I’m hoping someone can help me out - or at least point me in the right
direction. New to LVS, and been struggling with all the various guides and
documentation.
My simple setup at home before being moved to the datacenter (assuming it
works):
(Business class DSL router)
(Linksys Firewall – Port forwarding enabled)
(Director Server 1) (Director Server 2)
(Web server 1) (Web server 2)
The Linksys handles the external IP address, with an internal of 192.168.1.1.
The two director servers have a VIP of 192.168.1.105 for eth0 which connects to
a switch also connected to the Linksys. They also have a VIP of 10.69.69.5 and
10.69.69.105 for eth1, and .5 is the default route for the web servers. The two
director servers also run Shorewall, which essentially only drops ping. (I’ve
tried with and without shorewall, same problem.)
All the heartbeat/VIP failover works flawlessly.
My ldirector.cf file is as follows:
checktimeout=10
checkinterval=2
#fallback=127.0.0.1:80
autoreload=no
logfile="/var/log/ldirectord.log"
logfile="local0"
quiescent=yes
virtual=10.69.69.105:80
        real=10.69.69.11:80 gate
        service=http
        checkport=80
        checktype=negotiate
        request="ldirector.html"
        receive="OK"
        scheduler=rr
        # persistent=600
From any machine on the 10.69.69.x network other than the servers listed
above, it works perfectly. All the connections to the web servers are balanced
and everything is happy.
The problem is, from outside (internet), I cannot get it to work. With no DNAT
rule, I simply get a connection refused.
With a DNAT rule of:
DNAT all loc:10.69.69.105 tcp 80 - 192.168.1.205
My connection times out, and ipvsadm shows the connection count increasing
under “InActConn”.
If I put a DNAT rule on shorewall to send port 80 to a real server instead of
the VIP, I’m able to access the real server’s webpage (obviously not being load
balanced though).
Am I missing something super obvious here? Is this even possible? I’ve run out
of ideas to troubleshoot this. My next step was going to try installing the
director on the real web servers, and simply do a DNAT on shorewall to a VIP
there – but I’m hoping that isn’t necessary.
Any help or insight is greatly appreciated.
Thanks