Hi Timothy,
I've been watching this post to see if you get any replies; I too
recently had issues trying LVS-TUN in Amazon AWS. I was using an
IPsec VPN from home to my VPC, attempting to load balance servers
across this link. Later, as a sanity check, I tried against my
own (Proxmox) hosted server (in a local DC) using an OpenVPN link, which
I also couldn't get to work, although it works in the LAN with Linux
boxes as my routers when I try to simulate the network layout without
VPNs.
Other pressures eventually pulled me away from this task, but I had
planned to go back to it at a later date, so on seeing your post I've
been eagerly awaiting any replies you might get.
I have nothing to really offer at this stage as a resolution but
wanted to give the topic a bump at least, however, if I learn anything
on my next round of testing I'll share it.
From my troubleshooting I think I proved that the traffic got as far
as the tunnel adapter on the real server but seemed to get lost on the
return path. I believe it's only the part between director and real
server that uses a tunnel, with replies going directly back to the
client like DR mode, so I was assuming (maybe incorrectly) that
something was dropping them on the path back.
Aaron West
Loadbalancer.org
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
aaron@xxxxxxxxxxxxxxxx
On 14 July 2017 at 16:13, Timothy R. Weiand <timothy.weiand@xxxxxxxxx> wrote:
> I am building a DR-TUN configuration to load balance DNS traffic. My issue
> is with the real servers: the ipip packet gets unwrapped and appears on the
> tunnel interface and becomes a martian. Also, I have not been able to
> determine how to bind to the tunnel interface to capture these packets. I
> have verified details with tcpdump/dmesg. All my configuration is scripted
> to ensure reproducibility. tcpdumps below do not show real DNS traffic;
> using netcat to send text.
>
> Much more detail can be supplied, please request it.
>
> Configuration:
> ==============
>
> - All machines are currently Debian 9 (4.9.30-2+deb9u2)
> - Client: 192.168.200.10
> - Director: 192.168.200.11
> - Real Server: 192.168.200.12
> - No VIP: I am using the IP address for my director interface -
>   192.168.200.11
>
> Director Configuration:
> =======================
>
> vagrant@debian-9-lb:~$ sudo ipvsadm -Ln
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> UDP  192.168.200.11:53 rr
>   -> 192.168.200.12:53            Tunnel  1      0          0
>
> Real Server:
> ============
>
> # modprobe ipip
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> # ip tunnel add tunl1 mode ipip ttl 32 local 192.168.200.12 remote 192.168.200.11
> # ip link set tunl1 up arp off
> # echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> # echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
> # echo 2 > /proc/sys/net/ipv4/conf/tunl0/rp_filter
> # echo 2 > /proc/sys/net/ipv4/conf/tunl1/rp_filter
>
> vagrant@debian-9-dns:~$ sudo tcpdump -e -n -s 0 -i tunl1 -vv
> tcpdump: listening on tunl1, link-type RAW (Raw IP), capture size 262144 bytes
> 10:16:13.919646 ip: (tos 0x0, ttl 64, id 63545, offset 0, flags [DF], proto UDP (17), length 40)
>     192.168.200.10.51149 > 192.168.200.11.53: [udp sum ok] 26226 updateMA+ [b2&3=0x6f6d] [27753a] [11619q] [25966n] [29706au][|domain]
>
> If I add an IP address to the interface the packet never reaches tunl1
>
> # ip addr add 192.168.200.11/24 brd 192.168.200.11 dev tunl1
>
> Notes:
> ======
>
> LVS-DR was not an option because the real servers will be in different
> subnets (I was able to get LVS-DR working though).
>
> I am looking for advice on how to better understand or resolve this issue.
> Or, who would be better to answer this question.
>
> I have grokked as many articles on how to set up this configuration as I can.
> And, I have read a good deal of the archives of this mailing list.
>
> Linux distributions I have tried are Debian, Ubuntu and Amazon Linux. This
> has been tested on both AWS and VMware Fusion.
>
> ------
>
> I have a feeling I am missing something simple...
>
> Thanks!
>
> -Timothy
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
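To make the two kernel decisions behind the "martian" symptom concrete, here is an added Python simulation (not code from either poster) of reverse-path filtering and the local-delivery check for the decapsulated query seen on tunl1 above. The real server's route table and address set are constructed to mirror the lab addresses in the thread, and the rp_filter modes follow the kernel's documented semantics (0 off, 1 strict, 2 loose).

```python
"""Added simulation of what a Linux real server does with a packet that
ipip has just decapsulated onto tunl1: reverse-path filtering first, then
the local-delivery decision. Routes and addresses are constructed to mirror
the lab in the thread (client .10, director/VIP .11, real server .12)."""
import ipaddress

# Constructed FIB for the real server: (prefix, interface the route uses).
ROUTES = [
    ("192.168.200.0/24", "eth0"),  # connected subnet on eth0
    ("0.0.0.0/0", "eth0"),         # default route
]

def best_route_iface(dst, routes=ROUTES):
    """Longest-prefix match, the way a FIB lookup picks the egress interface."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def rp_filter_passes(src, in_iface, mode, routes=ROUTES):
    """rp_filter: 0 = off, 1 = strict (reverse route must use the ingress
    interface), 2 = loose (any route back to the source is enough)."""
    reverse_iface = best_route_iface(src, routes)
    if mode == 0:
        return True
    if mode == 1:
        return reverse_iface == in_iface
    return reverse_iface is not None

def deliver(src, dst, in_iface, rp_mode, local_addrs, routes=ROUTES):
    """Outcome for one decapsulated packet seen on in_iface."""
    if not rp_filter_passes(src, in_iface, rp_mode, routes):
        return "dropped: martian source (rp_filter)"
    if dst in local_addrs:
        return "local delivery"  # handed to the DNS daemon listening on the VIP
    # ip_forward=1 and dst is not local: routed out again instead of answered
    return "forwarded via " + best_route_iface(dst, routes)

def thread_scenarios():
    """The query from the tcpdump above: 192.168.200.10 -> 192.168.200.11:53 on tunl1."""
    src, vip, rs = "192.168.200.10", "192.168.200.11", "192.168.200.12"
    return {
        "strict_no_vip": deliver(src, vip, "tunl1", 1, {rs}),
        "loose_no_vip": deliver(src, vip, "tunl1", 2, {rs}),
        "loose_vip_local": deliver(src, vip, "tunl1", 2, {rs, vip}),
    }
```

With loose rp_filter and no local VIP the query is not dropped but routed back out eth0 rather than handed to the resolver; it only reaches the daemon once the VIP is a local address on the real server, which is why the LVS-Tun real-server recipe adds the VIP as a /32 on the tunnel device.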