[lvs-users] Problem with LVS-TUN different network -- Is this still impossible

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Problem with LVS-TUN different network -- Is this still impossible
From: hirantha <hirantha@xxxxxxxxxxxxxxx>
Date: Fri, 07 Mar 2008 12:20:38 +0530
Hi ALL,

This question has been asked previously and answered, maybe with the ISP blocking
the VIP packets. I have a similar setup
to be deployed and am stuck in the same position. In my test environment, everything
works fine.

The main advantage of using LVS-Tun is that we can connect realservers in different
networks or geographically separated networks.
But this is not possible due to anti-spoofing on the routers -- VIP=src_addr
being blocked by the Internet router; or am I wrong..?

I have followed Julian's LVS-Tun write-up, but some of it I can't do --
I ran on the realserver
$ip route get from CIP to VIP iif tunl0
local VIP from CIP dev lo  src VIP
    cache <local>  iif tunl0

What does this mean..?
I did
$traceroute -n -s VIP CIP

and I looked for unreachable packets sent by the client on the director using
tcpdump -ln -- but I don't see anything related
to this..!

Basically, I don't administer the firewalls and routers at the ISP where the
realservers reside. I think this is obvious --
most people don't have network control at the ISP. But I can tell them the
situation. I would like to know what
would be needed on the firewalls and routers to be able to establish LVS-Tun. What
should I tell them..?

Is there a way we could make this work in the real world..? I have read and understood
that we can use this in a non-tunnelling environment --
by using a VPN..! But are people really using it this way..? And the other method is
a layer-2 network spanned across sites..! Please let me
know the scenarios -- I really don't understand.

I would appreciate all your comments on this..

Thanks in advance

-+> Hirantha 
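The anti-spoofing point Hirantha raises can be made concrete by walking one request and reply through LVS-Tun and applying the kind of source-address egress filter (BCP 38 / uRPF) an ISP runs on its customer edge. The following is an added example written for this thread; it is not code from the original post or from the LVS project. The director, VIP and realserver addresses are the ones Kalpin's quoted message uses; the client address and the two prefix lists (ISP_A_PREFIXES, DIRECTOR_PREFIXES) are assumptions chosen for illustration. The last step models the "VPN" alternative the message asks about: the realserver tunnels its reply back to the director's network, so its own ISP sees an outer source address it does permit.

```python
"""Model of an LVS-Tun (IPIP) exchange plus the ISP egress filter that
drops the realserver's direct replies.  Added example for this thread,
not code from the LVS project or the posters."""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6

# Addresses taken from the thread
DIP = "202.154.0.3"      # director's own address
VIP = "202.154.0.5"      # virtual IP, lives in the director's network
RIP_A = "219.83.0.7"     # realserver 1 at ISP A

# Assumptions (RFC 5737 documentation space; prefixes chosen for the example)
CIP = "198.51.100.10"
ISP_A_PREFIXES = ["219.83.0.0/24"]        # what ISP A lets its customer source
DIRECTOR_PREFIXES = ["202.154.0.0/24"]    # prefix covering DIP and VIP


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and checksum-verify an IPv4 header; return src/dst/proto/payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def ipip_encapsulate(outer_src: str, outer_dst: str, inner_pkt: bytes) -> bytes:
    """What the director does for an 'ipip' real server: wrap the client packet unchanged."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt


def ipip_decapsulate(pkt: bytes) -> dict:
    """What tunl0 on the realserver does: strip the outer header, hand the inner packet up."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not IPIP")
    return parse_ipv4(outer["payload"])


def bcp38_egress_permits(pkt: bytes, customer_prefixes) -> bool:
    """ISP edge anti-spoofing: forward only if the source lies in the customer's prefixes."""
    src = ipaddress.IPv4Address(parse_ipv4(pkt)["src"])
    return any(src in ipaddress.IPv4Network(p) for p in customer_prefixes)


def lvs_tun_exchange(cip: str = CIP, isp_a_prefixes=ISP_A_PREFIXES) -> dict:
    """Walk one request/reply through LVS-Tun and record each filter decision."""
    # 1. client -> VIP (20 zero bytes stand in for a TCP segment to port 25)
    request = ipv4_header(cip, VIP, IPPROTO_TCP, 20) + b"\x00" * 20
    # 2. director tunnels it to the realserver; its ISP sees outer src = DIP
    tunnelled = ipip_encapsulate(DIP, RIP_A, request)
    forward_permitted = bcp38_egress_permits(tunnelled, DIRECTOR_PREFIXES)
    inner = ipip_decapsulate(tunnelled)
    # 3. realserver replies directly to the client with src = VIP
    reply = ipv4_header(VIP, cip, IPPROTO_TCP, 20) + b"\x00" * 20
    direct_reply_permitted = bcp38_egress_permits(reply, isp_a_prefixes)
    # 4. workaround: tunnel the reply back to the director's network first,
    #    so ISP A only ever sees outer src = RIP_A
    reply_via_tunnel = ipip_encapsulate(RIP_A, DIP, reply)
    tunnelled_reply_permitted = bcp38_egress_permits(reply_via_tunnel, isp_a_prefixes)
    return {"forward_permitted": forward_permitted,
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "reply_src": parse_ipv4(reply)["src"],
            "direct_reply_permitted": direct_reply_permitted,
            "tunnelled_reply_permitted": tunnelled_reply_permitted}


if __name__ == "__main__":
    for key, value in lvs_tun_exchange().items():
        print(f"{key}: {value}")
```

The model shows why the client-side symptom is a plain timeout: the director's ISP forwards the encapsulated request (outer source DIP is in its prefix), the realserver decapsulates it correctly, and only the direct reply, with source VIP, fails the realserver's ISP filter. Whether a given ISP actually filters is something to confirm empirically, e.g. by sending from the realserver with `-s VIP` as in the message above while capturing on a host you control.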


-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Kalpin
Erlangga Silaen
Sent: Thursday, June 28, 2007 1:50 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] Problem with LVS-TUN different network


Hello lvs-users,

  I have a problem setting up LVS-TUN with different networks. Before, I succeeded in
implementing LVS-TUN within the same network. My existing topology is

Internet --- Router --- PIX Firewall ---- Switch ---- LDirector
                                             |
                                             |
                                       RealServer 1 ... RealServer 3

in LDirector:
OS : FC 5 + ultramonkey
RIP: 192.168.32.5
VIP: 192.168.32.7
sysctl.conf:
net.ipv4.ip_forward = 1

in Realserver 1:
OS: FC 5
RIP: 192.168.32.9
TUNL0: 192.168.32.7
sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2

in Realserver 2:
OS: FC 5
RIP: 192.168.32.11
TUNL0: 192.168.32.7
sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2

in Realserver 3:
OS: FC 5
RIP: 192.168.32.15
TUNL0: 192.168.32.7
sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2

/etc/ha.d/ldirectord.conf:

checktimeout=10
checkinterval=2
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=yes

virtual=192.168.32.7:25
        fallback=127.0.0.1:25
        real=192.168.32.9:25 ipip
        real=192.168.32.11:25 ipip
        real=192.168.32.15:25 ipip
        service=smtp
        scheduler=wlc
        #persistent=600
        protocol=tcp

And works without any problem.

Later I tried to implement LVS-TUN across networks, with the topology
below:

          RealServer 1 at ISP A    
             |
          Internet - Router - LDirector
             |
          RealServer 2 at ISP B

in LDirector:
OS : FC 5 + ultramonkey
RIP: 202.154.0.3
VIP: 202.154.0.5
sysctl.conf:
net.ipv4.ip_forward = 1

in Realserver 1 at ISP A:
OS: FC 5
RIP: 219.83.0.7
TUNL0: 202.154.0.5
sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2

in Realserver 2 at ISP B:
OS: FC 5
RIP: 124.56.9.21
TUNL0: 202.154.0.5
sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2

/etc/ha.d/ldirectord.conf:

checktimeout=10
checkinterval=2
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=yes

virtual=202.154.0.5:25
        fallback=127.0.0.1:25
        real=124.56.9.21:25 ipip
        real=219.83.0.7:25 ipip
        service=smtp
        scheduler=wlc
        #persistent=600
        protocol=tcp

BUT it doesn't work. All firewalls on all servers (ldirector and realservers) have
been flushed. Mail services on the realservers are running very well (I tested with
telnet to port 25 from outside (another ISP, for independence) to the real IPs, and
they respond very well).

But after implementing this, I can't connect to the VIP on ldirector from
outside (time out). I checked ldirectord.log:

[Thu Jun 28 09:45:55 2007|ldirectord|2187] Added virtual server: 202.154.0.5:25
[Thu Jun 28 09:45:55 2007|ldirectord|2187] Added fallback server: 127.0.0.1:25 ( x 202.154.0.5:25) (Weight set to 1)
[Thu Jun 28 09:45:55 2007|ldirectord|2187] Quiescent real server: 124.56.9.21:25 ( x 202.154.0.5:25) (Weight set to 0)
[Thu Jun 28 09:45:55 2007|ldirectord|2187] Restored real server: 124.56.9.21:25 ( x 202.154.0.5:25) (Weight set to 1)
[Thu Jun 28 09:45:55 2007|ldirectord|2187] Deleted fallback server: 127.0.0.1:25 ( x 202.154.0.5:25)


TCP  202.154.0.5:25 wlc
  -> 124.56.9.21:25              Tunnel  1      0          3
  -> 219.83.0.7:25              Tunnel  1      0         2

Is it possible that it is blocked at the ISP? How do I check it?

Need your help. Thank you.

-- 
Best regards,
 Kalpin                          mailto:kalpin@xxxxxxxxxxxxx
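Before blaming the ISP, the realserver side of an LVS-Tun setup has one more setting worth checking that the sysctl lists in the message above do not mention: reverse-path filtering. Packets arrive on tunl0 with the client's address as source, but the realserver's route back to that client goes out eth0, so a strict rp_filter on tunl0 discards them; Julian's `ip route get from CIP to VIP iif tunl0` check in the first message is precisely the lookup that test performs. The following is an added example, not code from the posts or from ultramonkey/ldirectord: it parses a sysctl.conf, computes the effective per-interface values the way Linux does (max of `conf.all` and `conf.<iface>`), and reports what an LVS-Tun realserver is missing. The sample configuration is reconstructed from Realserver 1's sysctl.conf in the message; that rp_filter must be off on tunl0 follows the LVS HOWTO's advice and is the assumption this check encodes.

```python
"""Audit a realserver sysctl.conf for the settings an LVS-Tun realserver
needs.  Added example for this thread, not part of ldirectord/ultramonkey."""

TUNNEL_IFACE = "tunl0"

# Effective per-interface values required on the tunnel interface.
REQUIRED = {
    "arp_ignore": 1,     # do not answer ARP for the VIP on other interfaces
    "arp_announce": 2,   # use the best local source address in ARP requests
}


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf: dict, iface: str, name: str, default: str = "0") -> int:
    """Effective value as Linux resolves arp_ignore/arp_announce: max(all, iface)."""
    values = [conf.get(f"net.ipv4.conf.{scope}.{name}", default) for scope in ("all", iface)]
    return max(int(v) for v in values)


def check_realserver(text: str, iface: str = TUNNEL_IFACE) -> list:
    """Return a list of problems; an empty list means the config passes."""
    conf = parse_sysctl(text)
    problems = []
    for name, want in REQUIRED.items():
        got = effective(conf, iface, name)
        if got != want:
            problems.append(f"{name} on {iface} is {got}, want {want}")
    # rp_filter: the reverse route for the client's address is via eth0, not
    # the tunnel, so a strict check on tunl0 drops decapsulated packets.
    # Require an explicit 0 on both 'all' and the tunnel; that is safe under
    # both the max() semantics of newer kernels and the AND of older ones.
    for scope in ("all", iface):
        key = f"net.ipv4.conf.{scope}.rp_filter"
        if conf.get(key) != "0":
            problems.append(f"{key} is not explicitly set to 0")
    return problems


# Reconstructed from Realserver 1's sysctl.conf in the message above.
SAMPLE_FROM_THREAD = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
"""

# The same file with reverse-path filtering switched off for the tunnel.
FIXED = SAMPLE_FROM_THREAD + """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 0
"""

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_FROM_THREAD), ("with rp_filter off", FIXED)):
        print(f"{label}: {check_realserver(text) or 'OK'}")
```

Run it against a realserver's /etc/sysctl.conf before asking the ISP about filtering; if it reports nothing and `ip route get from CIP to VIP iif tunl0` still returns a local route as in the first message, the realserver side is not the problem and the egress filter on the reply path is the remaining suspect.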


