[lvs-users] IPv6 loadbalancer and source addr selection
anders.henke at 1und1.de
Thu Jan 9 10:25:58 GMT 2014
On 08.01.2014, Michael Schwartzkopff wrote:
> I want to set up a IPv6 load balancer in direct routing mode. So I configure a
> IPv6 address an my loadbalancer and the same IPv6 addr on the lo interface of
> the real servers.
> No to the problem:
> Since the IPv6 is the last IPv6 address configured on the interface in that
> subnet the loadbalancer uses this IPv6 addr to communicate with the real
> server. The real server answers to the IPv6 addr on the lo interface and to
> communication is possible.
> So no connection from the loadbalancer to the real server is possible.
> I found a solution via the ip -6 addlabel (see RFC 6724). No I am wondering if
> the is a more simle solution. Any hints? Thanks.
There are multiple ways to achieve this.
You noted the adress label, but according to RFC 3484, there are other ways with even higher preferences to influence the source address selection.
First of all, you may mark the services IP addresses as being deprecated:
/sbin/ip address change 2001:db8::1/64 dev eth0 preferred_lft 0
This IP address will be avoided in the default address selection, but still serve incoming requests. Intention of this "deprecated" flag is to still permit incoming traffic on dynamically allocated IPv6 addresses, who have been replaced by a different dynamically allocated IPv6 address. If you're running keepalived, simply upgrade to 1.2.9 and higher - these releases do automatically set the VRRP VIP address to be "deprecated" by default.
Secondary, you may also try to mark the host's IPv6 address as being a home address:
/sbin/ip address change 2001:db8::1/64 dev eth0 home
The intention of "home adress" is to properly support mobile IPv6; in mobile IPv6, your host receives an IPv6 address for its current network, but may also receive traffic via a tunneling setup from a tunneling endpoint on your home network via the "home address". According to RFC 3484, this setting should prefer your IP address when choosing an outgoing connection.
And not necessarily last: if your painpoint is only to implement checks from your realserver, you may also ask your checking utilities to bind to a specific (the hosts) IPv6 address when initiating outgoing connections. The default address selection only kicks in if the source address is undefined and to be determined by the system. In keepalived, this is is done via the "bindto" option in the check configuration.
I personally try to avoid this, as most manual debugging ("telnet realserver 80" ...) will still fall back to the default address selection and so give different results than the automated checks. However, there are cases where such specific binds may be important.
1&1 Internet AG Expert Systems Architect (IT Operations)
Amtsgericht Montabaur HRB 6484
Vorstand: Ralph Dommermuth, Frank Einhellinger, Robert Hoffmann,
Andreas Hofmann, Markus Huhn, Hans-Henning Kettler, Uwe Lamnek,
Jan Oetjen, Christian Würst
Aufsichtsratsvorsitzender: Michael Scheeren
More information about the lvs-users