[lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail

Simon Horman horms at verge.net.au
Fri Nov 27 12:15:06 GMT 2009

On Thu, Nov 26, 2009 at 10:12:19AM -0800, James H wrote:
> Hi,
> I anticipated this question and should have answered this before it
> was asked. In a nutshell, the two websites that need to communicate
> with one another are owned by different entities that may not be aware
> they are on the same cluster. So website 1 needs to be able to call
> website 2 without any knowledge of the underlying infrastructure.
> I'd like to back up to one of my original configurations that works -
> for just a minute or so! Perhaps there is an ARP issue I need to
> resolve in that configuration.
> When I said it was a fairly stock setup, well that's not entirely
> true. I actually have two private nets connected to the real servers.
> 192.168.1.x which I call a "management net" that lets me access the
> real servers even if LVS routing is off, and 192.168.2.x which handles
> the LVS traffic. The default gateway is on the 192.168.2.x (LVS)
> router net.
> I have a routing table defined for 192.168.1.x and a rule that any
> traffic originating from the 192.168.1.x interface is routed via
> ex: (the real server is, here are the
> if-cfg rules and routes defined)
> rule-eth1: from table InternalNet
> route-eth1: default table InternalNet via
> This works fine and is nice to have so that I can run some local
> traffic between machines on a private net.
> Now, I add this next rule trying to solve the problem of real servers
> as clients (assuming xxx.xxx.xxx.xxx/26 is my "live" IP network
> range).
> route-eth1: xxx.xxx.xxx.xxx/26 via dev eth1
> This will direct requests for the VIPs out the 192.168.1.x interface
> via That happens to be another simple NAT firewall, whose
> public IP is in the same public subnet as the VIPs. When I put this
> in, and restart the network on the real server, I CAN use lynx on a
> real server to browse a website on the public IP address. The request
> goes OUT the 192.168.1.x InternalNet, via, NATs out to the
> public side and makes the request to the VIP on the LVS director.
> Reply presumably comes full circle back out the LVS director, back
> through my firewall and into the real server via
> But after a minute or so, the connection breaks down and will begin to time out.
> Suggestions?

Here is my thinking:

1) The LVS-NATed connections will have the source IP address of
   the machine that made the request. Though in this case
   it will be the IP address of in the live range.
2) The live range is routed via, not the linux-director.
   So return packets from the real-server will go to the wrong place.
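
A small simulation of the routing decision in points 1) and 2), added here as an
illustration; it is not code from this thread or from the LVS project. The
original post redacts the addresses, so every address below is an assumption:
RFC 5737 documentation space stands in for the "live" /26 (the VIP and the
firewall's public IP), and 192.168.1.x / 192.168.2.x for the management and LVS
nets. It models Linux policy routing (rules walked by priority, longest-prefix
match inside the selected table), builds the real server's tables as James
describes them, and traces where the reply goes once LVS-NAT has delivered a
request whose source is the firewall's public IP.

```python
"""Routing-decision model for the LVS-NAT real server in the thread above.

Added example, not from the lvs-users thread or the LVS project.  All
addresses are assumptions: the post redacts them, so RFC 5737 documentation
space stands in for the live /26 and RFC 1918 space for the private nets.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed addresses (the original post redacts the real ones).
LIVE_RANGE = "203.0.113.0/26"        # the "live" public /26 holding the VIPs
VIP = "203.0.113.20"                 # a virtual server IP on the director
FIREWALL_PUBLIC = "203.0.113.10"     # public side of the simple NAT firewall
FIREWALL_INTERNAL = "192.168.1.1"    # firewall's address on the management net
DIRECTOR_INTERNAL = "192.168.2.1"    # linux-director, the real server's default gw
RS_LVS = "192.168.2.10"              # real server's address on the LVS net (eth0)
EXTERNAL_CLIENT = "198.51.100.7"     # an ordinary Internet client outside the /26


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop gateway; None means directly connected
    dev: str


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    from_prefix: Optional[ipaddress.IPv4Network] = None  # None means "from all"


def route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), via, dev)


class PolicyRouter:
    """Minimal model of Linux policy routing: walk the rules by priority and,
    in the selected table, pick the longest-prefix match for the destination.
    A table with no matching route falls through to the next rule."""

    def __init__(self, rules: List[Rule], tables: Dict[str, List[Route]]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.tables = tables

    def lookup(self, src: str, dst: str) -> Optional[Route]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.from_prefix is not None and s not in rule.from_prefix:
                continue
            best = None
            for r in self.tables.get(rule.table, []):
                if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                    best = r
            if best is not None:
                return best
        return None


def build_router(live_range_via_firewall: bool) -> PolicyRouter:
    """Real server's tables as described in the thread: default gateway on the
    LVS net (the director), a source-based rule sending management-net traffic
    to the firewall, and optionally the added 'live /26 via firewall' route."""
    main = [
        route("192.168.1.0/24", "eth1"),
        route("192.168.2.0/24", "eth0"),
        route("0.0.0.0/0", "eth0", via=DIRECTOR_INTERNAL),
    ]
    if live_range_via_firewall:
        main.append(route(LIVE_RANGE, "eth1", via=FIREWALL_INTERNAL))
    internal_net = [route("0.0.0.0/0", "eth1", via=FIREWALL_INTERNAL)]
    rules = [
        Rule(100, "InternalNet", ipaddress.ip_network("192.168.1.0/24")),
        Rule(32766, "main"),
    ]
    return PolicyRouter(rules, {"main": main, "InternalNet": internal_net})


def request_next_hop(router: PolicyRouter) -> Optional[str]:
    """Real server opens a connection to the VIP.  No source address is bound
    yet, so the lookup runs with an unspecified source, as Linux does."""
    r = router.lookup("0.0.0.0", VIP)
    return r.via if r else None


def reply_next_hop(router: PolicyRouter, client_src: str) -> Optional[str]:
    """LVS-NAT forwarded the request to RS_LVS keeping the client's source
    address (point 1); this is the gateway the real server replies through."""
    r = router.lookup(RS_LVS, client_src)
    return r.via if r else None


if __name__ == "__main__":
    with_route = build_router(live_range_via_firewall=True)
    print("request to the VIP leaves via", request_next_hop(with_route))
    # The NATed request arrives with source FIREWALL_PUBLIC, inside the live /26.
    print("reply to the firewall's public IP goes via", reply_next_hop(with_route, FIREWALL_PUBLIC))
    print("reply to an outside client goes via", reply_next_hop(with_route, EXTERNAL_CLIENT))
    without_route = build_router(live_range_via_firewall=False)
    print("without the /26 route the reply goes via", reply_next_hop(without_route, FIREWALL_PUBLIC))
```

Run as a script it shows the request to the VIP leaving via the firewall, as
James observed, but the reply addressed to the firewall's public IP also taking
the /26 route to the firewall instead of the default route through the
linux-director, which is the asymmetry of point 2). A reply to a client outside
the /26 still goes via the director, and with the /26 route removed every reply
does.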

