Interesting Setup?

Jacco van Koll jko at
Sat Aug 6 22:27:34 BST 2005

Joe, Thanks for the explanation :-)

Joseph Mack NA3T wrote:

>> Hello all,
>> I have 3 boxes, which are all connected to the public network, but 
>> also to a private segment.
> be careful, not all ascii art survived e-mail.
> Make it 40 char or so wide and don't mix
> blanks and tabs.

I will remember that for the future :-)

>> The connections between the loadbalancer and the real servers is done 
>> by a vlan part on a switch, with addresses.
>> I would like to have the following setup:
>> 1. All webtraffic (http/https) must be handled by the loadbalancer 2. 
>> All ssh traffic must be performed directly to the real servers 3. 
>> Optional, i must have the possibility for handling certain protocols 
>> by the real servers, like DNS, or, if there is the need, by the 
>> loadbalancer. (like pop3 for example)
>> Whenever i add the default route on the real servers to the 
>> gateway, nothting happens when connecting to the 
>> loadbalancer port 80. When i change the default route to the private 
>> ip on the loadbalancer, it works, but the real servers cannot be 
>> connected trough ssh.
> points:
> o an LVS is usually operated as if it were one machine.
> The realservers are on private IPs and are not accessable
> by the clients. This makes it easy to keep the realservers
> secure. You can make the realservers routable if you like,
> but you must understand the security implications.
I do certainly understand the security implications of hanging the 
realservers to the 'hot' network. All machines are hardenend and 
therefor they may be accessible from the internet directly. Reason for 
loadbalancing is that this customer is having a couple of serious 
customers, who demand 'guaranteed' availability, eg, they have a huge 
demand and this must be spread over 2 systems....

> o you need the iproute2 tools. Concepts like a default
> gw are only used on leaf nodes where they have one IP
> and all packets come in and out through a single gateway.
> In your setup on the realservers
> all packets from RIP to the RIP network are routed locally.
> tcp packets from RIP:ssh to 0/0:0 are routed to the 82.x.x.x machine
> tcp and udp packets from RIP:dns to 0/0:0 are routed to the 82.x.x.x 
> machine
> tcp and udp packets from VIP:dns are routed to the DIP
> tcp packets from VIP:http and VIP:https are routed to the DIP
> other packets are not routed (they can't go anywhere),
> ie you do not have a default route.
> For examples on how to route by port, look at

Ah! Missed that probably :-) Thank you for the link my friend!

> Don't expect this to be real easy ;-)

Who said that building an advanced infrastructure should be an easy job? 
A lot of RTFM and trying makes the world go round, right?

> Joe


J. van Koll

More information about the lvs-users mailing list