[lvs-users] LVS-TUN IPv6 questions
zmousm at noc.grnet.gr
Mon Oct 6 00:20:15 BST 2014
I am trying to set up a simple, dual-stack LVS-TUN cluster and I've
stumbled on the IPv6 setup of the realserver. I did get it to work after
all, but I still wonder whether I've got it totally wrong.
All systems are Debian Wheezy based with Linux 3.2.0, ipvsadm v1.26.
This is my working configuration:
# Director
ip addr add 126.96.36.199/32 scope global dev eth0
ip -6 addr add 2001:648:2ffc:106::85/128 scope global dev eth0
ipvsadm -R <<EOF
-A -t 188.8.131.52:80 -s rr
-a -t 184.108.40.206:80 -r 220.127.116.11:80 -i -w 1
-A -t [2001:648:2ffc:106::85]:80 -s rr
-a -t [2001:648:2ffc:106::85]:80 -r [2001:648:2ffc:100::213]:80 -i -w 1
EOF

# Realserver
ip addr add dev tunl0 18.104.22.168/32 brd 22.214.171.124
ip link set dev tunl0 up
ip -6 tunnel add lvs6tun0 mode ip6ip6 local 2001:648:2ffc:100::213 \
    remote 2001:648:2ffc:106::78 dev eth0
ip link set dev lvs6tun0 up
ip -6 addr add 2001:648:2ffc:106::85 dev lvs6tun0
At first I tried to set up the IPv6 tunnel interface following the
guidelines for ipv4. I could not use tunl0 since the encapsulation is
ip -6 addr add dev ip6tnl0 2001:648:2ffc:106::85/128 scope global
ip link set dev ip6tnl0 up
This didn't work; there was no traffic on ip6tnl0 and I noticed the
realserver was sending ICMPv6 parameter problem back to the director.
Then I tried to get the director to use 6-in-4 encapsulation (SIT),
which perhaps would be easier to set up on the realserver (like IPIP for
ipvsadm -a -t [2001:648:2ffc:106::85]:80 -r 126.96.36.199:80 -i -w 1
This also didn't work; ipvsadm -l shows this:
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port             Forward Weight ActiveConn InActConn
TCP  [2001:648:2ffc:106::85]:http rr
  -> [c2b1:d2d5:2ffc:106::85]:http  Tunnel  1      0          0
This matches the 32 bits of the realserver IPv4 address + the last 96
bits of the service address.
Finally, when I did get to set up the tunnel as in the working
configuration above, it still didn't work until I set the remote
endpoint. Not being able to use "remote any" means I have to set up a
different tunnel for every director.
So I wonder whether it is at all possible to use a setup similar to
IPv4, without an explicit tunnel setup or at least without specifying a
remote endpoint. I would rather use iptables rules to limit the
endpoints (directors) that can send tunneled traffic to the realserver.
I'm also curious if IPVS can do IPv6-in-IPv4 encapsulation.
Thanks in advance for your insight.
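
The endpoint restriction mentioned in the message, sketched as an added example (not part of the original post): a shell function that emits an ip6tables-restore fragment accepting IPv6-in-IPv6 packets (IP protocol 41) on the realserver only from listed director addresses. The chain name LVS-TUN6 and the second director address 2001:db8::10 are assumptions made for illustration; the first address is the tunnel's remote endpoint from the configuration above.

```shell
#!/bin/sh
# Added example: build a ruleset that lets only the listed directors deliver
# IPv6-in-IPv6 (IP protocol 41) packets to this realserver.
# LVS-TUN6 is a hypothetical chain name.

gen_tun6_rules() {
    [ "$#" -gt 0 ] || { echo "no directors given" >&2; return 1; }
    # Validate every argument first so a bad one yields no partial ruleset
    # and cannot smuggle extra rule text into the output.
    for addr in "$@"; do
        case "$addr" in
            *[!0-9A-Fa-f:]*|"")
                echo "bad director address: $addr" >&2; return 1 ;;
            *:*) ;;
            *)  echo "not an IPv6 address: $addr" >&2; return 1 ;;
        esac
    done

    echo "*filter"
    echo ":LVS-TUN6 - [0:0]"
    for addr in "$@"; do
        echo "-A LVS-TUN6 -s $addr/128 -j ACCEPT"
    done
    # Encapsulated packets from any other source stop here, in the INPUT
    # path, before they reach the tunnel driver.
    echo "-A LVS-TUN6 -j DROP"
    echo "COMMIT"
}

# Load on the realserver with:
#   gen_tun6_rules <director>... | ip6tables-restore --noflush
# and hook the chain into INPUT once:
#   ip6tables -C INPUT -p 41 -j LVS-TUN6 2>/dev/null ||
#       ip6tables -I INPUT -p 41 -j LVS-TUN6

# Demo: the director from the post plus one constructed address.
gen_tun6_rules 2001:648:2ffc:106::78 2001:db8::10
```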