LVS-NAT with public address space

Roberto Nibali ratz at drugphish.ch
Tue Jul 20 05:37:24 BST 2004


Hello,

> I am having problems with LVS-NAT and iptables running on the same 
> director. For some reason iptables rules that do static NAT for traffic 
> originating from a real server quit working after some time.

Could you be a little more specific on "quit working after some time", 
please? I'm referring to (but not exclusively): kernel version, iptables 
version, your rules, your setup, dmesg, tcpdump traces on both director 
interfaces for one connection attempt, ...

> One thought that came to mind is to give real servers real ip address 
> space. This would eliminate the need to NAT connections originating from 
> the real servers, instead just plain routing is needed on the director.

Correct.

> One problem remains that now I need a floating address on both sides of 

Apologies for my ignorance but what is a "floating address"? Do you mean 
a routeable/public address/IP?

> the director, the original floating address used by the real servers as 
> default gateway and a floating address on the external side of the 
> director to route traffic for the real server network to. How can I do 
> this?

You don't need routeable IP addresses inside the LVS collision domain 
(read: the physical network consisting of the LVS' internal interface 
and all connected RSs), you can overlay as many public address spaces on 
top of a private one as you want. Plus keep in mind that for LVS-DR the 
director is not the DGW anymore.

This is a preferred solution anyway, as you can do locally based health 
checks over a private network but route "real" traffic over a virtual 
routeable network which is overlaid. It's a matter of setting up your 
FIB correctly on the director and the RS.

Best regards,
Roberto Nibali, ratz
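As an added example (not code from Roberto's post, the original poster, or the LVS project), the following sh script sets up the FIB he describes: a private /24 on the director's inside interface used only for health checks, and a public /24 overlaid on the same physical network and simply routed, so no iptables NAT for RS-originated traffic is needed. Since the setup is LVS-NAT, the real servers keep the director as default gateway. All interface names, the 192.168.1.0/24 private network, the 203.0.113.0/24 public overlay and the 198.51.100.10 VIP are assumptions for illustration (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example, not code from the original post or from LVS itself.
# Overlay a public /24 on top of the private LVS-NAT inside network and set
# up the FIB on director and real server (RS): health checks travel over the
# private addresses, client traffic is NATed to the RS public addresses and
# the RS keep the director as default gateway (required for LVS-NAT so the
# replies come back through the director to be un-NATed).
#
# All addresses and interface names below are assumptions for illustration;
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.

PREFIX=24
DIR_PRIV_INT=192.168.1.1    # director, inside, private (health checks only)
DIR_PUB_INT=203.0.113.1     # director, inside, public overlay (RS gateway)
VIP=198.51.100.10           # virtual IP on the director's outside interface
DIR_IN_IF=eth1
DIR_OUT_IF=eth0
RS_IF=eth0
SVC_PORT=80

# DRY_RUN=1 (default) prints each command instead of executing it so the
# configuration can be reviewed on any host; DRY_RUN=0 as root applies it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Director FIB: both address spaces sit on the single inside interface. The
# public /24 is plainly routed, so no iptables SNAT/DNAT rule is needed for
# connections that originate from a real server.
director_fib() {
    run ip addr add "$DIR_PRIV_INT/$PREFIX" dev "$DIR_IN_IF"
    run ip addr add "$DIR_PUB_INT/$PREFIX" dev "$DIR_IN_IF"
    run ip addr add "$VIP/32" dev "$DIR_OUT_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

# Director IPVS table: the service lives on the VIP, the real servers are
# entered by their public overlay address with -m (masquerading = LVS-NAT).
# Usage: director_ipvs <rs_pub> [<rs_pub> ...]
director_ipvs() {
    run ipvsadm -A -t "$VIP:$SVC_PORT" -s wlc
    for rs_pub in "$@"; do
        run ipvsadm -a -t "$VIP:$SVC_PORT" -r "$rs_pub:$SVC_PORT" -m
    done
}

# Real server FIB: private and public address on the same NIC, default
# route via the director's public inside address. (For LVS-DR this default
# route would not point at the director, as the post notes.)
# Usage: realserver_fib <rs_priv> <rs_pub>
realserver_fib() {
    run ip addr add "$1/$PREFIX" dev "$RS_IF"
    run ip addr add "$2/$PREFIX" dev "$RS_IF"
    run ip route replace default via "$DIR_PUB_INT" dev "$RS_IF"
}

# Health check from the director over the private network only; the public
# overlay is reserved for client traffic. Returns nc's exit status.
# Usage: check_rs <rs_priv>
check_rs() {
    run nc -z -w 2 "$1" "$SVC_PORT"
}

# Entry point; with no argument the script only defines the functions.
case "${1:-}" in
    director)   director_fib; director_ipvs 203.0.113.10 203.0.113.11 ;;
    realserver) realserver_fib "$2" "$3" ;;
    check)      check_rs "$2" ;;
esac
```

Review the generated commands with `sh overlay.sh director` (dry run is the default), then apply with `DRY_RUN=0 sh overlay.sh director` on the director and `DRY_RUN=0 sh overlay.sh realserver 192.168.1.10 203.0.113.10` on each RS. Whatever drives the health checks (ldirectord, keepalived, a cron job calling `check_rs`) targets the private RS address, while the ipvsadm entries use the public one.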

