|
Hello,
On Fri, 16 Jun 2000, Mailing Manager wrote:
>
> Hi all,
> i have readed the tread lvs works great ..but, and for th efirst i
> thinked to have the same problem, but reading well i see tha i have a
> similar cofniguration but the soluton seem to be not that.
If you read again my reply you will solve your
problem. It is similar. The difference is that you have two
routers between the networks. Your route from 192.168.1.0 to
192.168.0.0 (and may be vice versa if needed) must be
NAT-ed. If it is not NAT-ed you have to switch your LVS to
DR or TUN method. This is the rule: intranet clients (being
on the LAN or not) can't use LVS/NAT. They must use the
other forwarding methods. The other rule is that you can't
use the director as def gw when not in VS/NAT mode.
> I have on emachine that is a router -nat machien for users on the intranet
> (192.168.0.0) and onther machien that is the lvs server for another net
> (192.168.1.0).
> Well from a machine on the intranet i can ping the server lvs, the servers
> on the lvs net and vice versa, but when i try to connect to the port 80 on
> the lvs server , that is working for the nternet users , i can't see
> anything.
> The lvs machine works well for the internet users, i can see the connection
> and so on, i have the routing table that know how to reach the intranet
> (infact i can telnet from a pc on the intranet to a server ont the other net
> and viceversa), butu the intranet users have to use the intrenl name of the
> web servers to connect.
> Is htis right?? i remember that the port forwarding haved this problem, but
> this is a problem of the users connected directly on the server, but the
This is a problem in your configuration. The portfw
module is restricted only in a NAT-ed environment. Where you
can use portfw you can use LVS/NAT too. In the other cases
you have to switch to LVS/DR or TUN. The LVS method can be
differentiated by client's and by the real server's
location:
LVS/NAT LVS/DR LVS/TUN
Client on No Yes Yes
intranet
Client on Yes Yes Yes
internet
Real server Yes Yes Yes
on intranet
Real server No No Yes
on internet
Director as Yes No No
def gw
The difference intranet - internet is related to the
routes "real servers -> cleints" and "director -> real
servers" in the director. For LVS/NAT it means whether the
traffic to client is NAT-ed or not. If it is not NAT-ed this
is intranet (what I'm talking about? this is silly).
This table is not perfect but shows the usual
cases. The end real server still can be on other physical
network for all methods. Think for the "Real server" in this
table as the first local or remote (only for LVS/TUN) hop to
the real server.
You see that with LVS/DR and LVS/TUN your client
can be everywhere. But your director can't be everywhere :(
It must be after the router :( Until director is patched to
allow using it as def gw.
> intranet users come from another server and itis not working well.
> On the list of th econnection masqueraded when i try to use the lvs server
> form intranet i can see the entry for my machinand i think this is not
> right.
Yes, the portfw and LVS/NAT job is to demasquerade,
your job is to make ipchains to masquerade :) The result:
the entry is created and packets demasqueraded but the
traffic from the real servers to clients is not masqueraded
which is wrong.
> Thnaks for any help, and excuse me for bad english.....
The problem is that you forgot to attach some
settings and explanation. If your read the thread you
already know what is the result from one missing command
from the setup. But in your case all your commands are
missing :) But you said, the setup is similar.
Is the above helps or we have to talk with examples?
You still can use one logical network (192.168.2) which is
masqueraded and the rest which is not masqueraded. Put the
real servers in this logical network (they still can talk
with 192.168.0 clients without masquerading if they listen
both to 192.168.1 and 192.168.2). Put your MASQ rule before
the ACCEPT rule in the forward chain.
Regards
--
Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
|
