Matthias Weidle wrote:
>
> hi!
>
> i would like to use lvs to load balance several firewall/vpn boxes. after
> reading all the excellent documentation on this project i have learnt that
> in most of the cases lvs is used to do load sharing between a bunch of
> servers, so you usually have only one lvs director (or 2 for failover) in
> front of your server cluster.
>
> doing load balancing between firewalls/vpn boxes would require a slightly
> different setup: one director in front of the cluster and one behind. ok,
> lets have some ascii art to illustrate this:
>
> ________
> | |
> | host A |
> |________| on the internet
> |
> |
> (router)
> |
> |
> __________
> | |
> | LVS-DR 1 |
> |__________|
> |
> |
> -------------------------------------
> | | |
> | | |
> ____________ ____________ ____________
> | | | | | |
> | fw/vpn box | | fw/vpn box | | fw/vpn box |
> |____________| |____________| |____________|
>
> | | |
> | | |
> -------------------------------------
> |
> |
> __________
> | |
> | LVS-DR 2 |
> |__________|
> |
> | internal network
> -------------------------------------
> | | |
> | | |
> ________
> | |
> | host B |
> |________|
>
> lets say host A on the internet wants to talk to host B on the internal
> LAN. in case of a new connection the connection setup traffic would arrive
> on DR1 which has no table entry for host A yet and hence decides according
> to the choosen strategy which fw/vpn box is next to use. after the packet
> has been processed on that fw/vpn box it would arrive on DR 2 which in turn
> forwards the packet to the internal lan where it reaches host B. now B
> wants to acknowledge the packet of host A.
I'm OK to here.
the response would pass DR2 who
> thinks that this packet is for a new ip flow and therefor choses one of the
> boxes according to the configured strategy.
I don't understand this sentence. What does "pass DR2" mean?
The connect request packet from A will go through DR-1, fw, DR-2 and arrive
on host B. The response from B will go to its default gw (which it seems
you understand).
and this is definitly _not_
> what you want to happen here! the expected behaviour for this setup would
> be to forward the packet from host B to the box where the traffic from host
> A arrived in the first place.
I assume this means fw-1, fw-2, fw-3?
I'm assuming that the fw boxes (after doing their checking) as just passing
packets
transparently.
When the connect request arrives at B, there is no evidence of the route it took
to get there. It only has the destination IP and the source IP (the client's IP)
to identify it. If the fw started a proxy session with its own IP's and sent
them to DR-2 then you could put 3 VIPs on DR-2.
> is there any way to tell DR2 to remember where the initial packets came
> from?
From what I understand of this setup at the moment, no.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
|