Re: [lvs-users] lvs NAT mode - real server to (different) virtual server

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail
From: James H <jeh1965@xxxxxxxxx>
Date: Thu, 26 Nov 2009 10:12:19 -0800
Hi,

I anticipated this question and should have answered this before it
was asked. In a nutshell, the two websites that need to communicate
with one another are owned by different entities that may not be aware
they are on the same cluster. So website 1 needs to be able to call
website 2 without any knowledge of the underlying infrastructure.

I'd like to back up to one of my original configurations that works -
for just a minute or so! Perhaps there is an ARP issue I need to
resolve in that configuration.

When I said it was a fairly stock setup, well that's not entirely
true. I actually have two private nets connected to the real servers.
192.168.1.x which I call a "management net" that lets me access the
real servers even if LVS routing is off, and 192.168.2.x which handles
the LVS traffic. The default gateway is on the 192.168.2.x (LVS)
router net.

I have a routing table defined for 192.168.1.x and a rule that any
traffic originating from the 192.168.1.x interface is routed via
192.168.1.1. ex: (the real server is 192.168.1.104; here are the
ifcfg rules and routes defined)

rule-eth1: from 192.168.1.104 table InternalNet
route-eth1: default table InternalNet via 192.168.1.1

This works fine and is nice to have so that I can run some local
traffic between machines on a private net.

Now, I add this next rule trying to solve the problem of real servers
as clients (assuming xxx.xxx.xxx.xxx/26 is my "live" IP network
range).
route-eth1: xxx.xxx.xxx.xxx/26 via 192.168.1.1 dev eth1

This will direct requests for the VIPs out the 192.168.1.x interface
via 192.168.1.1. That happens to be another simple NAT firewall, whose
public IP is in the same public subnet as the VIPs. When I put this
in, and restart the network on the real server, I CAN use lynx on a
real server to browse a website on the public IP address. The request
goes OUT the 192.168.1.x InternalNet, via 192.168.1.1, NATs out to the
public side and makes the request to the VIP on the LVS director.
Reply presumably comes full circle back out the LVS director, back
through my 192.168.1.1 firewall and into the real server via
192.168.1.104.

But after a minute or so, the connection breaks down and requests begin to time out.

Suggestions?

Thanks,
James

On Thu, Nov 26, 2009 at 5:50 AM, Graeme Fowler <graeme@xxxxxxxxxxx> wrote:
> On Wed, 2009-11-25 at 20:17 -0800, James H wrote:
>> Suggestions?
>
> See the section in the HOWTO on "realservers as clients". It's a
> difficult one to solve, and adds extra complexity to the system.
>
> Here's a thought for you, though - why do the internal requests need to
> be load balanced? If the service is located on all of the realservers,
> can it not just be called locally?
>
> Graeme

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
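
The policy routing James describes above in RHEL ifcfg syntax (rule-eth1 / route-eth1), written out as the equivalent iproute2 commands, plus the check that shows which table and gateway a locally generated request to a VIP will actually use. This is an added example, not configuration from the post or from the LVS project. Assumptions not in the original: the table name InternalNet is registered as id 100 in /etc/iproute2/rt_tables, the real server's management address is 192.168.1.104 as in the post, and the public /26 (masked as xxx.xxx.xxx.xxx/26 in the post) is stood in for by the documentation range 203.0.113.0/26. The script prints the commands unless DRY_RUN=0, so it can be read and run safely on any host.

```shell
#!/bin/sh
# Added example: realserver-side policy routing for "realservers as clients" in LVS-NAT.
# Constructed values (not from the post): TABLE_ID=100 and PUBLIC_NET=203.0.113.0/26.
MGMT_IP=192.168.1.104          # realserver address on the management net (from the post)
MGMT_GW=192.168.1.1            # NAT firewall on the management net (from the post)
MGMT_DEV=eth1                  # interface carrying 192.168.1.x (from the post)
TABLE=InternalNet              # routing table name used in the post
TABLE_ID=100                   # assumed id for that table in /etc/iproute2/rt_tables
PUBLIC_NET=203.0.113.0/26      # stand-in for the real public /26 holding the VIPs
DRY_RUN=${DRY_RUN:-1}          # 1 = print commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Map the table name to an id so "table InternalNet" resolves (idempotent).
register_table() {
    if ! grep -qs "[[:space:]]$TABLE\$" /etc/iproute2/rt_tables; then
        run sh -c "echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
    fi
}

# The three ifcfg entries from the post, one iproute2 command each.
policy_routes() {
    # rule-eth1: from 192.168.1.104 table InternalNet
    run ip rule add from "$MGMT_IP" table "$TABLE"
    # route-eth1: default table InternalNet via 192.168.1.1
    run ip route add default via "$MGMT_GW" dev "$MGMT_DEV" table "$TABLE"
    # route-eth1: xxx.xxx.xxx.xxx/26 via 192.168.1.1 dev eth1 (the added VIP route)
    run ip route add "$PUBLIC_NET" via "$MGMT_GW" dev "$MGMT_DEV"
}

# Show the path the kernel picks for a locally generated request to one VIP,
# given the source address the realserver would use on the management net.
show_path() {
    vip=$1
    run ip route get "$vip" from "$MGMT_IP"
}

# Convenience check used below: is the VIP-network route among the emitted commands?
emits_vip_route() {
    policy_routes | grep -q "^ip route add $PUBLIC_NET via $MGMT_GW dev $MGMT_DEV\$"
}

register_table
policy_routes
show_path 203.0.113.10
```

Running it with DRY_RUN=1 (the default) prints the commands for review; DRY_RUN=0 applies them. The `ip route get ... from ...` line is the useful check: it reports which table and gateway the kernel chooses for a request sourced from 192.168.1.104, so you can confirm the request really leaves via 192.168.1.1 rather than the default gateway on the 192.168.2.x net. On the 2.6 kernels of that era there was still a routing cache, so run `ip route flush cache` after changing rules or routes, otherwise a cached lookup can hide the change.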
