hi!
i would like to use lvs to load balance several firewall/vpn boxes. after
reading all the excellent documentation on this project i have learnt that
in most of the cases lvs is used to do load sharing between a bunch of
servers, so you usually have only one lvs director (or 2 for failover) in
front of your server cluster.
doing load balancing between firewalls/vpn boxes would require a slightly
different setup: one director in front of the cluster and one behind. ok,
let's have some ascii art to illustrate this:
                        ________
                       |        |
                       | host A |
                       |________|   on the internet
                           |
                           |
                       (router)
                           |
                           |
                      __________
                     |          |
                     | LVS-DR 1 |
                     |__________|
                           |
                           |
        --------------------------------------
        |                  |                 |
        |                  |                 |
  ____________       ____________      ____________
 |            |     |            |    |            |
 | fw/vpn box |     | fw/vpn box |    | fw/vpn box |
 |____________|     |____________|    |____________|
        |                  |                 |
        |                  |                 |
        --------------------------------------
                           |
                           |
                      __________
                     |          |
                     | LVS-DR 2 |
                     |__________|
                           |
                           |    internal network
        --------------------------------------
        |                  |                 |
        |                  |                 |
                        ________
                       |        |
                       | host B |
                       |________|
let's say host A on the internet wants to talk to host B on the internal
LAN. in case of a new connection the connection setup traffic would arrive
on DR1 which has no table entry for host A yet and hence decides according
to the chosen strategy which fw/vpn box is next to use. after the packet
has been processed on that fw/vpn box it would arrive on DR2 which in turn
forwards the packet to the internal lan where it reaches host B. now B
wants to acknowledge the packet of host A. the response would pass DR2, which
thinks that this packet is for a new ip flow and therefore chooses one of the
boxes according to the configured strategy. and this is definitely _not_
what you want to happen here! the expected behaviour for this setup would
be to forward the packet from host B to the box where the traffic from host
A arrived in the first place.
is there any way to tell DR2 to remember where the initial packets came
from?
and if it's not in the code: would it be much of a hassle to implement this?
there is an additional requirement i should not forget to mention: i want
to use _direct routing_ on both of the directors since the other methods
(nat and tunneling) would most likely break the vpn software (ipsec) on the
boxes. i've already applied julian's martian patch so that i can have the
director as a gateway for the return traffic of the boxes.
i hope you can help me out on this issue!
thanks!
best regards
-- matt.
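Added illustration, not part of the original mail and not LVS code: a small simulation of the two-director path described above. It runs the requests of three flows through DR1 and their replies (in a different order) through DR2, first with each director doing independent round robin, then with a scheduler that hashes the unordered address pair so that a reply maps to the same box as its request. Box names and addresses are constructed.

```python
import hashlib
from itertools import cycle

# Constructed names for the three fw/vpn boxes in the diagram.
FW_BOXES = ["fw1", "fw2", "fw3"]


def round_robin_director():
    """A director that treats every packet it has no entry for as a new
    flow and picks the next box, independently of the other director."""
    ring = cycle(FW_BOXES)
    return lambda src, dst: next(ring)


def symmetric_hash_director():
    """A director that picks the box from a hash over the *unordered*
    address pair, so the reply (dst -> src) maps to the same box as the
    request (src -> dst) without any shared state between directors."""
    def pick(src, dst):
        key = "|".join(sorted((src, dst))).encode()
        digest = hashlib.sha256(key).digest()
        return FW_BOXES[int.from_bytes(digest[:4], "big") % len(FW_BOXES)]
    return pick


def simulate(make_director, flows, reply_order):
    """Send each flow's request through DR1 and its reply through DR2.
    Returns {flow: (box chosen by DR1, box chosen by DR2)}."""
    dr1, dr2 = make_director(), make_director()
    forward = {(a, b): dr1(a, b) for a, b in flows}
    backward = {}
    for a, b in reply_order:
        backward[(a, b)] = dr2(b, a)  # the reply is addressed B -> A
    return {f: (forward[f], backward[f]) for f in flows}


def mismatched_flows(make_director):
    """Flows whose reply DR2 would push through a different box than DR1 used."""
    host_b = "192.168.1.20"  # constructed internal host B
    flows = [("203.0.113.10", host_b), ("203.0.113.11", host_b),
             ("203.0.113.12", host_b)]  # constructed hosts A1..A3
    reply_order = [flows[2], flows[0], flows[1]]  # replies need not come back in order
    result = simulate(make_director, flows, reply_order)
    return [f for f, (req_box, rep_box) in result.items() if req_box != rep_box]


if __name__ == "__main__":
    print("round robin mismatches:  ", mismatched_flows(round_robin_director))
    print("symmetric hash mismatches:", mismatched_flows(symmetric_hash_director))
```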