Public bug reported:
When using keepalived/ipvsadm/LVS as a load balancer and iptables to
SNAT, traffic gets lost when the VIP address and the REAL servers are
not in the same subnet/VLAN.
When I turn on logging for iptables, you can see the packet coming in, but
nothing happens.
---
Nov 15 06:25:08 lb1 kernel: [922014.361577] IN= OUT=eth0 SRC=192.168.1.100 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44987 DF PROTO=TCP SPT=58504 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
---
This works running Ubuntu 14.04 or 12.04 but on Ubuntu 16.04 it stopped
working.
---
In /etc/sysctl.conf I have included:
net.ipv4.ip_forward=1
net.ipv4.vs.conntrack = 1
net.ipv4.vs.snat_reroute = 1
-----
# lsb_release -rd
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
# apt-cache policy keepalived
keepalived:
  Installed: 1:1.2.19-1
  Candidate: 1:1.2.19-1
  Version table:
 *** 1:1.2.19-1 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
# apt-cache policy iptables
iptables:
  Installed: 1.6.0-2ubuntu3
  Candidate: 1.6.0-2ubuntu3
  Version table:
 *** 1.6.0-2ubuntu3 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
# apt-cache policy ipvsadm
ipvsadm:
  Installed: 1:1.28-3
  Candidate: 1:1.28-3
  Version table:
 *** 1:1.28-3 500
        500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
-----
This is the iptables config:
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.10 -m ipvs --ipvs \
    --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.11 -m ipvs --ipvs \
    --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4
This is the keepalived config:
vrrp_instance vapp1 {
    state EQUAL
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    smtp_alert
    authentication {
        auth_type PASS
        auth_pass vapp1
    }
    virtual_ipaddress {
        192.168.9.5/24 brd 192.168.9.255 dev eth0
    }
}
virtual_server 192.168.9.5 80 {
    delay_loop 6
    lb_algo wlc
    lb_kind NAT
    persistence_timeout 3600
    protocol TCP
    real_server 192.168.10.10 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
    real_server 192.168.10.11 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
}
** Affects: ubuntu
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1641918
Title:
LVS + SNAT: VIP and RIP not in the same subnet not working
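
A triage check for a setup like the one reported above, as an added example that is not part of the original report: it compares the sysctl keys requested in a config file against a captured runtime listing. The net.ipv4.vs.* keys exist only while the ip_vs kernel module is loaded, so a line in /etc/sysctl.conf does not by itself guarantee the value is live. The helper names (normalise, sysctl_drift, demo) and the runtime excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report.

# Reduce "key = value" or "key=value" lines on stdin to "key=value",
# dropping comments and blank lines.
normalise() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# sysctl_drift WANTED_FILE RUNTIME_FILE  (hypothetical helper name)
# Prints one verdict per wanted key: OK, MISMATCH or MISSING.
sysctl_drift() {
    normalise < "$1" | while IFS='=' read -r key want; do
        have=$(normalise < "$2" |
            awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            echo "MISSING $key wanted=$want"
        elif [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "MISMATCH $key=$have wanted=$want"
        fi
    done
}

demo() {
    dir=$(mktemp -d)
    # Requested values: the three lines the report lists from /etc/sysctl.conf.
    cat > "$dir/wanted" <<'EOF'
net.ipv4.ip_forward=1
net.ipv4.vs.conntrack = 1
net.ipv4.vs.snat_reroute = 1
EOF
    # Constructed `sysctl -a` excerpt (not taken from the reporter's host).
    cat > "$dir/runtime" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.vs.conntrack = 0
EOF
    sysctl_drift "$dir/wanted" "$dir/runtime"
    rm -rf "$dir"
}

demo
```

On a live host, save the output of `sysctl -a` to a file and pass it as the second argument, with /etc/sysctl.conf as the first.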