Re: [lvs-users] LVS SNAT problem.

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS SNAT problem.
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Tue, 26 Feb 2008 15:04:04 +0000
On Tue, 2008-02-26 at 14:44 +0000, Andy Ashley wrote:
> The realservers are using the inside interface of their firewall as the 
> default gateway. The firewall then has the L3 switch as its default 
> gateway.

Right. I made a hash of my previous reply since I missed the -NAT (-m)
option on your setup.

> I can assign the ip to lo without issue. However,

If you're using LVS-NAT you don't need to. However...

> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/all/hidden
> -bash: /proc/sys/net/ipv4/conf/all/hidden: No such file or directory
> 
> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
> -bash: /proc/sys/net/ipv4/conf/lo/hidden: No such file or directory
> 
> Distro is Gentoo Linux, kernel  2.6.23-r8

Yah, yah, cut'n'paste from the web pages... that's the 2.4 method. On
2.6.x you need:

/proc/sys/net/ipv4/conf/all/arp_ignore
/proc/sys/net/ipv4/conf/lo/arp_ignore

> At present, the packets are being forwarded to the realservers with the 
> client ip as the source ip.

Yes, this is the normal way of doing things.

> The realservers are actually responding directly to the client ip.

Indeed they will do. Their default gateway is, as you mention:

> The realservers are using the inside interface of their firewall as the 
> default gateway. The firewall then has the L3 switch as its default 
> gateway.

And therein lies the problem. For LVS-NAT to work the replies MUST
traverse the director on the way out to be un-NATted.

In this case I would simplify things for yourself - making the responses
go back via the director requires an infrastructure change; you know the
SNAT approach doesn't work already.

Switch to LVS-DR - put the VIP on the realservers, forget SNAT and have
the realservers respond directly. Problem solved.

Joe, did I get this one right?

Graeme
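Added example, not from the thread or the LVS project: a small POSIX sh helper that checks which ARP-suppression knobs the running kernel offers (the 2.4-era "hidden" flag versus 2.6 arp_ignore) and emits the settings an LVS-DR realserver needs before the VIP is added to lo. The PROC_ROOT argument is a hypothetical parameter so the check can be run against a fake tree; arp_announce=2 is included alongside arp_ignore=1 since the two are normally set together for LVS-DR, although the thread only names arp_ignore.

```shell
#!/bin/sh
# Added example (not from the thread): choose the right ARP-hiding knobs
# for an LVS-DR realserver. The first argument (PROC_ROOT, hypothetical)
# defaults to /proc; a fake directory tree can be passed for testing.

# Print "2.6" if arp_ignore exists, "2.4" if only hidden exists, else "none".
arp_method() {
    root="${1:-/proc}"
    if [ -e "$root/sys/net/ipv4/conf/all/arp_ignore" ]; then
        echo 2.6
    elif [ -e "$root/sys/net/ipv4/conf/all/hidden" ]; then
        echo 2.4
    else
        echo none
    fi
}

# Emit the shell commands that stop the realserver answering ARP for the
# VIP on lo (arp_ignore=1) and advertising it as a source (arp_announce=2).
# On a 2.4 kernel the single "hidden" flag covers both.
dr_realserver_sysctls() {
    root="${1:-/proc}"
    case "$(arp_method "$root")" in
        2.6)
            for iface in all lo; do
                echo "echo 1 > $root/sys/net/ipv4/conf/$iface/arp_ignore"
                echo "echo 2 > $root/sys/net/ipv4/conf/$iface/arp_announce"
            done ;;
        2.4)
            for iface in all lo; do
                echo "echo 1 > $root/sys/net/ipv4/conf/$iface/hidden"
            done ;;
        *)
            echo "no ARP suppression knobs found under $root" >&2
            return 1 ;;
    esac
}

# Apply the settings on the real /proc (needs root), then put the VIP on lo
# as a /32 so the realserver accepts traffic for it without ARPing for it.
apply_dr_realserver() {
    vip="$1"
    dr_realserver_sysctls | sh || return 1
    if [ -n "$vip" ]; then
        ip addr add "$vip/32" dev lo
    fi
}
```

Run `dr_realserver_sysctls` first to review what would be written, then `apply_dr_realserver 192.0.2.10` (constructed VIP) as root on each realserver.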