Re: [lvs-users] Problems implementing "Lars' Method"

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Problems implementing "Lars' Method"
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Mon, 24 Nov 2008 19:08:29 -0800 (PST)
On Mon, 24 Nov 2008, Eli Ben-Shoshan wrote:

> I am trying to not have to have a public IP on the realserver.

apart from the VIP?

For the LVS you should setup with private IPs on the RIP 
network. If you need public IPs on the realservers for some 
other reason (ruining security) then these public IPs are 
independent of the LVS.

> My problem is that I can get the realserver to reply back 
> to the client.

For an LVS to work, there must be no way that the client can 
send packets directly to the realserver. With Lars' method 
the router has a host route to the VIP on the outside of the 
director. The various ways of handling the arp problem all 
result in the realservers not replying to arp requests 
broadcast by the router.

> I know the director is getting packets to the realserver 
> but I can't get the realserver to reply back to the 
> client.

this contradicts the first sentence in the paragraph.

> Is there an example somewhere that is similar to mine? I 
> think my director is setup correct. My problem is with the 
> realserver.

for Lars' method you do nothing to the realserver, you 
reconfigure the router.

> When the realserver arps for the gateway's mac address, it 
> does not get a response. The reason for this is that the 
> realserver's IP address is not on the same network as the 
> gateway.

for routing to work, the router must have an IP in the 
network of the node using it as a router.

> The realserver's IP address is and
> the IP of the gateway is

hmm. Is 128.x.x.x in the same network as the VIP?

> Here is the relevant section of the
> tcpdump:
> 16:00:52.119149 arp who-has tell

Well dang. I haven't setup Lars' method, and it looked so 
simple and obvious at the time, I didn't think through any 
of these details, or ask him how he'd got it to work. 
Presumably it wasn't a major sweat or he would have told us 
about it.

I assume from here you're going to have to do one of these

o Put an address on the router and use this 
address as the default gw (acceptable). Remember that the 
outbound packets from the realserver come from the VIP not 
the RIP. You only need this address on the router to allow 
you to have a default route from the realserver.

o put an address in the network on the 
realserver (bad from the point of view of security)

o put a host route on the realserver to the router 
(acceptable). You seem to be able to do this across 
networks. is the IP on the outside of my home router.

Here's a node inside the network, with a private IP

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U     0      0        0 eth0
                                                U     0      0        0 lo
                                                UG    0      0        0 eth0

dennis: # route add -host eth0
dennis: # route del default gw
dennis: # route add default gw

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UH    0      0        0 eth0
                                                U     0      0        0 eth0
                                                U     0      0        0 lo
                                                UG    0      0        0 eth0

dennis: # ping
PING ( 56 octets data
64 octets from icmp_seq=0 ttl=64 time=1.2 ms
64 octets from icmp_seq=1 ttl=64 time=0.8 ms

The only remaining question is how did Lars do it?

I'd suggest the last method would be the best, since you 
won't have to rely on the routing people to maintain this 
part of the configuration.

> After talking to my network people, they tell me that this 
> is explicitly not allowed by their current configs.

Well yes :-)


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!
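An added example, not part of the post above or of the LVS project, that models why the "host route to the router" trick in the message works. The Linux kernel will only use a route "via GW" if GW itself is covered by a connected (gateway-less) route on the same device, because that is what lets it ARP for GW; `route add -host GW eth0` supplies exactly that when the router's address is on a foreign subnet, so the realserver keeps nothing but its private RIP. All addresses below are constructed (RFC 5737 documentation ranges) and the helper names are my own; none of it comes from the original thread.

```python
"""
Model of Linux next-hop resolution for a realserver that only has a
private IP and a router whose address is on a different network.
Constructed addresses; not from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: private RIP network, and a router whose address is NOT on it.
RIP_NET = ipaddress.ip_network("10.0.0.0/24")
ROUTER = ipaddress.ip_address("192.0.2.1")
CLIENT = "198.51.100.7"  # some client out on the Internet


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    dev: str


class NoRoute(Exception):
    pass


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table, as the kernel's FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    if best is None:
        raise NoRoute(f"no route to {addr}")
    return best


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (address the kernel will ARP for, device it will send on).

    A 'via GW' route is usable only if GW is covered by a connected
    (gateway-less) route on the same device; otherwise there is no way to
    put a link-layer destination on the frame. 'route add -host GW eth0'
    adds such a connected /32 route for an off-subnet GW.
    """
    r = lookup(table, dst)
    if r.gateway is None:
        return (str(ipaddress.ip_address(dst)), r.dev)
    for c in table:
        if c.gateway is None and r.gateway in c.dst and c.dev == r.dev:
            return (str(r.gateway), r.dev)
    raise NoRoute(f"gateway {r.gateway} is not reachable on {r.dev}")


def realserver_table(with_host_route: bool) -> List[Route]:
    """Routing table of a realserver that has only its private RIP.

    with_host_route=False: a default route via ROUTER with no way to reach
    ROUTER (the poster's situation).
    with_host_route=True:  after 'route add -host ROUTER eth0' (the 'UH'
    line in the post) followed by 'route add default gw ROUTER'.
    """
    table = [
        Route(RIP_NET, None, "eth0"),                               # U   eth0
        Route(ipaddress.ip_network("127.0.0.0/8"), None, "lo"),     # U   lo
        Route(ipaddress.ip_network("0.0.0.0/0"), ROUTER, "eth0"),   # UG  eth0
    ]
    if with_host_route:
        table.insert(0, Route(ipaddress.ip_network(f"{ROUTER}/32"), None, "eth0"))  # UH eth0
    return table


def resolve_default(with_host_route: bool) -> Optional[Tuple[str, str]]:
    """Next hop for a packet to an Internet client; None = unroutable."""
    try:
        return next_hop(realserver_table(with_host_route), CLIENT)
    except NoRoute:
        return None


if __name__ == "__main__":
    print("without host route:", resolve_default(False))  # None
    print("with host route:   ", resolve_default(True))   # ('192.0.2.1', 'eth0')
    # A host on the RIP network is still reached directly, not via the router.
    print("same subnet:       ", next_hop(realserver_table(True), "10.0.0.9"))
```

The same thing is done with iproute2 as `ip route add 192.0.2.1/32 dev eth0` followed by `ip route add default via 192.0.2.1 dev eth0` (or in one step with the `onlink` flag on the default route). Either way the realserver never carries a public address, which is the point of the "acceptable" options in the message; the router still has to accept frames from a source it considers off-subnet, which is the part the poster's network people have disallowed.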
