
Re: [lvs-users] problem accessing realservers through VIP

To: "L.S. Keijser" <leon@xxxxxxxx>
Subject: Re: [lvs-users] problem accessing realservers through VIP
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Simon Horman <horms@xxxxxxxxxxxx>
Date: Fri, 16 Jul 2010 17:11:21 +0900
On Fri, Jul 16, 2010 at 09:50:23AM +0200, L.S. Keijser wrote:
> Hi,
> 
> I'm facing a problem with accessing services from one realserver (rs_a1)
> through the director to another realserver (rs_b1). The setup is
> something like this:
> 
>         VIP_1  VIP_2
>         +----------+
>         | director |
>         +----------+
>     DIP_1 /        \ DIP_2
>   +-------+       +-------+
> V | rs_a1 |       | rs_b1 | V
> L +-------+       +-------+ L
> A +-------+       +-------+ A
> N | rs_a2 |       | rs_b2 | N
> 1 +-------+       +-------+ 2

Nice diagram :-)

> Really simple. Two VIPs on the director, two 'sets' of realservers
> behind them, all LVS-NAT. Realservers rs_aX are in a separate vlan and
> have a different network address:
> 
> VIP_1 10.0.0.11 DIP_1 192.168.11.1
> VIP_2 10.0.0.22 DIP_2 192.168.22.1
> 
> rs_aX 192.168.11.0/24 vlan_A
> rs_bX 192.168.22.0/24 vlan_B
> 
> Now something happens. A realserver in vlan_A wants to access a webpage
> that is loadbalanced behind VIP_2. So it does a:
> 
> rs_a1 $ wget http://VIP_2/page
> 
> And gets a timeout. Probably because the director receives the request
> coming from 192.168.11.0/24 for 10.0.0.22 (which it has configured
> locally) and forwards it without source NAT'ting it. Pure speculation
> here because I can't seem to properly capture the traffic.
> 
> I see the request entering DIP_1 from rs_a1 with a destination of VIP_2.
> But when I tell nmap to capture traffic (on the director) for the
> interface where VIP_2 is configured, I see nothing with either a src_ip
> of 192.168.11.0/24 or 10.0.0.11.
> 
> Anyone with some insight? :)

Hi,

I think that you have hit a known limitation, which is that LVS can't
load-balance requests from a real-server when LVS-NAT is in use.
Well, not without a work-around.

There was a recent discussion of this on this list[1].
And there is also a discussion of the problem and work-arounds
in the HOWTO[2]. As stated in that thread, my personal feeling
is that this problem can be resolved with full-nat support, which
I am currently trying to get merged[3].

[1] http://archive.linuxvirtualserver.org/html/lvs-users/2010-07/msg00000.html
[2] http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.lvs_clients_on_realservers.html#lvs_clients_on_LVS-NAT_realserver_contacting_services_on_VIP
[3] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/34529
