Upon further testing of this, I've found a problem. Without the iptables rules doing the SNAT, basically what I see is perfect load balancing between my 2 real servers but absolutely no SNAT happening. The return packets have the source IP address of the real server.

With this iptables rule on the director:

/sbin/iptables -t nat -A POSTROUTING -p udp --source-port 53 -j SNAT --to-source VIP:53

I see the packets get SNAT'ed correctly. However, I don't see any load balancing. It just chooses a server and continuously sends it to that server. Also no stats are shown via ipvsadm -L --stats. They just sit there like they are doing no work. The incoming packets are source port 32794 and destination port 53, so they should just bypass the iptables rule. Why this rule is messing up LVS from working correctly I have no clue. It should only be affecting the outgoing packets from the realservers back to the directors. Anybody got any clues as to what this rule is doing to my LVS setup?

Thanks
Mike

-----Original Message-----
From: Rudd, Michael
Sent: Thursday, April 26, 2007 9:34 AM
To: 'LinuxVirtualServer.org users mailing list.'
Subject: RE: SNAT / Masquerading problems using LVS-NAT

Followup after some testing. First off, yeah, I found out the application doing the DNS queries is bound to 0.0.0.0/53, so it's pretty much choosing whatever interface it wants to go out from. Probably why the SNAT isn't working from the realserver for LVS-DR. I may see if I can get this working because I ultimately want to use LVS-DR someday.

As for LVS-NAT, I had the idea to do the SNAT for LVS since it's not working because of the OPS patch I need. So I implemented an iptables rule that whenever it receives a source port of 53, it SNATs it to the VIP:53 and sends it out. This should pick up all traffic coming back from my realservers. I tried this and it works, so this is an acceptable workaround for me right now. I'll post when I get the LVS-DR testing done and verify it is SNATing when I have it configured correctly and bound to the correct interface.

Thanks for the help guys.
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Fowler
Sent: Wednesday, April 18, 2007 8:46 AM
To: LinuxVirtualServer.org users mailing list.
Subject: RE: SNAT / Masquerading problems using LVS-NAT

On Wed, 2007-04-18 at 07:01 -0500, Rudd, Michael wrote:
> My setup is 2 bonds: 1 with 2 vlans, 1 with 1 vlan
> Bond0.200 (public)
> Bond0.202 (private)
> Bond1.201 (public and vlan DNS traffic is used on)
>
> So I send my DNS query to my VIP on my directors. It gets routed to a realserver which I've attached the VIP to bond1.201:0. According to others I've talked to I shouldn't need an iptables rule but I still don't see the packet out with the source IP address of the VIP. I see the packet with the source IP of the actual realserver. It's possible it is a routing issue though, so I plan on digging deeper on that today.
>
> Should I need an iptables rule at all for LVS-DR?

Nope.

Dumb question: you haven't configured BIND to send responses from the RIP, have you (by allowing it to bind to interfaces as it sees fit)?

Also, have you solved the ARP problem for LVS-DR? You don't want your realservers ARPing the VIP, especially as you have it bound to a "real" interface rather than loopback.

I have a sneaking feeling here that the application itself is the problem, not LVS.

Graeme

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://www.in-addr.de/mailman/listinfo/lvs-users
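The symptom Mike reports at the top of the thread ("no stats are shown via ipvsadm -L --stats", one realserver taking everything) can be turned into a repeatable check on the director. The script below is an added example, not code from the thread or from the LVS project: it parses the text that ipvsadm -L --stats prints (assumed column order Conns, InPkts, OutPkts, InBytes, OutBytes after each "->" realserver line) and reports realservers that forward nothing and services where all packets land on a single realserver. The embedded sample output and the 192.0.2.x addresses are constructed placeholders for the VIP and RIPs.

```shell
#!/bin/sh
# Added example: sanity-check IPVS per-realserver counters from
# `ipvsadm -L --stats` output. Not part of the original mailing-list post.
# The sample below is constructed; 192.0.2.10 stands in for the VIP and
# 192.0.2.21/22 for the two realservers.

SAMPLE_STATS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
UDP  192.0.2.10:53                     1200     1200        0    96000        0
  -> 192.0.2.21:53                     1200     1200        0    96000        0
  -> 192.0.2.22:53                        0        0        0        0        0'

# Read stats text on stdin; print "VIP:port RIP:port" for every realserver
# whose InPkts column ($4 on a "->" data line) is 0. The header line
# "  -> RemoteAddress:Port" has only two fields and is skipped by NF >= 7.
# Values ipvsadm abbreviates with K/M suffixes are non-zero and thus ignored.
ipvs_idle_realservers() {
    awk '
        $1 ~ /^(TCP|UDP)$/ { vip = $2; next }
        $1 == "->" && NF >= 7 && $4 == 0 { print vip, $2 }
    '
}

# Read stats text on stdin; for each virtual service say whether packets
# are spread over its realservers, all sit on one realserver (the symptom
# in the thread), or none are forwarded at all.
ipvs_balance_report() {
    awk '
        function flush() {
            if (vip == "") return
            if (active == 0)
                print vip, "IDLE: no packets forwarded to", n, "realservers"
            else if (n > 1 && active == 1)
                print vip, "UNBALANCED: all", total, "packets on one of", n, "realservers"
            else
                print vip, "ok:", active, "of", n, "realservers active"
        }
        $1 ~ /^(TCP|UDP)$/ { flush(); vip = $2; n = 0; active = 0; total = 0; next }
        $1 == "->" && NF >= 7 { n++; if ($4 + 0 > 0) active++; total += $4 }
        END { flush() }
    '
}

# Stand-alone run: analyse the constructed sample. On a real director use
#   ipvsadm -L -n --stats | ipvs_balance_report
printf '%s\n' "$SAMPLE_STATS" | ipvs_idle_realservers
printf '%s\n' "$SAMPLE_STATS" | ipvs_balance_report
```

Running it on the sample reports the second realserver as idle and the UDP/53 service as unbalanced, which is exactly the state to look for before suspecting the scheduler: if one RIP shows all the InPkts while the other stays at zero, the packets are reaching the director but are no longer being distributed.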
