[lvs-users] lvs NAT mode - real server to (different) virtual server public IP web requests fail
horms at verge.net.au
Fri Nov 27 12:15:06 GMT 2009
On Thu, Nov 26, 2009 at 10:12:19AM -0800, James H wrote:
> I anticipated this question and should have answered this before it
> was asked. In a nutshell, the two websites that need to communicate
> with one another are owned by different entities that may not be aware
> they are on the same cluster. So website 1 needs to be able to call
> website 2 without any knowledge of the underlying infrastructure.
> I'd like to back up to one of my original configurations that works -
> for just a minute or so! Perhaps there is an ARP issue I need to
> resolve in that configuration.
> When I said it was a fairly stock setup, well that's not entirely
> true. I actually have two private nets connected to the real servers.
> 192.168.1.x which I call a "management net" that lets me access the
> real servers even if LVS routing is off, and 192.168.2.x which handles
> the LVS traffic. The default gateway is on the 192.168.2.x (LVS)
> router net.
> I have a routing table defined to 192.168.1.x and a rule that any
> traffic originating from the 192.168.1.x interface is routed via
> 192.168.1.1. ex: (the real server is 192.168.1.104, here are the
> if-cfg rules and routes defined)
> rule-eth1: from 192.168.1.104 table InternalNet
> route-eth1: default table InternalNet via 192.168.1.1
> This works fine and is nice to have so that I can run some local
> traffic between machines on a private net.
> Now, I add this next rule trying to solve the problem of real servers
> as clients (assuming xxx.xxx.xxx.xxx/26 is my "live" IP network):
> route-eth1: xxx.xxx.xxx.xxx/26 via 192.168.1.1 dev eth1
> This will direct requests for the VIPs out the 192.168.1.x interface
> via 192.168.1.1. That happens to be another simple NAT firewall, whose
> public IP is in the same public subnet as the VIPs. When I put this
> in, and restart the network on the real server, I CAN use lynx on a
> real server to browse a website on the public IP address. The request
> goes OUT the 192.168.1.x InternalNet, via 192.168.1.1, NATs out to the
> public side and makes the request to the VIP on the LVS director.
> Reply presumably comes full circle back out the LVS director, back
> through my 192.168.1.1 firewall and into the real server via
> But after a minute or so, the connection breaks down and will begin to timeout.
Here is my thinking:
1) The LVS-NATed connections will have the source IP address of
the machine that made the request. Though in this case
it will be the IP address of 192.168.1.1 in the live range.
2) The live range is routed via 192.168.1.1, not the linux-director.
So return packets from the real-server will go to the wrong place.
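To make the two points above concrete, here is an added example (my own, not code from the thread) that simulates the real server's policy routing with Python's ipaddress module and checks whether the reply to an LVS-NATed request goes back through the director; the live /26, the VIP, the firewall's public address, the real server's 192.168.2.x address and the director address are constructed placeholders.

```python
import ipaddress

# Constructed stand-ins (assumptions) for addresses the thread only sketches:
# the live /26, one VIP, the public side of the 192.168.1.1 NAT firewall,
# the real server's LVS-side address and the director as default gateway.
LIVE_NET = "203.0.113.0/26"
VIP = "203.0.113.10"
FIREWALL_PUBLIC = "203.0.113.20"
RIP = "192.168.2.104"
DIRECTOR = "192.168.2.1"

# Policy rules in priority order: (source prefix, table); None matches any source.
RULES = [("192.168.1.104/32", "InternalNet"), (None, "main")]

def tables(with_live_route):
    """Routing tables on the real server; gateway None means directly connected."""
    main = [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", DIRECTOR)]
    if with_live_route:
        main.append((LIVE_NET, "192.168.1.1"))  # route-eth1: live range via 192.168.1.1
    return {"InternalNet": [("0.0.0.0/0", "192.168.1.1")], "main": main}

def next_hop(src, dst, with_live_route):
    """Kernel-style lookup: first rule matching src whose table holds a route for dst,
    longest prefix within that table, wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prefix, name in RULES:
        if prefix is not None and src not in ipaddress.ip_network(prefix):
            continue
        best = None
        for net, gw in tables(with_live_route)[name]:
            net = ipaddress.ip_network(net)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is not None:
            return best[1] or "direct"
    raise LookupError("no route for %s" % dst)

def reply_path_symmetric(with_live_route):
    """Point 1: LVS-NAT hands the real server a packet FIREWALL_PUBLIC -> RIP.
    Point 2: the reply RIP -> FIREWALL_PUBLIC only gets un-NATed (RIP -> VIP)
    if it leaves via the director, so that is the check."""
    return next_hop(RIP, FIREWALL_PUBLIC, with_live_route) == DIRECTOR

if __name__ == "__main__":
    print("lynx request from eth1 to VIP goes via", next_hop("192.168.1.104", VIP, True))
    for flag in (False, True):
        print("live route added:", flag, "reply via", next_hop(RIP, FIREWALL_PUBLIC, flag),
              "symmetric:", reply_path_symmetric(flag))
```

With the extra route in place the reply is sent to 192.168.1.1, never reaches the director, and so arrives at the client with the real server's address instead of the VIP as its source.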