
Solution to my NAT problems

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Solution to my NAT problems
From: "Ryan McCain" <Ryan.McCain@xxxxxxxxxxxxxxx>
Date: Wed, 09 Mar 2005 15:04:04 -0600
If any of your realservers are on the same network as your director, make sure you follow these directions.

To get an LVS-NAT LVS to work on one network:

1. On the director, turn off icmp redirects on the NIC that is the default gw for the realservers.

director:/etc/lvs# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
director:/etc/lvs# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
director:/etc/lvs# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

2. Make the director the default and only route for outgoing packets.

You will probably have set the routing on the realserver up like this:

realserver:/etc/lvs# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         director        0.0.0.0         UG        0 0          0 eth0

Note the route to 192.168.1.0/24. This route allows the realserver to send packets to the client by just putting them out on eth0, where the client will pick them up directly (without being demasqueraded) and the LVS will not work. This route also allows the realservers to talk to each other directly, i.e. without routing packets through the director. (As the admin, you might want to telnet from one realserver to another, or you might have ntp running, sending ntp packets between realservers.)

Remove the route to 192.168.1.0/24.

realserver:/etc/lvs# route del -net 192.168.1.0 netmask 255.255.255.0 dev eth0

This will leave you with:

realserver:/etc/lvs# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         director        0.0.0.0         UG        0 0          0 eth0

Now packets RIP->CIP have to go via the director and will be demasqueraded. The LVS-NAT LVS now works. If LVS is forwarding telnet, you can telnet from the client to the VIP and connect to the realserver.


---

Ryan
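The two conditions the post sets up, turned into an audit script (an added example, not part of Ryan's message or of the LVS project): one function reports any connected route on a realserver that would let replies bypass the director, the other verifies the director's send_redirects sysctls are off. The netstat text below is a constructed sample modelled on the post; the sysctl base directory is a parameter (normally /proc/sys/net/ipv4/conf) so the check can also be run against a copy.

```shell
#!/bin/sh
# Realserver side: given `netstat -r` output on stdin, print connected routes
# (flag U without G) other than loopback or the default route. Any such route
# lets the realserver answer clients directly, so LVS-NAT replies are never
# demasqueraded by the director.
direct_routes() {
    awk 'NR > 2 && $1 != "127.0.0.0" && $1 != "0.0.0.0" && $1 != "default" \
         && $4 !~ /G/ { print $1 "/" $3 " via " $8 }'
}

# Director side: confirm send_redirects is 0 for all, default and the given
# NIC under $1 (the conf directory). Returns 1 and lists offenders otherwise.
redirects_off() {
    base=$1; iface=$2; rc=0
    for d in all default "$iface"; do
        f="$base/$d/send_redirects"
        if [ ! -r "$f" ] || [ "$(cat "$f")" != "0" ]; then
            echo "send_redirects still enabled (or missing): $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: routing table before the fix (has the 192.168.1.0/24 route).
SAMPLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         director        0.0.0.0         UG        0 0          0 eth0'

# Constructed sample: routing table after `route del`, only loopback and default.
SAMPLE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         director        0.0.0.0         UG        0 0          0 eth0'

# Stand-alone demo: prints the offending route from the "before" table.
printf '%s\n' "$SAMPLE_BEFORE" | direct_routes
```

On a live realserver, pipe `netstat -r` straight into direct_routes; on the director, call redirects_off /proc/sys/net/ipv4/conf eth0.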
