Julian Anastasov wrote:
> Hello,
>
> - proxy ARP is used when the traffic should be routed at Layer 3
> with the help from ARP. The packets reach the routing after the
> box answers ARP probes asking for foreign addresses.
>
> - transparent proxy has mostly Layer 5-7 semantic, it is used
> to intercept traffic destined to foreign addresses and to deliver
> it to sockets.
>
OK, thanks for these explanations. I can't remember (read too many
docs :) where I saw the term "transparent proxy" which was not
used in a proxy (squid) context... Nevertheless, it is now clear.
>> - If so, I found a document
>> (http://www.sjdjweis.com/linux/proxyarp/) explaining how to do proxy
>> arp on a 2.4 kernel. Will this method be compatible with LVS as long
>> as director would also be the default GW for realservers ?
>
> No. The spoofing checks performed from routing will drop
> the traffic.
>
OK.
>
> Solution 1:
> You can use Linux Bridging. In such case the traffic from
> real servers to the ROUTER passes only Layer 2, i.e. the routing
> is not reached and you avoid the spoofing checks. If you don't
> want Bridging or the link to the ROUTER is not ARP aware, then
> you can use solutions that avoid the spoofing checks for this
> traffic. One of them is the forward_shared flag (Solution 2).
>
I'd rather keep the simplest possible setup and it seems to me
a little bit complicated.
>
> The difference in the NAT/DR speed is very small in Linux 2.4,
> nearly nothing. My recommendation is:
>
> - DR or NAT (depending on other factors, mostly real server setup
> complexity)
>
> - forward_shared: 1 in all/forward_shared and in eth1/forward_shared,
> assuming eth1 is the private interface.
>
To be sure: is the forward_shared patch mandatory even in an LVS-NAT setup
(at least the following one)?
I set up the following LVS-NAT:
CLIENT YYY.YYY.YYY.YYY
        |
     INTERNET
        |
     (SWITCH)
     ____|_____
    |          | VIP=XXX.XXX.XXX.XXX (eth1)
    | DIRECTOR |
    |__________| DIP=192.168.0.20 (eth0)
        |
  -----------------------------------
  |                 |                 |
RIP1=192.168.0.30 RIP2=192.168.0.31 RIP3=192.168.0.32 (all eth0)
 _____________     _____________     _____________
|             |   |             |   |             |
| realserver  |   | realserver  |   | realserver  |
|_____________|   |_____________|   |_____________|

GW for all RIPs is DIP
I can see this tcpdump trace on director when I issue the following command:
CLIENT# telnet VIP 80
DIRECTOR# tcpdump
CLIENT:HIGH_PORT > VIP:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)
CLIENT:HIGH_PORT > RIP1:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)
RIP1:HTTP > CLIENT:HIGH_PORT:S 10:10(0) ack 2 win 5792 <mss 1460,sackOK,timestamp 2 77782103 0,nop,wscale 0> (DF)
DIP > RIP1: icmp: net CLIENT unreachable [tos 0xc0]
I don't know what to do on director to correct this issue (2 NICs, 2
Networks).
Regards,
Nicolas.
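As an added illustration of how to read the trace in the message above (this is example code written for this page, not code from the thread or from the LVS project), the following script parses tcpdump lines in the same shape the poster pasted and classifies where the LVS-NAT handshake stalls. The trace lines are a constructed copy of the post's own four packets, using the poster's placeholder names CLIENT, VIP, RIP1 and DIP; the parse() and diagnose() helpers and the hostnames passed to diagnose() are assumptions of this example.

```python
"""Classify where an LVS-NAT TCP handshake stalls from a tcpdump excerpt.

Constructed example, not part of the mailing-list thread.  The trace below
mirrors the four packets quoted in the post (placeholders kept as written),
each joined onto a single line.
"""
import re

TRACE = [
    "CLIENT:HIGH_PORT > VIP:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)",
    "CLIENT:HIGH_PORT > RIP1:HTTP:S 1:1(0) win 5480 <mss 1460,sackOK,timestamp 77782103 0,nop,wscale 0> (DF)",
    "RIP1:HTTP > CLIENT:HIGH_PORT:S 10:10(0) ack 2 win 5792 <mss 1460,sackOK,timestamp 2 77782103 0,nop,wscale 0> (DF)",
    "DIP > RIP1: icmp: net CLIENT unreachable [tos 0xc0]",
]

# "SRC:SPORT > DST:DPORT:FLAGS ..." as pasted in the post (colon-separated).
TCP_RE = re.compile(
    r"^(?P<src>[^:\s]+):(?P<sport>[^:\s]+) > (?P<dst>[^:\s]+):(?P<dport>[^:\s]+):(?P<flags>[SFRP.]+) "
)
# "SRC > DST: icmp: net|host TARGET unreachable ..."
ICMP_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<kind>net|host) (?P<target>\S+) unreachable"
)


def parse(line):
    """Return a dict describing one tcpdump line, or None if it is not recognised."""
    m = TCP_RE.match(line)
    if m:
        event = m.groupdict()
        event["proto"] = "tcp"
        event["ack"] = " ack " in line  # SYN-ACK carries an 'ack N' field
        return event
    m = ICMP_RE.match(line)
    if m:
        event = m.groupdict()
        event["proto"] = "icmp"
        return event
    return None


def diagnose(trace, vip, dip, rips):
    """Walk the trace and report which stages of the NAT handshake were seen.

    vip/dip/rips are the director's virtual IP, its private-side IP and the set
    of real-server IPs, in the same notation the trace uses.
    """
    report = {
        "syn_to_vip": False,            # client SYN arrived at the VIP
        "dnat_to_rip": None,            # director rewrote the destination to this RIP
        "synack_from_rip": False,       # real server answered with SYN-ACK
        "unreachable_from_director": None,  # director bounced the reply with ICMP
        "verdict": "incomplete trace",
    }
    for event in filter(None, map(parse, trace)):
        if event["proto"] == "tcp" and "S" in event["flags"] and not event["ack"]:
            if event["dst"] == vip:
                report["syn_to_vip"] = True
            elif event["dst"] in rips:
                report["dnat_to_rip"] = event["dst"]
        elif event["proto"] == "tcp" and "S" in event["flags"] and event["ack"]:
            if event["src"] in rips:
                report["synack_from_rip"] = True
        elif event["proto"] == "icmp" and event["src"] == dip and event["dst"] in rips:
            report["unreachable_from_director"] = event["target"]

    if (report["syn_to_vip"] and report["dnat_to_rip"]
            and report["synack_from_rip"] and report["unreachable_from_director"]):
        report["verdict"] = (
            "director rewrote the destination and the real server replied, but the "
            "director's routing refused to forward that reply toward the client "
            "network (ICMP net unreachable); look at the director's routing and "
            "forwarding configuration rather than at the real server"
        )
    elif report["syn_to_vip"] and not report["dnat_to_rip"]:
        report["verdict"] = "director never rewrote the SYN; check the virtual service definition"
    elif report["dnat_to_rip"] and not report["synack_from_rip"]:
        report["verdict"] = "real server did not answer; check the service on the real server"
    return report


if __name__ == "__main__":
    for key, value in diagnose(TRACE, "VIP", "DIP", {"RIP1", "RIP2", "RIP3"}).items():
        print(f"{key}: {value}")
```

The four stages map directly onto the four quoted packets: the ICMP line sent by DIP to RIP1 is the director telling the real server that it has no usable route toward the client network, so the SYN-ACK never leaves the director.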