On Mon, 23 Mar 2009, Joseph Mack NA3T wrote:

> you shouldn't be able to do this (at least on a well setup
> machine). The only connection between the client and the
> realservers is through the LVS-NAT. A ping packet shouldn't
> be able to get to the realservers from the client.
>
> Is the only route to the client from the realservers through
> the director?

No, all I configured was a route from the real servers to the client going through the director. I'm not sure how to force that behavior, either, without creating a VLAN with no default route to the outside world. When pinging the real servers from the client, our routers are quite happy to route the packets directly to the real servers. I don't control the network here, so that's not an option -- and, incidentally, as I don't intend to use LVS-NAT in production, I think it'd be kind of counterproductive to jump through those kinds of hoops to get this working.

That said, I'm not sure why packet routing from the client to the real servers should matter; in the test I was doing, I was requesting the VIP from the client; the director passed the request on to a real server; and the real server routes its replies through the director. At no time during that test should the client _try_ to communicate directly with the real server, so I'm not sure why that matters.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
