Re: [lvs-users] Problems implementing "Lars' Method"

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Problems implementing "Lars' Method"
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Mon, 24 Nov 2008 19:08:29 -0800 (PST)
On Mon, 24 Nov 2008, Eli Ben-Shoshan wrote:

> I am trying to not have to have a public IP on the realserver.

apart from the VIP?

For the LVS you should set up with private IPs on the RIP 
network. If you need public IPs on the realservers for some 
other reason (ruining security) then these public IPs are 
independent of the LVS.

> My problem is that I can get the realserver to reply back 
> to the client.

For an LVS to work, there must be no way that the client can 
send packets directly to the realserver. With Lars' method 
the router has a host route to the VIP on the outside of the 
director. The various ways of handling the arp problem all 
result in the realservers not replying to arp requests 
broadcast by the router.

> I know the director is getting packets to the realserver 
> but I can't get the realserver to reply back to the 
> client.

this contradicts the first sentence in the paragraph.

> Is there an example somewhere that is similar to mine? I 
> think my director is setup correct. My problem is with the 
> realserver.

for Lars' method you do nothing to the realserver, you 
reconfigure the router.

> When the realserver arps for the gateway's mac address, it 
> does not get a response. The reason for this is that the 
> realserver's IP address is not on the same network as the 
> gateway.

for routing to work, the router must have an IP in the 
network of the node using it as a router.

> The realserver's IP address is 192.168.74.81 and
> the IP of the gateway is 128.227.74.126.

hmm. Is 128.x.x.x in the same network as the VIP?

> Here is the relevant section of the
> tcpdump:
>
> 16:00:52.119149 arp who-has 128.227.74.126 tell 192.168.74.81

Well dang. I haven't set up Lars' method, and it looked so 
simple and obvious at the time, I didn't think through any 
of these details, or ask him how he'd got it to work. 
Presumably it wasn't a major sweat or he would have told us 
about it.

I assume from here you're going to have to do one of these

o Put an address 192.168.74.0/24 on the router and use this 
address as the default gw (acceptable). Remember that the 
outbound packets from the realserver come from the VIP not 
the RIP. You only need this address on the router to allow 
you to have a default route from the realserver.

o put an address in the 128.227.74.0/24 network on the 
realserver (bad from the point of view of security)

o put a host route on the realserver to the router 
(acceptable). You seem to be able to do this across 
networks.

71.111.216.83 is the IP on the outside of my home router.

Here's a node inside the network, with a private IP

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

dennis: # route add -host 71.111.216.83 eth0
dennis: # route del default gw 192.168.1.254
dennis: # route add default gw 71.111.216.83

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
71.111.216.83   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         71.111.216.83   0.0.0.0         UG    0      0        0 eth0

dennis: # ping 71.111.216.83
PING 71.111.216.83 (71.111.216.83): 56 octets data
64 octets from 71.111.216.83: icmp_seq=0 ttl=64 time=1.2 ms
64 octets from 71.111.216.83: icmp_seq=1 ttl=64 time=0.8 ms

The only remaining question is how did Lars do it?

I'd suggest the last method would be the best, since you 
won't have to rely on the routing people to maintain this 
part of the configuration.

> After talking to my network people, they tell me that this 
> is explicitly not allowed by their current configs.

Well yes :-)

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
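The route commands in the session above work only in the order shown: the kernel refuses "route add default gw X" unless X is already reachable through a gateway-less (on-link) route, and the host route is what makes 71.111.216.83 on-link even though it is not in 192.168.1.0/24. The following is an added example, not code from the original post or from LVS: it simulates the two kernel rules involved (longest-prefix match, and the on-link check when a gateway route is added) against the routing table from the session, and shows which address the realserver ends up ARPing for. The addresses 71.111.216.83, 192.168.1.254 and 192.168.1.0/24 are from the session; the client address 203.0.113.10 is constructed.

```python
"""
Simulate the Linux route-lookup rules behind the 'route add -host ... eth0'
then 'route add default gw ...' sequence.  Added example: not from the
original post.  Destination 203.0.113.10 is a constructed client address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly on-link
    iface: str


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def lookup(self, addr) -> Optional[Route]:
        """Longest-prefix match, the way the kernel FIB selects a route."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r.dst]
        if not matches:
            return None
        return max(matches, key=lambda r: r.dst.prefixlen)

    def add(self, dst, gw=None, iface="eth0") -> None:
        net = ipaddress.ip_network(dst, strict=False)
        gateway = None
        if gw is not None:
            gateway = ipaddress.ip_address(gw)
            via = self.lookup(gateway)
            # Kernel rule: a gateway must be reachable through a route that
            # itself has no gateway (an on-link route), otherwise the add
            # fails with "SIOCADDRT: Network is unreachable".
            if via is None or via.gateway is not None:
                raise OSError("SIOCADDRT: Network is unreachable")
        self.routes.append(Route(net, gateway, iface))

    def delete(self, dst, gw=None) -> None:
        net = ipaddress.ip_network(dst, strict=False)
        gateway = ipaddress.ip_address(gw) if gw is not None else None
        self.routes = [r for r in self.routes
                       if not (r.dst == net and r.gateway == gateway)]

    def next_hop(self, addr):
        """(iface, address the host will ARP for) when sending to addr."""
        r = self.lookup(addr)
        if r is None:
            raise OSError("Network is unreachable")
        target = r.gateway if r.gateway is not None else ipaddress.ip_address(addr)
        return r.iface, str(target)


def dennis_initial() -> RouteTable:
    """The table from the first 'route -n' in the session."""
    t = RouteTable()
    t.add("192.168.1.0/24")                 # on-link via eth0
    t.add("127.0.0.0/8", iface="lo")
    t.add("0.0.0.0/0", gw="192.168.1.254")  # default via the LAN router address
    return t


def default_via_outside_ip_without_host_route() -> str:
    """Skip 'route add -host 71.111.216.83 eth0': the default route is refused."""
    t = dennis_initial()
    t.delete("0.0.0.0/0", gw="192.168.1.254")
    try:
        t.add("0.0.0.0/0", gw="71.111.216.83")
    except OSError as err:
        return str(err)
    return "added"


def dennis_after() -> RouteTable:
    """The three commands from the session, in the order they were typed."""
    t = dennis_initial()
    t.add("71.111.216.83/32")                  # route add -host 71.111.216.83 eth0
    t.delete("0.0.0.0/0", gw="192.168.1.254")  # route del default gw 192.168.1.254
    t.add("0.0.0.0/0", gw="71.111.216.83")     # route add default gw 71.111.216.83
    return t


if __name__ == "__main__":
    print("without host route:", default_via_outside_ip_without_host_route())
    table = dennis_after()
    print("client 203.0.113.10 ->", table.next_hop("203.0.113.10"))
    print("router 71.111.216.83 ->", table.next_hop("71.111.216.83"))
    print("LAN host 192.168.1.7 ->", table.next_hop("192.168.1.7"))
```

Two things the simulation makes explicit: the host route has to go in before the new default route, or the default is rejected; and once it is in, every off-subnet packet from the realserver is sent out eth0 with an ARP request for 71.111.216.83 from a source in another network. Whether the router answers such an ARP is router policy, which the simulation does not model.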

