Hi,
I have an LVS-NAT director working very well in a structure like this:
                ________
               |        |
               | client |
               |________|
              CIP=189.X.X.10
                   |
                (router)
                   |
               ____|_____   Eth0 Public IP=201.X.X.25
              |          |
              | Firewall |  (iptables dnat 201.X.X.25 to 192.168.40.11)
              |__________|
                   |        Eth1=192.168.40.10
                   |
               ____|_____   Eth0=192.168.40.11 (VIP)
              |          |
              | Director |
              |__________|
                   |        Eth1=10.1.1.9 (DIP)
                   |
                   |
                   |
     -----------------------------------
     |                |                |
     |                |                |
 RIP1=10.1.1.2   RIP2=10.1.1.3   RIP3=10.1.1.4   (all eth0)
 _____________   _____________   _____________
|             | |             | |             |
| realserver  | | realserver  | | realserver  |
|_____________| |_____________| |_____________|
My website IP is 201.X.X.25 and I have a DNAT rule to redirect port 80
to 192.168.40.11 (VIP).
In this case every request from client 189.X.X.10 gets to the real
servers and returns ok. The client packet gets to the real servers
carrying the client IP 189.X.X.10.
That's working.
What I'm trying to do is move the director to the firewall box and use
the current director as a redundant server.
On the firewall I have the public IP (201.X.X.25) of my website and the
only thing I did was to remove the DNAT from 201.X.X.25 to 192.168.40.11
and accept inputs coming to port 80 directly on the public IP
(201.X.X.25). Something like this:
                ________
               |        |
               | client |
               |________|
              CIP=189.X.X.10
                   |
                (router)
                   |
               ____|_____   Eth0 Public IP=201.X.X.25 (VIP)
              |          |
              | FW / Dir |  (firewall and director on the same box)
              |__________|
                   |        Eth1=10.1.1.9 (DIP)
                   |
                   |
                   |
     -----------------------------------
     |                |                |
     |                |                |
 RIP1=10.1.1.2   RIP2=10.1.1.3   RIP3=10.1.1.4   (all eth0)
 _____________   _____________   _____________
|             | |             | |             |
| realserver  | | realserver  | | realserver  |
|_____________| |_____________| |_____________|
This way did not work. With tcpdump I see that the client packet
reaches the virtual server (VIP 201.X.X.25) and reaches the real server.
The problem is that the request gets to the VIP this way:
17:19:24.892819 IP 189.X.X.10.47505 > 201.X.X.25.80: S
3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72467850
0,nop,wscale 6>
17:19:24.892929 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80
unreachable, length 68
17:19:27.889300 IP 189.X.X.10.47505 > 201.X.X.25.80: S
3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72468600
0,nop,wscale 6>
17:19:27.889331 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80
unreachable, length 68
17:19:33.888540 IP 189.X.X.10.47505 > 201.X.X.25.80: S
3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72470100
0,nop,wscale 6>
17:19:33.888571 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80
unreachable, length 68
but passes to the real server like this:
17:20:00.763514 IP 10.1.1.9.58438 > 10.1.1.2.80: . ack 1 win 183
<nop,nop,timestamp 1570035160 0>
17:20:00.763823 IP 10.1.1.9.58438 > 10.1.1.2.80: P 1:137(136) ack 1 win
183 <nop,nop,timestamp 1570035160 0>
17:20:00.764188 IP 10.1.1.2.80 > 10.1.1.9.58438: . 1:1449(1448) ack 137
win 65399 <nop,nop,timestamp 30493978 1570035160>
17:20:00.764206 IP 10.1.1.9.58438 > 10.1.1.2.80: . ack 1449 win 273
<nop,nop,timestamp 1570035160 30493978>
17:20:00.764188 IP 10.1.1.2.80 > 10.1.1.9.58438: P 1449:1796(347) ack
137 win 65399 <nop,nop,timestamp 30493978 1570035160>
The "client" IP (10.1.1.9) that reaches the web server is the director's
internal IP and it never gets back to the actual client (189.X.X.10).
I'm using Slackware Linux with vanilla kernel 2.6.20.3 and ipvsadm v1.24.
Am I doing something wrong?
Thanks,
Gustavo
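Added example, not from Gustavo's post or from the LVS project: a small Python parser for tcpdump text output that checks a capture for the two symptoms the post shows, the VIP answering a client SYN with "ICMP ... tcp port 80 unreachable", and segments arriving at a real server with the director's DIP (10.1.1.9) as source instead of the client's address. The addresses and capture lines are taken from the post (with its X placeholders, and the e-mail line wraps joined back onto one record each); the "preserved" capture at the end is constructed to show what the working first setup looks like to the same check. The parser only reports what is visible in the capture; it does not infer a root cause.

```python
"""Classify tcpdump text output from an LVS-NAT director (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump -n style records. The ICMP pattern must be tried first: the TCP
# pattern would otherwise split "201.X.X.25 > 189.X.X.10" at the last dot and
# mistake the final octets for port numbers.
ICMP_RE = re.compile(
    r"^(\S+) IP (\S+) > (\S+): ICMP (\S+) (tcp|udp) port (\d+) unreachable")
TCP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


@dataclass
class Packet:
    ts: str
    proto: str                  # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    info: str = ""              # TCP flags/payload summary, or the ICMP message


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for lines that are not TCP/ICMP."""
    line = line.strip()
    m = ICMP_RE.match(line)
    if m:
        ts, src, dst, target, l4, port = m.groups()
        return Packet(ts, "icmp", src, dst, None, int(port),
                      f"{target} {l4} port {port} unreachable")
    m = TCP_RE.match(line)
    if m:
        ts, src, sport, dst, dport, rest = m.groups()
        return Packet(ts, "tcp", src, dst, int(sport), int(dport), rest)
    return None


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def port_unreachable_from(packets: List[Packet], vip: str, port: int) -> List[str]:
    """Client addresses that vip answered with ICMP 'tcp port <port> unreachable'.

    A SYN to the VIP that gets this reply reached the local TCP stack instead
    of being scheduled to a real server."""
    return sorted({p.dst for p in packets
                   if p.proto == "icmp" and p.src == vip
                   and f"{vip} tcp port {port} unreachable" in p.info})


def sources_seen_by_realserver(packets: List[Packet], rip: str, port: int) -> List[str]:
    """Source addresses of TCP segments arriving at rip:port."""
    return sorted({p.src for p in packets
                   if p.proto == "tcp" and p.dst == rip and p.dport == port})


def client_ip_preserved(packets: List[Packet], rip: str, port: int,
                        cip: str, dip: str) -> bool:
    """True when the real server sees the client address and not the director's DIP."""
    srcs = sources_seen_by_realserver(packets, rip, port)
    return cip in srcs and dip not in srcs


# Capture on the VIP side, from the post (line wraps joined).
VIP_CAPTURE = """\
17:19:24.892819 IP 189.X.X.10.47505 > 201.X.X.25.80: S 3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72467850 0,nop,wscale 6>
17:19:24.892929 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80 unreachable, length 68
17:19:27.889300 IP 189.X.X.10.47505 > 201.X.X.25.80: S 3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72468600 0,nop,wscale 6>
17:19:27.889331 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80 unreachable, length 68
17:19:33.888540 IP 189.X.X.10.47505 > 201.X.X.25.80: S 3715440259:3715440259(0) win 5840 <mss 1460,sackOK,timestamp 72470100 0,nop,wscale 6>
17:19:33.888571 IP 201.X.X.25 > 189.X.X.10: ICMP 201.X.X.25 tcp port 80 unreachable, length 68
"""

# Capture on the real-server side, from the post (line wraps joined).
RS_CAPTURE = """\
17:20:00.763514 IP 10.1.1.9.58438 > 10.1.1.2.80: . ack 1 win 183 <nop,nop,timestamp 1570035160 0>
17:20:00.763823 IP 10.1.1.9.58438 > 10.1.1.2.80: P 1:137(136) ack 1 win 183 <nop,nop,timestamp 1570035160 0>
17:20:00.764188 IP 10.1.1.2.80 > 10.1.1.9.58438: . 1:1449(1448) ack 137 win 65399 <nop,nop,timestamp 30493978 1570035160>
17:20:00.764206 IP 10.1.1.9.58438 > 10.1.1.2.80: . ack 1449 win 273 <nop,nop,timestamp 1570035160 30493978>
17:20:00.764188 IP 10.1.1.2.80 > 10.1.1.9.58438: P 1449:1796(347) ack 137 win 65399 <nop,nop,timestamp 30493978 1570035160>
"""

# Constructed: what the real server sees in the working first setup, where the
# forwarded SYN still carries the client address (not a capture from the post).
RS_CAPTURE_PRESERVED = """\
17:21:00.000100 IP 189.X.X.10.47505 > 10.1.1.2.80: S 1:1(0) win 5840 <mss 1460>
17:21:00.000200 IP 10.1.1.2.80 > 189.X.X.10.47505: S 9:9(0) ack 2 win 5792 <mss 1460>
"""


def diagnose() -> dict:
    vip, rs = parse_capture(VIP_CAPTURE), parse_capture(RS_CAPTURE)
    return {
        "vip_rejected_clients": port_unreachable_from(vip, "201.X.X.25", 80),
        "rs_sources": sources_seen_by_realserver(rs, "10.1.1.2", 80),
        "cip_preserved": client_ip_preserved(rs, "10.1.1.2", 80, "189.X.X.10", "10.1.1.9"),
    }


if __name__ == "__main__":
    print(diagnose())
```

Run it against your own captures by replacing the two capture strings with the output of `tcpdump -n` on the VIP-facing and DIP-facing interfaces; a non-empty `vip_rejected_clients` means the SYN was handled by the local stack rather than IPVS, and `cip_preserved` being False means the real server never saw the client address, so its replies cannot be de-NATed back to the client.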