you mention:
>
>
>> The realservers are using the inside interface of their firewall as the 
>> default gateway. The firewall then has the L3 switch as its default 
>> gateway.
>
>
> And therein lies the problem. For LVS-NAT to work the replies MUST
> traverse the director on the way out to be un-NATted.
>
> In this case I would simplify things for yourself - making the responses
> go back via the director requires an infrastructure change; you know the
> SNAT approach doesn't work already.
>
> Switch to LVS-DR - put the VIP on the realservers, forget SNAT and have
> the realservers respond directly. Problem solved.
>
> Joe, did I get this one right?
>
> Graeme
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>   
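Graeme's point about the 2.4-era "hidden" flag versus the 2.6 arp_ignore/arp_announce sysctls, and Andy's question about avoiding the ARP problem when the VIP sits on the realservers, both come down to checking a handful of /proc entries on each realserver. The script below is an added example written for this page, not something posted in the thread; it reads the standard /proc/sys/net/ipv4/conf/<interface>/ files and reports whether a realserver is set up so it will not answer ARP for a VIP configured on lo (the usual LVS-DR values, arp_ignore=1 and arp_announce=2). PROC_ROOT is a hypothetical override so the check can be exercised against a constructed directory tree instead of the live kernel; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lvs-users thread): check a realserver's ARP
# sysctls for LVS-DR. PROC_ROOT is a hypothetical override used so the
# check can run against a constructed /proc-like tree without root.

PROC_ROOT="${PROC_ROOT:-/proc}"

# Map a kernel release string to the sysctl that hides a VIP from ARP:
# 2.4 kernels used the "hidden" flag, 2.6 and later use arp_ignore.
arp_sysctl_name() {
    case "$1" in
        2.4.*) echo hidden ;;
        *)     echo arp_ignore ;;
    esac
}

# Return 0 when arp_ignore=1 and arp_announce=2 (standard LVS-DR values).
arp_values_ok() {
    [ "$1" = "1" ] && [ "$2" = "2" ]
}

# Print the value of one per-interface sysctl file, or "missing" if it is
# not there (as happens when the 2.4 "hidden" name is tried on 2.6).
read_arp_sysctl() {
    f="$PROC_ROOT/sys/net/ipv4/conf/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Check the "all" and "lo" entries; return 0 only if both are configured
# so the realserver stays silent for ARP requests about the VIP on lo.
check_dr_realserver() {
    rc=0
    for ifc in all lo; do
        ign=$(read_arp_sysctl "$ifc" arp_ignore)
        ann=$(read_arp_sysctl "$ifc" arp_announce)
        if arp_values_ok "$ign" "$ann"; then
            echo "$ifc: arp_ignore=$ign arp_announce=$ann OK"
        else
            echo "$ifc: arp_ignore=$ign arp_announce=$ann NOT set for LVS-DR"
            rc=1
        fi
    done
    return $rc
}

# Print (do not run) the sysctl commands that bring a 2.6 realserver into
# line; pipe into sh on the realserver once the output has been reviewed.
print_dr_fix() {
    for ifc in all lo; do
        echo "sysctl -w net.ipv4.conf.$ifc.arp_ignore=1"
        echo "sysctl -w net.ipv4.conf.$ifc.arp_announce=2"
    done
}
```

Run check_dr_realserver on each realserver before adding the VIP to lo; if it reports NOT set, print_dr_fix shows the exact sysctl lines to apply, and the same values belong in sysctl.conf so they survive a reboot. Note that this covers the ARP side of LVS-DR only; it does nothing for LVS-NAT, where the requirement Graeme states still stands: the realservers' default route must go back through the director.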