[lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail

James H jeh1965 at gmail.com
Thu Nov 26 18:12:19 GMT 2009


I anticipated this question and should have answered this before it
was asked. In a nutshell, the two websites that need to communicate
with one another are owned by different entities that may not be aware
they are on the same cluster. So website 1 needs to be able to call
website 2 without any knowledge of the underlying infrastructure.

I'd like to back up to one of my original configurations that works -
for just a minute or so! Perhaps there is an ARP issue I need to
resolve in that configuration.

When I said it was a fairly stock setup, well that's not entirely
true. I actually have two private nets connected to the real servers.
192.168.1.x which I call a "management net" that lets me access the
real servers even if LVS routing is off, and 192.168.2.x which handles
the LVS traffic. The default gateway is on the 192.168.2.x (LVS)
router net.

I have a routing table defined to 192.168.1.x and a rule that any
traffic originating from the 192.168.1.x interface is routed via ex: (the real server is, here are the
if-cfg rules and routes defined)

rule-eth1: from table InternalNet
route-eth1: default table InternalNet via

This works fine and is nice to have so that I can run some local
traffic between machines on a private net.

Now, I add this next rule trying to solve the problem of real servers
as clients (assuming xxx.xxx.xxx.xxx/26 is my "live" IP network):
route-eth1: xxx.xxx.xxx.xxx/26 via dev eth1

This will direct requests for the VIPs out the 192.168.1.x interface
via That happens to be another simple NAT firewall, whose
public IP is in the same public subnet as the VIPs. When I put this
in, and restart the network on the real server, I CAN use lynx on a
real server to browse a website on the public IP address. The request
goes OUT the 192.168.1.x InternalNet, via, NATs out to the
public side and makes the request to the VIP on the LVS director.
Reply presumably comes full circle back out the LVS director, back
through my firewall and into the real server via

But after a minute or so, the connection breaks down and will begin to time out.

On Thu, Nov 26, 2009 at 5:50 AM, Graeme Fowler <graeme at graemef.net> wrote:
> On Wed, 2009-11-25 at 20:17 -0800, James H wrote:
>> Suggestions?
> See the section in the HOWTO on "realservers as clients". It's a
> difficult one to solve, and adds extra complexity to the system.
> Here's a thought for you, though - why do the internal requests need to
> be load balanced? If the service is located on all of the realservers,
> can it not just be called locally?
> Graeme
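The post above describes a realserver carrying two policy-routing pieces: a rule sending traffic sourced from the management-net interface to a separate table ("InternalNet"), and a route for the public /26 that holds the VIPs pointing at the NAT firewall on that same interface. The following simulator is an added example, not code from the thread or from the LVS project; it models the Linux lookup order (rules by priority, longest-prefix match inside each table, and the two-pass lookup a connect() performs: a sourceless lookup to pick the source address, then a second lookup with that source) so you can see which table and next hop each flow takes before touching a live box. All values are constructed stand-ins: eth0 on the LVS net 192.168.2.0/24, eth1 on the management net 192.168.1.0/24, the firewall and the InternalNet gateway assumed to be the same host 192.168.1.1, rule priority 100, and 203.0.113.0/26 in place of the redacted public /26. It also goes one step beyond the post by showing the general caveat of a per-source table that lacks the connected route for its own subnet.

```python
"""Policy-routing lookup simulator for a Linux realserver (added example).

Models the `ip rule` / `ip route` state produced by rule-eth1 / route-eth1
fragments like the ones in the thread. Every address below is a constructed
stand-in; the eth0/eth1 assignment, the rule priority and the firewall being
the InternalNet gateway are assumptions, not facts from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network                 # destination prefix
    dev: str                            # output interface
    via: Optional[IPv4Address] = None   # next hop; None means directly connected


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[IPv4Network] = None   # "from" selector; None matches every source


# Addresses on the realserver's interfaces (constructed).
IFACE_ADDR = {"eth0": IPv4Address("192.168.2.10"), "eth1": IPv4Address("192.168.1.10")}
FIREWALL = IPv4Address("192.168.1.1")     # NAT firewall on the management net (assumed)
LVS_GW = IPv4Address("192.168.2.1")       # default gateway on the LVS net
PUBLIC_26 = IPv4Network("203.0.113.0/26")  # stand-in for the redacted public /26


def base_tables(with_public_route: bool) -> dict:
    """Routing tables as the ifcfg fragments would leave them."""
    main = [
        Route(IPv4Network("192.168.2.0/24"), "eth0"),
        Route(IPv4Network("192.168.1.0/24"), "eth1"),
        Route(IPv4Network("0.0.0.0/0"), "eth0", LVS_GW),   # default gw on the LVS net
    ]
    if with_public_route:
        # route-eth1: <public>/26 via <firewall> dev eth1 (no "table" keyword -> main)
        main.append(Route(PUBLIC_26, "eth1", FIREWALL))
    return {
        "main": main,
        # route-eth1: default table InternalNet via <gateway>
        "InternalNet": [Route(IPv4Network("0.0.0.0/0"), "eth1", FIREWALL)],
    }


RULES = [
    Rule(100, "InternalNet", IPv4Network("192.168.1.10/32")),  # rule-eth1: from <eth1 addr>
    Rule(32766, "main"),                                       # kernel default rule
]


def lookup_table(routes, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def route_lookup(tables, rules, dst, src=None):
    """Walk rules by priority; the first table holding a matching route wins.
    A "from" rule never matches a sourceless lookup (saddr 0.0.0.0 in the kernel)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and (src is None or src not in rule.src):
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit
    return None, None


def connect_path(tables, rules, dst):
    """Two-pass lookup like connect(): choose the source from the sourceless
    result, then re-run with that source, which may select another table."""
    _, first = route_lookup(tables, rules, dst)
    if first is None:
        return None
    src = IFACE_ADDR[first.dev]
    table, final = route_lookup(tables, rules, dst, src)
    return {"src": str(src), "table": table, "dev": final.dev,
            "via": str(final.via) if final.via else "link"}


def scenarios():
    vip = IPv4Address("203.0.113.5")          # constructed VIP inside the public /26
    neighbour = IPv4Address("192.168.1.50")   # another host on the management net
    fixed = base_tables(True)
    # General caveat: copy the connected route into the per-source table,
    # otherwise same-subnet traffic from that source is sent to the gateway.
    fixed["InternalNet"].insert(0, Route(IPv4Network("192.168.1.0/24"), "eth1"))
    return {
        "vip_stock": connect_path(base_tables(False), RULES, vip),
        "vip_with_public_route": connect_path(base_tables(True), RULES, vip),
        "neighbour_without_connected": connect_path(base_tables(True), RULES, neighbour),
        "neighbour_with_connected": connect_path(fixed, RULES, neighbour),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:30s} {path}")
```

Run it and compare the first two rows: without the /26 route the VIP request leaves eth0 towards the LVS-net gateway with the 192.168.2.x source; with it, the source-selection pass picks the eth1 address, the second pass then matches the "from" rule and the packet goes to the firewall out of the InternalNet table, which is the path the post describes as working. The last two rows show the separate caveat: a source-based table containing only a default route also captures traffic to hosts on its own subnet until the connected route is added to that table.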
