On Mon, 24 Nov 2008, Eli Ben-Shoshan wrote:

> I am trying to not have to have a public IP on the realserver.

apart from the VIP? For the LVS you should setup with private IPs on the RIP network. If you need public IPs on the realservers for some other reason (ruining security) then these public IPs are independent of the LVS.

> My problem is that I can get the realserver to reply back
> to the client.

For an LVS to work, there must be no way that the client can send packets directly to the realserver. With Lars's method the router has a host route to the VIP on the outside of the director. The various ways of handling the arp problem all result in the realservers not replying to arp requests broadcast by the router.

> I know the director is getting packets to the realserver
> but I can't get the realserver to reply back to the
> client.

This contradicts the first sentence in the paragraph.

> Is there an example somewhere that is similar to mine? I
> think my director is setup correct. My problem is with the
> realserver.

For Lars's method you do nothing to the realserver, you reconfigure the router.

> When the realserver arps for the gateway's mac address, it
> does not get a response. The reason for this is that the
> realserver's IP address is not on the same network as the
> gateway.

For routing to work, the router must have an IP in the network of the node using it as a router.

> The realserver's IP address is 192.168.74.81 and
> the IP of the gateway is 128.227.74.126.

Hmm. Is 128.x.x.x in the same network as the VIP?

> Here is the relevant section of the
> tcpdump:
>
> 16:00:52.119149 arp who-has 128.227.74.126 tell 192.168.74.81

Well dang. I haven't setup Lars's method, and it looked so simple and obvious at the time, I didn't think through any of these details, or ask him how he'd got it to work. Presumably it wasn't a major sweat or he would have told us about it.

I assume from here you're going to have to do one of these

o Put an address 192.168.74.0/24 on the router and use this address as the default gw (acceptable). Remember that the outbound packets from the realserver come from the VIP not the RIP. You only need this address on the router to allow you to have a default route from the realserver.

o put an address in the 128.227.74.0/24 network on the realserver (bad from the point of view of security)

o put a host route on the realserver to the router (acceptable). You seem to be able to do this across networks. 71.111.216.83 is the IP on the outside of my home router. Here's a node inside the network, with a private IP

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

dennis: # route add -host 71.111.216.83 eth0
dennis: # route del default gw 192.168.1.254
dennis: # route add default gw 71.111.216.83

dennis: # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
71.111.216.83   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         71.111.216.83   0.0.0.0         UG    0      0        0 eth0

dennis: # ping 71.111.216.83
PING 71.111.216.83 (71.111.216.83): 56 octets data
64 octets from 71.111.216.83: icmp_seq=0 ttl=64 time=1.2 ms
64 octets from 71.111.216.83: icmp_seq=1 ttl=64 time=0.8 ms

The only remaining question is how did Lars do it?

I'd suggest the last method would be the best, since you won't have to rely on the routing people to maintain this part of the configuration.

> After talking to my network people, they tell me that this
> is explicitly not allowed by their current configs.

Well yes :-)

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at
http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/
It's GNU/Linux!
_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
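The three options Joe lists, as an added example that is not part of his post or of LVS: a small Python model of the two Linux IPv4 routing rules the thread turns on. A route with a gateway is only accepted when the gateway is already covered by a gateway-less (on-link) route, which is why Eli's default gateway in 128.227.74.0/24 is refused from a realserver that only has 192.168.74.0/24, and why the /32 host route in the "dennis" transcript makes the off-subnet gateway acceptable. Forwarding then picks the longest matching prefix and ARPs for that route's gateway. The addresses are the ones from the thread; 192.168.74.126 as the router's address for option one and 198.51.100.7 as a client address are assumptions, and the VIP-as-source-address detail of LVS-DR is not modelled.

```python
"""Model of the Linux IPv4 route-acceptance and lookup rules discussed in the thread.
Added example, not kernel code and not from the LVS project or the mailing-list post.
Assumed/constructed values: router address 192.168.74.126 (option one), client 198.51.100.7.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # list of (IPv4Network, gateway IPv4Address or None, device)

    def _onlink(self, addr):
        # Reachable through some gateway-less route, i.e. directly on a link.
        return any(gw is None and addr in net for net, gw, _ in self.routes)

    def add(self, dst, dev, via=None):
        net = ipaddress.ip_network(dst, strict=False)
        gw = ipaddress.ip_address(via) if via is not None else None
        if gw is not None and not self._onlink(gw):
            # The kernel refuses a nexthop that no on-link route covers.
            raise ValueError(f"gateway {gw} is not on-link: no gateway-less route covers it")
        self.routes.append((net, gw, dev))

    def delete(self, dst):
        net = ipaddress.ip_network(dst, strict=False)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst):
        # Longest-prefix match; the host ARPs for the gateway, or for the
        # destination itself when the chosen route has no gateway.
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            raise LookupError(f"{addr}: network is unreachable")
        net, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
        nexthop = gw if gw is not None else addr
        return {"dev": dev, "via": None if gw is None else str(gw), "arp_for": str(nexthop)}


def eli_realserver():
    """Eli's case: RIP in 192.168.74.0/24, gateway 128.227.74.126, no host route."""
    t = RoutingTable()
    t.add("192.168.74.0/24", "eth0")
    try:
        t.add("0.0.0.0/0", "eth0", via="128.227.74.126")
    except ValueError as err:
        return str(err)
    return "default route accepted"


def option_router_in_rip_net():
    """Option one: the router gets an address in the RIP network (192.168.74.126 assumed)."""
    t = RoutingTable()
    t.add("192.168.74.0/24", "eth0")
    t.add("0.0.0.0/0", "eth0", via="192.168.74.126")  # accepted: 192.168.74.0/24 is on-link
    return t.lookup("198.51.100.7")


def dennis_table():
    """Option three, following the 'dennis' transcript command for command."""
    t = RoutingTable()
    t.add("192.168.1.0/24", "eth0")
    t.add("127.0.0.0/8", "lo")
    t.add("0.0.0.0/0", "eth0", via="192.168.1.254")
    t.add("71.111.216.83/32", "eth0")                 # route add -host 71.111.216.83 eth0
    t.delete("0.0.0.0/0")                             # route del default gw 192.168.1.254
    t.add("0.0.0.0/0", "eth0", via="71.111.216.83")   # route add default gw 71.111.216.83
    return t


def option_host_route_to_router():
    """A packet to a client leaves via eth0 and the host ARPs for 71.111.216.83."""
    return dennis_table().lookup("198.51.100.7")


def gateway_itself():
    """The ping in the transcript: the /32 wins, so the router is ARPed for directly."""
    return dennis_table().lookup("71.111.216.83")


if __name__ == "__main__":
    print("Eli's realserver:", eli_realserver())
    print("option 1:", option_router_in_rip_net())
    print("option 3:", option_host_route_to_router())
    print("ping gateway:", gateway_itself())
```

The model only decides whether a route is installable and which next hop gets ARPed for; whether the router answers that ARP on an interface whose own address is in a different subnet is the part Eli's network people control, which is why Joe prefers the host route kept on the realserver.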
