Hi,
I've successfully set up an LVS-Tun. Here's my current setup:
------------
| client |
| |
------------
|90.0.0.3
|
|
|90.0.0.40
------------------ 192.168.32.250
| Router | ----------------------
------------------ |
| |
| |
|90.0.0.30(eth0) |
-------------------------- |
| Director | |
| VIP: 90.0.0.35 (eth0:0)| |
-------------------------- |
|DIP:192.168.32.150 (eth1) |
| |
--------------------------------------------
| DMZ Network |
| 192.168.32.0/20 |
| |
-------------------------- ---------------------------
| Real Srvr 1 | | Real Server 2 |
| RIP: 192.168.32.1 | | RIP: 192.168.32.6 |
| VIP (tunl0): 90.0.0.35 | | VIP (tunl0): 90.0.0.35 |
| GW: 192.168.32.250 | | GW: 192.168.32.250 |
-------------------------- ---------------------------
However, what I would really like to do is to modify my configuration to use
Fwmarks, remove the local router (90.0.0.40) and use the Director machine as
the router. Here's how I attempted to set it up:
------------
| client |
| |
------------
|90.0.0.3
|
|
|90.0.0.30 (eth0)
------------
| Director |
| |
------------
|DIP:192.168.32.150(eth1)
|
|
----------------------------------
| DMZ Network |
| 192.168.32.0/20 |
| |
-------------------------- ---------------------------
| Real Srvr 1 | | Real Server 2 |
| RIP: 192.168.32.1 | | RIP: 192.168.32.6 |
| VIP (tunl0): 90.0.0.35 | | VIP (tunl0): 90.0.0.35 |
| GW: 192.168.32.150 | | GW: 192.168.32.150 |
-------------------------- ---------------------------
I used the following iptables commands on the Director:
iptables -F -t mangle
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 90.0.0.35/32 --dport http -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 90.0.0.35/32 --dport https -j MARK --set-mark 1
followed by the following ipvsadm commands:
ipvsadm -A -f 1 -s wlc -p 1200
ipvsadm -a -f 1 -r 192.168.32.1:0 -i
ipvsadm -a -f 1 -r 192.168.32.6:0 -i
On the real servers, I entered the following:
ifconfig tunl0 90.0.0.35 netmask 255.255.255.255 broadcast 90.0.0.35 up
route add -host 90.0.0.35 dev tunl0
Unfortunately, I'm missing something. I believe it may have to do with the
lack of a VIP on the Director because when I try to access 90.0.0.35 from
the client, using tcpdump on eth0 of the Director, I can see the ARP request
for 90.0.0.35, but the Director doesn't answer. Somehow I must need to
locally route all traffic destined for the VIP to 90.0.0.30 and then
iptables (Fwmarks) should do its stuff, right? Well, I've been pounding my
head against the desk and I need some assistance. Everything I've tried on
my own has failed (i.e. no active or inactive entries in ipvsadm). Thank
you in advance for any assistance you can provide.
Jeff
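The Director side of the second diagram, written out as an added example that is not Jeff's configuration and not anything shipped by the LVS project. A host only answers ARP for addresses it actually owns, and a fwmark rule cannot attract packets that never arrive, so the script keeps the VIP on eth0 exactly as the first setup did, then marks and balances as before. It assumes the addresses and interface names from the second diagram; the helper names (run, director_setup, director_verify), the FWMARK and DRY_RUN variables, and the use of iproute2 "ip" instead of ifconfig are this example's own choices. By default it only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original post: a fwmark-keyed LVS-Tun director
# that is also the real servers' default gateway. Addresses and interfaces
# are taken from the second diagram; FWMARK, DRY_RUN and the function names
# are assumptions of this script.
VIP=90.0.0.35
PUB_IF=eth0            # Director's client-facing interface (90.0.0.30)
DMZ_IF=eth1            # Director's DMZ interface (DIP 192.168.32.150)
FWMARK=1
RS1=192.168.32.1
RS2=192.168.32.6
DRY_RUN=${DRY_RUN:-1}  # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

director_setup() {
    # 1. The Director must own the VIP or nothing answers ARP for it; the
    #    fwmark only selects the service after the packet has been received.
    run ip addr add "$VIP/32" dev "$PUB_IF"
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Mark only what LVS should balance: TCP to the VIP on 80 and 443.
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$PUB_IF" -p tcp -d "$VIP/32" --dport 80 -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A PREROUTING -i "$PUB_IF" -p tcp -d "$VIP/32" --dport 443 -j MARK --set-mark "$FWMARK"

    # 3. Virtual service keyed on the mark; real servers reached by IP-in-IP.
    run ipvsadm -C
    run ipvsadm -A -f "$FWMARK" -s wlc -p 1200
    run ipvsadm -a -f "$FWMARK" -r "$RS1:0" -i
    run ipvsadm -a -f "$FWMARK" -r "$RS2:0" -i

    # 4. Replies from the real servers are sourced from the VIP and, with the
    #    Director as their gateway, now enter on the DMZ side. Linux drops
    #    packets whose source is one of its own addresses as martians unless
    #    accept_local is set on that interface (sysctl present in newer
    #    kernels only); log_martians makes any such drop show up in dmesg.
    run sysctl -w "net.ipv4.conf.$DMZ_IF.log_martians=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.accept_local=1"
}

director_verify() {
    # Counters that should move when the client connects: the MARK rules'
    # packet counts, then ActiveConn/InActConn and the connection table.
    run ip addr show "$PUB_IF"
    run iptables -t mangle -L PREROUTING -v -n
    run ipvsadm -L -n
    run ipvsadm -L -n -c
}

director_setup
director_verify
```

With DRY_RUN=0, run director_verify after a test connection from the client: if the MARK rule counters stay at zero the packet never reached PREROUTING on eth0 (check ARP and the VIP address first); if they climb but ipvsadm shows no entries, the mark and the virtual service do not match; if entries appear but the client sees no reply, look for martian-source messages from eth1 in the kernel log.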