On Mon, 23 Mar 2009, Joseph Mack NA3T wrote:
> you shouldn't be able to do this (at least on a well setup
> machine). The only connection between the client and the
> realservers is through the LVS-NAT. A ping packet shouldn't
> be able to get to the realservers from the client.
>
> Is the only route to the client from the realservers through
> the director?

No, all I configured was a route from the real servers to the client
going through the director.

I'm not sure how to force that behavior, either, without creating a
VLAN with no default route to the outside world. When pinging the
real servers from the client, our routers are quite happy to route the
packets directly to the real servers. I don't control the network
here, so that's not an option -- and, incidentally, as I don't intend
to use LVS-NAT in production, I think it'd be kind of
counterproductive to jump through those kinds of hoops to get this
working.

That said, I'm not sure why packet routing from the client to the real
servers should matter; in the test I was doing, I was requesting the
VIP from the client; the director passed the request on to a real
server; and the real server routes its replies through the director.
At no time during that test should the client _try_ to communicate
directly with the real server, so I'm not sure why that matters.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users