On Fri, Jul 16, 2010 at 09:50:23AM +0200, L.S. Keijser wrote:
> Hi,
>
> I'm facing a problem with accessing services from one realserver (rs_a1)
> through the director to another realserver (rs_b1). The setup is
> something like this:
>
>         VIP_1      VIP_2
>          +----------+
>          | director |
>          +----------+
>      DIP_1 /      \ DIP_2
>    +-------+    +-------+
>  V | rs_a1 |    | rs_b1 | V
>  L +-------+    +-------+ L
>  A +-------+    +-------+ A
>  N | rs_a2 |    | rs_b2 | N
>  1 +-------+    +-------+ 2

Nice diagram :-)

> Really simple. Two VIPs on the director, two 'sets' of realservers
> behind them, all LVS-NAT. Realservers rs_aX are in a separate vlan and
> have a different network address:
>
> VIP_1 10.0.0.11    DIP_1 192.168.11.1
> VIP_2 10.0.0.22    DIP_2 192.168.22.1
>
> rs_aX 192.168.11.0/24 vlan_A
> rs_bX 192.168.22.0/24 vlan_B
>
> Now something happens. A realserver in vlan_A wants to access a webpage
> that is loadbalanced behind VIP_2. So it does a:
>
> rs_a1 $ wget http://VIP_2/page
>
> And gets a timeout. Probably because the director receives the request
> coming from 192.168.11.0/24 for 10.0.0.22 (which it has configured
> locally) and forwards it without source NAT'ting it. Pure speculation
> here because I can't seem to properly capture the traffic.
>
> I see the request entering DIP_1 from rs_a1 with a destination of VIP_2.
> But when I tell nmap to capture traffic (on the director) for the
> interface where VIP_2 is configured, I see nothing with either a src_ip
> of 192.168.11.0/24 or 10.0.0.11.
>
> Anyone with some insight? :)

Hi,

I think that you have hit a known limitation, which is that LVS can't
load-balance requests from a real-server when LVS-NAT is in use.
Well, not without a work-around.

There was a recent discussion of this on this list[1].
And there is also a discussion of the problem and work-arounds
in the HOWTO[2].

As stated in that thread, my personal feeling is that this problem
can be resolved with full-nat support, which I am currently trying to
get merged[3].

[1] http://archive.linuxvirtualserver.org/html/lvs-users/2010-07/msg00000.html
[2] http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.lvs_clients_on_realservers.html#lvs_clients_on_LVS-NAT_realserver_contacting_services_on_VIP
[3] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/34529