Hello,
On Wed, 22 Nov 2000, John Lukac wrote:
> and this, of course, then becomes a NAT method instead of a DR, right?
> This makes more sense now. But I'd still like to hear an answer to my
> first question: is it possible to use DR with only one "real" (i.e.
> routable) IP? By what you've written, my guess is "no" because that
> would imply the real-servers then have the ability to spoof. Right?
Yes, you need at least one unique (real) IP on the real server.
This IP can be private, for example 192.168.0.2 and your gateway
192.168.0.1 for example. You can use ipchains redirect to accept the
traffic for VIP or to add the 2nd IP in your real server: the VIP.
Of course, you need a loopback device too.
From your emails I don't understand where the problem is.
You can start the LVS debugging (echo 2 > /proc/.../vs/debug_level).
You claim there is no ARP problem but I'm not sure. Some tests:
run
tcpdump -len arp [-i DEVICE]
on the director and on the real servers (don't forget to run tcpdump
on all devices; maybe the routing is wrong)
on each host try to delete the used arp entries:
arp -d VIP (in the client)
arp -d RIP (in the director)
arp -d DIP (in the real server)
you can test with "telnet" as virtual service and see which
real server is displayed after "telnet vip". Check if the MACs
are correct, i.e. whether the client sends the requests to the
director and not to one of the real servers. Make sure you don't
have reverse DNS problems or hosts not listed in /etc/hosts.allow.
You can expect these ARP talks:
client:
who-has VIP tell CIP
director:
who-has RIP tell DIP
real server:
who-has GIP tell RIP
where:
DIP: director IP
GIP: real server's gateway IP
RIP: real server IP
CIP: client IP
Can you provide such tcpdump outputs from the ARP talks?
You can try on the director:
ip route get RIP
ip route get from CIP iif INDEV to RIP
Is the output device displayed correctly?
What are the /proc/sys/net/ipv4/conf/*/rp_filter values?
Regards
--
Julian Anastasov <ja@xxxxxx>
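Added example (my own, not part of the mail above): a small script that scans `tcpdump -len arp` output for the ARP problem discussed in the reply, i.e. more than one MAC answering "is-at" for the VIP. The VIP, the MACs and the sample capture lines are constructed; the exact tcpdump line format varies between versions, so adjust the field matching if yours differs.

```shell
#!/bin/sh
# Constructed sample in the shape of `tcpdump -len arp` lines (not a real capture).
# Two different MACs reply for 10.0.0.100 (the VIP): director and a real server.
SAMPLE_ARP='0:50:56:0:0:1 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.100 tell 10.0.0.50
0:50:56:0:0:2 0:50:56:0:0:1 0806 42: arp reply 10.0.0.100 is-at 0:50:56:0:0:2
0:50:56:0:0:3 0:50:56:0:0:1 0806 42: arp reply 10.0.0.100 is-at 0:50:56:0:0:3
0:50:56:0:0:2 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.0.2 tell 192.168.0.1
0:50:56:0:0:3 0:50:56:0:0:2 0806 42: arp reply 192.168.0.2 is-at 0:50:56:0:0:3'

# vip_responders VIP < capture : print each distinct MAC that replied "is-at" for VIP
vip_responders() {
    awk -v vip="$1" '
        / arp reply / {
            for (i = 1; i <= NF; i++)
                if ($i == "reply" && $(i+1) == vip && $(i+2) == "is-at")
                    seen[$(i+3)] = 1
        }
        END { for (m in seen) print m }' | sort
}

# count_vip_responders VIP < capture : number of distinct MACs answering for VIP
count_vip_responders() {
    vip_responders "$1" | wc -l | tr -d ' '
}

# check_arp VIP : in LVS-DR exactly one host (the director) must answer ARP
# for the VIP; more than one means a real server is also answering.
check_arp() {
    n=$(printf '%s\n' "$SAMPLE_ARP" | count_vip_responders "$1")
    if [ "$n" -eq 1 ]; then
        echo ok
    else
        echo "ARP problem: $n hosts answer for $1"
    fi
}

# Usage on a real capture: tcpdump -len arp | vip_responders 10.0.0.100
check_arp 10.0.0.100
```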