Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp)
From:	Joseph Mack NA3T <jmack@xxxxxxxx>
Date:	Tue, 22 May 2007 11:22:06 -0700 (PDT)

On Tue, 22 May 2007, Shaun Mccullagh wrote:

KL is in location A, RS1 in location B and RS2 in location C.


KL == client?, keepalived?

All these locations are geographically separate and all systems have
public IPs.

for production, for security, you don't want the anyone toaccess the realservers directly - use private IPs.

The problem is both Real Servers are running Windows 2003 Server.
Windows 2003 does not support IPIP encapsulation, Win2k used to.

However both Windows servers sit behind Linux Firewalls which do support
IPIP. So wondered if I could use the firewalls to decapsulate the IPIP
datagrams and the forward them to the RS.

I don't know how to do it, but Linux is supposed to be ableto do this sort of thing. You're going to have to find aniptables master. Maybe someone on this list knows, butotherwise, you might have to join another mailing list forthe answer. After decapsulation on the firewall, you'll havea packet with dest_addr==VIP in local_in and you'll have toforward it to the output chain.

I've succeeded in getting one tunnel operational. The KL healthchecker
is successfully executing a simple TCP check on Port 80 of RS1 every 20
seconds.

The problem is the Linux firewall will not forward browser client
requests to RS1.

Tcpdump shows the requests are being delivered to tun0 on the firewall
connected to RS1:

14:50:42.225285 IP 10.200.0.1 > 10.200.0.2: IP 62.100.54.4.1174 >
62.100.52.101.http: S 126909974:126909974(0) win 65535 <mss
1260,nop,nop,sackOK> (ipip-proto-4)

Note that 62.100.52.101 is the KL VIP, 10.200.0.2 is the firewall tunnel
address, 10.200.0.1 is the KL tunnel address. I've added an IPTABLES
rule to DNAT all traffic sent to 10.200.0.2:20 to RS1 (10.1.40.10), this
works for the KL TCP check, but not for browser requests.


RS1 will need the VIP with the service listening on the VIP,

the firewall will need a route to the VIP (which is on RS1)

the firewall will need a rule on the firewall to forwardpackets with dest_addr=VIP to the output chain.

RS1 will reply to the client directly (presumably throughthe firewall, but the reply packet should traverse thefirewall untouched by any rules).


Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

<Prev in Thread]	Current Thread	[Next in Thread>
load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Joseph Mack NA3T Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp), Shaun Mccullagh Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp), Joseph Mack NA3T <= Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Joseph Mack NA3T Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Dr. Volker Jaenisch Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Dr. Volker Jaenisch Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Gerry Reno Re: load balancing using keepalived, Dr. Volker Jaenisch

Previous by Date:	RE: SNAT / Masquerading problems using LVS-NAT, Rudd, Michael
Next by Date:	Anouncement: ipvsman/d Version 0.9.2-9 released, Dr. Volker Jaenisch
Previous by Thread:	Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp), Shaun Mccullagh
Next by Thread:	Re: load balancing using keepalived, Gerry Reno
Indexes:	[Date] [Thread] [Top] [All Lists]