First a description of the environment.
I'm trying to set up an HA firewall/cache/nat-router with only 2 boxes as in the ultramonkey streamlined configuration.
(http://www.ultramonkey.org/2.0.0/topologies/sl-ha-lb-overview.html)
On each box I have:
- 2 NICs (internal & external)
- Squid on port 3128
- apache on port 80
- LVS-DR
- Forwarding ON
- Masquerading rule for outgoing traffic
- default gateway on external network
Each box is separately working the way it should.
Using heartbeat/ldirectord I set one box as the live director (x.x.x.1) and the other as standby (x.x.x.2).
The VIP (x.x.x.254) is the default GW for my network clients.
I use fwmark to mark 0x01 all traffic to 0.0.0.0:80 (http requests to the internet).
I use fwmark to mark 0x02 all traffic to x.x.x.254:80 (http requests to the cluster).
The cluster supports 2 virtual services for fwmark 1 and fwmark 2, both routing to both servers (x.x.x.1 and x.x.x.2) using the roundrobin policy.
I use iptables REDIRECT for x.x.x.254:80 traffic on the node that doesn't have the VIP (standby director) as in 17.3.2
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.transparent_proxy.html#id2878595
- connections to x.x.x.254:80 (apache) are working fine
- connections to 0.0.0.0:80 are not, and this is a common problem
>>>DEBUG 1
If I set iptables for REDIRECT --to-port 3128 on the director (as in the squid transparent proxy howto)
I get 50% of requests working (only those locally routed to the director x.x.x.1).
The standby director gets packets with x.x.x.1:3128 as destination and doesn't know how to handle that. Standard problem with 2.4 kernels, it seems.
>>>DEBUG 2
If I set up local delivery on the director using ip rule as in
http://marc.theaimsgroup.com/?l=linux-virtual-server&m=101674735204704&w=2
or
http://www.linuxvirtualserver.org/Joseph.Mack/HOWTO/LVS-HOWTO.routing_tricks.html#routing_and_delivery
# ip rule add prio 100 fwmark 1 table 100
# ip route add local 0/0 dev lo table 100
and REDIRECT --to-port 3128 on the standby director,
again I get 50% of requests working, this time only those routed to the standby director.
I'm not able to find any trace of the locally routed packets.
>>>DEBUG 3
I played around a bit also setting squid on port 80 and avoiding the REDIRECT problem completely,
but still no results (probably it was too late at night).
I would be glad to hear from you; comments and solutions are very welcome.
Sorry for being verbose; if you need more details just ask.
I'll keep you posted on the developments.
Regards,
Mario Mene'
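As an added example (not part of Mario's post and not ultramonkey or LVS project code), the rule set the post describes, laid out per role so the live director and the standby can be compared side by side: the fwmark 1/2 marking, the ip rule local-delivery trick from DEBUG 2 on the director, the fwmark virtual services in DR mode, and the REDIRECT rules on the standby. It assumes placeholder addresses from the 192.0.2.0/24 documentation range in place of x.x.x.0/24, that the marks are set in mangle PREROUTING (the post does not say which chain it uses), and a DRY_RUN switch so the script can be read and checked without touching a live box.

```shell
#!/bin/sh
# Added example, not from the post: the fwmark / ip-rule / REDIRECT setup the
# post describes, one function per role. 192.0.2.x stands in for x.x.x.x.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them (root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Common to both boxes: HTTP to the VIP gets mark 2, any other HTTP gets mark 1.
# The mark is set in mangle PREROUTING, which runs before the routing decision
# and before nat PREROUTING, so both the ip rule and the REDIRECT rules see it.
mark_rules() {
    vip="$1"
    run iptables -t mangle -A PREROUTING -p tcp -d "$vip" --dport 80 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
}

# Live director: the routing-tricks local-delivery rule for fwmark 1, plus one
# fwmark virtual service per mark, DR mode (-g), round robin, over both boxes.
director_rules() {
    vip="$1"; rs1="$2"; rs2="$3"
    mark_rules "$vip"
    run ip rule add prio 100 fwmark 1 table 100
    run ip route add local 0/0 dev lo table 100
    for mark in 1 2; do
        run ipvsadm -A -f "$mark" -s rr
        run ipvsadm -a -f "$mark" -r "$rs1" -g
        run ipvsadm -a -f "$mark" -r "$rs2" -g
    done
}

# Standby director: it does not own the VIP, so cluster traffic (mark 2) is
# REDIRECTed to the local apache (same port) and internet-bound HTTP (mark 1)
# to the local squid on 3128, as in the transparent-proxy HOWTO section cited.
standby_rules() {
    vip="$1"
    mark_rules "$vip"
    run iptables -t nat -A PREROUTING -p tcp -m mark --mark 2 -j REDIRECT
    run iptables -t nat -A PREROUTING -p tcp -m mark --mark 1 -j REDIRECT --to-port 3128
}

# Usage: lvs_rules director|standby VIP [RS1 RS2]
lvs_rules() {
    case "$1" in
        director) director_rules "$2" "$3" "$4" ;;
        standby)  standby_rules "$2" ;;
        *) echo "usage: lvs_rules director|standby VIP RS1 RS2" >&2; return 1 ;;
    esac
}

# e.g.  sh lvs-roles.sh director 192.0.2.254 192.0.2.1 192.0.2.2
if [ "$#" -ge 2 ]; then
    lvs_rules "$@"
fi
```

Running the script with DRY_RUN=1 for each role and diffing the two listings is a quick way to see that the only thing separating the two boxes is the ip rule and the ipvsadm services on one side versus the REDIRECT rules on the other; the half of fwmark 1 traffic that the director routes to itself is exactly the half this listing leaves unhandled, which is the open question in DEBUG 2.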