RE: Using ip_vs on different subnets

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Using ip_vs on different subnets
From: "James Wells" <jwells@xxxxxxxxx>
Date: Mon, 18 Jul 2005 13:28:50 -0700

   I have a similar setup and got around this by setting the default
route on the real server to a system that would route back out through
the LVS NAT server.

        LVS NAT:
        Real Servers: 10.1.0.x
        Real Server GW:
        Client: 172.168.1.x

   Client connects to the VIP, which translates the address, using LVS,
to the real servers.  The real servers respond and send their outbound
traffic to the GW, which routes it out through the LVS NAT.  A very
simplified way of doing it would be:
        LVS NAT:
        LVS NAT GW:
        Real Servers: 10.1.0.x
        Real Server GW:

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott J.
Sent: Monday, July 18, 2005 1:21 PM
To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Using ip_vs on different subnets

I've been trying to get this working and I think I've come to the
conclusion that it's impossible, but I'm wondering if anyone has an idea.

Basically I'm trying to get ip_vs to use a real server that is on a 
different subnet from what the vip is on.  Here is my setup.

Real Server:

I've tried tun, dr, and nat, but all seem to have a problem with them.

With dr, the director can't route to the real server and from the 
tcpdump output, the real server is never getting the packet.

With tun, I can get a packet from the client, to the vip, to the real
server, but when the packet leaves the real server it never gets back to
the client.  I'm guessing that's because the router is dropping the packet
with an internal ip address (the vip) coming in on the external link.  The
client never sees the packet returning.

With nat, I can get the entire loop, from the client to the vip to the 
real server to the client.  The packet though, never goes back through 
the director.  This is obvious because the default route of the real 
server is supposed to be the director, but I can't do that because they 
are on different subnets.  So the packet returns to the client with a 
source ip address of the real server instead of the vip.  This means the
client rejects the packet.  So that one is out as well.

Is this what is supposed to be happening?  Is there a way to have the
vip and real server on different subnets like I have above?  Normally we
use dr with a redirects rule on the real servers on the same subnet and
that has been working great, but we have need of putting real servers on
a different subnet.

Any help would be appreciated.  Thanks.
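
The NAT return-path behaviour discussed in this thread, as an added example that is not part of either message: a small Python model of a director's connection table, showing why a reply that bypasses the director is rejected by the client and why routing it back through the director fixes that. The VIP, host addresses and ports are constructed placeholders; only the 10.1.0.x and 172.168.1.x ranges come from the thread.

```python
from dataclasses import dataclass, replace

# Constructed addresses: the real-server and client ranges follow the thread,
# the VIP is a documentation-range placeholder (the thread does not give one).
VIP, RIP, CLIENT = "192.0.2.10", "10.1.0.5", "172.168.1.20"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Director:
    """Minimal model of an LVS-NAT director's connection table."""
    def __init__(self, vip, rip):
        self.vip, self.rip = vip, rip
        self.conns = set()  # (client_ip, client_port, service_port)

    def inbound(self, pkt):
        # Client -> VIP: record the connection, rewrite destination to the real server.
        if pkt.dst != self.vip:
            return pkt
        self.conns.add((pkt.src, pkt.sport, pkt.dport))
        return replace(pkt, dst=self.rip)

    def outbound(self, pkt):
        # Real server -> client: restore the VIP as source, for known connections only.
        if pkt.src == self.rip and (pkt.dst, pkt.dport, pkt.sport) in self.conns:
            return replace(pkt, src=self.vip)
        return pkt

def client_accepts(request, reply):
    # A TCP client matches replies on the full 4-tuple of the connection it opened.
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (request.dst, request.dport, request.src, request.sport)

def round_trip(reply_via_director):
    director = Director(VIP, RIP)
    request = Packet(CLIENT, 40000, VIP, 80)
    seen = director.inbound(request)              # what the real server receives
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    if reply_via_director:  # real server's gateway routes back out through the director
        reply = director.outbound(reply)
    return reply, client_accepts(request, reply)

if __name__ == "__main__":
    for via in (False, True):
        reply, ok = round_trip(via)
        print(f"reply via director={via}: src={reply.src} accepted={ok}")
```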
