
Re: ipvs and source nat

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ipvs and source nat
From: Dan McCormick <dan@xxxxxxxxxx>
Date: Sun, 24 Sep 2006 20:10:04 -0400
On Sun, 2006-09-24 at 16:00 -0700, Joseph Mack NA3T wrote:
> On Sun, 24 Sep 2006, Dan McCormick wrote:
> > I'm trying to use ipvs with source NAT and am not having much luck.
> 
> Horms is working on patches to make it work out of the box.
> Until then the best info we have is at
> 
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#brownfield
> 
> and
> 
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#lvs_nat_problems
> 
> sounds like that isn't what you're doing though.

Yeah, they seem to apply to the default gateway on the director, which I
don't think is an issue in my case.

> > In my case, my real servers can't use the director as the 
> > default gateway,
> 
> why not?

Because my grand plan is to migrate a web site that's already running on
a separate director from one set of IPs to another.  I'd like the web
site to be able to respond on both sets of IPs, change the DNS to point
to the new set, and not have to worry if the old IPs get cached for days
or weeks.  The old IP range is on a 100MBps connection, and the new one
is gigabit, and my ISP won't let me commingle them on a single switch.
On top of that, all my existing director machines only have two NICs, so
I can't plug the old external network, the new external network, and the
local network into a single machine.

> can you use the DIP as the next hop for packets from RIP:80?

No, because they might need to use the old IP range on a different
director.

> > so I'd like the director to rewrite 
> > packets to the real servers with the director's local IP 
> > as the source address.
> 
> you'll have your work cut out for you. Tell us why packets 
> from RIP:80 can't be sent to the DIP and we'll see if we 
> can't figure out another solution first

Ok.  Well, I was thinking I might be missing something and that it might
be done easily.  At this point, it sounds like it would be easier to
just use a separate machine as a firewall, or set up new director
machines with three NICs, so I'll pursue that route.

Thanks for the help,
Dan

