Hi

On Wed, 2008-02-06 at 01:06 -0800, andreas2008 wrote:
> I am a little bit confused about what will be the best for me. As I've
> learned, when using LVS-NAT all the traffic will be routed back via the
> director.

That's right.

> In fact, I do not want the real server to have a public IP.

The realservers either:

1. Have an internally private (set of) IP address(es) and send all traffic back through the director - LVS-NAT. This does not necessarily mean that they're unreachable from the public Internet, since it's quite possible to do NAT with public but protected address space.

2. Have whatever addressing scheme you want, but have the VIP (which is by definition "public", since clients have to access it - although the clients could be in private space too.... confused?) bound to a local interface (maybe loopback, maybe tun, maybe real) so they can handle requests made to the VIP - LVS-TUN and LVS-DR.

If you want to keep the realservers completely private, put them in a block taken from RFC1918 space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and make sure that when they have to initiate connections to the outside world - for example, for system updates - they have a valid path doing SNAT for them somewhere.

Using LVS-NAT you simply have the VIP on the director, and the director then DNATs connections on the way in to route them to the realservers' private addresses. Return traffic goes back via the director, is un-NATted, and sent back to the client.

Using LVS-DR you have the VIP on the director and then you need some way of handling the traffic destined to the VIP when it arrives at the realservers. The easiest and most commonly documented way of doing this is to create a loopback alias interface and put the VIP on it with a /32 (255.255.255.255) netmask. Then, when a connection is initiated by a client, the realserver responds directly (i.e. does not have to traverse the director on the way out) to the client using the VIP address. This does *not* necessarily mean that clients can reach the realservers directly, but it does mean the reverse is possible.

> Imagine the following configuration:
>
> director has a public IP, the VIP is within the same subnet. The real
> servers should have private IP. So I guess, the only solution is LVS-NAT. Am
> I right? Or is it possible to use LVS-DR with only private IPs on the real
> servers a route via the director?

It isn't possible (within reason) to use -DR where there is no VIP on the realserver. This is because the applications running on the realserver really need to know which IP address they're listening to, and which they need to respond from.

However, you can still use private addressing with -DR as long as the public VIP is on a loopback adapter.

Does that make sense?

Graeme

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
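As an added example that is not part of the list post (nor of LVS itself), the following POSIX shell script prints the director-side ipvsadm entries for the two forwarding modes discussed above (masquerading for LVS-NAT, gateway for LVS-DR) and, for LVS-DR, the realserver-side loopback alias with a /32 netmask; it refuses realservers that are not in RFC1918 space. The helper names `is_rfc1918` and `lvs_commands` are mine, and the VIP and realserver addresses are constructed samples.

```shell
#!/bin/sh
# Added example: emit (not run) the LVS-NAT vs LVS-DR commands for a service.
# ipvsadm/ip invocations are the standard tools; all addresses are constructed.

# Return 0 when $1 is an IPv4 address inside RFC1918 space
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 1 otherwise.
is_rfc1918() {
    case $1 in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;   # non-digits, empty octet
    esac
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    [ "$1" -le 255 ] && [ "$2" -le 255 ] && [ "$3" -le 255 ] && [ "$4" -le 255 ] || return 1
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Usage: lvs_commands nat|dr VIP PORT REALSERVER...
# Prints the director's ipvsadm lines; for dr also the realserver loopback alias.
lvs_commands() {
    _mode=$1; _vip=$2; _port=$3; shift 3
    case $_mode in
        nat) _fwd=-m ;;   # masquerading: replies return via the director and are un-NATted
        dr)  _fwd=-g ;;   # gateway: realserver answers the client directly from the VIP
        *)   echo "unknown mode: $_mode" >&2; return 2 ;;
    esac
    echo "# director: virtual service $_vip:$_port, round-robin"
    echo "ipvsadm -A -t $_vip:$_port -s rr"
    for _rs in "$@"; do
        if ! is_rfc1918 "$_rs"; then
            echo "refusing $_rs: realserver is not in RFC1918 space" >&2
            return 1
        fi
        echo "ipvsadm -a -t $_vip:$_port -r $_rs:$_port $_fwd"
    done
    if [ "$_mode" = dr ]; then
        echo "# on every realserver: VIP on a loopback alias with a /32 netmask"
        echo "ip addr add $_vip/32 dev lo"
    fi
}

# Sample run: public VIP (documentation range), two private realservers, -DR mode.
lvs_commands dr 203.0.113.10 80 10.0.0.2 10.0.0.3
```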
