[lvs-users] LVS-NAT simple (?) setup not working in mysterious way?

Steve Wray steve.wray at cwa.co.nz
Thu Sep 20 01:33:45 BST 2007


Hi there,
I've spent the last few days reading and re-reading LVS documentation, 
doing network traces etc and trying to figure out what is going wrong here.

I am trying to set up a simple 2-network LVS-NAT to a webserver.

So far as I can tell all of my config is by the book.

I've stripped it down to one DIP, one RIP.

In the end there are intended to be two directors with failover so the
config shows the virtual IP of the interior interface of the director 
(eth1). This is used as the default route on the realserver.

I'll attach the tcpdumps I've obtained from the RIP, DIP and CIP as well 
as my config files. The interfaces file is from the director.

In the case of the /etc/network/interfaces, this is where I've been 
setting up the masquerading. Note that I've tried this with and without 
iptables masquerading on the director. I've tried various forms of 
masquerading, making it tighter or looser (e.g. so that outgoing port 80
does not get masqueraded or ensuring that the masqueraded connection 
appears as from the VIP).

Without masquerading the realserver cannot see the outside world.

It's not clear to me whether or not this aspect of masquerading is
intended to be taken care of by LVS itself. I am guessing not as most of 
the LVS-NAT documentation I've found does indicate configuring iptables 
rules for masquerading.

With masquerading the realserver can access the outside world just fine.

The symptom is that 'telnet VIP 80' followed by a 'GET /' appears to 
produce no content even though the tcpdump appears to show traffic 
coming from VIP to CIP.

The same telnet from the director to the RIP does get content.

I've been trying various combinations of configurations; it's not
entirely clear whether I need to use any iptables masquerading rules on 
the director. I've tried with and without and the results have been the 
same.

This appears to be such a simple setup that there has to be something 
very basic that I'm missing...

Looking at the cip.dump in wireshark I have to say that it does look 
very very odd. I can't say that I fully understand it though.

Any advice appreciated.

Thanks

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ha.cf
Url: http://lists.graemef.net/pipermail/lvs-users/attachments/20070920/3f558da9/attachment.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: interfaces
Url: http://lists.graemef.net/pipermail/lvs-users/attachments/20070920/3f558da9/attachment-0001.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ldirectord.cf
Url: http://lists.graemef.net/pipermail/lvs-users/attachments/20070920/3f558da9/attachment-0002.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: haresources
Url: http://lists.graemef.net/pipermail/lvs-users/attachments/20070920/3f558da9/attachment.pl 
