Nick,
Actually I lied... I just remembered that you will need to disable
the source and destination checks on the load balancer:
https://loadbalancer.org/uk/blog/transparent-load-balancing-with-haproxy-on-amazon-ec2
• Disable the source / Destination check on the instance in AWS. To do
this go to the EC2 console and select your load balancer instance.
Then select “Actions > Network > Change source/Dest. check” and
Disable this option. Doing so enables the instance to receive traffic
which has a destination IP it does not own.
On 21 November 2016 at 19:49, Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx> wrote:
> Nick,
>
> AWS is a good place to use a one arm nat configuration (because all
> the clients are usually remote)
>
> As long as the real server has the default gateway set as the load
> balancer it should be fine?
>
> On 21 November 2016 at 19:13, Nick Leli <nicholasleli@xxxxxxxxx> wrote:
>> Thanks Malcolm. So in this scenario, the client is in a different subnet;
>> it's coming from the public Internet. I am looking for the easiest route
>> to get something running so any logical recommendations are greatly
>> appreciated. Here is the current topology:
>>
>> my laptop, connected to public
>> internet
>> |
>> |
>> |
>> V
>> LVS host in AWS with public IP
>> |
>> |
>> |
>> V
>> Real server in AWS within same
>> VPC/subnet
>>
>> What routing rules are needed on the backend server to get this to at least
>> work in this simple setup? Are iptables rules still required to masquerade
>> on eth0 or do you need to permanently change the routes?
>>
>> On Mon, Nov 21, 2016 at 10:53 AM, Malcolm Turnbull <malcolm@xxxxxxxxxxxxxxxx> wrote:
>>
>>> Usually for MASQ/NAT mode the real server would be in a different
>>> subnet with the LVS server set as the default gateway.
>>>
>>> If you want to do one-arm i.e. same subnet MASQ then the test client
>>> needs to be in a separate subnet OR you need to have special routing
>>> rules on the real (backend) server.
>>>
>>> On 21 November 2016 at 18:26, Nick Leli <nicholasleli@xxxxxxxxx> wrote:
>>> > Hi Everyone,
>>> >
>>> > I am trying to learn LVS and have created the setup below (better
>>> > formatting at Server Fault
>>> > http://serverfault.com/questions/816026/lvs-load-balancer-not-getting-response).
>>> > The LVS setup seems correct, but it appears that the connections never
>>> > make it to the real server, even though traffic is being sent from the
>>> > director. I am under the impression that no iptables rules are required
>>> > since the real server is added with masquerade. Is this incorrect? I have
>>> > read through the HOWTO multiple times but am not clear on what is needed.
>>> >
>>> > **Director Host**
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# cat /proc/sys/net/ipv4/ip_forward
>>> > 1
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ifconfig
>>> > eth0 Link encap:Ethernet HWaddr 06:a0:5b:48:1b:f5
>>> > inet addr:172.31.16.196 Bcast:172.31.31.255 Mask:255.255.240.0
>>> > inet6 addr: fe80::4a0:5bff:fe48:1bf5/64 Scope:Link
>>> > UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
>>> > RX packets:4211 errors:0 dropped:0 overruns:0 frame:0
>>> > TX packets:3692 errors:0 dropped:0 overruns:0 carrier:0
>>> > collisions:0 txqueuelen:1000
>>> > RX bytes:416625 (416.6 KB) TX bytes:406446 (406.4 KB)
>>> >
>>> > lo Link encap:Local Loopback
>>> > inet addr:127.0.0.1 Mask:255.0.0.0
>>> > inet6 addr: ::1/128 Scope:Host
>>> > UP LOOPBACK RUNNING MTU:65536 Metric:1
>>> > RX packets:173 errors:0 dropped:0 overruns:0 frame:0
>>> > TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
>>> > collisions:0 txqueuelen:1
>>> > RX bytes:12776 (12.7 KB) TX bytes:12776 (12.7 KB)
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port Scheduler Flags
>>> > -> RemoteAddress:Port Forward Weight ActiveConn InActConn
>>> > TCP 172.31.16.196:80 rr
>>> > -> 172.31.16.195:80 Masq 1 0 0
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln --stats
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
>>> > -> RemoteAddress:Port
>>> > TCP 172.31.16.196:80 23 122 0 6436 0
>>> > -> 172.31.16.195:80 23 122 0 6436 0
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# curl 172.31.16.195 -vv
>>> > * Rebuilt URL to: 172.31.16.195/
>>> > * Trying 172.31.16.195...
>>> > * Connected to 172.31.16.195 (172.31.16.195) port 80 (#0)
>>> >> GET / HTTP/1.1
>>> >> Host: 172.31.16.195
>>> >> User-Agent: curl/7.47.0
>>> >> Accept: */*
>>> >>
>>> > * HTTP 1.0, assume close after body
>>> > < HTTP/1.0 200 OK
>>> > < Server: SimpleHTTP/0.6 Python/2.7.12
>>> > < Date: Mon, 21 Nov 2016 04:59:04 GMT
>>> > < Content-type: text/html
>>> > < Content-Length: 26
>>> > < Last-Modified: Mon, 21 Nov 2016 00:58:21 GMT
>>> > <
>>> > From server 172.31.16.195
>>> > * Closing connection 0
>>> >
>>> > # Show the public IP of this host
>>> > root@ip-172-31-16-196:/home/ubuntu# wget http://ipinfo.io/ip -qO -
>>> > 52.15.105.107
>>> >
>>> > **Backend Server**
>>> >
>>> > root@ip-172-31-16-195:/home/ubuntu# netstat -tnlp
>>> > Active Internet connections (only servers)
>>> > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>> > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2444/python
>>> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1221/sshd
>>> > tcp6 0 0 :::22 :::* LISTEN 1221/sshd
>>> >
>>> > root@ip-172-31-16-195:/home/ubuntu# iptables -L -t nat
>>> > Chain PREROUTING (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > Chain INPUT (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > Chain POSTROUTING (policy ACCEPT)
>>> > target prot opt source destination
>>> >
>>> > From Remote Client
>>> >
>>> > # Hitting the public IP
>>> > $ curl -vvv http://52.15.105.107/
>>> > * Trying 52.15.105.107...
>>> > * Connected to 52.15.105.107 (127.0.0.1) port 80 (#0)
>>> >> GET / HTTP/1.1
>>> >> Host: 52.15.105.107
>>> >> User-Agent: curl/7.43.0
>>> >> Accept: */*
>>> >>
>>> > < HTTP/1.1 504 Gateway Time-out
>>> > < Server: ScanSafe
>>> > < Mime-Version: 1.0
>>> > < Date: Mon, 21 Nov 2016 05:40:50 GMT
>>> > < Content-Type: text/html
>>> > < Content-Length: 1664
>>> > < X-ScanSafe-Error: ERR_CONNECT_FAIL 110
>>> > < Keep-Alive: 60
>>> > < Via: HTTP/1.1 proxy10829
>>> > _______________________________________________
>>> > Please read the documentation before posting - it's available at:
>>> > http://www.linuxvirtualserver.org/
>>> >
>>> > LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
>>> > Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
>>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Malcolm Turnbull.
>>>
>>> Loadbalancer.org Ltd.
>>> Phone: +44 (0)330 380 1064
>>> http://www.loadbalancer.org/
>>>
--
Regards,
Malcolm Turnbull.
Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
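As an added diagnostic (my own code, not from the thread or from Loadbalancer.org), the script below parses the two `ipvsadm` outputs Nick posted and flags Masq real servers whose replies never come back through the director, which is exactly what the `OutPkts 0` column shows while the remote client times out. The sample text is constructed from the thread's output with the mail wrapping undone; function and regex names are my own.

```python
import re

# Constructed sample: the director's `ipvsadm -Ln` table from the thread,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_TABLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.31.16.196:80 rr
  -> 172.31.16.195:80             Masq    1      0          0
"""
# Constructed sample: the matching `ipvsadm -Ln --stats` output.
SAMPLE_STATS = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  172.31.16.196:80                   23      122        0     6436        0
  -> 172.31.16.195:80                   23      122        0     6436        0
"""
_SVC = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+)")                     # virtual service line
_RS_TABLE = re.compile(r"^\s*->\s+(\S+)\s+(Masq|Route|Tunnel)\b")  # real server, -Ln
_RS_STATS = re.compile(r"^\s*->\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")  # real server, --stats

def parse_forward_methods(table_text):
    """Map (virtual, real) -> forwarding method from `ipvsadm -Ln`."""
    methods, current = {}, None
    for line in table_text.splitlines():
        if m := _SVC.match(line):
            current = m.group(2)
        elif (m := _RS_TABLE.match(line)) and current:
            methods[(current, m.group(1))] = m.group(2)
    return methods

def parse_stats(stats_text):
    """Map (virtual, real) -> (conns, inpkts, outpkts) from `ipvsadm -Ln --stats`."""
    stats, current = {}, None
    for line in stats_text.splitlines():
        if m := _SVC.match(line):
            current = m.group(2)
        elif (m := _RS_STATS.match(line)) and current:
            stats[(current, m.group(1))] = tuple(int(g) for g in m.groups()[1:])
    return stats

def find_broken_return_paths(table_text, stats_text):
    """Masq real servers that received packets via the director but sent none
    back through it: replies leave by another route (default gateway is not the
    director, or the AWS source/dest check drops them), so clients time out.
    Route/Tunnel real servers are skipped: OutPkts is 0 there by design."""
    methods = parse_forward_methods(table_text)
    return sorted(key for key, (_, inp, outp) in parse_stats(stats_text).items()
                  if methods.get(key) == "Masq" and inp > 0 and outp == 0)
```

Run it against live output with `subprocess` on the director; an empty list means replies are flowing back through the NAT path.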