Nick,

Actually I lied... I just remembered that you will need to disable the source and destination checks on the load balancer:
https://loadbalancer.org/uk/blog/transparent-load-balancing-with-haproxy-on-amazon-ec2

• Disable the source / destination check on the instance in AWS. To do this go to the EC2 console and select your load balancer instance. Then select “Actions > Network > Change source/Dest. check” and Disable this option. Doing so enables the instance to receive traffic which has a destination IP it does not own.

On 21 November 2016 at 19:49, Malcolm Turnbull <malc...@loadbalancer.org> wrote:
> Nick,
>
> AWS is a good place to use a one arm nat configuration (because all
> the clients are usually remote)
>
> As long as the real server has the default gateway set as the load
> balancer it should be fine?
>
> On 21 November 2016 at 19:13, Nick Leli <nicholasl...@gmail.com> wrote:
>> Thanks Malcolm. So in this scenario, the client is in a different subnet;
>> it's coming from the public Internet. I am looking for the easiest route
>> to get something running so any logical recommendations are greatly
>> appreciated. Here is the current topology:
>>
>>   my laptop, connected to public internet
>>     |
>>     |
>>     |
>>     V
>>   LVS host in AWS with public IP
>>     |
>>     |
>>     |
>>     V
>>   Real server in AWS within same VPC/subnet
>>
>> What routing rules are needed on the backend server to get this to at least
>> work in this simple setup. Are iptables rules still required to masquerade
>> on eth0 or do you need to permanently change the routes?
>>
>> On Mon, Nov 21, 2016 at 10:53 AM, Malcolm Turnbull <malc...@loadbalancer.org> wrote:
>>
>>> Usually for MASQ/NAT mode the real server would be in a different
>>> subnet with the LVS server set as the default gateway.
>>>
>>> If you want to do one-arm i.e. same subnet MASQ then the test client
>>> needs to be in a separate subnet OR you need to have special routing
>>> rules on the real (backend) server.
>>>
>>> On 21 November 2016 at 18:26, Nick Leli <nicholasl...@gmail.com> wrote:
>>> > Hi Everyone,
>>> >
>>> > I am trying to learn LVS and have created the setup below (better
>>> > formatting at Server Fault http://serverfault.com/questions/816026/lvs-load-balancer-not-getting-response).
>>> > The LVS setup seems correct, but it appears that the connections never
>>> > make it to the real server, even though traffic is being sent from the
>>> > director. I am under the impression that no iptables rules are required
>>> > since the real server is added with masquerade. Is this incorrect? I have
>>> > read through the HOWTO multiple times but am not clear on what is needed.
>>> >
>>> > **Director Host**
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# cat /proc/sys/net/ipv4/ip_forward
>>> > 1
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ifconfig
>>> > eth0      Link encap:Ethernet  HWaddr 06:a0:5b:48:1b:f5
>>> >           inet addr:172.31.16.196  Bcast:172.31.31.255  Mask:255.255.240.0
>>> >           inet6 addr: fe80::4a0:5bff:fe48:1bf5/64 Scope:Link
>>> >           UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
>>> >           RX packets:4211 errors:0 dropped:0 overruns:0 frame:0
>>> >           TX packets:3692 errors:0 dropped:0 overruns:0 carrier:0
>>> >           collisions:0 txqueuelen:1000
>>> >           RX bytes:416625 (416.6 KB)  TX bytes:406446 (406.4 KB)
>>> >
>>> > lo        Link encap:Local Loopback
>>> >           inet addr:127.0.0.1  Mask:255.0.0.0
>>> >           inet6 addr: ::1/128 Scope:Host
>>> >           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>> >           RX packets:173 errors:0 dropped:0 overruns:0 frame:0
>>> >           TX packets:173 errors:0 dropped:0 overruns:0 carrier:0
>>> >           collisions:0 txqueuelen:1
>>> >           RX bytes:12776 (12.7 KB)  TX bytes:12776 (12.7 KB)
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port Scheduler Flags
>>> >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
>>> > TCP  172.31.16.196:80 rr
>>> >   -> 172.31.16.195:80             Masq    1      0          0
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# ipvsadm -Ln --stats
>>> > IP Virtual Server version 1.2.1 (size=4096)
>>> > Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
>>> >   -> RemoteAddress:Port
>>> > TCP  172.31.16.196:80                   23      122        0     6436        0
>>> >   -> 172.31.16.195:80                   23      122        0     6436        0
>>> >
>>> > root@ip-172-31-16-196:/home/ubuntu# curl 172.31.16.195 -vv
>>> > * Rebuilt URL to: 172.31.16.195/
>>> > *   Trying 172.31.16.195...
>>> > * Connected to 172.31.16.195 (172.31.16.195) port 80 (#0)
>>> > > GET / HTTP/1.1
>>> > > Host: 172.31.16.195
>>> > > User-Agent: curl/7.47.0
>>> > > Accept: */*
>>> > >
>>> > * HTTP 1.0, assume close after body
>>> > < HTTP/1.0 200 OK
>>> > < Server: SimpleHTTP/0.6 Python/2.7.12
>>> > < Date: Mon, 21 Nov 2016 04:59:04 GMT
>>> > < Content-type: text/html
>>> > < Content-Length: 26
>>> > < Last-Modified: Mon, 21 Nov 2016 00:58:21 GMT
>>> > <
>>> > From server 172.31.16.195
>>> > * Closing connection 0
>>> >
>>> > # Show the public IP of this host
>>> > root@ip-172-31-16-196:/home/ubuntu# wget http://ipinfo.io/ip -qO -
>>> > 52.15.105.107
>>> >
>>> > **Backend Server**
>>> >
>>> > root@ip-172-31-16-195:/home/ubuntu# netstat -tnlp
>>> > Active Internet connections (only servers)
>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2444/python
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1221/sshd
>>> > tcp6       0      0 :::22                   :::*                    LISTEN      1221/sshd
>>> >
>>> > root@ip-172-31-16-195:/home/ubuntu# iptables -L -t nat
>>> > Chain PREROUTING (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain INPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain OUTPUT (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > Chain POSTROUTING (policy ACCEPT)
>>> > target     prot opt source               destination
>>> >
>>> > From Remote Client
>>> >
>>> > # Hitting the public IP
>>> > $ curl -vvv http://52.15.105.107/
>>> > *   Trying 52.15.105.107...
>>> > * Connected to 52.15.105.107 (127.0.0.1) port 80 (#0)
>>> > > GET / HTTP/1.1
>>> > > Host: 52.15.105.107
>>> > > User-Agent: curl/7.43.0
>>> > > Accept: */*
>>> > >
>>> > < HTTP/1.1 504 Gateway Time-out
>>> > < Server: ScanSafe
>>> > < Mime-Version: 1.0
>>> > < Date: Mon, 21 Nov 2016 05:40:50 GMT
>>> > < Content-Type: text/html
>>> > < Content-Length: 1664
>>> > < X-ScanSafe-Error: ERR_CONNECT_FAIL 110
>>> > < Keep-Alive: 60
>>> > < Via: HTTP/1.1 proxy10829
>>> > _______________________________________________
>>> > Please read the documentation before posting - it's available at:
>>> > http://www.linuxvirtualserver.org/
>>> >
>>> > LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
>>> > Send requests to lvs-users-requ...@linuxvirtualserver.org
>>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>>
>>> --
>>> Regards,
>>>
>>> Malcolm Turnbull.
>>>
>>> Loadbalancer.org Ltd.
>>> Phone: +44 (0)330 380 1064
>>> http://www.loadbalancer.org/
>>
>
> --
> Regards,
>
> Malcolm Turnbull.
>
> Loadbalancer.org Ltd.
> Phone: +44 (0)330 380 1064
> http://www.loadbalancer.org/

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)330 380 1064
http://www.loadbalancer.org/
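The three pieces the thread arrives at (a Masq entry on the director, the director as the real server's default gateway, and the source/destination check disabled on the director), collected into an added example script. This is not code from the thread, from the LVS project or from loadbalancer.org; it uses the thread's addresses (director 172.31.16.196, real server 172.31.16.195, TCP/80) and a hypothetical instance ID, and only prints the commands unless DRY_RUN=0 is set:

```shell
#!/bin/sh
# Added example (not from the thread): one-arm LVS-NAT (Masq) in an AWS VPC.
# Addresses are the thread's; the director's instance ID is a hypothetical
# placeholder. With DRY_RUN=1 (the default) the commands are only printed so
# they can be reviewed; run with DRY_RUN=0 on the relevant host.
set -eu

DIRECTOR_IP=${DIRECTOR_IP:-172.31.16.196}
REAL_IP=${REAL_IP:-172.31.16.195}
PORT=${PORT:-80}
DIRECTOR_INSTANCE_ID=${DIRECTOR_INSTANCE_ID:-i-0123456789abcdef0}  # hypothetical
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# On the director: enable forwarding and register the service with the real
# server in Masq mode (-m). No iptables NAT rules are needed for this; IPVS
# rewrites the destination on the way in and the source on the way out.
director_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipvsadm -C
    run ipvsadm -A -t "$DIRECTOR_IP:$PORT" -s rr
    run ipvsadm -a -t "$DIRECTOR_IP:$PORT" -r "$REAL_IP:$PORT" -m
}

# On the real server: Masq leaves the client's source address untouched, so
# replies must go back through the director for it to rewrite the source to
# the VIP. In one-arm mode that means the director, not the VPC router, is the
# default gateway. This is the return path missing in the thread, where the
# director's OutPkts counter stayed at 0.
realserver_setup() {
    run ip route replace default via "$DIRECTOR_IP"
}

# In AWS: the director's ENI forwards packets whose source (the client) and,
# on the way back, destination (the client) are not its own, which the EC2
# source/destination check drops by default. Disable it on the director only.
aws_setup() {
    run aws ec2 modify-instance-attribute \
        --instance-id "$DIRECTOR_INSTANCE_ID" --no-source-dest-check
}

# Quick check on the director: OutPkts > 0 for the service means replies are
# flowing back through IPVS; 0 means the return path is still broken.
director_verify() {
    run ipvsadm -Ln --stats
}

case "${1:-}" in
    director)   director_setup ;;
    realserver) realserver_setup ;;
    aws)        aws_setup ;;
    verify)     director_verify ;;
    *)          : ;;   # no role given (e.g. when sourced): nothing to do
esac
```

Run it as `sh lvs-onearm.sh director` on the director, `realserver` on the backend and `aws` from wherever the AWS CLI is configured, first with the default dry run and then with DRY_RUN=0. Two consequences worth keeping in mind: because Masq preserves the client's source address, the real server's security group has to allow port 80 from the client ranges, not merely from the director; and the source/destination check is an AWS-side anti-spoofing guard, so once it is off on the director, the director's security group and the subnet NACLs are what constrain the traffic it will forward.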