[lvs-users] LVS-NAT simple (?) setup not working in mysterious way?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] LVS-NAT simple (?) setup not working in mysterious way?
From: Steve Wray <steve.wray@xxxxxxxxx>
Date: Thu, 20 Sep 2007 12:33:45 +1200
Hi there,
I've spent the last few days reading and re-reading LVS documentation, doing network traces etc and trying to figure out what is going wrong here.

I am trying to set up a simple 2-network LVS-NAT to a webserver.

So far as I can tell all of my config is by the book.

I've stripped it down to one DIP, one RIP.

In the end there is intended to be two directors with failover so the config shows the virtual IP of the interior interface of the director (eth1). This is used as the default route on the realserver.

I'll attach the tcpdumps I've obtained from the RIP, DIP and CIP as well as my config files. The interfaces file is from the director.

In the case of the /etc/network/interfaces, this is where I've been setting up the masquerading. Note that I've tried this with and without iptables masquerading on the director. I've tried various forms of masquerading, making it tighter or looser (eg so that outgoing port 80 does not get masqueraded or ensuring that the masqueraded connection appears as from the VIP).

Without masquerading the realserver cannot see the outside world.

Its not clear to me whether or not this aspect of masquerading is intended to be taken care of by LVS itself. I am guessing not as most of the LVS-NAT documentation I've found does indicate configuring iptables rules for masquerading.

With masquerading the realserver can access the outside world just fine.

The symptom is that 'telnet VIP 80' followed by a 'GET /' appears to produce no content even though the tcpdump appears to show traffic coming from VIP to CIP.

The same telnet from the director to the RIP does get content.

I've been trying various combinations of configurations; its not entirely clear whether I need to use any iptables masquerading rules on the director. I've tried with and without and the results have been the same.

This appears to be such a simple setup that there has to be something very basic that I'm missing...

Looking at the cip.dump in wireshark I have to say that it does look very very odd. I'm can't say that I fully understand it though.

Any advice appreciated.


logfacility        local0
bcast        eth0                # Linux
mcast eth0 694 1 0
auto_failback off
node        eztki-web-lb1
node        eztki-web-lb2
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

auto eth1
iface eth1 inet static
  up iptables -t nat -A POSTROUTING -j SNAT -s -o eth0 
  down iptables -t nat -D POSTROUTING -j SNAT -s -o eth0 


        fallback= masq
        real= masq
        real= masq
        receive="Test Page"

eztki-web-lb1        \ \
        LVSSyncDaemonSwap::master \
        IPaddr2:: \

<Prev in Thread] Current Thread [Next in Thread>