Re: doing both NAT and DR, I need help.

To: Jeremy Hansen <jeremy@xxxxxxxxxxxx>
Subject: Re: doing both NAT and DR, I need help.
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Joseph Mack <mack@xxxxxxxxxxx>
Date: Fri, 22 Sep 2000 16:47:38 -0400 (EDT)
On Fri, 22 Sep 2000, Jeremy Hansen wrote:

> Yes, I am using LVS-DR and actually that part of it is working fine.  DR
> is working, but the problem is that I cannot initiate outgoing connections
> from my real servers.

Sorry about this. I didn't understand the problem (I couldn't understand
why you were having the problem I thought you were having, I was sure you 
understood all of that stuff). 

* You want to INITIATE outgoing connections *
never mind (groan).

Specifically in your example below you want to initiate connections for
https from a real-server on a LVS which is forwarding all services on the
VIP (if that's what your fwmark is doing). I presume these connections
from the real-servers have nothing to do with the LVS, you just want the
real-servers to do double duty?

Well that's a new one. Just for my interest why do you want to do this?

I'm going to have to think about this. In the meantime my half-baked

ipvs uses ipchains/masq behind the scenes to do its work. Thus any 
packets travelling on the 10.x.x.x network with ports under the control
of LVS will not obey standard TCP/IP rules. You should avoid messing with
these packets.

If you set up a VS-DR LVS to forward only http with (simple service to
check from the client), then the only packets under the control of the LVS
have dest_port=http. The default gw for the real-server is the router.

Now you can NAT telnet from the real-server by running on the director
something like

$ echo "masquerading tcp real-server:telnet:tcp to outside world"
$ ipchains -A forward -p tcp -j MASQ -s real-server telnet -d

where real-server resolves to a RIP.

For this to work you have to make the director the default gw, which
will kill VS-DR. To restore functioning of the VS-DR, you have
to make the VS-DR LVS work with the director as default gw. To do this
you can use one of Julian's two martian modifications, the simplest of which
is to get the director to accept packets on the VIP by transparent proxy
(I also haven't tried this method, I tried Julian's 2nd method which
involves patching the kernel, I know that works).

So: set up a VS-DR LVS accepting packets on the VIP by transparent proxy
and forward only http. When that works, then try NAT'ing telnet from the

Are we talking about the same thing yet?


Joseph Mack mack@xxxxxxxxxxx
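As an added illustration (not code from this thread or from the LVS project), here is a small Python model of the per-packet decisions Joseph describes on the director: packets for the virtual service (VIP, dest port http) belong to LVS-DR and pass through untouched, while tcp from the real-server to port telnet hits the MASQ rule and gets its source rewritten to the director's address, with the reply de-masqueraded on the way back. The VIP/DIP/RIP addresses and the masq port range are constructed sample values, and the masq bookkeeping is a simplification of what the 2.2 kernel actually keeps.

```python
from dataclasses import dataclass, replace

VIP = "192.168.1.100"            # constructed: VIP the LVS answers on
DIP = "203.0.113.1"              # constructed: director's outside address
RIP = "10.1.1.2"                 # constructed: real-server address (10.x.x.x)
LVS_PORTS = {80}                 # VS-DR set up to forward only http
MASQ_RULES = [("tcp", RIP, 23)]  # models: ipchains -A forward -p tcp -j MASQ from RIP to telnet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Director:
    def __init__(self):
        self.masq = {}           # masqueraded port -> (original src, original sport)
        self.next_port = 61000   # constructed: first port of the masq range

    def handle(self, pkt):
        # 1. Packets for the virtual service are owned by LVS. With DR the
        #    director only rewrites the MAC, so the IP packet is unchanged.
        if pkt.dst == VIP and pkt.dport in LVS_PORTS:
            return "lvs-dr", pkt
        # 2. A reply addressed to a masqueraded port: restore the real-server
        #    as destination. This only works if the reply reaches the director,
        #    which is why the real-server needs the director as default gw.
        if pkt.dst == DIP and pkt.dport in self.masq:
            osrc, osport = self.masq[pkt.dport]
            return "demasq", replace(pkt, dst=osrc, dport=osport)
        # 3. Forward chain: the MASQ rule for telnet from the real-server.
        for proto, src, dport in MASQ_RULES:
            if pkt.proto == proto and pkt.src == src and pkt.dport == dport:
                mport = self.next_port
                self.next_port += 1
                self.masq[mport] = (pkt.src, pkt.sport)
                return "masq", replace(pkt, src=DIP, sport=mport)
        # 4. Anything else is plain routing, e.g. a DR reply carrying VIP as
        #    its source; the MASQ rule must not touch it.
        return "route", pkt
```

Run the four packet kinds through `Director().handle` to see that only the real-server's own telnet connection is rewritten; the LVS-controlled http packets and the VIP-sourced replies are left alone.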
