[lvs-users] LVS-DR - internal network to remote network setup through VPN
claudineimatos at hospedevip.com.br
Wed Jul 30 14:05:28 BST 2008
I'm trying to do a setup of LVS-DR through a vpn but I'm having no
success. Let's explain my scenario:
On my local network (network A) I have host C which is my machine and
host B as the internet gateway and vpn client.
In a datacenter I have "network D", where I have host E which is
a LVS-DR server. This machine also works as vpn server.
I'm running web servers on hosts F and G, and host E is able to balance
connections between them both.
All the network D hosts have both internal and public addresses.
With my vpn/nat setup I can connect from any host on network A to any
host on network D, as well as from any machine on network D I can
any machine of network A.
That's the scenario:
network A - 192.168.0.0/24
host B - gateway/firewall/vpn client 201.xxx.xxx.xxx
host C - user machine
network D - 192.168.1.0/24
host E - LVS-DR/gateway/firewall/vpn server - 200.xxx.xxx.xxx
host F - real http server 1 - 200.xxx.xxx.xxx
host G - real http server 2 - 200.xxx.xxx.xxx
On "host E" I have a LVS-DR setup as all my machine have public IP.
If I want to connect to my website from "network A", through "internet",
I can choose to connect to the LVS (host E) address (balanced) or
directly to hosts F and G public addresses.
I can also connect to my website within the "network D" internal address
due to my VPN setup but I can't balance through LVS-DR on this case as
LVS address is public.
This setup is working really fine and both my network users and all my
clients can access my website.
Now, I want to change this setup a bit. I need to log some extra info
when my network users do access my website.
That's not exact a problem since my users can access website on host F
and host G internal address though the vpn, but I can't balance those
I've tried to create a new LVS-DR setup using the network D internal
address, so my network users would be allowed to connect to host E on
network D and get redirected to host F or G.
That's where the problem begins: If I try to connect to my website
through vpn LVS-DR address, I can't establish a connection.
Looking at the tcpdump output, I can see that if I try to connect from
A/host C to network D/LVS-DR the packages arrives on host F or G but
stops at "host E" (the reverse gateway) and don't get back to my network
A. Also, both they see my IP as the vpn client IP (network A/host B).
If I undo this new setup, looking again at tcpdump, I can see that if I
try to connect from network A direct to hosts F or G (also through the
vpn), my IP is identified with the vpn server IP (network D/host E) and
the connection is fully established.
I've tried a lot of routes combinations and firewall settings but I
think my problem is not with route/firewall as if I use direct
connection to webservers instead of LVS-DR everything works fine.
Is there any test I can do? Isn't this kind of setup allowed to ipvs? Or
have to setup IPVS-TUN on my network A/host D machine?
Any advices are welcome.
*Claudinei Matos | Coordenador de TI*
claudinei.matos at hospedevip.com.br <mailto:claudinei.matos at hospedevip.com.br>
(21) *2195 0612*
www.hospedevip.com.br <http://www.hospedevip.com.br/> | *(21) 2195 0600*
More information about the lvs-users