On Mon, 24 Nov 2008, Eli Ben-Shoshan wrote:
> I am trying to not have to have a public IP on the realserver.
apart from the VIP?
For the LVS you should set up with private IPs on the RIP
network. If you need public IPs on the realservers for some
other reason (ruining security) then these public IPs are
independent of the LVS.
> My problem is that I can get the realserver to reply back
> to the client.
For an LVS to work, there must be no way that the client can
send packets directly to the realserver. With Lars' method
the router has a host route to the VIP on the outside of the
director. The various ways of handling the arp problem all
result in the realservers not replying to arp requests
broadcast by the router.
> I know the director is getting packets to the realserver
> but I can't get the realserver to reply back to the
> client.
this contradicts the first sentence in the paragraph.
> Is there an example somewhere that is similar to mine? I
> think my director is set up correctly. My problem is with the
> realserver.
for Lars' method you do nothing to the realserver, you
reconfigure the router.
> When the realserver arps for the gateway's mac address, it
> does not get a response. The reason for this is that the
> realserver's IP address is not on the same network as the
> gateway.
for routing to work, the router must have an IP in the
network of the node using it as a router.
> The realserver's IP address is 192.168.74.81 and
> the IP of the gateway is 128.227.74.126.
hmm. Is 128.x.x.x in the same network as the VIP?
> Here is the relevant section of the
> tcpdump:
>
> 16:00:52.119149 arp who-has 128.227.74.126 tell 192.168.74.81
Well dang. I haven't set up Lars' method, and it looked so
simple and obvious at the time, I didn't think through any
of these details, or ask him how he'd got it to work.
Presumably it wasn't a major sweat or he would have told us
about it.
I assume from here you're going to have to do one of these
o Put an address 192.168.74.0/24 on the router and use this
address as the default gw (acceptable). Remember that the
outbound packets from the realserver come from the VIP not
the RIP. You only need this address on the router to allow
you to have a default route from the realserver.
o put an address in the 128.227.74.0/24 network on the
realserver (bad from the point of view of security)
o put a host route on the realserver to the router
(acceptable). You seem to be able to do this across
networks.
71.111.216.83 is the IP on the outside of my home router.
Here's a node inside the network, with a private IP
dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
dennis: # route add -host 71.111.216.83 eth0
dennis: # route del default gw 192.168.1.254
dennis: # route add default gw 71.111.216.83
dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
71.111.216.83   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         71.111.216.83   0.0.0.0         UG    0      0        0 eth0
dennis: # ping 71.111.216.83
PING 71.111.216.83 (71.111.216.83): 56 octets data
64 octets from 71.111.216.83: icmp_seq=0 ttl=64 time=1.2 ms
64 octets from 71.111.216.83: icmp_seq=1 ttl=64 time=0.8 ms
The only remaining question is how did Lars do it?
I'd suggest the last method would be the best, since you
won't have to rely on the routing people to maintain this
part of the configuration.
> After talking to my network people, they tell me that this
> is explicitly not allowed by their current configs.
Well yes :-)
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
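The failure Eli's tcpdump line shows (a realserver ARPing for a gateway that is not in its own subnet) and the host-route fix Joe demonstrates on "dennis" can be checked mechanically. The following is an added example, not code from this thread or from the LVS project: it parses "arp who-has" lines as tcpdump prints them, flags requests whose target lies outside the sender's subnet, and emits the same three route commands Joe typed. The realserver's netmask is never stated in the thread, so the /24 used here, the second (healthy) tcpdump line, and the eth0 interface name are assumptions.

```python
"""Added example (not from the LVS-users thread): detect a realserver
asking ARP for an off-subnet gateway, and print the host-route fix."""
import ipaddress
import re

# Constructed sample: the first line is the tcpdump line quoted in the
# post; the second is a made-up on-subnet request for comparison.
SAMPLE_TCPDUMP = """\
16:00:52.119149 arp who-has 128.227.74.126 tell 192.168.74.81
16:00:53.201337 arp who-has 192.168.74.1 tell 192.168.74.81
"""

# tcpdump prints ARP requests as "arp who-has <target> tell <sender>"
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")


def parse_arp_requests(text):
    """Return (target, sender) pairs for every 'arp who-has' line."""
    return [(m.group(1), m.group(2)) for m in ARP_RE.finditer(text)]


def gateway_on_link(iface_cidr, gateway):
    """True when the gateway falls inside the interface's own subnet,
    i.e. the kernel will ARP for it without a host route."""
    net = ipaddress.ip_interface(iface_cidr).network
    return ipaddress.ip_address(gateway) in net


def offsubnet_arp(text, iface_cidr):
    """ARP requests sent from inside iface_cidr for a target outside it.
    Such a request never gets an answer unless the router carries a
    secondary address in that subnet (Joe's first option)."""
    net = ipaddress.ip_interface(iface_cidr).network
    hits = []
    for target, sender in parse_arp_requests(text):
        if (ipaddress.ip_address(sender) in net
                and ipaddress.ip_address(target) not in net):
            hits.append((target, sender))
    return hits


def host_route_commands(gateway, old_gateway=None, iface="eth0"):
    """Joe's third option: a /32 host route on the realserver makes the
    router reachable on-link, then the default route can point at it.
    Same commands as the 'dennis' transcript; iface is an assumption."""
    cmds = [f"route add -host {gateway} {iface}"]
    if old_gateway:
        cmds.append(f"route del default gw {old_gateway}")
    cmds.append(f"route add default gw {gateway}")
    return cmds


def diagnose(text, iface_cidr, iface="eth0"):
    """Run the check over a tcpdump capture and return the fix, or None."""
    hits = offsubnet_arp(text, iface_cidr)
    if not hits:
        return None
    gateway = hits[0][0]
    return host_route_commands(gateway, iface=iface)


if __name__ == "__main__":
    # Eli's realserver, netmask assumed /24
    for cmd in diagnose(SAMPLE_TCPDUMP, "192.168.74.81/24") or []:
        print(cmd)
```

On a current kernel the equivalent of the host route plus default route is `ip route add default via <gateway> dev eth0 onlink`; the `onlink` flag tells the kernel to ARP for the gateway on that interface even though it is not in the interface's subnet. Either way the realserver's network people only see ARP traffic for the gateway, and the VIP still leaves as the source address of the replies, as Joe notes.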