[lvs-users] LVS-DR - internal network to remote network setup through VP

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] LVS-DR - internal network to remote network setup through VPN
From: Claudinei Matos <claudineimatos@xxxxxxxxxxxxxxxxx>
Date: Wed, 30 Jul 2008 10:05:28 -0300

I'm trying to do a setup of LVS-DR through a vpn but I'm having no 
success. Let's explain my scenario:

On my local network (network A) I have host C which is my machine and
host B as the internet gateway and vpn client.

In a datacenter I have "network D", where I have host E which is
a LVS-DR server. This machine also works as vpn server.
I'm running web servers on hosts F and G, and host E is able to balance
connections between them both.
All the network D hosts have both internal and public addresses.

With my vpn/nat setup I can connect from any host on network A to any
host on network D, as well as from any machine on network D I can 
connect on
any machine of network A.

That's the scenario:

   network A   -
      host B   -   gateway/firewall/vpn client
      host C   -   user machine

   network D   -
      host E   -   LVS-DR/gateway/firewall/vpn server -
      host F   -   real http server 1 -
      host G   -   real http server 2 -

On "host E" I have a LVS-DR setup as all my machine have public IP.

If I want to connect to my website from "network A", through "internet", 
I can choose to connect to the LVS (host E) address (balanced) or 
directly to hosts F and G public addresses.

I can also connect to my website within the "network D" internal address
due to my VPN setup but I can't balance through LVS-DR on this case as
LVS address is public.

This setup is working really fine and both my network users and all my
clients can access my website.

Now, I want to change this setup a bit. I need to log some extra info
when my network users do access my website.

That's not exact a problem since my users can access website on host F
and host G internal address though the vpn, but I can't balance those

I've tried to create a new LVS-DR setup using the network D internal
address, so my network users would be allowed to connect to host E on
network D and get redirected to host F or G.

That's where the problem begins: If I try to connect to my website
through vpn LVS-DR address, I can't establish a connection.

Looking at the tcpdump output, I can see that if I try to connect from 
A/host C to network D/LVS-DR the packages arrives on host F or G but 
stops at "host E" (the reverse gateway) and don't get back to my network 
A. Also, both they see my IP as the vpn client IP (network A/host B).

If I undo this new setup, looking again at tcpdump, I can see that if I
try to connect from network A direct to hosts F or G (also through the
vpn), my IP is identified with the vpn server IP (network D/host E) and
the connection is fully established.

I've tried a lot of routes combinations and firewall settings but I
think my problem is not with route/firewall as if I use direct
connection to webservers instead of LVS-DR everything works fine.

Is there any test I can do? Isn't this kind of setup allowed to ipvs? Or 
maybe I
have to setup IPVS-TUN on my network A/host D machine?

Any advices are welcome.


Claudinei Matos

*Claudinei Matos | Coordenador de TI*

claudinei.matos@xxxxxxxxxxxxxxxxx <mailto:claudinei.matos@xxxxxxxxxxxxxxxxx>

(21) *2195 0612*

        HóspedeVIP <> <> | *(21) 2195 0600*

<Prev in Thread] Current Thread [Next in Thread>