Hi Graeme, I want to keep the load balancer on its own network if at all possible as this is a shared solution (multiple client networks) and it's going to mean additional cabling and complexity if I use LVS-DR and it requires assigning the VIP to the realservers.
Am I barking up the wrong tree here then, expecting this configuration to work, even if I could somehow get the load balancer to SNAT outgoing packets? Perhaps if I had another physical interface on the load balancers and SNAT'ed outgoing packets leaving via that interface to avoid the ARP problem?

Thanks.

Andy.

Graeme Fowler wrote:
> On Tue, 2008-02-26 at 14:44 +0000, Andy Ashley wrote:
>
>> The realservers are using the inside interface of their firewall as the
>> default gateway. The firewall then has the L3 switch as its default
>> gateway.
>>
>
> Right. I made a hash of my previous reply since I missed the -NAT (-m)
> option on your setup.
>
>
>> I can assign the ip to lo without issue. However,
>>
>
> If you're using LVS-NAT you don't need to. However...
>
>
>> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/all/hidden
>> -bash: /proc/sys/net/ipv4/conf/all/hidden: No such file or directory
>>
>> xxxx-lb1-lbr01 ha.d # echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
>> -bash: /proc/sys/net/ipv4/conf/lo/hidden: No such file or directory
>>
>> Distro is Gentoo Linux, kernel 2.6.23-r8
>>
>
> Yah, yah, cut'n'paste from the web pages... that's the 2.4 method. On
> 2.6.x you need:
>
> /proc/sys/net/ipv4/conf/all/arp_ignore
> /proc/sys/net/ipv4/conf/lo/arp_ignore
>
>
>> At present, the packets are being forwarded to the realservers with the
>> client ip as the source ip.
>>
>
> Yes, this is the normal way of doing things.
>
>
>> The realservers are actually responding directly to the client ip.
>>
>
> Indeed they will do. Their default gateway is, as you mention:
>
>
>> The realservers are using the inside interface of their firewall as the
>> default gateway. The firewall then has the L3 switch as its default
>> gateway.
>>
>
> And therein lies the problem. For LVS-NAT to work the replies MUST
> traverse the director on the way out to be un-NATted.
>
> In this case I would simplify things for yourself - making the responses
> go back via the director requires an infrastructure change; you know the
> SNAT approach doesn't work already.
>
> Switch to LVS-DR - put the VIP on the realservers, forget SNAT and have
> the realservers respond directly. Problem solved.
>
> Joe, did I get this one right?
>
> Graeme
>
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [EMAIL PROTECTED]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
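A worked setup for the LVS-DR approach Graeme recommends, covering both the realserver side (the 2.4 "hidden" knob versus the 2.6 arp_ignore knob he points out, plus the VIP on lo) and the director side (ipvsadm with -g instead of the -m that LVS-NAT uses). This is an added example, not code from the thread or from the LVS project. The addresses (VIP 192.0.2.10, realservers 10.0.0.11 and 10.0.0.12), port 80, the wlc scheduler and the function names are assumptions; arp_announce=2 is the usual companion to arp_ignore=1 from the LVS documentation and is not something the thread itself mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: VIP 192.0.2.10,
# realservers 10.0.0.11 and 10.0.0.12, service port 80.
VIP=192.0.2.10
RIP1=10.0.0.11
RIP2=10.0.0.12

# Which sysctl hides the VIP from ARP on this kernel. 2.4 (and older)
# kernels needed the "hidden" patch; 2.6 and later ship arp_ignore and
# arp_announce instead, which is why the echo into .../hidden failed.
arp_hiding_knobs() {
    case "$1" in
        2.[0-5].*) echo "hidden" ;;
        *)         echo "arp_ignore arp_announce" ;;
    esac
}

# Print the realserver-side commands for LVS-DR: stop answering ARP for
# addresses held on lo, then put the VIP there as a /32. Printed rather
# than executed so they can be reviewed and then piped to "sh" as root.
realserver_dr_commands() {
    vip="$1"; kver="$2"
    for knob in $(arp_hiding_knobs "$kver"); do
        case "$knob" in
            hidden)       val=1 ;;
            arp_ignore)   val=1 ;;
            arp_announce) val=2 ;;   # assumption: standard LVS-DR pairing
        esac
        for dev in all lo; do
            echo "echo $val > /proc/sys/net/ipv4/conf/$dev/$knob"
        done
    done
    # /32 so the realserver does not believe the VIP's subnet lives on lo
    echo "ip addr add ${vip}/32 dev lo"
}

# Director side. -g (gatewaying) is LVS-DR: the realserver replies straight
# to the client. The thread's original -m (masquerading) is LVS-NAT and only
# works when the replies route back through the director to be un-NATted.
director_dr_commands() {
    vip="$1"; port="$2"; shift 2
    echo "ipvsadm -A -t ${vip}:${port} -s wlc"
    for rip in "$@"; do
        echo "ipvsadm -a -t ${vip}:${port} -r ${rip}:${port} -g"
    done
}

# Check a running 2.6+ realserver: returns 0 only if both knobs are set
# on "all" and "lo", which is what stops it from answering ARP for the VIP.
verify_arp_hidden() {
    for dev in all lo; do
        [ "$(cat /proc/sys/net/ipv4/conf/$dev/arp_ignore 2>/dev/null)" = 1 ] || return 1
        [ "$(cat /proc/sys/net/ipv4/conf/$dev/arp_announce 2>/dev/null)" = 2 ] || return 1
    done
}

case "${1:-}" in
    show)
        realserver_dr_commands "$VIP" "$(uname -r)"
        director_dr_commands "$VIP" 80 "$RIP1" "$RIP2" ;;
    verify)
        verify_arp_hidden && echo "ARP hiding OK" || echo "ARP hiding NOT set" ;;
esac
```

`sh lvs-dr.sh show` prints the commands for the current kernel; `sh lvs-dr.sh verify` reads /proc on a realserver and reports whether the ARP hiding is actually in place, which is worth running before adding the VIP to lo, since a realserver that answers ARP for the VIP will steal traffic from the director. If the LVS-NAT (-m) design is kept instead, the realservers' default gateway has to be the director rather than the firewall; that is the infrastructure change Graeme refers to.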
