On Mon, 26 Nov 2007, Ben Hollingsworth wrote:

> Apparently, the forwarding rules get first dibs. In my environment,
> when the director sees a packet come back from the private side that
> didn't first come through addressed to the VIP, then the director just
> acts as a router and dutifully forwards the packet wherever it thinks it
> should go without NATting it. No iptables or conntrack is used.
>
> BTW, in the default setup, the director merely sends an ICMP redirect
> back to the real server, which causes problems under some
> circumstances. I had to set "net.ipv4.conf.default.send_redirects = 0"
> to get it to work consistently.

I think in the HOWTO I said to turn all these off.

> What we ended up doing was dissolving the private subnet entirely. Each
> RS thinks that it's on a /32 (1-host) subnet that contains only itself.
> We forced a routing rule that tells it the default route is to the
> virtual gateway on eth0, even though it doesn't have a subnet route for
> that gateway. The RS routing table looks like this:
>
> # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 172.22.64.222   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> 0.0.0.0         172.22.64.222   0.0.0.0         UG        0 0          0 eth0
>
> 172.22.64.222 is the virtual gateway on the director. The down side
> here is that any communication amongst the RS's gets bounced off the
> director.

In the HOWTO I set up hostroutes for the realservers and they talk to each other bouncing off the director.

> In our low-volume environment, that's not a problem. We're
> balancing for availability, not throughput.
>
> Does this all make sense? Are you all cringing yet? We didn't exactly
> plan this layout; it's just where we ended up after we'd fixed all the
> problems we encountered along the way.

Sounds fine to me. I'll add it to the one-network NAT section sometime.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator
at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
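
Added example, not part of the thread or of the LVS HOWTO: a shell check that a realserver's `netstat -rn` output has exactly the layout described above (one /32 host route to the director's gateway address and a default route via it, nothing else). The function name `check_rs_routes`, its arguments and the variable `RS_TABLE` are assumptions made for this example; the sample table is the one quoted in the thread.

```shell
#!/bin/sh
# Audit a realserver routing table, read from stdin in `netstat -rn` format.
#   $1 = gateway address on the director, $2 = realserver interface
# Returns 0 only if the table holds exactly the /32 host route to the gateway
# and the default route via it. Any other entry is reported, because a
# connected subnet route would send traffic on-link instead of via the director.
check_rs_routes() {
    awk -v gw="$1" -v ifc="$2" '
        # Header and blank lines do not start with a dotted-quad destination.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            dest = $1; via = $2; mask = $3; dev = $NF
            if (dest == gw && via == "0.0.0.0" &&
                mask == "255.255.255.255" && dev == ifc) {
                host++
            } else if (dest == "0.0.0.0" && mask == "0.0.0.0" &&
                       via == gw && dev == ifc) {
                dflt++
            } else {
                printf "unexpected route: %s via %s mask %s dev %s\n",
                       dest, via, mask, dev
                bad++
            }
        }
        END {
            if (host != 1) { print "host route to " gw " missing or duplicated"; bad++ }
            if (dflt != 1) { print "default route via " gw " missing or duplicated"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Sample input: the realserver table quoted in the thread.
RS_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.22.64.222   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
0.0.0.0         172.22.64.222   0.0.0.0         UG        0 0          0 eth0'

# Typical use on a realserver:
#   netstat -rn | check_rs_routes 172.22.64.222 eth0
```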
