
Re: SNAT Confusion

To: Rodre Ghorashi-Zadeh <rodrico7@xxxxxxxxxxx>
Subject: Re: SNAT Confusion
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Janusz Krzysztofik <jkrzyszt@xxxxxxxxxxxx>
Date: Wed, 21 Mar 2007 13:00:28 +0100
Rodre Ghorashi-Zadeh wrote:
> I am using LVS-DR and not LVS-NAT.

So what did you mean saying:
>>> realserver1 client (10.0.0.1:2777) -> director VIP (10.0.0.200:389)
>>> -> DNAT 10.0.0.200:389 to 10.0.0.1:389 ...
I assumed this "DNAT" is LVS-NAT. If it is netfilter DNAT, it happens in the nat PREROUTING hook, so how would your packets be processed by the LVS INPUT hook, which expects the VIP as destination address? Please give more details on your setup if there are any not mentioned yet, or think it over again.

> I tried this with your SNAT patch in place but it wasn't working, even though I could see the packets being SNAT-ed to the "token" ip address, both in the iptables counters and with tcpdump.

Could you see replies as well? If you see them on the director coming in and not leaving it, we have already suggested they could be dropped because their source address (VIP) matches one of the director's own addresses. Could you please confirm or deny whether this is still true in your setup?

> Also, I tried SNAT-ing the initial request from the realserver to a "token" ip address and used routing on the director in LVS-DR mode to send the replies back to the client/realserver (your recommendation #3) but this didn't work for me either.

Please be more specific. Trace your packets and describe what you can see and where they disappear.

> Could you explain this setup a little better?


Using unmodified LVS-NAT:

1. realserver1 client: connect from RIP1:* to DMAC:VIP:389, SNAT RIP1:* to token:* before sending

2. director: LVS-NAT VIP:389 to RIP1:389, send to RMAC1:RIP1:389

3. realserver1 service: accept, answer from RIP1:389 to DMAC:token:*

4. director: LVS-de-NAT RIP1:389 to VIP:389, send to RMAC1:token:*

5. realserver1 client: de-SNAT token:* to RIP1:*, accept.


Using unmodified LVS-DR:

1. realserver1 client: connect from RIP1:* to DMAC:VIP:389, but SNAT RIP1:* to token:* before sending (requirement: no VIP on the realserver)

2. director: LVS-DR send to RMAC1:VIP:389

3. realserver1 service: DNAT VIP:389 to RIP1:389, accept, answer from RIP1:389 to DMAC:token:*, de-DNAT RIP1:389 to VIP:389 before sending

4. director (or another router): route to RMAC1:token:*

5. realserver1 client: de-SNAT token:* to RIP1:*, accept.


Janusz
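The five LVS-DR steps Janusz lists above, as an added runnable model that is not code from this thread: a conntrack-style NAT table on realserver1 records each SNAT/DNAT so the reply can be reversed, and the director rewrites only the destination MAC. The addresses and MAC labels are constructed; the drop in step 4 models the earlier suggestion that a reply sourced from the VIP is discarded by a router that owns that address (later Linux kernels expose net.ipv4.conf.*.accept_local to relax this).

```python
from dataclasses import dataclass, replace

# Constructed addresses; the thread names VIP, RIP1 and "token" only by role.
VIP, RIP1, TOKEN = "10.0.0.200", "10.0.0.1", "10.0.0.250"
DMAC, RMAC1 = "director-mac", "realserver1-mac"


@dataclass(frozen=True)
class Pkt:
    dmac: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """conntrack-style NAT: remember each translation so the reply can be reversed."""

    def __init__(self):
        self.reverse = {}  # expected reply 4-tuple -> original 4-tuple

    def translate(self, p, src=None, dst=None):
        q = replace(p, src=src or p.src, dst=dst or p.dst)
        self.reverse[(q.dst, q.dport, q.src, q.sport)] = (p.src, p.sport, p.dst, p.dport)
        return q

    def untranslate(self, p):
        orig = self.reverse.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return p  # no mapping for this reply: pass it untouched
        osrc, osport, odst, odport = orig
        return replace(p, src=odst, sport=odport, dst=osrc, dport=osport)


def forward(p, router_owns_vip):
    """Director (router_owns_vip=True) or another router (False) handling one packet."""
    if p.dst == VIP and p.dport == 389:
        return replace(p, dmac=RMAC1)                       # step 2: LVS-DR, MAC rewrite only
    if router_owns_vip and p.src == VIP:
        return None                                         # reply from a local address: dropped
    return replace(p, dmac=RMAC1) if p.dst == TOKEN else p  # step 4: route token -> realserver1


def run_flow(router_owns_vip=True):
    """Walk the LVS-DR steps; return the reply as realserver1's client sees it, or None."""
    nat = NatTable()                                        # one conntrack table on realserver1
    p = nat.translate(Pkt(DMAC, RIP1, 2777, VIP, 389), src=TOKEN)  # step 1: SNAT RIP1 -> token
    p = forward(p, router_owns_vip)                         # step 2
    p = nat.translate(p, dst=RIP1)                          # step 3: DNAT VIP:389 -> RIP1:389
    reply = nat.untranslate(Pkt(DMAC, p.dst, p.dport, p.src, p.sport))  # service answers, de-DNAT
    reply = forward(reply, router_owns_vip)                 # step 4
    return None if reply is None else nat.untranslate(reply)  # step 5: de-SNAT token -> RIP1
```

With the director itself routing the reply (the default), the model returns None at step 4; with a router that does not own the VIP, the client receives the answer from VIP:389 to RIP1:2777.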
