Joe, Thanks for the explanation :-)
Joseph Mack NA3T wrote:
Hello all,
I have 3 boxes, which are all connected to the public network, but
also to a private segment.
be careful, not all ascii art survived e-mail.
Make it 40 char or so wide and don't mix
blanks and tabs.
I will remember that for the future :-)
The connections between the loadbalancer and the real servers are made through a VLAN on a switch, with 172.16.125.0/24 addresses.
I would like to have the following setup:
1. All web traffic (http/https) must be handled by the loadbalancer.
2. All ssh traffic must go directly to the real servers.
3. Optional: I must have the possibility of handling certain protocols by the real servers, like DNS, or, if there is the need, by the loadbalancer (like pop3 for example).
Whenever I add the default route on the real servers to the 82.94.229.129 gateway, nothing happens when connecting to the loadbalancer on port 80. When I change the default route to the private IP on the loadbalancer, it works, but the real servers cannot be connected to through ssh.
points:
o an LVS is usually operated as if it were one machine.
The realservers are on private IPs and are not accessible
by the clients. This makes it easy to keep the realservers
secure. You can make the realservers routable if you like,
but you must understand the security implications.
I do certainly understand the security implications of hanging the realservers on the 'hot' network. All machines are hardened and therefore they may be accessible from the internet directly. The reason for loadbalancing is that this customer has a couple of serious customers who demand 'guaranteed' availability, e.g. they have a huge demand and this must be spread over 2 systems....
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree
o you need the iproute2 tools. Concepts like a default
gw are only used on leaf nodes where they have one IP
and all packets come in and out through a single gateway.
In your setup on the realservers
all packets from RIP to the RIP network are routed locally.
tcp packets from RIP:ssh to 0/0:0 are routed to the 82.x.x.x machine
tcp and udp packets from RIP:dns to 0/0:0 are routed to the 82.x.x.x
machine
tcp and udp packets from VIP:dns are routed to the DIP
tcp packets from VIP:http and VIP:https are routed to the DIP
other packets are not routed (they can't go anywhere),
ie you do not have a default route.
For examples on how to route by port, look at
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.3-Tier.html
Ah! Missed that probably :-) Thank you for the link my friend!
Don't expect this to be real easy ;-)
Who said that building an advanced infrastructure should be an easy job?
A lot of RTFM and trying makes the world go round, right?
Joe
--
Regards,
J. van Koll
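The per-port routing Joe lists above, written out as an added example (not code from the thread or from the LVS HOWTO). Since ip rule cannot match on ports, locally generated packets are marked in the iptables mangle table by source address and port and the fwmark selects the routing table; the RIP, DIP and VIP values are assumed placeholders, only the 82.94.229.129 gateway is from the thread, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: realserver policy routing for the
# per-port rules Joe lists. Addresses are assumed (hypothetical) except
# the 82.94.229.129 gateway, which is from the thread.
RIP=${RIP:-172.16.125.10}   # this realserver's private IP (assumed)
DIP=${DIP:-172.16.125.1}    # director's private IP (assumed)
VIP=${VIP:-82.94.229.130}   # public service IP (assumed)
PUBGW=82.94.229.129         # public gateway (from the thread)
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

realserver_routes() {
    # Table 100: services the clients reach directly (ssh, dns) answer via the public gw.
    run ip route add default via "$PUBGW" table 100
    # Table 200: load-balanced services (VIP:http/https/dns) answer via the director.
    run ip route add default via "$DIP" table 200
    # ip rule cannot match ports, so mark locally generated packets in mangle/OUTPUT
    # by source address and port. Replies into the RIP network need no rule: the
    # connected route in the main table already handles them.
    run iptables -t mangle -A OUTPUT -p tcp -s "$RIP" --sport 22 -j MARK --set-mark 1
    for p in tcp udp; do
        run iptables -t mangle -A OUTPUT -p $p -s "$RIP" --sport 53 -j MARK --set-mark 1
        run iptables -t mangle -A OUTPUT -p $p -s "$VIP" --sport 53 -j MARK --set-mark 2
    done
    run iptables -t mangle -A OUTPUT -p tcp -s "$VIP" -m multiport --sports 80,443 -j MARK --set-mark 2
    run ip rule add fwmark 1 table 100
    run ip rule add fwmark 2 table 200
    # Deliberately no default route in the main table: unmarked packets
    # have nowhere to go, which is Joe's last point.
}

realserver_routes
```

Run with DRY_RUN=0 as root on a realserver to apply the rules; check the result with `ip rule show` and `ip route show table 100`.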