LVS-NAT + SNAT is it impossible?

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	LVS-NAT + SNAT is it impossible?
From:	"Paulo F. Andrade" <pfca@xxxxxxxxxxxxxxx>
Date:	Tue, 11 Jul 2006 15:54:31 +0100

Hi,

I'm currently testing some solution on load balancing servers on adifferent network than the directors.The obvious solution would be to use LVS-TUN, but I can't change theroutes on the router in the real servers network to accept packetswith source VIP. A solution to this would be to tunnel back thepackets to the director, but then I have the martian packets problem...


No wanting to path the kernel, I came up with this solution:
- put secondary addresses of type 192.168.0.xxx on the real servers.
- use LVS-NAT to balance connections to those ip addresses

- construct a two way tunnel (using iproute2) based on thedestination ip addresses


Surprisingly this works, but it's a little to complex for my liking :)

A better and simpler solution would be to use LVS-NAT and then SNATin the POSTROUTING, but according to numerous sources (LVS HOWTO,this mailling lists archive...) this is not possible because LVS-NAT'ed packets don't traverse the POSTROUTING chain.


Is it impossible to SNAT packets in an LVS-NAT setup?

PS: I also found this on the LVS HOWTO (http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_net_extending):

"Tao Zhao taozhao (at) cs (dot) nyu (dot) edu 01 May 2002 LVS-NATassumes that all servers are behind the director, so the directoronly need to change the destination IP when a request comes in andforward that to the scheduled realserver. When the reply packets gothrough the director it will change the source IP. This limits thedeployment of LVS using NAT: the director must be the outgoinggateway for all servers.I am wondering if I can change the code so that both source anddestinamtion IPs are changed in both ways. For example, CIP: clientIP; DIP: director IP; SIP: server IP (public IPs);

Client->Director->Server: address pair (CIP, DIP) is changed to (DIP,SIP)Server->Director->Client: address pair (SIP, DIP) is changed to (DIP,CIP).



Lars

Not very efficient; but this can actually already be done by usingthe port-forwarding feature AFAIK, or by a userspace applicationlevel gateway. "

How does port forwarding enables me to do this? And userspaceapplication is he talking about?


Thank you for your time and sorry for the long e-mail!

Paulo F. Andrade 52439@IST
mailto: pfca@xxxxxxxxxxxxxxx

<Prev in Thread]	Current Thread	[Next in Thread>
LVS-NAT + SNAT is it impossible?, Paulo F. Andrade <= RE: LVS-NAT + SNAT is it impossible?, Chris Newland Re: LVS-NAT + SNAT is it impossible?, Paulo F. Andrade RE: LVS-NAT + SNAT is it impossible?, Chris Newland Re: LVS-NAT + SNAT is it impossible?, Josh Marshall Re: LVS-NAT + SNAT is it impossible?, Paulo F. Andrade Re: LVS-NAT + SNAT is it impossible?, Graeme Fowler Re: LVS-NAT + SNAT is it impossible?, malcolm Re: LVS-NAT + SNAT is it impossible?, Paulo F. Andrade Re: LVS-NAT + SNAT is it impossible?, Joseph Mack NA3T

Previous by Date:	Re: invoke scheduler for every received packet, Viktor Matic
Next by Date:	RE: LVS-NAT + SNAT is it impossible?, Chris Newland
Previous by Thread:	invoke scheduler for every received packet, Viktor Matic
Next by Thread:	RE: LVS-NAT + SNAT is it impossible?, Chris Newland
Indexes:	[Date] [Thread] [Top] [All Lists]