On Fri, 7 Jul 2006, Joseph Mack NA3T wrote:
On Thu, 6 Jul 2006, David Lang wrote:
I have been digging in the list archives for the last hour without finding
the answer, so I'm asking directly.
in 2001 this post
http://archive.linuxvirtualserver.org/html/lvs-users/2001-01/msg00322.html
I just reread this post. I don't understand why all the firewalls are where
they are (are they just there and you have to fit in with the pre-existing
system, or is this optimal for a setup whose purpose I don't understand). As
well the poster doesn't seem to understand the packet flow of LVS (or I don't
understand his posting). With this as input to the mailing list, he's
guaranteed an answer of "no".
I'm not finding it in the several hundred posts that I've read that Google
found for me in the list archives. Could someone point out where to find
the information? (This would be a good addition to the wiki for the
examples page as well.)
How about a description of your system and an explanation of why the
firewalls aren't transparent,
The firewalls are transparent, they are just packet filters (think iptables
firewalls). There is no NAT taking place anywhere.
the issue I don't think you are understanding is that we aren't trying to load
balance the servers behind the firewalls, we are trying to load balance the
firewalls themselves
so you have

                 Internet
             |                |
          switch--------------switch
             |                |
      load balancer      load balancer
             |                |
          switch--------------switch
             |                |
         firewall          firewall
             |                |
          switch--------------switch
             |                |
      load balancer      load balancer
             |                |
          switch--------------switch
         | | | | | |      | | | | |
                 servers
The servers themselves are NOT load balanced (at least for the purposes of these
discussions; any load balancing that they have is done by separate equipment).
the outside load balancers need to make a decision on which firewall to send the
traffic through
the packets are sent through that firewall, and then go to the load balancer on
the inside which routes them to the server, the server responds and the outbound
traffic hits the inside load balancer, it needs to send the response packets
back to the same firewall that the inbound packets came through or the firewall
will reject them
does this clarify things?
I had thought that the original post that I referenced described the problem
fairly well, which is why I didn't go through everything again in my post.
David Lang
P.S. count this as a vote against having a subscribers-only list. I almost
decided it wasn't worth it and didn't subscribe to send this message. the
last thing I need is yet another mailing list filling my inbox when I just
need a simple answer
Subscribing to a mailing list for what you hope is a simple answer to a
simple question is a real pain indeed. However if you've searched several
hundred postings and not found an answer, you can only conclude that the
problem is trivial or hasn't been solved. You should be prepared for a
complicated answer. You say what you don't want, but you don't give us any
information about what would work for you. We're happy to help, but we can't
do anything with a statement like this.
given that the response to the later post was a simple 'yes we can do it, search
the archives' I expected the response to be a simple 'here it is' or something
like that.
Joe
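A worked illustration of the return-path constraint David describes above (the inside balancer must send replies through the same firewall the request came through). This is example code added here, not code from the thread or from LVS itself; the firewall names and addresses are constructed, and the idea shown is that a flow hash which is symmetric in the two endpoints lets both balancers agree without sharing state, while hashing only the source address makes them disagree.

```python
import hashlib
import ipaddress
from typing import List, Tuple

# Constructed topology: the two firewalls in the sandwich, named fw1 and fw2.
FIREWALLS: List[str] = ["fw1", "fw2"]


def _bucket(data: bytes, n: int) -> int:
    """Map a byte string to a firewall index in [0, n) via a stable digest."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:8], "big") % n


def symmetric_flow_key(src_ip: str, src_port: int,
                       dst_ip: str, dst_port: int, proto: int) -> bytes:
    """Sort the two endpoints so a packet and its reply yield the same key."""
    a: Tuple[int, int] = (int(ipaddress.ip_address(src_ip)), src_port)
    b: Tuple[int, int] = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted([a, b])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_firewall_symmetric(src_ip: str, src_port: int, dst_ip: str,
                            dst_port: int, proto: int = 6,
                            firewalls: List[str] = FIREWALLS) -> str:
    """Firewall chosen by either balancer from the packet alone, no shared state."""
    key = symmetric_flow_key(src_ip, src_port, dst_ip, dst_port, proto)
    return firewalls[_bucket(key, len(firewalls))]


def pick_firewall_source_only(src_ip: str, src_port: int, dst_ip: str,
                              dst_port: int, proto: int = 6,
                              firewalls: List[str] = FIREWALLS) -> str:
    """A scheduler that hashes only the source address. The outside balancer
    sees the client as source, the inside balancer sees the server, so the
    two directions can land on different firewalls (here: parity of the IP)."""
    return firewalls[int(ipaddress.ip_address(src_ip)) % len(firewalls)]


def return_path_matches(chooser, client: str, cport: int,
                        server: str, sport: int) -> bool:
    """True if the inbound packet (client->server) and its reply
    (server->client) are steered through the same firewall."""
    inbound = chooser(client, cport, server, sport)    # outside balancer
    outbound = chooser(server, sport, client, cport)   # inside balancer
    return inbound == outbound


if __name__ == "__main__":
    # Constructed flow: client 198.51.100.7 (odd address) to server 192.0.2.10 (even).
    for chooser in (pick_firewall_source_only, pick_firewall_symmetric):
        print(chooser.__name__, return_path_matches(chooser, "198.51.100.7", 51515, "192.0.2.10", 443))
```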