Hmm, without the rule I don't see any SNAT happening? Could it be my use of bonding? Our servers have 3 networks: 2 public networks on bond0 (bond0.200 and bond0.202), where 200 is public and 202 is private, and 1 public on bond1 (bond1.201). We are receiving on bond1.201, so I put the VIP on bond1.201:0. I'll recheck my routing. It's possible it was using a default route and thus was being routed out of the bond0 interface rather than the bond1 interface.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graeme Fowler
Sent: Tuesday, April 17, 2007 12:31 PM
To: LinuxVirtualServer.org users mailing list.
Subject: RE: SNAT / Masquerading problems using LVS-NAT

On Tue, 2007-04-17 at 06:53 -0500, Rudd, Michael wrote:
> Not a problem LOL. I understand you guys are busy. Graeme Fowler was
> asking some questions yesterday.
>
> Any rate, as I was telling him, I also switched to trying to use LVS-DR
> as well. The problem I'm running into there is I set up an iptables
> rule to do the SNAT for me on the realserver. Shown below:
>
> iptables -t nat -A POSTROUTING -p udp --source-port 53 -o bond1.201 -j SNAT --to-source 192.168.67.213:53

Hrm. You shouldn't need the SNAT rule with LVS-DR (that's the point of DR, after all!).

The VIP should be bound to a real device (ie not loopback) on the director; to loopback on the realserver; BIND should be listening on the VIP (and probably not on the realserver's RIP). That way, query responses will be sent from the interface to which BIND is, erm, bound. If you see what I mean.

I don't recall *ever* having to use SNAT to mangle outgoing packets using DR.

Graeme

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://www.in-addr.de/mailman/listinfo/lvs-users
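The checks below are an added example, not code from this lvs-users thread or from the LVS project. They verify on a realserver the three things Graeme's advice implies for LVS-DR with DNS: the VIP sits on lo (and not on bond1.201:0), named has a UDP socket bound to VIP:53, and, a requirement the thread does not spell out but which every LVS-DR realserver needs, arp_ignore/arp_announce are set so the realserver never answers ARP for the VIP. Assumptions: 192.168.67.213 (the --to-source address in the thread) is the VIP and bond1.201 is the realserver's uplink; the RIP 10.201.0.13, the pids and fds, and all command output in the sample data are constructed, and the names check_vip_on_lo, check_arp_sysctl, check_named_listen and check_lvs_dr_realserver are mine.

```shell
#!/bin/sh
# Added example (not from the lvs-users thread or the LVS project): checks that a
# realserver answering DNS on a VIP is configured the way LVS-DR needs it, so that
# no POSTROUTING SNAT rule is required. Assumed from the thread: VIP 192.168.67.213,
# uplink bond1.201. Constructed: RIP 10.201.0.13, pids/fds and all sample output.
VIP="${VIP:-192.168.67.213}"
RIP_IFACE="${RIP_IFACE:-bond1.201}"

# check_vip_on_lo "$(ip -o -4 addr show)"
# With DR the VIP must be a /32 on lo and on no real interface; a VIP on
# bond1.201:0 makes the realserver answer ARP for it and compete with the director.
# ip -o lines look like "<idx>: <ifname> inet <addr>/<len> ...", so $2/$4 are used.
check_vip_on_lo() {
    on_lo=$(printf '%s\n' "$1" | awk -v vip="$VIP" \
        '$2=="lo" && $4==(vip "/32") {c++} END {print c+0}')
    elsewhere=$(printf '%s\n' "$1" | awk -v vip="$VIP" \
        '$2!="lo" && index($4, vip "/")==1 {c++} END {print c+0}')
    [ "$on_lo" -eq 1 ] && [ "$elsewhere" -eq 0 ]
}

# sysctl_val "<sysctl -a output>" <key>: value of key, or 0 if the key is absent.
sysctl_val() {
    printf '%s\n' "$1" | awk -v k="$2" '$1==k {print $3; f=1} END {if (!f) print 0}'
}

# check_arp_sysctl "$(sysctl -a 2>/dev/null)"
# The kernel applies max(all, <iface>) for arp_ignore and arp_announce; DR needs
# arp_ignore>=1 and arp_announce>=2 so the realserver never advertises the VIP.
# sysctl prints a dotted interface name with a slash (bond1/201), hence the tr.
check_arp_sysctl() {
    sys_iface=$(printf '%s' "$RIP_IFACE" | tr . /)
    ign_all=$(sysctl_val "$1" net.ipv4.conf.all.arp_ignore)
    ign_if=$(sysctl_val "$1" "net.ipv4.conf.$sys_iface.arp_ignore")
    ann_all=$(sysctl_val "$1" net.ipv4.conf.all.arp_announce)
    ann_if=$(sysctl_val "$1" "net.ipv4.conf.$sys_iface.arp_announce")
    ign=$(( ign_all > ign_if ? ign_all : ign_if ))
    ann=$(( ann_all > ann_if ? ann_all : ann_if ))
    [ "$ign" -ge 1 ] && [ "$ann" -ge 2 ]
}

# check_named_listen "$(ss -ulnp)"
# BIND must own a UDP socket bound to VIP:53; replies then leave with the VIP as
# source address without any SNAT. In ss output field 4 is Local Address:Port.
check_named_listen() {
    printf '%s\n' "$1" | awk -v vip="$VIP" \
        '$4==(vip ":53") && /"named"/ {f=1} END {exit !f}'
}

# Run all three checks; prints one FAIL line per problem, returns 0 when clean.
check_lvs_dr_realserver() {
    rc=0
    check_vip_on_lo "$1"    || { echo "FAIL: $VIP must be /32 on lo and on no other interface"; rc=1; }
    check_arp_sysctl "$2"   || { echo "FAIL: need arp_ignore>=1 and arp_announce>=2 (all or $RIP_IFACE)"; rc=1; }
    check_named_listen "$3" || { echo "FAIL: named has no UDP listener on $VIP:53"; rc=1; }
    return $rc
}

# Constructed sample data (not captured from the poster's hosts).
GOOD_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 192.168.67.213/32 scope global lo
4: bond1.201    inet 10.201.0.13/24 brd 10.201.0.255 scope global bond1.201'
# The layout from the thread: VIP as an alias on the uplink instead of on lo.
BAD_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
4: bond1.201    inet 10.201.0.13/24 brd 10.201.0.255 scope global bond1.201
4: bond1.201    inet 192.168.67.213/24 brd 192.168.67.255 scope global secondary bond1.201:0'
GOOD_SYSCTL='net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.bond1/201.arp_ignore = 1
net.ipv4.conf.bond1/201.arp_announce = 2'
BAD_SYSCTL='net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0'
GOOD_SS='UNCONN 0 0 192.168.67.213:53 0.0.0.0:* users:(("named",pid=2210,fd=21))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("named",pid=2210,fd=20))'
BAD_SS='UNCONN 0 0 10.201.0.13:53 0.0.0.0:* users:(("named",pid=2210,fd=20))'

# Stand-alone demonstration; on a real host pass
# "$(ip -o -4 addr show)" "$(sysctl -a 2>/dev/null)" "$(ss -ulnp)" instead.
if check_lvs_dr_realserver "$GOOD_ADDR" "$GOOD_SYSCTL" "$GOOD_SS"; then
    echo "good sample: realserver is DR-ready, no SNAT rule needed"
fi
echo "bad sample (VIP on bond1.201:0, default ARP sysctls, named on the RIP):"
check_lvs_dr_realserver "$BAD_ADDR" "$BAD_SYSCTL" "$BAD_SS" || true
```

When a realserver fails these checks the usual fix, run as root, is `ip addr add 192.168.67.213/32 dev lo`, `sysctl -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2`, and `listen-on { 192.168.67.213; };` in named.conf (assumed VIP), after which the iptables SNAT rule from the thread can be removed. The routing question raised in the reply above is separate: the reply's source address is decided by the socket BIND answers from, not by which bond the default route leaves through.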
