
RE: Trouble setting up LVS/TUN

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Trouble setting up LVS/TUN
From: redirecting decoy <redirectingdecoy@xxxxxxxxx>
Date: Tue, 8 Feb 2005 08:59:35 -0800 (PST)
Well, I have managed to get my LVS half working.  I had to tweak around
the net settings a bit, turned out to be a combination of problems
including routing, iptables, and reboots.
I can now have my Director see the real servers on the 10.x.x.x networks.
I am only having one more problem then: LVS works great with iptables
turned off, but does not work with iptables turned on.
I have tracked the offending rule down to:
"-A POSTROUTING -o eth1 -j MASQUERADE",
which is the very first rule on my "Real Server Gateway (10.1.2.1)". All my
real servers will pass through either 10.1.2.1 or 10.1.3.1, depending on
which network the RIP is on, to get to the client.  I need this rule in
place so that my real servers can connect to the internet, as my real
servers act as client machines for other tasks.

So is there a way for LVS-Tun+Masquerade to play nice?

Thanks,

-R.D.

--- redirecting decoy <redirectingdecoy@xxxxxxxxx> wrote:

> > SSH VIP will probably work, but not because of anything LVS does.  By
> > default most sshd's are setup to listen on all addresses.  If you do
> > "netstat -anp | grep 22", you will probably see something like:
> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN 658/sshd
> 
> ok. that answers my question.
> 
> I believe I am getting closer to solving my problem.  I've been tracing
> the path where the packets go, and it looks something like this:
> 
> RGW=Default Gateway for real servers = 10.1.2.1
> 
> Client -> VIP
> Director:SYN -> 
> RIP:SYN-ACK -> RGW:SYN-ACK -> Client
> 
> So basically, the real servers have to pass through RGW to get to the
> client.  I think this machine is what is giving me troubles.  If I leave
> RGW alone with its 2 nics (eth0:10.1.2.1) and (eth1:192.168.10.101), this
> is what I get on my client:
> 
> SYN -> SYN-ACK -> RST
> SYN to VIP -> SYN-ACK from 192.168.10.101 -> RST to 192.168.10.101
> 
> I don't think that is right, so I gave RGW a VIP(tunl0,noarp) as well.
> In theory, that should have worked and the client should be receiving
> SYN-ACK from VIP (RGW).  It doesn't.  I can see that both RIP and RGW want
> to send a SYN-ACK to the client.  It just never gets there, it seems.  Now
> in this case my client just sends out SYN packets and gets no replies.
> I'm confused.
> 
> This is what I am trying to do.
> 
> C=Client
> D=Director   (VIP, Arps)
> R1,R2 =  Real servers 1 and 2    (VIP, noarp)
> RGW = Real Server Gateway        (VIP, noarp)
> 
> DIP=192.168.10.110
> VIP=192.168.10.111
> RS1=10.1.2.254
> RS2=10.1.2.253
> RGW= eth0: 10.1.2.1
>      eth1: 192.168.10.101
> 
>    ___C___ <---------|
>    |  |  |           |
>    |  D  |           |
>    ___|___           |
>    |     |           |
>    R1    R2          |
>    |_____|           |
>       |              |
>      RGW             |
>       |              |
>     Back to Client   |
>       |______________|
> 
> 
> I think my problem is being caused at RGW somehow.  Is a setup such as
> this possible?  Is this still a routing problem?
> 
> -R.D.
> 
> 


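The reply path traced in this thread, as a simplified model added here for illustration (it is not part of the original message and does not model conntrack or source-port rewriting). It shows why an unrestricted MASQUERADE on RGW's eth1 produces the observed "SYN-ACK from 192.168.10.101 -> RST", and how scoping the rule to the real servers' own addresses leaves VIP-sourced replies untouched. The client address, port, the /24 prefix and the source-restricted rule are assumptions, not taken from the thread.

```python
import ipaddress

VIP, RIP, RGW_ETH1 = "192.168.10.111", "10.1.2.254", "192.168.10.101"  # from the thread
CLIENT, PORT = "192.168.10.50", 80   # constructed sample values
RS_NET = "10.1.2.0/24"               # assumed prefix length for the real-server network

def rgw_postrouting(pkt, masq_sources=None):
    """Model nat POSTROUTING on RGW for packets leaving eth1.

    masq_sources=None models '-A POSTROUTING -o eth1 -j MASQUERADE'
    (every source is rewritten). A network string models the same rule
    restricted with '-s <net>' (an assumption, not a rule from the thread).
    """
    src = ipaddress.ip_address(pkt["src"])
    if masq_sources is None or src in ipaddress.ip_network(masq_sources):
        return {**pkt, "src": RGW_ETH1}
    return pkt

def client_receive(expected_peer, pkt):
    """Client in SYN_SENT: only a SYN-ACK from the peer it sent the SYN to is accepted."""
    if pkt["flags"] == "SYN-ACK" and (pkt["src"], pkt["sport"]) == expected_peer:
        return {"dst": pkt["src"], "flags": "ACK"}
    return {"dst": pkt["src"], "flags": "RST"}

def handshake(masq_sources=None):
    """Return (source address the client sees, client's answer) for one SYN to the VIP."""
    # LVS-TUN: the real server decapsulates the SYN and answers from the VIP
    # on tunl0; that reply is routed to the client through RGW.
    reply = {"src": VIP, "sport": PORT, "dst": CLIENT, "flags": "SYN-ACK"}
    seen = rgw_postrouting(reply, masq_sources)
    return seen["src"], client_receive((VIP, PORT), seen)

def realserver_outbound(masq_sources=None):
    """Source address seen outside for a real server's own client traffic."""
    pkt = {"src": RIP, "sport": 40000, "dst": "203.0.113.10", "flags": "SYN"}
    return rgw_postrouting(pkt, masq_sources)["src"]

if __name__ == "__main__":
    for label, scope in (("MASQUERADE everything", None),
                         ("MASQUERADE only " + RS_NET, RS_NET)):
        print(label, handshake(scope), realserver_outbound(scope))
```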
