How to NAT The FTP-DATA Connection?

Joseph Mack NA3T jmack at wm7d.net
Sat Dec 23 06:56:00 GMT 2006


On Fri, 22 Dec 2006, Robinson, Eric wrote:

>> the RIPs then must be public IPs?
>
> No. The configuration looks basically as follows. This is a
> simplification. The real configuration has 2 corporate firewalls
> (active/passive cluster), 2 load-balancers (active/passive cluster), and
> 2 FTP servers. But I'm no good at creating ASCII network drawings.

OK so you're at home with your client PC and traversing a 
bunch of stuff, to arrive at the VIP of the LVS. Can you 
plunk your laptop (or whatever) down into the network of the 
VIP for testing?

>  My PC (Client)
>    |    *10.0.0.109
>    |
>    |    *10.0.0.12
> My Firewall
>    |    *Public IP
>    |         ||
>    |         ||
> Internet      || <- Tunnel
>    |         ||
>    |         ||
>    |     *Public IP
> Corporate Firewall
>    |     *192.168.5.1
>    |
>    |     *192.168.5.100 (VIP)
> Load-balancer
>    |     *192.168.10.100
>    |
>    |     *192.168.10.62 (RIP)
> FTP Server
>
>> if the client is connecting with the VIP, why is it accepting an
>> ftp-data connect request from the RIP?
>
> I admit that is a VERY good question.

Here you're showing me what doesn't work. You have something 
that does work (the ftp-data from the RIP). Can you show me 
how that works?

> All I can say is, it is happening.

This might be central to the problem.

> Attached is an Ethereal trace (ftp_nonat) captured on "My PC" when I
> initiated an FTP connection to the VIP of the load-balancer. The
> transaction starts on packet #3. In packet #23 you can see my GET
> command with the destination of the VIP. In the next packet, you see the
> RealServer open the FTP-DATA connection with a source address of
> 192.168.10.62.

Then what happens to the packet?

> The load-balancer's internal interface (192.168.10.100) is the FTP
> server's default gateway.

OK
Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
