Hmm, without the rule I don't see any SNAT happening. Could it be my use
of bonding?
Our servers have 3 networks: 2 public networks on bond0 (bond0.200 and
bond0.202), where 200 is public and 202 is private, and 1 public on
bond1 (bond1.201). We are receiving on bond1.201, so I put the VIP on
bond1.201:0. I'll recheck my routing. It's possible it was using a
default route and thus was being routed out of the bond0 interface rather
than the bond1 interface.
-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Graeme
Fowler
Sent: Tuesday, April 17, 2007 12:31 PM
To: LinuxVirtualServer.org users mailing list.
Subject: RE: SNAT / Masquerading problems using LVS-NAT
On Tue, 2007-04-17 at 06:53 -0500, Rudd, Michael wrote:
> Not a problem LOL. I understand you guys are busy. Graeme Fowler was
> asking some questions yesterday.
>
> At any rate, as I was telling him, I also switched to trying to use LVS-DR
> as well. The problem I'm running into there is I set up an iptables
> rule to do the SNAT for me on the realserver. Shown below:
> iptables -t nat -A POSTROUTING -p udp --source-port 53 -o bond1.201 -j SNAT --to-source 192.168.67.213:53
Hrm.
You shouldn't need the SNAT rule with LVS-DR (that's the point of DR,
after all!).
The VIP should be bound to a real device (ie not loopback) on the
director; to loopback on the realserver; BIND should be listening on the
VIP (and probably not on the realserver's RIP).
That way, query responses will be sent from the interface to which BIND
is, erm, bound. If you see what I mean.
I don't recall *ever* having to use SNAT to mangle outgoing packets
using DR.
Graeme
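The LVS-DR layout Graeme describes (VIP on a real device on the director, VIP on loopback on the realserver, BIND listening on the VIP so replies already carry the VIP as source), written out as an added example. This is not code from the thread or from the LVS project. Assumptions: the VIP is 192.168.67.213 (the only address the thread shows, taken from the --to-source of the SNAT rule), the director's public device is bond1.201, and the two realserver RIPs 192.168.67.220/.221 are invented for illustration. The script prints the commands by default (DRY_RUN=1) so it can be read without root or bonded interfaces; DRY_RUN=0 executes them on the box you run it on.

```shell
#!/bin/sh
# Added example: LVS-DR for a UDP/53 service, no SNAT on the realserver.
# Addresses and device names below are assumptions, not from the thread
# (except the VIP, which appears in the posted SNAT rule).
VIP=192.168.67.213
DIR_DEV=bond1.201          # director: VIP must sit on a real device, not lo
RS_RIP=192.168.67.220      # assumed realserver addresses
RS_RIP2=192.168.67.221

# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director side: bind the VIP to the public device and define the UDP/53
# virtual service with gatewaying (-g), i.e. direct routing. Each argument
# is a realserver RIP; the director only rewrites the MAC, never the IP.
director_setup() {
    run ip addr add "$VIP/32" dev "$DIR_DEV"
    run ipvsadm -A -u "$VIP:53" -s rr
    for rip in "$@"; do
        run ipvsadm -a -u "$VIP:53" -r "$rip:53" -g
    done
}

# Realserver side: VIP on loopback, and ARP tuning so the realserver never
# answers ARP for the VIP (only the director may, or clients bypass LVS).
realserver_setup() {
    run ip addr add "$VIP/32" dev lo
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
}

# named.conf options for the realserver: listen on the VIP only. Replies to
# queries that arrived for the VIP then leave with the VIP as source, which
# is what the posted POSTROUTING SNAT rule was trying to force by hand.
named_listen_options() {
    cat <<EOF
options {
    listen-on port 53 { $VIP; };
    listen-on-v6 { none; };
};
EOF
}

# Checks on the realserver: what BIND is actually bound to, and which
# device a reply to a given client would leave through (the routing
# question raised above; the client address is a placeholder argument).
realserver_checks() {
    client=${1:-198.51.100.10}
    run ss -ulnp 'sport = :53'
    run ip -4 route get "$client" from "$VIP"
}

echo '# director'
director_setup "$RS_RIP" "$RS_RIP2"
echo '# realserver'
realserver_setup
named_listen_options
realserver_checks
```

If `ss -ulnp` shows BIND bound to the RIP or to 0.0.0.0 rather than the VIP, fix named.conf before touching iptables; the SNAT rule only papers over a wrong listen address, and the `ip route get` output tells you whether the reply would leave via the intended device or a default route on another bond.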