SNAT Confusion

Janusz Krzysztofik jkrzyszt at tis.icnet.pl
Mon Mar 19 13:06:33 GMT 2007


Rodre Ghorashi-Zadeh wrote:
> I can see the traffic being SNAT-ed and hitting the realserver and being 
> sent back but then packet trail just seemed to drop off. I figure it is 
> because the kernel on the director is probably looking at the source 
> address of the reply packet, which matches the VIP ip that is on the 
> director, and is saying "hey, I didn't send this!" and is dropping the 
> packet. What am I not seeing here? What am I missing? What I guess I 
> need here is the so called f5 style SNAT? How can I achieve what I need 
> to do?

Rod,

Sorry, I have read the thread in the reverse direction and missed this 
important point while sending my previous reply. You are right, the 
problem is probably related to the source address matching the VIP configured on 
the director. I can think of three possible solutions:

1. Try to find and apply an IPVS-related patch that allows a director to 
accept packets with source address matching one of its own addresses (I 
have no experience with this patch).

2. Remove VIP from your director and use static routing / proxy arp and 
netfilter marking instead (this is my way of doing things). If you do 
need VIP on your director for other clients to work, use an additional 
VIP configured this way for accessing your realservers just from 
themselves via LVS.

3. Do SNAT on your realservers when acting as LVS clients, not on the 
director (I had this working some time ago, but removed this config as I 
do not need it anymore).

Cheers,
Janusz
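As an added example (not part of Janusz's reply, nor the LVS project's own scripts), the rule sets that options 2 and 3 above describe, written as a dry-run shell script that prints the commands until `DRY_RUN=0` is set: a fwmark-based virtual service on a director that never has the VIP bound to an interface, and SNAT on a realserver when it talks to the VIP itself. The 192.0.2.x addresses, mark value, routing-table number and port are constructed assumptions.

```shell
#!/bin/sh
# Added example: director-side fwmark service (option 2) and realserver-side
# SNAT (option 3). Addresses, mark, table and port are constructed values.
VIP=192.0.2.10          # virtual service address: routed to the director, not bound on it
RIP1=192.0.2.11         # realservers behind the director
RIP2=192.0.2.12
RIP_ALT=192.0.2.21      # secondary address on a realserver, used as SNAT source
FWMARK=1; PORT=80; TABLE=100

: "${DRY_RUN:=1}"       # default prints the commands; DRY_RUN=0 applies them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Option 2: the director does not own the VIP. Static routes or proxy ARP on
# the upstream side deliver VIP traffic to the director, a mangle rule marks
# it, and a policy route delivers marked packets locally so IPVS sees them
# in LOCAL_IN and schedules them by fwmark instead of by VIP:port.
configure_director() {
  run iptables -t mangle -A PREROUTING -d "$VIP" -p tcp --dport "$PORT" \
      -j MARK --set-mark "$FWMARK"
  run ip rule add fwmark "$FWMARK" lookup "$TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
  run ipvsadm -A -f "$FWMARK" -s rr
  run ipvsadm -a -f "$FWMARK" -r "$RIP1:$PORT" -m   # -m: LVS-NAT forwarding
  run ipvsadm -a -f "$FWMARK" -r "$RIP2:$PORT" -m
}

# Option 3: when a realserver is itself a client of the VIP, rewrite the
# source of its own requests on the realserver (nat/POSTROUTING covers
# locally generated packets) to a secondary address, so the director sees
# a distinct client address instead of a RIP and does not need its own SNAT.
configure_realserver_client() {
  run iptables -t nat -A POSTROUTING -d "$VIP" -p tcp --dport "$PORT" \
      -j SNAT --to-source "$RIP_ALT"
}

# Select the role from the environment; unset LVS_ROLE does nothing.
case "${LVS_ROLE:-}" in
  director)   configure_director ;;
  realserver) configure_realserver_client ;;
esac
```

Run with `LVS_ROLE=director sh script.sh` to review the generated rules before applying them with `DRY_RUN=0`.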
