[lvs-users] Packets Not Reaching Real Server

Malcolm Turnbull malcolm at loadbalancer.org
Mon Nov 21 21:38:39 GMT 2016


Nick,

Actually I lied... I was just remembered that you will need to disable
the source and destination checks on the load balancer:

https://loadbalancer.org/uk/blog/transparent-load-balancing-with-haproxy-on-amazon-ec2

• Disable the source / Destination check on the instance in AWS. To do
this go to the EC2 console and select your load balancer instance.
Then select “Actions > Network > Change source/Dest. check” and
Disable this option. Doing so enables the instance to receive traffic
which has a destination IP it does not own.



On 21 November 2016 at 19:49, Malcolm Turnbull <malcolm at loadbalancer.org> wrote:
> Nick,
>
> AWS is a good place to use a one arm nat configuration (because all
> the clients are usually remote)
>
> As long as the real server has the default gateway set as the load
> balancer it should be fine?
>
>
>
>
> On 21 November 2016 at 19:13, Nick Leli <nicholasleli at gmail.com> wrote:
>> Thanks Malcom.  So in this scenario, the client is in a different subnet;
>> it's coming from the public Internet.  I am looking for the easiest route
>> to get something running so any logical recommendations are greatly
>> appreciated.  Here is the current topology:
>>
>>                                       my laptop, connected to public
>> internet
>>                                                     |
>>                                                     |
>>                                                     |
>>                                                     V
>>                                         LVS host in AWS with public IP
>>                                                     |
>>                                                     |
>>                                                     |
>>                                                     V
>>                                         Real server in AWS within same
>> VPC/subnet
>>
>> What routing rules are needed on the backend server to get this to at least
>> work in this simple setup.  Are iptables rules still required to masquerade
>> on eth0 or do you need to permanently change the routes?
>>
>> On Mon, Nov 21, 2016 at 10:53 AM, Malcolm Turnbull <malcolm at loadbalancer.org
>>> wrote:
>>
>>> Usually for MASQ/NAT mode the real server would be in a different
>>> subnet with the LVS server set as the default gateway.
>>>
>>> If you want to do one-arm i.e. same subnet MASQ then the test client
>>> needs to be in a separate subnet OR you need to have special routing
>>> rules on the real (backend) server.
>>>
>>>
>>>
>>>
>>>
>>> On 21 November 2016 at 18:26, Nick Leli <nicholasleli at gmail.com> wrote:
>>> > Hi Everyone,
>>> >
>>> > I am trying to learn LVS and have created the setup below (better
>>> > formatting at Server Fault http://serverfault.com/
>>> questions/816026/lvs-load-
>>> > balancer-not-getting-response).  The LVS setup seems correct, but it
>>> > appears that the connections never make it to the real server, even
>>> though
>>> > traffic is being sent from the director.  I am under the impression that
>>> no
>>> > iptables rules are required since the real server is added with
>>> > masquerade.  Is this incorrect?  I have read through the HOWTO multiple
>>> > times but am not clear on what is needed.
>>> >
>>> > **Director Host**
>>> >
>>> > root at ip-172-31-16-196:/home/ubuntu# cat  /proc/sys/net/ipv4/ip_forward
>>> > 1
>>> >
>>> > root at ip-172-31-16-196:/home/ubuntu# ifconfig
>>> >     eth0      Link encap:Ethernet  HWaddr 06:a0:5b:48:1b:f5
>>> >               inet addr:172.31.16.196  Bcast:172.31.31.255
>>> >  Mask:255.255.240.0
>>> >               inet6 addr: fe80::4a0:5bff:fe48:1bf5/64 Scope:Link
>>> >               UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
>>> >               RX packets:4211 errors:0 dropped:0 overruns:0 frame:0
>>> >               TX packets:3692 errors:0 dropped:0 overruns:0 carrier:0
>>> >               collisions:0 txqueuelen:1000
>>> >               RX bytes:416625 (416.6 KB)  TX bytes:406446 (406.4 KB)
>>> >
>>> >     lo        Link encap:Local Loopback
>>> >               inet addr:127.0.0.1  Mask:255.0.0.0
>>> >               inet6 addr: ::1/128 Scope:Host
>>> >               UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>> >               RX packets:173 errors:0 dropped:0 overruns:0 frame:0
>>> >               TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
>>> >               collisions:0 txqueuelen:1
>>> >               RX bytes:12776 (12.7 KB)  TX bytes:12776 (12.7 KB)
>>> >
>>> > root at ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port Scheduler Flags
>>> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
>>> > TCP  172.31.16.196:80 rr
>>> >   -> 172.31.16.195:80             Masq    1      0          0
>>> >
>>> > root at ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln --stats
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes
>>> > OutBytes
>>> >   -> RemoteAddress:Port
>>> > TCP  172.31.16.196:80                   23      122        0     6436
>>> >  0
>>> >   -> 172.31.16.195:80                   23      122        0     6436
>>> >  0
>>> >
>>> > root at ip-172-31-16-196:/home/ubuntu# curl 172.31.16.195-vv
>>> > * Rebuilt URL to: 172.31.16.195/
>>> > *   Trying 172.31.16.195...
>>> > * Connected to 172.31.16.195 (172.31.16.195) port 80 (#0)
>>> >> GET / HTTP/1.1
>>> >> Host: 172.31.16.195
>>> >> User-Agent: curl/7.47.0
>>> >> Accept: */*
>>> >>
>>> > * HTTP 1.0, assume close after body
>>> > < HTTP/1.0 200 OK
>>> > < Server: SimpleHTTP/0.6 Python/2.7.12
>>> > < Date: Mon, 21 Nov 2016 04:59:04 GMT
>>> > < Content-type: text/html
>>> > < Content-Length: 26
>>> > < Last-Modified: Mon, 21 Nov 2016 00:58:21 GMT
>>> > <
>>> > >From server 172.31.16.195
>>> > * Closing connection 0
>>> >
>>> > # Show the public IP of this host
>>> > root at ip-172-31-16-196:/home/ubuntu# wget http://ipinfo.io/ip -qO -
>>> > 52.15.105.107
>>> >
>>> > **Backend Server**
>>> >
>>> > root at ip-172-31-16-195:/home/ubuntu# netstat -tnlp
>>> > Active Internet connections (only servers)
>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State
>>> >     PID/Program name
>>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*
>>>  LISTEN
>>> >      2444/python
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*
>>>  LISTEN
>>> >      1221/sshd
>>> > tcp6       0      0 :::22                   :::*
>>> LISTEN
>>> >      1221/sshd
>>> >
>>> > root at ip-172-31-16-195:/home/ubuntu# iptables -L -t nat
>>> > Chain PREROUTING (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain INPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain POSTROUTING (policy ACCEPT)
>>> > target     prot opt source               destination
>>> > >From Remote Client
>>> >
>>> > # Hitting the public IP
>>> > $ curl -vvv http://52.15.105.107/
>>> > *   Trying 52.15.105.107...
>>> > * Connected to 52.15.105.107 (127.0.0.1) port 80 (#0)
>>> >> GET / HTTP/1.1
>>> >> Host: 52.15.105.107
>>> >> User-Agent: curl/7.43.0
>>> >> Accept: */*
>>> >>
>>> > < HTTP/1.1 504 Gateway Time-out
>>> > < Server: ScanSafe
>>> > < Mime-Version: 1.0
>>> > < Date: Mon, 21 Nov 2016 05:40:50 GMT
>>> > < Content-Type: text/html
>>> > < Content-Length: 1664
>>> > < X-ScanSafe-Error: ERR_CONNECT_FAIL 110
>>> > < Keep-Alive: 60
>>> > < Via: HTTP/1.1 proxy10829
>>> > _______________________________________________
>>> > Please read the documentation before posting - it's available at:
>>> > http://www.linuxvirtualserver.org/
>>> >
>>> > LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
>>> > Send requests to lvs-users-request at LinuxVirtualServer.org
>>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Malcolm Turnbull.
>>>
>>> Loadbalancer.org Ltd.
>>> Phone: +44 (0)330 380 1064
>>> http://www.loadbalancer.org/
>>>
>>> _______________________________________________
>>> Please read the documentation before posting - it's available at:
>>> http://www.linuxvirtualserver.org/
>>>
>>> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
>>> Send requests to lvs-users-request at LinuxVirtualServer.org
>>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
>> Send requests to lvs-users-request at LinuxVirtualServer.org
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>
>
>
> --
> Regards,
>
> Malcolm Turnbull.
>
> Loadbalancer.org Ltd.
> Phone: +44 (0)330 380 1064
> http://www.loadbalancer.org/



-- 
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/



More information about the lvs-users mailing list