Hi Srinivas,

What's the difference between using masquerade and static?

And just to update... I realised what my problem was!
Big boo boo! I didn't set the IP address 192.168.1.204 on eth0!

Hahaha, it works now!

But another question: can I enable FTP services on Vyatta OS? I don't see
services like vsftpd in it...

Thanks man!
Happy Daren
  -----Original Message-----
  From: Srinivaas Kamath [mailto:[EMAIL PROTECTED]
  Sent: Thursday, 23 August 2007 17:46
  To: 'Daren Tay'; [EMAIL PROTECTED]
  Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta


  Hi Daren,

  The "translation-type" masquerade is wrong. Use "translation-type" static.

   rule 5 {
                  type: "destination"
                  translation-type: "masquerade"   <=== This is wrong. Change it to static

  Thanks
  Srinivas



------------------------------------------------------------------------------
  From: Daren Tay [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 23, 2007 7:35 PM
  To: Srinivaas Kamath; [EMAIL PROTECTED]
  Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta


  Hi Srinivaas,

  I am currently testing it out. It still doesn't work, but it feels close:
my entire test setup can route to the internet successfully, but the
'Destination NAT' is still not working.

  My NAT rule for this is as follows:
  The setup is still done in lab, so all are private IPs
  192.168.1.x represents the public network
  192.168.4.x represents the VIP on the load balancer

              rule 5 {
                  type: "destination"
                  translation-type: "masquerade"
                  inbound-interface: "eth0"
                  source {
                      network: 0.0.0.0/0
                  }
                  destination {
                      address: 192.168.1.204
                  }
                  inside-address {
                      address: 192.168.4.100
                  }
              }

  eth0: public port of the router, to 192.168.1.x
  eth1: private port, connects to the load balancer via 192.168.3.x/30 --> all
pingable

  My idea is to map the 'public IP' 192.168.1.204 to the load balancer VIP
192.168.4.100.
  The above doesn't work, and I have been toying with the rule here and
there, but no luck still.

  But it feels near... are you able to point me in the correct direction?

  Thanks!
  Daren
    -----Original Message-----
    From: Srinivaas Kamath [mailto:[EMAIL PROTECTED]
    Sent: Wednesday, 22 August 2007 19:36
    To: 'Daren Tay'; [EMAIL PROTECTED]
    Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta


    Hi Daren,



    NAT stands for Network Address Translation - a mechanism to modify the
addresses and/or ports of packets as they pass through a computer or network
device. Destination NAT in particular refers to translation of the
destination address (destination IP address). This means that you can
substitute the destination IP address in a packet with another IP address.
The router will do that for you automatically on the forward path to the
load balancer. On the return path the router will reverse the change by
substituting the original IP address back in as the source IP address. The
router keeps track of all address substitutions it makes on the forward path
to the load balancer so that it can reverse them in the reply packet. So
from the client's perspective it is still talking to the public VIP.

    Example: if your public VIP is 203.55.86.87, the router can change this
to, say, 192.168.86.87 in the packet that is headed for the load balancer.
Therefore on the load balancer you have to configure 192.168.86.87 as your
VIP and not 203.55.86.87. But on the Vyatta router you have to configure
destination NAT to map 203.55.86.87 to 192.168.86.87, i.e. there is a
one-to-one mapping between the public-side VIP and the private-side VIP.
The Vyatta router will simply substitute the destination IP address. It
won't do any load balancing.



    On the Vyatta router you have to define rules to do Destination NAT.
Please read the Vyatta configuration for further details.



    Regards
    Srinivas

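    The destination NAT behaviour described in the message above (rewrite on
the forward path, remembered substitution, reversal on the reply), together
with the "static" versus "masquerade" distinction from the correction earlier
in the thread and the "address must be on eth0" finding at the top, as an
added toy model. This is not Vyatta's code and not part of the original
thread; the addresses and interface names are the thread's, while the Packet
and NatRule classes, rule 10, the router's own 192.168.1.1, and the
192.168.3.1 link address are assumptions made for the example. The model
rejects a destination rule with translation-type masquerade outright, which
stands in for Vyatta refusing that combination.

```python
"""Toy model of Vyatta-style NAT with connection tracking (constructed example).

Not Vyatta's code and no real packets: it shows DNAT rewriting the
destination of a packet arriving on eth0, conntrack remembering the
substitution, and the reply being rewritten back so the client still sees
the public VIP.  "static" = one fixed address; "masquerade" = the outbound
interface's own address, which only makes sense for source translation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class NatRule:
    number: int
    type: str                        # "destination" or "source"
    translation_type: str            # "static" or "masquerade"
    interface: str                   # inbound (DNAT) or outbound (SNAT) interface
    source_network: str = "0.0.0.0/0"
    destination_address: Optional[str] = None   # DNAT: public address to match
    inside_address: Optional[str] = None        # DNAT: private address to put in
    outside_address: Optional[str] = None       # SNAT static: fixed public source


FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class Router:
    def __init__(self, interfaces: Dict[str, List[str]]) -> None:
        self.interfaces = interfaces           # iface -> configured addresses
        self.rules: List[NatRule] = []
        # inside-side 5-tuple -> (client address, public VIP it connected to)
        self.conntrack: Dict[FlowKey, Tuple[str, str]] = {}

    def add_rule(self, rule: NatRule) -> None:
        if rule.type == "destination" and rule.translation_type != "static":
            # DNAT is a one-to-one substitution; "masquerade" (use the outgoing
            # interface's address) has no meaning when the destination is rewritten.
            raise ValueError(f"rule {rule.number}: destination NAT must be static")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)

    def receive(self, pkt: Packet, iface: str) -> Optional[Packet]:
        """Packet from the public side; returns what is forwarded inward, or None."""
        # Layer-2 point from the thread: on a directly connected segment the
        # neighbour ARPs for pkt.dst and nobody answers unless that address is
        # configured on iface, so the frame never reaches the NAT rule at all.
        if pkt.dst not in self.interfaces.get(iface, []):
            return None
        for rule in self.rules:
            if rule.type != "destination" or rule.interface != iface:
                continue
            if ip_address(pkt.src) not in ip_network(rule.source_network):
                continue
            if pkt.dst != rule.destination_address:
                continue
            out = Packet(pkt.src, rule.inside_address, pkt.sport, pkt.dport, pkt.proto)
            key = (out.proto, out.src, out.sport, out.dst, out.dport)
            self.conntrack[key] = (pkt.src, pkt.dst)   # remember the substitution
            return out
        return pkt   # no DNAT rule matched: delivered to the router itself

    def reply(self, pkt: Packet) -> Packet:
        """Reply from the inside host; undo the DNAT using conntrack."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.conntrack.get(key)
        if entry is None:
            return pkt                     # no state for this flow
        client, public_vip = entry
        return Packet(public_vip, client, pkt.sport, pkt.dport, pkt.proto)

    def send(self, pkt: Packet, iface: str) -> Packet:
        """Packet from the private side leaving via iface; apply source NAT."""
        for rule in self.rules:
            if rule.type != "source" or rule.interface != iface:
                continue
            if ip_address(pkt.src) not in ip_network(rule.source_network):
                continue
            if rule.translation_type == "masquerade":
                new_src = self.interfaces[iface][0]    # interface's primary address
            else:
                new_src = rule.outside_address         # fixed one-to-one address
            return Packet(new_src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        return pkt


def lab_router(vip_on_eth0: bool = True) -> Router:
    """The thread's lab: eth0 public (192.168.1.x), eth1 link to the load balancer."""
    eth0 = ["192.168.1.1"] + (["192.168.1.204"] if vip_on_eth0 else [])  # .1 assumed
    r = Router({"eth0": eth0, "eth1": ["192.168.3.1"]})                   # .3.1 assumed
    # Rule 5 as corrected in the thread: translation-type static, not masquerade.
    r.add_rule(NatRule(5, "destination", "static", "eth0", "0.0.0.0/0",
                       destination_address="192.168.1.204",
                       inside_address="192.168.4.100"))
    # Assumed rule 10 so the farm can reach the internet (not shown in the thread).
    r.add_rule(NatRule(10, "source", "masquerade", "eth0", "192.168.4.0/24"))
    return r


if __name__ == "__main__":
    r = lab_router()
    client = Packet("192.168.1.50", "192.168.1.204", 40000, 80)   # constructed client
    print("to LB VIP :", r.receive(client, "eth0"))
    print("to client :", r.reply(Packet("192.168.4.100", "192.168.1.50", 80, 40000)))
    print("VIP not on eth0:", lab_router(vip_on_eth0=False).receive(client, "eth0"))
```

Running it shows the client's SYN leaving eth1 with destination 192.168.4.100, the load balancer's reply leaving eth0 with source 192.168.1.204, and None for the same SYN when 192.168.1.204 is missing from eth0, which is the symptom reported at the top of the thread.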





----------------------------------------------------------------------------

    From: Daren Tay [mailto:[EMAIL PROTECTED]
    Sent: Wednesday, August 22, 2007 8:33 PM
    To: [EMAIL PROTECTED]
    Cc: Srinivaas Kamath
    Subject: FW: [Vyatta-users] Allowing ports to bridge using vyatta



    Hi Srinivas,

    What's Destination NAT? -- Sorry, I guess I'm not quite 'there' with my
network know-how...

    But judging from what you say... if my VIPs are on the private network,
the idea is to have the actual public IPs be VIPs on the router side, then
route them to the load balancer?

    How should I do that?

    Basically, I am dealing with web content...


    Thanks!
    Daren

      -----Original Message-----
      From: Srinivaas Kamath [mailto:[EMAIL PROTECTED]
      Sent: Wednesday, 22 August 2007 11:54
      To: 'Daren Tay'; [EMAIL PROTECTED]
      Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta

      Hi,



      Is there anything that stops you from using Destination NAT on the
Vyatta router? If you use DNAT, then the Link between the router and the
Loadbalancer can be on a private subnet and that goes for the VIPs as well.
So VLAN3, VLAN2 and the VIPs will all be on private subnets. You can have a
1-to-1 correspondence between the VIP on the public side and the VIP on the
private subnet. The Vyatta router will do DNAT first and then route the
packet. So the scheme has to work.



      Thanks

      Srinivas




--------------------------------------------------------------------------

      From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daren Tay
      Sent: Wednesday, August 22, 2007 12:58 PM
      To: [EMAIL PROTECTED]
      Subject: [Vyatta-users] Allowing ports to bridge using vyatta



      Hi everyone,



      I'm currently sourcing open-source router solutions and have chanced
upon Vyatta.

      Still tinkering with it.



      I currently have an infrastructure that only has a Load Balancer with 2
VLANs:

      VLAN #2: Public domain --> that's where the public IPs reside, and
where servers not being load-balanced are



      VLAN #3: Private Domain --> this is where the servers for the
load-balanced "farms" are located. Private IPs, not routable to the internet
(as there is no router, hence the need for a router)



      The public IPs representing the farms are located on the Load Balancer
as Virtual IPs (VIP).



      As attached, I am trying to achieve that setup, but I realise I need
my datacentre to give me a separate line to the router (of a different
subnet) so that I can maintain my original use of the ip addresses set...
and yet be able to get routing info... or am I wrong to think that?



      Looking at the diagram, the servers squared up are VLAN #3, the private
domain. That's one subnet (private addresses). The connection between the
router and the load balancer can be a /30 private IP subnet, no issue.



      The big issue is that if the uplink coming in from the top is from the
public domain subnet, I won't be able to specify the VIP in the Load
Balancer using IPs from the same public domain subnet, because the router
won't know where to route it, will it? At least the test setup I did with a
simple router shows that.



      What I am thinking of is if I can bridge the 2 ports on my router
(yeah, using a machine with 2 ports) such that it will just bypass the
traffic from the router, then I will just need 2 subnets really, the private
domain and the public domain as before -- and yet be able to let my machines
from the private domain route out to the internet.



      Possible with vyatta?



      Thanks people!

      Daren Tay


_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users