[lvs-users] LVS SNAT problem.

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] LVS SNAT problem.
From: Andy Ashley <lists@xxxxxxxxxxxx>
Date: Tue, 26 Feb 2008 13:34:51 +0000

Hi,

I need a bit of help for an LVS setup:

I have the following setup: (hope this ASCII comes out OK..)

--

[CLIENT IP] (10.78.35.163)
     |
     |
     |
############
# Internet #
############
     |
     |
     |
     |(Internet uplink)
     |
-----------
|           |10.91.234.1/24
| Layer 3   |------------------eth0-[LOAD BALANCER] LVS/Heartbeat/ldirectord
| Switch    |                         (management ip: 10.91.243.4/24 : DFGW: 10.91.234.1)
|           |                         (VIP: 10.91.243.10/24)
-----------
     |(10.19.48.1/22)
     |
     |
     |
     eth0 (10.19.51.250/22)
[FIREWALL]
     eth1 (10.19.60.225/29)
     |
     |
     |
[SWITCH ] (layer 2 only)
     |   |___________
     |                          |
[SERVER1]            [SERVER2]
(10.19.60.230/29)  (10.19.60.231/29)
(DFGW: 10.19.60.225)


Notes: - .19 and .91 isn't a typo
       - The load balancer has one interface, router-on-a-stick style, with a /24 assigned to it
       - All IP addresses in this network are real, not RFC 1918. I have changed the first octet to 10. so it's not immediately obvious what network it is, but these are in fact real (internet routable) IPs. No private addresses are used in the setup.
       - The layer 3 switch knows about the networks on its interfaces as they are directly connected.
---

I have the following set up using ipvsadm:

# ipvsadm -A -t 10.91.243.10:80 -s rr
# ipvsadm -a -t 10.91.243.10:80 -r 10.19.60.230:80 -m
# ipvsadm -a -t 10.91.243.10:80 -r 10.19.60.231:80 -m

I also have the following SNAT rule to change the source address of packets leaving the load balancer, destined for the web servers, to 10.91.243.4, which is the load balancer IP that it chooses to route packets from (as it's lowest, I think..)

# iptables -A POSTROUTING -t nat -o eth0 -s 0/0 -d 10.19.60.224/29 -j SNAT --to-source 10.91.243.4

-- 

Problem:

Packets come in from the client IP to the VIP. The load balancer then sends out packets correctly to the two web server IPs.
The packets arrive at the web servers with the source address of the client IP (i.e. they are not being SNAT'ted for some reason..)

The replies then go back via the usual default gateway, over the Internet, bypassing the load balancer, and hence the client sees this as a new TCP session and the web page never gets displayed in the client web browser.

So, it all looks good in theory and the packets get load balanced and routed in correctly, but the SNAT seems to be the issue.

Questions:

1. Why are the packets leaving eth0 on the load balancer not being SNAT'ted to appear as if they are coming from the load balancer, not the client IP?

2. Also, is this design actually ever going to work, or is there something inherently wrong/impossible with it? :-)


Thanks very much for any input..

Andy.
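
A small audit of the return-path condition that LVS-NAT depends on: replies from every Masq real server must come back through the director, either because the director is the real server's default gateway or because the director's SNAT rule covers the real server. This is an added example, not code from the post or from the LVS project; it parses constructed samples in the formats of `ipvsadm -Ln` and `iptables -t nat -S POSTROUTING` built from the commands above, and the gateway table and director addresses are assumptions read off the diagram.

```python
import ipaddress
import re
# Constructed sample in the format of `ipvsadm -Ln`, mirroring the post's ipvsadm commands.
IPVSADM_LN = """\
TCP  10.91.243.10:80 rr
  -> 10.19.60.230:80              Masq    1      0          0
  -> 10.19.60.231:80              Masq    1      0          0
"""
# Constructed sample in the format of `iptables -t nat -S POSTROUTING`, mirroring the post's SNAT rule.
NAT_RULES = "-A POSTROUTING -d 10.19.60.224/29 -o eth0 -j SNAT --to-source 10.91.243.4\n"
# Assumed from the diagram: each real server's default gateway, and the director's own addresses.
REAL_SERVER_GW = {"10.19.60.230": "10.19.60.225", "10.19.60.231": "10.19.60.225"}
DIRECTOR_ADDRS = {"10.91.243.4", "10.91.243.10"}

def parse_ipvs(text):
    """Map each VIP to its real servers as (rip, forward_mode) from `ipvsadm -Ln` output."""
    services, vip = {}, None
    for line in text.splitlines():
        svc = re.match(r"^(?:TCP|UDP)\s+(\S+):\d+\s+\S+", line)
        if svc:
            vip = svc.group(1)
            services[vip] = []
        real = re.match(r"^\s*->\s+(\S+):\d+\s+(\S+)", line)
        if real and vip is not None:
            services[vip].append((real.group(1), real.group(2)))
    return services

def snat_rules(text):
    # [(destination network, --to-source address)] for each SNAT rule in `iptables -t nat -S` output
    found = re.findall(r"-d (\S+) .*-j SNAT --to-source (\S+)", text)
    return [(ipaddress.ip_network(dst, strict=False), src) for dst, src in found]

def audit(ipvs_text, nat_text, gateways, director_addrs):
    """Per Masq real server, classify how its replies are meant to get back to the director."""
    rules, report = snat_rules(nat_text), {}
    for reals in parse_ipvs(ipvs_text).values():
        for rip, mode in reals:
            if mode != "Masq":
                continue  # DR/TUN real servers answer clients directly; no return-path requirement
            if gateways.get(rip) in director_addrs:
                report[rip] = "ok: director is the default gateway"
                continue
            sources = {src for net, src in rules if ipaddress.ip_address(rip) in net}
            if not sources:
                report[rip] = "broken: gateway %s bypasses the director and no SNAT covers it" % gateways.get(rip)
            elif not sources <= director_addrs:
                report[rip] = "broken: SNAT source %s is not a director address" % ",".join(sorted(sources))
            else:
                report[rip] = "relies on SNAT to %s for the return path" % sorted(sources)[0]
    return report
```

Run against the post's configuration it reports that both real servers rely entirely on the SNAT rule, since their default gateway is the firewall rather than the director; with no covering rule it reports the return path as broken.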

