Re: SNAT Confusion

To:	Rodre Ghorashi-Zadeh <rodrico7@xxxxxxxxxxx>
Subject:	Re: SNAT Confusion
Cc:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From:	Janusz Krzysztofik <jkrzyszt@xxxxxxxxxxxx>
Date:	Tue, 20 Mar 2007 12:49:51 +0100

Rodre Ghorashi-Zadeh napisał(a):

You are right, the problem is probably related to source addressmatching VIP configured on the director.
This is what I initially thought so what I did was SNAT the sourceaddress (on the director) to be what I will refer to as a "token" IPaddress, in this case 101.101.101.101, and set the default gateway onthe realserver to be the director, thinking that when the the realserverreplies it would not now how to route to 101.101.101.101 and send itback to the director, which would have an entry in it's conntrack, andSNAT it back to the original address, which is the realserver:

Yes, it sounds reasonable, but still does not solve the problem ofdirector dropping packets with source address matching one of its ownaddresses.

realserver1 client (10.0.0.1:2777) -> director VIP (10.0.0.200:389) ->DNAT 10.0.0.200:389 to 10.0.0.1:389 and SNAT 10.0.0.1:2777 to101.101.101.101:2777 -> send packet to realserver1 service(10.0.0.1:389) -> director gateway IP 10.0.0.254 -> SNAT 10.0.0.1:389 to10.0.0.200:389 and DNAT 101.101.101.101:2777 to 10.0.0.1:2777 ->realserver1 client (10.0.0.1:2777)

To avoid confusion, I would describe this as below, using your "token"term for realserver1 SNATed IP, DMAC and RMAC1 meaning director andrealserver1 MAC addresses:


1. realserver1 client: connect from RIP1:* to DMAC:VIP:389

2. director: LVS-NAT VIP:389 to RIP1:389 and netfilter SNAT RIP1:* totoken:*, send to RMAC1:RIP1:389

3. relaserver1 service: answer from RIP1:389 to DMAC:token:* (DMACresolved as MAC address of default gateway IP in your setup)

4. director: LVS-de-NAT RIP1:389 to VIP:389 and netfilter de-SNATtoken:* to RIP1:8, send to RMAC1:RIP1:*


In theory this should work, no?

In theory, yes, but I can not see any way to do it on LVS director,neither with Julian's conntrack patch (POSTROUTING nat not traversed, sonetfilter SNAT not working), nor my patch (works only for LVS-DR method).

Assuming you keep using LVS-NAT method, you could try to set upnetfilter SNAT of RIP1:*->VIP:389 to token:*->VIP:389 on the realserveritself and teach the director where to find "token" (solution 3 from myprevoius message). It sholud work without any IPVS patches.


Janusz

<Prev in Thread]	Current Thread	[Next in Thread>
Re: SNAT Confusion, (continued) Re: SNAT Confusion, Joseph Mack NA3T Re: SNAT Confusion, Rodre Ghorashi-Zadeh Re: SNAT Confusion, Joseph Mack NA3T Re: SNAT Confusion, Rodre Ghorashi-Zadeh Re: SNAT Confusion, Joseph Mack NA3T Re: SNAT Confusion, Rodre Ghorashi-Zadeh Re: SNAT Confusion, Joseph Mack NA3T Re: SNAT Confusion, Janusz Krzysztofik Re: SNAT Confusion, Janusz Krzysztofik Re: SNAT Confusion, Rodre Ghorashi-Zadeh Re: SNAT Confusion, Janusz Krzysztofik <= Re: SNAT Confusion, Rodre Ghorashi-Zadeh Re: SNAT Confusion, Janusz Krzysztofik

Previous by Date:	LVS-Tun with Windows 2003 server. No way to make it work with IP Tunelling ?, Arief Setiawan
Next by Date:	Re: LVS-Tun with Windows 2003 server. No way to make it work with IP Tunelling ?, Joseph Mack NA3T
Previous by Thread:	Re: SNAT Confusion, Rodre Ghorashi-Zadeh
Next by Thread:	Re: SNAT Confusion, Rodre Ghorashi-Zadeh
Indexes:	[Date] [Thread] [Top] [All Lists]