RE: SNAT / Masquerading problems using LVS-NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: SNAT / Masquerading problems using LVS-NAT
From: "Rudd, Michael" <Michael.Rudd@xxxxxxxxxxx>
Date: Thu, 26 Apr 2007 08:33:37 -0500
Follow-up after some testing.

First off, yeah, I found out the application doing the DNS queries is
bound to 0.0.0.0/53. So it's pretty much choosing whatever interface it
wants to go out from. Probably why the SNAT isn't working from the
realserver for LVS-DR. I may see if I can get this working because I
ultimately want to use LVS-DR someday.

As for LVS-NAT, I had the idea to do the SNAT for LVS since it's not
working because of the OPS patch I need. So I implemented an iptables rule
that whenever it receives a source port of 53, it SNATs it to the VIP:53
and sends it out. This should pick up all traffic coming back from my
realservers. I tried this and it works. So this is an acceptable
workaround for me right now.

I'll post when I get the LVS-DR testing done and verify it is SNATing
when I have it configured correctly and bound to the correct interface. 

Thanks for the help guys.
Mike 

-----Original Message-----
From: lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx
[mailto:lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Graeme
Fowler
Sent: Wednesday, April 18, 2007 8:46 AM
To: LinuxVirtualServer.org users mailing list.
Subject: RE: SNAT / Masquerading problems using LVS-NAT

On Wed, 2007-04-18 at 07:01 -0500, Rudd, Michael wrote:
> My setup is 2 bonds: 1 with 2 vlans, 1 with 1 vlan
> Bond0.200 (public)
> Bond0.202 (private)
> Bond1.201 (public and vlan DNS traffic is used on)
> 
> So I send my DNS query to my VIP on my directors. It gets routed to a
> realserver which I've attached the vip to bond1.201:0. According to
> others I've talked to I shouldn't need an iptables rule but I still
> don't see the packet out with the source ip address of the VIP. I see
> the packet with the source IP of the actual realserver. It's possible
> it is a routing issue though so I plan on digging deeper on that
> today.
> 
> Should I need an iptables rule at all for LVS-DR? 

Nope.

Dumb question: you haven't configured BIND to send responses from the
RIP, have you (by allowing it to bind to interfaces as it sees fit)?
Also, have you solved the ARP problem for LVS-DR? You don't want your
realservers ARPing the VIP, especially as you have it bound to a "real"
interface rather than loopback.

I have a sneaking feeling here that the application itself is the
problem, not LVS.

Graeme

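The director-side workaround Mike describes above (rewrite anything leaving with source port 53 to VIP:53), written out as an added example that is not from the thread or the LVS project. The VIP, the realserver subnet and the public interface name are constructed placeholders (override them via environment variables); the added `-o` and `-s` matches are an assumption on my part, there to keep the rule from rewriting unrelated traffic that merely happens to use source port 53. With DRY_RUN=1 (the default) it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example: build the POSTROUTING SNAT rules for DNS replies passing
# back through an LVS-NAT director. Not the thread's or the LVS project's code.
VIP="${VIP:-192.0.2.53}"           # constructed placeholder: the service VIP
RS_NET="${RS_NET:-10.0.202.0/24}"  # constructed placeholder: realserver (private) subnet
PUB_IF="${PUB_IF:-bond0.200}"      # assumption: director's public-facing interface
DRY_RUN="${DRY_RUN:-1}"            # 1 = print rules only, 0 = apply them

# Emit one rule per protocol (DNS uses both UDP and TCP). Matching the
# outgoing interface and the realserver source network limits the rewrite
# to replies from the realservers, instead of every packet with sport 53.
snat_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -p %s --sport 53 -j SNAT --to-source %s:53\n' \
            "$PUB_IF" "$RS_NET" "$proto" "$VIP"
    done
}

# Number of rules the generator produces (used by the caller to sanity-check).
snat_rule_count() {
    snat_rules | grep -c -- '-j SNAT'
}

# Print the rules, or apply them and show what landed in the nat table.
apply_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        snat_rules
    else
        snat_rules | sh -e
        iptables -t nat -S POSTROUTING | grep -- '--sport 53'
    fi
}

apply_rules
```

To verify on a live director, `iptables -t nat -S POSTROUTING` should list both rules, and a capture on the public interface (`tcpdump -ni bond0.200 udp src port 53`) should show replies leaving with the VIP, not a RIP, as their source address. If the realserver subnet differs per VLAN, add one `-s` rule per subnet rather than dropping the match.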