|
Hello,
I've been trying to build up my first lvs using NAT. I have followed up
closely the instructions from the LVS-Mini-HOW-TO (compile a standard 2.6.15
kernel, get an adecvate ipvsadm, run the configure script etc), but it just
doesn't work. My configuration is -two NIC two networks- and the diagram looks
like this:
# | client |
# |________|
# CIP=eth0 192.168.81.20
# |
# |
# VIP=eth1:10 192.168.81.10/24
# __________
# | |
# | director |
# |__________|
# DIP=eth0 192.168.82.10
# |
# |
# |
# -------------------
# | |
# | |
# RIP1=eth0 RIP2=eth0
# 192.168.82.30 192.168.82.40
# ______________ ______________
# | | | |
# | realserver1 | | realserver2 |
# |______________| |_____________ _|
The configure script looks like this:
#----------lvs_nat.conf------------------------------------
LVSCONF_FORMAT=1.1
LVS_TYPE=VS_NAT
INITIAL_STATE=on
CLEAR_IPVS_TABLES=yes
#
#VIP line format - device[:alias] IP netmask broadcast
#To help avoid namespace collisions with other VIPs, I set alias=last number
of VIP (here 10).
VIP=eth1:10 192.168.81.10 255.255.255.0 192.168.81.255
#
#DIP line format - device[:alias] IP network netmask broadcast
DIP=eth0 192.168.82.10 192.168.82.0 255.255.255.0 192.168.82.255
#
#DIRECTOR_GW - packets with src_addr=VIP, dst_addr=0/0 are sent to DIRECTOR_GW
#to be forwarded to the outside world.
#The script will not neccesarily set up the DIRECTOR_GW as the director's
default gw.
DIRECTOR_GW=192.168.81.20
#SERVICE line format - proto port scheduler IP|name:port[,weight]
[IP|name:port[,weight]]
#SERVICE=t ftp rr 192.168.82.30:ftp 192.168.82.40:ftp
SERVICE=t 80 rr 192.168.82.30:80,1 192.168.82.40:80,2
#SERVICE=t netpipe rr 192.168.82.30:netpipe 192.168.82.40:netpipe RS3:netpipe
RS4:netpipe
#
SERVER_NET_DEVICE=eth0
#VS-NAT real-servers do not have a VIP, i.e. there is no SERVER_VIP_DEVICE
#SERVER_VIP_DEVICE=
#SERVER_GW is not user configurable with VS-NAT. script sets SERVER_GW = DIP
#SERVER_GW=
#----------end lvs_nat.conf---------------------------------
I am able to ping from the realservers to the client, the packets go through
the director, I have no firewall on the director or realservers enabled, no
iptable security rules. I have followed Julian's step-by-step check of a L4
LVS-NAT setup and here are the results got by running tcpdump after I try a
connection on port 80 at the VIP 192.168.81.10 from the client:
--on director, eth1:10 (VIP) (192.168.81.10)
[@fedora]# tcpdump -ln -i eth1:10 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1:10, link-type EN10MB (Ethernet), capture size 96 bytes
21:47:17.464334 IP 192.168.81.20.1052 > 192.168.81.10.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:47:20.434621 IP 192.168.81.20.1052 > 192.168.81.10.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:47:26.442598 IP 192.168.81.20.1052 > 192.168.81.10.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
3 packets captured
3 packets received by filter
0 packets dropped by kernel
on director, eth0 (DIP) (192.168.82.10)
t@Fedora ~]# tcpdump -ln port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:47:17.464593 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:47:17.488393 IP 192.168.82.40.http > 192.168.81.20.1052: S
1670207386:1670207386(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
21:47:20.434682 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:47:20.436262 IP 192.168.82.40.http > 192.168.81.20.1052: S
1672560325:1672560325(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
21:47:26.442664 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:47:26.449812 IP 192.168.82.40.http > 192.168.81.20.1052: S
1677436576:1677436576(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
6 packets captured
6 packets received by filter
0 packets dropped by kernel
and on the realserver (192.168.82.30)
t@server ~]# tcpdump -ln port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:18:45.008933 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:18:45.025946 IP 192.168.82.40.http > 192.168.81.20.1052: S
1670207386:1670207386(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
21:18:47.375599 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:18:47.375612 IP 192.168.82.40.http > 192.168.81.20.1052: S
1672560325:1672560325(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
21:18:52.173898 IP 192.168.81.20.1052 > 192.168.82.40.http: S
1178659280:1178659280(0) win 64240 <mss 1460,nop,nop,sackOK>
21:18:52.183396 IP 192.168.82.40.http > 192.168.81.20.1052: S
1677436576:1677436576(0) ack 1178659281 win 5840 <mss 1460,nop,nop,sackOK>
6 packets captured
6 packets received by filter
0 packets dropped by kernel
The output from ipvsadm looks like this:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.81.10:http rr
-> 192.168.82.40:http Masq 2 0 1
-> 192.168.82.30:http Masq 1 0 0
Of course the client doesn?t get the reply from the realserver and cannot
connect. I believe the problem is in the director, because I can see SYN+ACK
transmited from the realserver, but the packet dissapears after being received
in the director eth0.
I am really stuck here, I don?t know what to do, I cannot identify the
problem, so I would really apreciate if any of you could help me.
Thanks,
Dan
---------------------------------
Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.
---------------------------------
Brings words and photos together (easily) with
PhotoMail - it's free and works with Yahoo! Mail.
|
