[lvs-users] FTP data port connection not closing?

Julian Anastasov ja at ssi.bg
Tue Aug 29 19:53:42 BST 2017


	Hello,

On Tue, 29 Aug 2017, Owain Jones wrote:

> Hi,
> 
> The packets seem to be dying at the router. As I can see the packets being
> received on the director and the response packets being sent from the real
> server.
> 
> One thing I'm thinking of, that I failed to mention earlier, is that the
> router does NAT. I've placed the VIP in the DMZ, so the director should be
> receiving all external packets directly. But the actual machines themselves
> are in the router's LAN and being NAT'ed.
> 
> As I'm using LVS-DR, then the only thing that should be being changed in the
> incoming packet is the MAC address, yes? But then, when the real server
> responds, it'll have a different MAC address to the incoming packet because
> it's actually a physically different machine.
> 
> So my thought is, could this MAC address mismatch be possibly confusing the
> router's NATting?

	The MAC usually does not play. You can also check the state
of conntrack entries in router, if possible. But to be sure that it
is not the router, you can start client connection from some box
on the LAN, then the real server will talk directly with this
client box.

> I guess I could test it by rewriting the MAC address on outgoing packets from
> the real server to have the MAC of the director, so that, from the router's
> perspective, the LVS is entirely transparent.

	Almost, Linux 4.10+ decrements the IP TTL field for all
forwarding methods including DR.

> Though surely, that said, the source MAC address on outgoing packets shouldn't
> really matter, I'd have thought.

	Yep

Regards

--
Julian Anastasov <ja at ssi.bg>



More information about the lvs-users mailing list