Hi
On Wed, 2008-02-06 at 01:06 -0800, andreas2008 wrote:
> I am al little bit confused about what will be the best for me. As I've
> learned, when using LVS-NAT all the traffic will be routed back via the
> director.
That's right.
> In fact, I do not want the real server to have a public IP.
The realservers either:
1. Have an internally private (set of) IP address(es) and send all
traffic back through the director - LVS-NAT. This does not necessarily
mean that they're unreachable from the public Internet, since it's quite
possible to do NAT with public but protected address space.
2. Have whatever addressing scheme you want, but have the VIP (which is
by definition "public", since clients have to access it - although the
clients could be in private space too.... confused?) bound to a local
interface (maybe loopback, maybe tun, maybe real) so they can handle
requests made to the VIP - LVS-TUN and LVS-DR.
If you want to keep the realservers completely private, put them in a
block taken from RFC1918 space (10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16) and make sure that when they have to initiate
connections to the outside world - for example, for system updates -
that they have a valid path doing SNAT for them somewhere.
Using LVS-NAT you simply have the VIP on the director, and the director
then DNATs connections on the way in to route them to the realservers'
private addresses. Return traffic goes back via the director, is
un-NATted, and sent back to the client.
Using LVS-DR you have the VIP on the director and then you need some way
of handling the traffic destined to the VIP when it arrives at the
realservers. The easiest and most commonly documented way of doing this
is to create a loopback alias interface and put the VIP on it with a /32
(255.255.255.255) netmask. Then, when a connection is initiated by a
client, the realserver responds directly (ie. does not have to traverse
the director on the way out) to the client using the VIP address. This
does *not* necessarily mean that clients can reach the realservers
directly, but it does mean the reverse is possible.
> Imagine the following configuration:
>
> director has a public IP, the VIP is within the same subnet. The real
> servers should have private IP. So I guess, the only solution is LVS-NAT. Am
> I right? Or is it possible to use LVS-DR with only private IPs on the real
> servers a route via the director?
It isn't possible (within reason) to use -DR where there is no VIP on
the realserver. This is because the applications running on the
realserver really need to know which IP address they're listening to,
and which they need to respond from.
However, you can still use private addressing with -DR as long as the
public VIP is on a loopback adapter.
Does that make sense?
Graeme
|