
RE: LVS-TUN: How to test if ISP allows it? Solved: firewall on RIP

To: "'LinuxVirtualServer.org users mailing list.'" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: LVS-TUN: How to test if ISP allows it? Solved: firewall on RIP
From: "Son Nguyen" <trungson@xxxxxxxxx>
Date: Fri, 24 Jun 2005 00:53:20 -0700
Ok, problem solved (man, it feels good!). I turned off the firewall on
realserver and it works, so don't have to wonder about changing ISP and have
a clue about what to do next. Thank you Joe and everyone.
Son Nguyen

> -----Original Message-----
> From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx 
> [mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf 
> Of Mack.Joseph@xxxxxxxxxxxxxxx
> Sent: Monday, June 20, 2005 8:30 AM
> To: LinuxVirtualServer.org users mailing list.
> Subject: Re: LVS-TUN: How to test if ISP allows it?
> 
> Joseph Mack PhD, High Performance Computing & Scientific 
> Visualisation LMIT, Supporting the EPA Research Triangle 
> Park, NC 919-541-0007 Federal Infrastructure Contact-Ravi 
> Nair 919-541-5467 - nair.ravi@xxxxxxx, Federal Visualization  
> Contact - Joe Retzer, Ph.D. 919-541-4190 - retzer.joseph@xxxxxxx
> 
> lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 06/17/2005 02:07:05
> PM:
> 
> > Hello,
> >
> > I'm trying to setup a simple LVS, one director and one realserver 
> > using LVS-TUN (these machines are on 2 different datacenters).
> 
> have you set up LVS-Tun with machines all local, just to test 
> that you can do it at all, before you try connecting to a 
> realserver out on the internet?
> 
> > On the real, I had tunl0 up and also hidden. Debug:
> >
> > client# telnet VIP 80
> >
> > director# tcpdump -ln -i eth0 host RIP
> > tcpdump: listening on eth0
> 
> OK
> 
> > realserver# tcpdump port 80
> > tcpdump: listening on eth0
> > (and there is nothing coming in)
> 
> hmm,
> 
> > realserver# tcpdump -i tunl0 port 80
> > tcpdump: listening on tunl0
> > (and there is also nothing)
> 
> don't know whether the packet actually goes through tunl0, 
> with tunl0 not being a physical device, so don't know whether 
> you should expect to see anything here or not.
> 
> > director# ipvsadm -L -n
> > IP Virtual Server version 1.0.8 (size=65536)
> > Prot LocalAddress:Port Scheduler Flags
> >   -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> > TCP  VIP:80 wlc
> >   -> RIP:80             Tunnel  1      0          1
> 
> this is usually a routing problem (most people don't have the 
> route from the RIP to the CIP setup properly) and as you've 
> found you can't get IPIP packets to the realserver.
> Do you have routing from the DIP to the RIP? can you ping the RIP?
> 
> > I also wonder if it's the ISP that drops the ip-encapsulated packet?
> 
> The ISP doesn't know that it's an IPIP packet, unless it 
> opens it up and looks (which a router isn't going to do).
> All the ISP sees is a regular IP packet from DIP to RIP.
> 
> The usual problem with the ISP is that the realserver is 
> sending a packet back to the CIP with src_addr=VIP. Since the 
> VIP is usually not on the tunnelled realserver's network, the 
> ISP may block it on the outbound direction, thinking it to be 
> a spoofed packet.
> 
> Joe
> 
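
An added example (not part of the thread and not LVS project code) modelling why a realserver firewall that only permits TCP port 80 drops LVS-TUN traffic: the packet reaching the RIP is IP protocol 4 from DIP to RIP, with the client's CIP-to-VIP segment inside. The addresses and both rulesets are constructed assumptions; the thread does not show the actual firewall rules.

```python
import socket
import struct

IPIP, TCP = 4, 6  # IP protocol numbers: IP-in-IP encapsulation, TCP

# Constructed documentation addresses standing in for the thread's DIP, RIP, CIP, VIP.
DIP, RIP, CIP, VIP = "192.0.2.10", "198.51.100.20", "203.0.113.5", "192.0.2.100"

def ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header (checksum left at 0) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    """Return the fields a packet filter matches on, plus the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
           "proto": pkt[9], "payload": pkt[ihl:]}
    if hdr["proto"] == TCP:
        hdr["dport"] = struct.unpack("!H", hdr["payload"][2:4])[0]
    return hdr

def verdict(hdr, rules):
    """First matching rule accepts; default policy is DROP (hypothetical ruleset model)."""
    for rule in rules:
        if all(hdr.get(field) == value for field, value in rule.items()):
            return "ACCEPT"
    return "DROP"

def delivered(pkt, rules):
    """True if the realserver's filter lets the packet reach the service on the VIP."""
    outer = parse_ipv4(pkt)
    if verdict(outer, rules) == "DROP":
        return False  # dropped on arrival, before tunl0 can decapsulate it
    if outer["proto"] != IPIP:
        return True
    # On Linux the decapsulated inner packet (CIP -> VIP) passes the filter again.
    return verdict(parse_ipv4(outer["payload"]), rules) == "ACCEPT"

# Constructed sample: client SYN to VIP:80, as the director forwards it to the RIP.
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
TUNNELLED = ipv4(DIP, RIP, IPIP, ipv4(CIP, VIP, TCP, SYN))

WEB_ONLY = [{"proto": TCP, "dport": 80}]  # no rule for protocol 4
WITH_TUNNEL = [{"proto": IPIP, "src": DIP, "dst": RIP}] + WEB_ONLY  # IPIP from director only

if __name__ == "__main__":
    outer = parse_ipv4(TUNNELLED)
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("web-only ruleset delivers:", delivered(TUNNELLED, WEB_ONLY))
    print("with IPIP rule delivers:  ", delivered(TUNNELLED, WITH_TUNNEL))
```

Restricting the protocol 4 rule to the director's address keeps the firewall enabled on the realserver without accepting encapsulated packets from arbitrary sources.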

