
Re: having trouble with load balancing

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: having trouble with load balancing
From: Justin Georgeson <jgeorgeson@xxxxxxxxxxxxxxx>
Date: Tue, 12 Nov 2002 12:31:12 -0600

If I understand all the VIP/RIP/CIP, then yes, that is the VIP. Those two telnet commands should both work; if you sit and try it over and over, it will succeed every other time. I'm not blocking it with IP tables. tcpdump on ~.18 shows no packets when coming in this way. The director has a dozen or so aliased interfaces (eth0:1-n). I bind those aliased interfaces to other public IPs and use LVS to NAT to particular machines on the private lan. So I can actually telnet directly to port 5222 on the IPs I have aliased for the two boxes in question. In this particular case, I need to have one FQDN/IP to load balance between a couple of them.

After one connection

TCP  66.150.129.229:5222 wrr
  -> 192.162.10.18:5222           Masq    1      0          0
  -> 192.168.10.17:5222           Masq    1      0          1

After 2nd attempt (says Trying 66.150.129.229... then nothing, so I <Ctrl>+<c>)

TCP  66.150.129.229:5222 wrr
  -> 192.162.10.18:5222           Masq    1      0          1
  -> 192.168.10.17:5222           Masq    1      0          1


All of my ipvsadm rules are LVS-NAT, but they probably don't need to be. I'm fully prepared to accept that I'm using lvs all wrong, but so far it's been working for me. :) If there is a better configuration for me to use, I'm certainly open to trying it.

Roberto Nibali wrote:

> This box is a firewall/gateway between public internet and my private
> lan. I'm trying to do a weighted round-robin. The FQDN resolves to the
> public IP of my LVS box, which has these rules configured


Just to make sure, 66.150.129.229 is your VIP and that's where your DNS
entry points to?

> -A -t :5222 -s wrr
> -a -t :5222 -r 192.168.10.17:5222 -m
> -a -t :5222 -r 192.162.10.18:5222 -m


So assuming I got it right, I should be able to do two distinct connects
as follows:

telnet tetsuo.unboundtech.com 5222
telnet tetsuo.unboundtech.com 5222

and you should see one connection request to ~.18 and one to ~.17, right?

> ipvsadm -L shows this
>
> TCP  66.150.129.229:5222 wrr
>   -> 192.162.10.18:5222           Masq    1      0          0
>   -> 192.168.10.17:5222           Masq    1      0          0


What does it show after you connected and closed the connection once?

> So I think it's configured right. My problem is that only 192.168.10.17


It looks like. DGW of both RS is pointing to the director? No additional
iptables rule that would DROP packets to the ~.18 RS?

> is responding through LVS. A tcpdump on 18 shows no packets arriving
> when trying to go through LVS. I can telnet to port 5222 on both 17
> and 18 from the LVS box. I have public DNS/IPs for both of those internal


So you could switch to LVS-DR?

> boxes. I can telnet directly to these IPs, on port 5222, and connect
> to each realserver bypassing LVS. But the application needs to be able
> to hit either through the LVS.


So the IPs of the RS are actually public?

> After browsing through some of the documentation, the only thing I can
> come up with is DNS. The bind installation returns public IP addresses
> only, and I'm not really doing any DNS overriding with /etc/hosts. If


It would be /etc/nsswitch.conf anyway.

> this were the problem, what kind of, but it can be reached directly
> (not going through LVS) and from the LVS box itself changes would I
> need to make?


Mhh, if one of my questions doesn't solve the problem, I will ask you to
enable the debug mode and do two separate connection requests and send
me the dump (privately).

> In summary, I have a weighted round-robin service, where all
> realservers have equal weight. I have specified no persistence, so
> defaults are used. One of the realservers can't be reached through
> LVS. I can reach it internally using internal IP (from any machine on
> the 192.168.10/0/24 subnet using the 192.168.10.18 IP) or publicly,
> bypassing the LVS, using an alternate public IP address than the one
> I'm load balancing between realservers.


It looks all pretty correct at first sight but I also know that it
actually must work ;), so ...

Regards,
Roberto Nibali, ratz


--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax    713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)
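
Added example, not part of the original message or of the LVS project: the listings above show one real server as 192.162.10.18, while the text places the real servers on the 192.168.10 subnet. This sketch parses numeric `ipvsadm -L -n` style output and reports LVS-NAT (Masq) real servers that fall outside an expected subnet. The function names, the regular expressions, and the choice of 192.168.10.0/24 as the expected subnet are assumptions.

```python
import ipaddress
import re

# Sample input copied from the second listing in the message above.
SAMPLE = """\
TCP  66.150.129.229:5222 wrr
  -> 192.162.10.18:5222           Masq    1      0          1
  -> 192.168.10.17:5222           Masq    1      0          1
"""

# Virtual service line: protocol, VIP:port, scheduler.
SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")
# Real server line: address:port, forward method, weight, ActiveConn, InActConn.
REAL_RE = re.compile(
    r"^\s*->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_table(text):
    """Return {"VIP:port": [real-server dicts]} from numeric ipvsadm output."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = f"{m.group(2)}:{m.group(3)}"
            services[current] = []
            continue
        m = REAL_RE.match(line)
        if m and current is not None:
            services[current].append({
                "addr": ipaddress.ip_address(m.group(1)),
                "port": int(m.group(2)),
                "forward": m.group(3),
                "weight": int(m.group(4)),
                "active": int(m.group(5)),
                "inactive": int(m.group(6)),
            })
    return services

def off_subnet(services, subnet):
    """List (service, real server) pairs whose Masq entry lies outside subnet."""
    net = ipaddress.ip_network(subnet)
    # With LVS-NAT the real servers sit behind the director and route their
    # replies back through it, so only Masq entries are checked here.
    return [(svc, f"{rs['addr']}:{rs['port']}")
            for svc, servers in services.items()
            for rs in servers
            if rs["forward"] == "Masq" and rs["addr"] not in net]

if __name__ == "__main__":
    for svc, rs in off_subnet(parse_table(SAMPLE), "192.168.10.0/24"):
        print(f"{svc}: real server {rs} is not in 192.168.10.0/24")
```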


