|
Hello all,
I have 3 boxes, which are all connected to the public
network, but also to a private segment.
be careful, not all ascii art survived e-mail.
Make it 40 char or so wide and don't mix
blanks and tabs.
-----------------------------------------------------------------------------------public
net (82.94.229.128/25)
| |
|
| loadbalancer
|
| /\
|
| / \
|
| /
\
|
| /
\ |
server 1- - - - -
-
server 2
The connections between the loadbalancer and the real
servers is done by a vlan part on a switch, with
172.16.125.0/24 addresses.
I would like to have the following setup:
1. All webtraffic (http/https) must be handled by the
loadbalancer 2. All ssh traffic must be performed directly
to the real servers 3. Optional, i must have the
possibility for handling certain protocols by the real
servers, like DNS, or, if there is the need, by the
loadbalancer. (like pop3 for example)
Whenever i add the default route on the real servers to
the 82.94.229.129 gateway, nothting happens when
connecting to the loadbalancer port 80. When i change the
default route to the private ip on the loadbalancer, it
works, but the real servers cannot be connected trough
ssh.
points:
o an LVS is usually operated as if it were one machine.
The realservers are on private IPs and are not accessable
by the clients. This makes it easy to keep the realservers
secure. You can make the realservers routable if you like,
but you must understand the security implications.
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree
o you need the iproute2 tools. Concepts like a default
gw are only used on leaf nodes where they have one IP
and all packets come in and out through a single gateway.
In your setup on the realservers
all packets from RIP to the RIP network are routed locally.
tcp packets from RIP:ssh to 0/0:0 are routed to the 82.x.x.x
machine
tcp and udp packets from RIP:dns to 0/0:0 are routed to the
82.x.x.x machine
tcp and udp packets from VIP:dns are routed to the DIP
tcp packets from VIP:http and VIP:https are routed to the
DIP
other packets are not routed (they can't go anywhere),
ie you do not have a default route.
For examples on how to route by port, look at
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.3-Tier.html
Don't expect this to be real easy ;-)
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
|
