[lvs-users] LVS-DR - internal network to remote network setup through VPN

Claudinei Matos claudineimatos at hospedevip.com.br
Wed Jul 30 14:05:28 BST 2008


I'm trying to do a setup of LVS-DR through a vpn but I'm having no
success. Let me explain my scenario:

On my local network (network A) I have host C which is my machine and
host B as the internet gateway and vpn client.

In a datacenter I have "network D", where I have host E, which is
an LVS-DR server. This machine also works as the vpn server.
I'm running web servers on hosts F and G, and host E is able to balance
connections between them both.
All the network D hosts have both internal and public addresses.

With my vpn/nat setup I can connect from any host on network A to any
host on network D, as well as from any machine on network D to any
machine on network A.

That's the scenario:

   network A   -
      host B   -   gateway/firewall/vpn client 201.xxx.xxx.xxx
      host C   -   user machine

   network D   -
      host E   -   LVS-DR/gateway/firewall/vpn server - 200.xxx.xxx.xxx
      host F   -   real http server 1 - 200.xxx.xxx.xxx
      host G   -   real http server 2 - 200.xxx.xxx.xxx

On "host E" I have an LVS-DR setup, as all my machines have public IPs.

If I want to connect to my website from "network A", through "internet", 
I can choose to connect to the LVS (host E) address (balanced) or 
directly to hosts F and G public addresses.

I can also connect to my website on the "network D" internal addresses
due to my VPN setup, but I can't balance through LVS-DR in this case as
the LVS address is public.

This setup is working really fine and both my network users and all my
clients can access my website.

Now, I want to change this setup a bit. I need to log some extra info
when my network users access my website.

That's not exactly a problem, since my users can access the website on
host F's and host G's internal addresses through the vpn, but I can't
balance those.

I've tried to create a new LVS-DR setup using the network D internal
address, so my network users would be allowed to connect to host E on
network D and get redirected to host F or G.

That's where the problem begins: if I try to connect to my website
through the vpn LVS-DR address, I can't establish a connection.

Looking at the tcpdump output, I can see that if I try to connect from
A/host C to network D/LVS-DR the packets arrive on host F or G but
stop at "host E" (the reverse gateway) and don't get back to my network
A. Also, both of them see my IP as the vpn client IP (network A/host B).

If I undo this new setup, looking again at tcpdump, I can see that if I
try to connect from network A directly to hosts F or G (also through the
vpn), my IP is identified as the vpn server IP (network D/host E) and
the connection is fully established.

I've tried a lot of route combinations and firewall settings, but I
think my problem is not with routes/firewall, as if I use a direct
connection to the webservers instead of LVS-DR everything works fine.

Is there any test I can do? Isn't this kind of setup allowed by ipvs? Or
maybe I have to set up IPVS-TUN on my network A/host D machine?

Any advice is welcome.


Claudinei Matos

*Claudinei Matos | Coordenador de TI*

claudinei.matos at hospedevip.com.br

(21) *2195 0612*

HóspedeVIP <http://www.hospedevip.com.br/>

www.hospedevip.com.br | *(21) 2195 0600*

More information about the lvs-users mailing list