
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.
From: Vincent Young <nard@xxxxxxx>
Date: Wed, 14 Oct 2009 12:44:47 -0400
On 2009-10-14, at 10:40 AM, Joseph Mack NA3T wrote:

> On Wed, 14 Oct 2009, Vincent Young wrote:
>
>> Linode is a VPS hosting company using Xen virtual servers, and I'm
>> being hosted with them at the moment.
>
> there are minor wrinkles running LVS under Xen. Look at the
> HOWTO.

Will do this next. Thanks.


>
>>>> So I decided to use LVS-TUN.
>>
>> Linode has the option of deploying your environment in 4 datacenters,
>> and I figured it would be good to be able to have the flexibility to
>> connect outside my datacenter when the need should arise.
>
> make sure you understand the consequences of a packet with
> src_addr=VIP from one datacenter emerging from another
> datacenter. It appears to be a spoofed packet.
>
Yep, I'll reread the docs regarding this when I do this.

>> I'll give that a try, but the documentation I was reading on my
>> Linode said that my Linode only has one virtual ethernet interface
>> - eth0, so that is why I needed to assign my private IP as an alias
>> on that interface.
>
> iproute2 handles this.

gotcha.

>
>>>> director: cannot ping realserver
>>>
>>> you need to fix this. I assume this is your problem.
>>
>> ping stops working once I added the tunl0 device to my realserver
>> with the following command:
>> /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255 broadcast 97.107.133.234
>
> ping to the RIP (has to work) or to the VIP (won't work)?

Director pinging to the RIP on eth0 does not work. Would it be because
the netmask 255.255.255.255 of the tunl0 is interfering with the RIP
on eth0, which uses a mask of 255.255.255.0?
ifconfig on the real server:

eth0      Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
           inet addr:97.107.130.68  Bcast:97.107.130.255  Mask:255.255.255.0
           inet6 addr: fe80::fcfd:61ff:fe6b:8244/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:15772 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1603668 (1.5 MiB)  TX bytes:325301 (317.6 KiB)

eth0:0    Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
           inet addr:192.168.134.109  Bcast:192.168.255.255  Mask:255.255.128.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:10 errors:0 dropped:0 overruns:0 frame:0
           TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:586 (586.0 b)  TX bytes:586 (586.0 b)

tunl0     Link encap:IPIP Tunnel  HWaddr
           inet addr:97.107.133.234  Mask:255.255.255.255
           UP RUNNING NOARP  MTU:1480  Metric:1
           RX packets:59 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:2832 (2.7 KiB)  TX bytes:0 (0.0 b)



Because of that, I tried to get the director to ping the RIP on eth0:0
192.168.134.109, and it works, and I can telnet to the realserver on
port 80. So next I did the following on the director:
# /sbin/ipvsadm -C
# /sbin/ipvsadm -A -t 97.107.133.234:80 -s rr
# /sbin/ipvsadm -a -t 97.107.133.234:80 -r 192.168.134.109 -i -w 1

So now, on the client, when I telnet 97.107.133.234:80, it still isn't
able to get anything. When I do tcpdump on the realserver to listen
for the VIP I get the following:
# /usr/sbin/tcpdump -nn host 97.107.133.234
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:42:46.785041 IP 97.107.133.234.80 > 97.107.128.100.18233: S 4199097079:4199097079(0) ack 4011139591 win 5840 <mss 1460>


But I no longer get the martian source logged. But nothing appears in
my http logs.




>
>>
>>
>> Before I added that, I'm able to ping the real server from the
>> director no problem. Is there something I should be doing to get it
>> to work?
>>
>>
>>>
>>>> or telnet port 80 into realserver eth0 public ip.
>>>
>>> this test doesn't tell you anything if you can't ping the
>>> realserver. After you can ping the realserver, you still
>>> won't be able to connect to the realserver:VIP:80. Do you
>>> understand why?
>>
>> Which is why I used a different client to do my tests. Is the reason
>> because I'll just be connecting locally, and not actually go through
>> the VIP?
>
> yes
>
>>> if so, turn off blocking martians.
>>
>> Is this controlled at the router level?
>
> on the machine that's seeing the martian.
>
>> or on the realserver? I'm on a
>> VPS, and don't have access to the physical machines themselves or the
>> hardware like routers.
>
> a common problem when setting up LVS. If you're doing it all
> in a single Xen, then you'll be routing within the Xen too.
>
> Joe
> -- 
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
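
Added example, not part of the original message or of the LVS project: a shell check for the martian handling discussed in this thread, showing how Linux combines the conf.all and per-interface values of rp_filter and log_martians on the realserver's tunnel interface. The sysctl output is constructed sample data for a hypothetical realserver; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sysctl output from a hypothetical LVS-TUN realserver (not from the thread).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.tunl0.log_martians = 1'

# get_conf SCOPE KEY DATA -> value of net.ipv4.conf.SCOPE.KEY, or 0 if not present
get_conf() {
    printf '%s\n' "$3" | awk -v k="net.ipv4.conf.$1.$2" '
        $1 == k && $2 == "=" { v = $3 }
        END { print (v == "" ? 0 : v) }'
}

# Source validation on an interface uses max(conf.all, conf.IFACE).
effective_rp_filter() {
    a=$(get_conf all rp_filter "$2"); i=$(get_conf "$1" rp_filter "$2")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Martians are logged if either conf.all or conf.IFACE enables log_martians.
effective_log_martians() {
    a=$(get_conf all log_martians "$2"); i=$(get_conf "$1" log_martians "$2")
    if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
}

# audit_tunnel IFACE DATA -> one-line verdict for the given interface
audit_tunnel() {
    rp=$(effective_rp_filter "$1" "$2"); lm=$(effective_log_martians "$1" "$2")
    case "$rp" in
        0) verdict="no source validation" ;;
        1) verdict="strict: client-sourced packets on $1 fail the reverse-path check" ;;
        2) verdict="loose: accepted if any route to the source exists" ;;
        *) verdict="unknown rp_filter value" ;;
    esac
    echo "$1 rp_filter=$rp log_martians=$lm ($verdict)"
}

audit_tunnel tunl0 "$SAMPLE_SYSCTL"
audit_tunnel eth0 "$SAMPLE_SYSCTL"
```

In the sample, setting tunl0 to 0 has no effect because conf.all is still 1, so decapsulated packets arriving on tunl0 remain subject to strict checking. On a live host, pass "$(sysctl -a 2>/dev/null)" as the second argument instead of the sample.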

