This thing is a pretty complicated firewall (yes, I know that means it could
be something else affecting this), and has quite a few ipchains rules. Which
types of things were you thinking of? Here are some of the pertinent
commands:
The forward chain has these rules (among others):
ipchains -A forward -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
ipchains -A forward -s 192.168.10.0/24 -j MASQ
ipchains -A forward -s 192.168.1.0/24 -j MASQ
For the portfw serviced example:
ifconfig lo:14 $EXTIP netmask 255.255.255.255
ipmasqadm portfw -a -P tcp -L $EXTIP 80 -R 192.168.10.4 80
For the ipvs-serviced example:
ifconfig lo:10 $EXTIP netmask 255.255.255.255
ipvsadm -A -t $EXTIP:80 -s wlc -p
ipvsadm -a -t $EXTIP:80 -r 192.168.10.2:80 -m
ipvsadm -a -t $EXTIP:80 -r 192.168.10.3:80 -m
What else do you need?
-----Original Message-----
From: Wensong Zhang [mailto:wensong@xxxxxxxxxxxx]
Sent: Thursday, June 15, 2000 8:27 AM
To: Clint Byrum
Cc: Lvs-Users
Subject: Re: LVS working great.. but...
On Wed, 14 Jun 2000, Clint Byrum wrote:
> Ok, I'm using IPVS 0.9.12 w/ kernel 2.2.15 in my firewall to load balance a
> couple of web servers. This works great, from the outside, but when clients
> on the "internal" segment try to access the loadbalanced web servers using
> their VIP's, things break down. Let me explain a little further.
>
>                                   _____DMZ(192.168.10.0/24)
>                                  |
> Internet-----Firewall/Loadbalancer----Internal Clients(192.168.1.0/24)
>
> The firewall has all of the real IP addresses as loopback's with netmasks of
> 255.255.255.255. Masquerading is used for the Internal Clients to get out.
> For non load balanced servers, 'ipmasqadm portfw' is used to forward traffic
> through. For the load balanced machines, LVS/NAT is used.
>
> If 192.168.1.100 tries to access 192.168.10.100 (load balanced) directly,
> things work great, as the firewall just filters and routes this traffic. If
> 192.168.1.100 tries to access the VIP that 192.168.10.100 services, the
> reply packets don't seem to get rewritten to seem to come from the VIP. When
> using ipmasqadm portfw, the replies do get rewritten, and things work. Here
> is the only difference I noticed:
>
I don't see why the portfw can and the lvs cannot. Would you please tell
us the configuration with ipchains commands, ipmasqadm portfw commands,
and ipvsadm commands? It can help us to locate the problem.
Thanks,
Wensong
> the output of netstat -Mn gives these selected entries:
>
> tcp 44:56.77 192.168.10.4 192.168.1.225 80 -> 1645 (80)
> tcp 5:40.65 192.168.10.2 192.168.1.225 80 -> * (80)
> tcp 0:49.65 192.168.10.2 192.168.1.225 80 -> 1643 (80)
>
> the first entry is for one serviced by portfw, the other two are for an LVS
> serviced machine.
>
> Is this a problem with lvs, or a problem with masq in general? Or have I
> mucked things up? Here's the script that brings up the particular virtual
> server:
> ipvsadm -A -t $EXTIP:80 -s wlc -p
> ipvsadm -a -t $EXTIP:80 -r 192.168.10.2:80 -m
> ipvsadm -a -t $EXTIP:80 -r 192.168.10.3:80 -m
>
> Thanks a million for the load balancing though. :)
>
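The forward-chain rules posted at the top of this message are evaluated by ipchains top to bottom, and the first rule whose source and destination both match decides the packet's fate (ACCEPT and MASQ are both terminating targets). The following is an added example, not code from the thread or from the LVS project, that walks a few packets through the three posted rules in the posted order so you can see which rule a reply from a realserver to an internal client actually hits, compared with a reply to an outside client. The thread does not settle whether this ordering is the cause of the LVS/NAT symptom, and the poster says there are other rules in the chain that are not shown, so treat the result as a check of the rules we can see. The outside client address 203.0.113.5 is constructed (TEST-NET-3), and the `DMZ_TO_LAN_MASQ_FIRST` ruleset is a hypothetical variant written here only to show how much the outcome depends on rule order.

```python
import ipaddress
import shlex

# The three forward-chain rules quoted in the message above, in the order
# posted. The poster says there are other rules too; those are unknown here.
POSTED_FORWARD_RULES = [
    "ipchains -A forward -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT",
    "ipchains -A forward -s 192.168.10.0/24 -j MASQ",
    "ipchains -A forward -s 192.168.1.0/24 -j MASQ",
]

# Hypothetical variant (not from the thread): one extra rule ahead of the
# ACCEPT, included only to show the effect of ordering on the same packet.
DMZ_TO_LAN_MASQ_FIRST = [
    "ipchains -A forward -s 192.168.10.0/24 -d 192.168.1.0/24 -j MASQ",
] + POSTED_FORWARD_RULES

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse the subset of ipchains syntax the posted rules use (-A, -s, -d, -j).

    Options not present on the page (-p, -i, -y, ...) are rejected rather than
    silently ignored, so a mis-parse cannot look like a match.
    """
    argv = shlex.split(line)
    if argv[:1] != ["ipchains"]:
        raise ValueError("not an ipchains command: %r" % line)
    rule = {"src": ANY, "dst": ANY, "target": None}
    it = iter(argv[1:])
    for tok in it:
        if tok == "-A":
            rule["chain"] = next(it)
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(next(it), strict=False)
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(next(it), strict=False)
        elif tok == "-j":
            rule["target"] = next(it)
        else:
            raise ValueError("unsupported ipchains option: %r" % tok)
    if rule["target"] is None:
        raise ValueError("rule has no -j target: %r" % line)
    return rule


def first_match(rule_lines, src, dst):
    """Walk the chain top to bottom as ipchains does and return (index, target)
    of the first rule whose -s and -d both match the packet. ACCEPT and MASQ
    are terminating targets, so evaluation stops at the first hit.
    (None, None) means no listed rule matched and the chain policy applies."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for idx, line in enumerate(rule_lines):
        rule = parse_rule(line)
        if s in rule["src"] and d in rule["dst"]:
            return idx, rule["target"]
    return None, None


if __name__ == "__main__":
    # Realserver and LAN client addresses are from the netstat -Mn output in the
    # thread; the Internet client is a constructed documentation address.
    REALSERVER, LAN_CLIENT = "192.168.10.2", "192.168.1.225"
    INTERNET_CLIENT = "203.0.113.5"
    for name, rules in (("posted order", POSTED_FORWARD_RULES),
                        ("DMZ->LAN MASQ first (hypothetical)", DMZ_TO_LAN_MASQ_FIRST)):
        print(name)
        print("  realserver -> LAN client reply:     ",
              first_match(rules, REALSERVER, LAN_CLIENT))
        print("  realserver -> Internet client reply:",
              first_match(rules, REALSERVER, INTERNET_CLIENT))
        print("  LAN client -> Internet:             ",
              first_match(rules, LAN_CLIENT, INTERNET_CLIENT))
```

Under the posted order a reply from 192.168.10.2 to 192.168.1.225 is accepted by the first rule and never reaches either MASQ rule, while the same realserver's reply to an outside client falls through to the `-s 192.168.10.0/24 -j MASQ` rule. That asymmetry matches the one the poster describes (outside clients work, internal clients hitting the VIP do not), but confirming it as the cause needs the full chain and a packet trace on the firewall. Note also that the hypothetical DMZ-to-LAN MASQ rule would catch the direct, non-VIP traffic from 192.168.10.100 to 192.168.1.100 that the poster says currently works, so it is shown here to illustrate ordering sensitivity, not as a drop-in fix.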