How to NAT The FTP-DATA Connection?

Graeme Fowler graeme at
Mon Dec 25 07:49:42 GMT 2006

On Sun, 2006-12-24 at 21:35 -0800, Robinson, Eric wrote:
> I'm not sure they are ever going INTO the director. I think they're
> bypassing it and being routed instead.

Aha - it all becomes (sort of) clear.

In LVS-NAT, the return packets from the realservers to the clients
_must_ traverse the director or they will not get NATted back to an
address/port pair for the right client.

For the FTP helper to work it must see the PORT packet so it can work
its magic to change the address. This is why I asked you if there were
routes involved in a previous post - if the realservers have explicit
routes back to the clients, and those routes avoid the director, NAT
simply won't work (it might work partially if there's another NAT device
involved mapping the realserver/service back to a NAT IP/service, but
not completely).

This is the key difference between NAT and TUN or DR - in TUN & DR, the
packets return directly (by hook or by crook) to the client. In NAT,
they go via the director.

Merry Christmas, list!
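
The return-path condition described above can be checked on a realserver by looking at the next hop it would use for a client. The following is an added example, not part of the original post; the function names and all addresses are constructed, and it assumes the director's inside address is the gateway the realservers should use.

```shell
#!/bin/sh
# Added example: classify the return path a realserver would use for a
# client in an LVS-NAT setup. All addresses are constructed sample values.

# next_hop ROUTE_LINE
# Print the gateway from one line of `ip route get` output, or "on-link"
# when the route has no "via" (the client is reached directly).
next_hop() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "via") { print $(i + 1); found = 1; exit }
    } END { if (!found) print "on-link" }'
}

# check_return_path ROUTE_LINE DIRECTOR_IP
# Returns 0 only when replies go back through the director,
# 1 when they bypass it, 2 when there is no route output to judge.
check_return_path() {
    route_line=$1
    director=$2
    [ -n "$route_line" ] || { echo "UNKNOWN: no route output"; return 2; }
    hop=$(next_hop "$route_line")
    if [ "$hop" = "$director" ]; then
        echo "OK: replies leave via director $director"
        return 0
    fi
    if [ "$hop" = "on-link" ]; then
        echo "BYPASS: client is on-link, replies never reach the director"
    else
        echo "BYPASS: replies leave via $hop, not director $director"
    fi
    return 1
}

# Constructed samples of `ip route get <client>` output on a realserver.
DIRECTOR=192.168.10.1
GOOD='203.0.113.7 via 192.168.10.1 dev eth0 src 192.168.10.11'
BAD='203.0.113.7 via 192.168.10.254 dev eth0 src 192.168.10.11'
DIRECT='192.168.10.50 dev eth0 src 192.168.10.11'

check_return_path "$GOOD" "$DIRECTOR" || true
check_return_path "$BAD" "$DIRECTOR" || true
check_return_path "$DIRECT" "$DIRECTOR" || true

# On a live realserver (client address is a placeholder):
#   check_return_path "$(ip route get 203.0.113.7 | head -n 1)" "$DIRECTOR"
```

A BYPASS result for a client address is the situation in which the director never sees the reply packets, so neither the NAT rewrite nor the FTP helper can act on them.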


More information about the lvs-users mailing list