RE: LVS Directory behind two firewalls

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS Directory behind two firewalls
From: Ryan Leathers <Ryan.Leathers@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 7 Sep 2004 08:38:59 -0400
Make the VIP and both firewalls' internal interfaces public addresses (same
subnet is ideal).  Let the public address assigned to the VIP be the
destination address rather than something associated with either firewall's
outside interface. (I suspect the latter is what you have done.)

In order to reach the VIP address traffic must route through one firewall or
another.  Return traffic from the LVS will use correct addressing via the
correct firewall every time.  In this way you make it a routing problem one
hop away rather than a NATing problem - in fact a routing problem is where
this belongs.

If you need assistance understanding how this works in greater detail or
would like examples using popular Cisco hardware I would be happy to help
off list - but I do not believe this is an LVS problem.

-----Original Message-----
From: Jason Stubbs [mailto:jstubbs@xxxxxxxxxxxxx]
Sent: Sunday, September 05, 2004 9:04 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: LVS Directory behind two firewalls


The director will receive requests by way of two firewalls. The firewalls only
NAT the source address on the way in. I'm concerned whether packets on the
way out will be sent by the director based on destination address (all to
default gateway) or based on where the connection originated from.

On Friday 03 September 2004 21:21, Ryan Leathers wrote:
> your director keeps state and your firewall keeps state - unless I
> misunderstood your question somehow you have no problem
>
> -----Original Message-----
> From: Jason Stubbs [mailto:jstubbs@xxxxxxxxxxxxx]
> Sent: Friday, September 03, 2004 1:13 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: LVS Directory behind two firewalls
>
>
> Hi,
>
> I've just started with LVS but everything is running smoothly so far. I have 9
> servers split between two firewalls. Each firewall is responsible for 5
> public IPs in two different subnets. There's a total of 6 different host
> names and, up until now, load balancing was done using DNS round robin for
> some of the hosts.
>
> My goal is to have all services run on all servers and load balance across the
> lot. However, I realized that the two firewalls will cause me problems due to
> routing back. I've looked at the information in the HOWTO(1) and read the
> information I think it points to(2) but still don't understand how it works
> on the whole.
>
> So, to state the question simply: How do I ensure that traffic takes the same
> outward path as its inward path?
>
> Regards,
> Jason Stubbs
>
>
> 1. http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.ipvsadm.html#Henrik
>
> 2. http://article.gmane.org/gmane.comp.security.firewalls.netfilter.devel/3708/
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
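The routing argument in Ryan's reply (the director's reply is addressed to whatever source address the firewall SNATted to, and the director's own routing table decides which firewall carries it back), as an added Python model that is not part of the thread. The addresses, the two topologies and the hostnames are constructed for illustration.

```python
import ipaddress

# Constructed topology, not from the thread. Each firewall SNATs inbound client
# traffic to its own inside-interface address (as Jason describes), so the
# director's reply is addressed to that inside address and follows the
# director's routing table: the reply takes the same path back only if the
# director routes that address via the same firewall.

class Host:
    """Minimal IPv4 host doing longest-prefix-match route lookup."""
    def __init__(self, name, routes):
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        if not matches:
            raise ValueError(f"{self.name}: no route to {dst}")
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        return nh or str(dst)       # directly connected: hand to dst itself

def reply_exits_via(director, fw_inside, inbound_fw):
    """Name of the firewall that receives the director's reply for a flow
    that arrived through inbound_fw, or 'other' if it is sent elsewhere."""
    snat_src = fw_inside[inbound_fw]        # what the director saw as source
    nh = director.next_hop(snat_src)
    return next((n for n, ip in fw_inside.items() if ip == nh), "other")

# Design Ryan recommends: VIP and both firewalls' inside interfaces share one
# public subnet, so each firewall's inside address is directly connected.
GOOD_FW = {"fw1": "203.0.113.1", "fw2": "203.0.113.2"}
GOOD_DIRECTOR = Host("director", [("203.0.113.0/24", None),
                                  ("0.0.0.0/0", "203.0.113.1")])

# Problem design: the second firewall's inside address is on a subnet the
# director is not connected to, and the director holds only a default route.
BAD_FW = {"fw1": "192.0.2.1", "fw2": "198.51.100.1"}
BAD_DIRECTOR = Host("director", [("192.0.2.0/24", None),
                                 ("0.0.0.0/0", "192.0.2.1")])

def symmetric(director, fw_inside):
    """True when every inbound firewall also carries the reply."""
    return all(reply_exits_via(director, fw_inside, fw) == fw for fw in fw_inside)

if __name__ == "__main__":
    print("same-subnet design symmetric:", symmetric(GOOD_DIRECTOR, GOOD_FW))
    print("default-route-only design symmetric:", symmetric(BAD_DIRECTOR, BAD_FW))
```

In the second topology the reply for a flow that entered through fw2 is handed to fw1, which has no state for it; a more specific route to fw2's inside address, or the shared subnet, is what turns this into the one-hop routing problem Ryan describes.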