Re: Issues with braindead network topology and LVS-NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Issues with braindead network topology and LVS-NAT
From: Pascal Bleser <pascal.bleser@xxxxxxxxxxxxxx>
Date: Tue, 04 Oct 2005 10:38:14 +0200
Joseph Mack NA3T wrote:
> On Wed, 28 Sep 2005, Pascal Bleser wrote:
>> [ok] the webserver gets the request and replies (10.10.3.32 =>
>> 10.10.1.10)
>> [**] the firewall.. well.. just routes the webserver reply packets to
>> the client
>> [**] the (Linux) client says.. wtf is 10.10.3.32 :\
> 
> :-(
> You have a one-network LVS-NAT, with the added complication of a
> firewall between the director(s) and the realservers.
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#one_network
> you have to arrange the routing on the realservers so that any packets
> from RIP->0/0 go through the director (and nowhere else).
> See if the HOWTO helps any and then let us know what's left over

Thanks for your help, but I eventually gave up trying to implement it with LVS, especially because I can't really expect changes to be made to the realservers. Even worse, default routing and such is a bit tricky to modify because:
- the firewall is "checkpoint", not really the most flexible routing stack
- the realservers are HP-UX.. yes, evil
- the realservers are also accessed from the LAN by Java/Swing/RMI clients (actually those are J2EE application servers that do Servlet and EJB container, not just "webservers") and I want to make sure that I don't cause side effects there

Now I use a simple TCP forwarder, rinetd. I know there are better performing options (e.g. plb (pure load balancer)) but I'm "limited" to what's shipped and supported by SLES 9.
The realservers are monitored with "mon" on the heartbeat cluster and when a failure is detected, a custom Perl script I wrote queries the state of the realserver nodes (from mon) and rewrites /etc/rinetd.conf accordingly, then SIGHUPs rinetd.

Not necessarily the best performing solution (but, hey, they get what they deserve, given their awkward network topology) but throughput is not that critical, and it has the advantage that it's certainly easier to set up and monitor than LVS and doesn't require any changes to the realservers or firewall.

I certainly would have preferred to use LVS as it's widely used and rock solid but.. I need something that works now ;)

Anyway, thanks for the help, and looking forward to implementing LVS for another project in a _sane_ network topology.

cheers
-- 
  -o) Pascal Bleser               ATOS Worldline/Aachen(DE)
  /\\   System Architect              WLP Business Platform
 _\_v "Really, I'm not out to destroy Microsoft.  That will
just be a completely unintentional side effect."-L.Torvalds
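The routing advice quoted at the top of the thread ("packets from RIP->0/0 go through the director, and nowhere else"), worked out as commands, as an added example that is not code from the post or from the LVS HOWTO. It shows what a Linux realserver and the director would need in a one-network LVS-NAT, which is exactly the change the poster could not make on HP-UX boxes behind a Checkpoint firewall. 10.10.3.32 is the RIP quoted in the thread; the director address 10.10.3.1 and the client address 10.10.1.10 used for the route check are assumptions. By default the script only prints the commands; pass `apply-realserver` or `apply-director` to run them as root.

```shell
#!/bin/sh
# Added example, not code from the post or the LVS HOWTO.  Prints (or, with
# "apply-realserver" / "apply-director", runs) the routing changes a
# one-network LVS-NAT needs.  10.10.3.32 is the RIP from the thread; the
# director IP 10.10.3.1 and the client 10.10.1.10 are assumptions.
RIP=${RIP:-10.10.3.32}
DIP=${DIP:-10.10.3.1}

# Realserver side: the director must be the only way out, and the realserver
# must ignore the ICMP redirect the director would otherwise send when the
# client sits out the same interface the reply arrived on.  If a redirect is
# accepted, replies leave with source RIP, skip the NAT rewrite, and the
# client drops them as coming from an unknown host (the "wtf is 10.10.3.32"
# symptom in the thread).
realserver_cmds() {
    dip=$1
    printf 'ip route replace default via %s\n' "$dip"
    printf 'sysctl -w net.ipv4.conf.all.accept_redirects=0\n'
    printf 'sysctl -w net.ipv4.conf.default.accept_redirects=0\n'
}

# Director side: forward, and never tell the realservers about a shorter
# path, since that path bypasses the director and therefore the NAT.
director_cmds() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.all.send_redirects=0\n'
    printf 'sysctl -w net.ipv4.conf.default.send_redirects=0\n'
}

# Check after applying on the realserver: the kernel's route to a client
# address must name the director as next hop.  Exit status 0 when it does.
verify_realserver_route() {
    dip=$1; client=$2
    ip route get "$client" 2>/dev/null | grep -q "via $dip "
}

case ${1:-dry-run} in
    apply-realserver)
        realserver_cmds "$DIP" | sh -e && verify_realserver_route "$DIP" 10.10.1.10 ;;
    apply-director)
        director_cmds | sh -e ;;
    *)
        echo "# on realserver $RIP:"; realserver_cmds "$DIP"
        echo "# on director $DIP:";   director_cmds ;;
esac
```

Note that replacing the realserver's default route is precisely the side effect the poster was worried about: the LAN Java/RMI clients that talk to the realservers directly would also get their replies routed through the director, which must then forward them (hence `ip_forward=1`), and the Checkpoint firewall in between would have to let that asymmetric path through.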

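The failover mechanism the poster describes (mon detects a dead realserver, a script rewrites /etc/rinetd.conf from the node states and SIGHUPs rinetd), as an added example in Python rather than the poster's own Perl, which is not shown on the page. It assumes the health states arrive as a dict keyed by realserver IP (how mon is queried is not on the page), and that rinetd's pid is in /var/run/rinetd.pid (an assumed path; rinetd's `pidlogfile` directive writes one). Only 10.10.3.32 comes from the thread; the other addresses are constructed.

```python
"""Regenerate rinetd.conf from realserver health and reload rinetd.

Added example, not the Perl script from the post.  Assumes health states come
in as {rip: "up" | "down"} (the poster got them from mon; that query is not
shown) and that rinetd's pid is in /var/run/rinetd.pid (assumed path).  Only
10.10.3.32 is from the thread; every other address is constructed.
"""
import os
import signal
import tempfile

# Constructed sample: one listener on the forwarder's LAN-facing address that
# should reach the first healthy J2EE node.  rinetd forwards a listener to
# exactly one target, so "failover" means switching the target and reloading,
# not spreading load across nodes.
SERVICES = [
    {"bind": "10.10.1.5", "port": 8080,
     "realservers": ["10.10.3.32", "10.10.3.33"], "rport": 8080},
]

LOGFILE = "/var/log/rinetd.log"
ALLOW_FROM = "10.10.1.*"      # only the LAN clients may use the forwarder


def select_target(candidates, health):
    """First realserver reported 'up'; None when all of them are down."""
    for rip in candidates:
        if health.get(rip) == "up":
            return rip
    return None


def render_config(services, health):
    """Build the rinetd.conf text.

    One 'bindaddr bindport targetaddr targetport' line per forwarding rule.
    A global 'allow' before the first rule applies to all rules, so a
    forwarder on a multi-homed box does not become an open relay into the
    application network.  A service with no healthy realserver is left out
    entirely: clients get a refused connection instead of one that hangs on a
    dead node.
    """
    lines = [f"logfile {LOGFILE}", f"allow {ALLOW_FROM}"]
    for svc in services:
        rip = select_target(svc["realservers"], health)
        if rip is None:
            lines.append(f"# {svc['bind']}:{svc['port']}: no healthy realserver")
            continue
        lines.append(f"{svc['bind']} {svc['port']} {rip} {svc['rport']}")
    return "\n".join(lines) + "\n"


def write_config_atomically(text, path):
    """Write a temp file in the same directory, fsync it, rename over path.

    rinetd re-reads the file on SIGHUP; the rename guarantees it never parses
    a half-written one.  Mode 0600 keeps the forwarding table private.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                               prefix=".rinetd.conf.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def reload_rinetd(pidfile):
    """rinetd re-reads its configuration when it receives SIGHUP."""
    with open(pidfile) as fh:
        os.kill(int(fh.read().strip()), signal.SIGHUP)


def update(health, path="/etc/rinetd.conf", pidfile="/var/run/rinetd.pid"):
    """Rewrite and reload only when the rendered config actually changed."""
    new = render_config(SERVICES, health)
    try:
        with open(path) as fh:
            if fh.read() == new:
                return False
    except FileNotFoundError:
        pass
    write_config_atomically(new, path)
    reload_rinetd(pidfile)
    return True


if __name__ == "__main__":
    # Constructed health snapshot: the first node has just failed a mon check.
    print(render_config(SERVICES, {"10.10.3.32": "down", "10.10.3.33": "up"}))
```

Run it from the mon alert hook (or a short cron loop) with the current node states; `update()` returns False when nothing changed, so flapping checks do not cause needless SIGHUPs, and the atomic rename means a reload that races with the rewrite still sees a complete file.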