David M wrote:
Rob:
Thank you for the recommendation.
I hope that I understand you correctly. You are running pf on a
separate firewall, right (and not on the LVS-DR)? "px.py.pz.1" are
the public IPs, right?
Since we are a mostly Linux shop, I would have to try to see if I could make
this work using iptables (rather than pf). I guess that the iptables rules
for a separate firewall would look something like this:
Incoming:
iptables -t nat -A PREROUTING -d <Public IP> -i $EXT_INTERFACE -j DNAT --to-destination <VIP>
Outgoing:
iptables -t nat -A POSTROUTING -s <VIP> -o $EXT_INTERFACE -j SNAT --to-source <Public IP>
Having a separate firewall makes sense. Do you think that this is how most
people are using LVS, i.e., with a separate firewall?
David Mitchell
Right, I should have made that more clear - you understood correctly:
            |     OpenBSD     |=-->[LVS DR]=-->[Linux/MS Win Real Servers]
Tubes <---> | Pub IP   Priv IP|                            \/
            |       FW        |<---------------------------=
I run them separate because:
1) I run all OpenBSD firewalls
2) I find life is a lot easier if there are no public IP packets
running around inside the firewall,
3) I do all port redirection in one place instead of on individual machines,
4) it makes it simpler to use LVS-DR and troubleshoot any problems and
5) low director load - due to using DR.
But other people I have helped with LVS use Linux based firewalls and do the
same: a separate Linux box running the firewall. We have also had success running the
LVS director on a Xen domU (believe it or not) but that is another story.
I would say with 30+ external services, 90+ redundant services and your
requirement for proper routing from boxes with multiple VIPs, having a separate
firewall and running an unpatched plain LVS-DR will give you a system that is
easier to build/maintain/troubleshoot than trying to run the patched LVS-NAT method.
No patched kernels, same gateway for all machines and then you can verify that
things are working correctly by checking the arp tables and tcpdumps at the
firewall.
I also use LVS for some services even if I only have one machine running that
service at the moment, then I am free to move it to another machine or add more
servers if load increases. I am moving toward the idea that any/all services used
from outside the firewall all go to the LVS director(s) and nowhere else - that
seems cleaner to me.
YMMV.
Those firewall rules seem correct, but I am not an iptables expert.
If you set up a test configuration and want to do load testing on it,
check out postal: http://www.coker.com.au/postal/
(I am not sure if I mentioned it already)
BTW, I also run all Linux machines except for the firewalls which run OpenBSD
(or if forced to run a Windows box for a certain Windows only app, I have these on
LVS, too).
Having 2 or 4 boxes different out of the whole data center isn't bad, OpenBSD
is more maintenance free than anything else I have ever run (Linux, Solaris, AIX,
IRIX, etc).
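As an added example that is not part of either message above, here is the DNAT/SNAT pair David sketched, written out as a complete rule set for a separate Linux firewall in front of an LVS-DR director, with the FORWARD filtering that makes Rob's point 2 (no public-IP packets inside) actually hold. The interface names, the documentation-range addresses in MAP, the ports and the function names are all assumptions for illustration; nothing here is code from the thread or from the LVS project.

```shell
#!/bin/sh
# Added example, not code from the thread. A separate Linux firewall in
# front of an LVS-DR director: each public IP is mapped 1:1 to a VIP that
# the director (ARPing) and the real servers (non-ARPing lo alias) carry.
# Interface names, addresses and ports below are assumed placeholders.

EXT_IF=${EXT_IF:-eth0}     # public side; the public IPs are bound here
INT_IF=${INT_IF:-eth1}     # private side, where the VIP subnet is reached
IPT=${IPT:-iptables}       # set IPT=echo to print the rules instead

# Constructed mapping "public:VIP" using documentation-range addresses.
MAP="203.0.113.10:10.0.0.10 203.0.113.11:10.0.0.11"

# NAT pair for one public IP / VIP. Inbound traffic is DNATed before
# routing, so nothing inside ever sees the public address. Replies from
# the real servers (LVS-DR sends them straight to the gateway with the
# VIP as source) are reverse-translated by conntrack automatically; the
# SNAT rule is for connections the service itself originates, and it is
# the mirror image of the DNAT rule: match the VIP, rewrite to public.
nat_rules() {
    pub=$1; vip=$2
    $IPT -t nat -A PREROUTING  -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$vip"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$vip" -j SNAT --to-source "$pub"
}

# Only the listed TCP ports may open a new connection to a VIP. FORWARD's
# default policy drops everything else, so unpublished ports never reach
# the director, whatever ipvsadm happens to have configured.
forward_rules() {
    vip=$1; shift
    for port in "$@"; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$vip" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Build the whole policy: default-drop forwarding, allow established flows,
# then one NAT pair and one port list per published service.
apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for pair in $MAP; do
        pub=${pair%%:*}
        vip=${pair#*:}
        nat_rules "$pub" "$vip"
        forward_rules "$vip" 80 443
    done
}

# "APPLY=1 sh fw.sh" installs the rules (as root); "IPT=echo APPLY=1 sh fw.sh"
# only prints them for review.
case "${APPLY:-0}" in
    1) apply_rules ;;
esac
```

The public IPs must be bound on the external interface (or proxy-ARPed) so the firewall answers for them, and the VIP subnet must be routed via the inside interface; the real servers' default gateway is the firewall's private address, which is what lets conntrack see both directions of every flow. To verify, as Rob suggests, `ip neigh show dev eth1` on the firewall should list only the director's MAC for each VIP, and a `tcpdump -ni eth1 host <VIP>` should show inbound packets to the VIP and replies from it, never the public address.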