Maybe, but rp_filter just controls where the reply packet goes; the default setting is out of any interface (which I've always thought is a bit crazy). I would start with a one-arm, one-VLAN configuration for simplicity and diagnosis, and it could be that the switch has MAC spoofing protection turned on.

On 24 March 2014 21:18, Tiago <[email protected]> wrote:
> I tried both, but it didn't work.
>
> Maybe my switch/gw is rejecting packets from my realservers directly to
> customers because of RPF filter?
>
> 2014-03-24 18:03 GMT-03:00 Malcolm Turnbull <[email protected]>:
>
>> I've never used that method before, I would think you would need to be
>> careful with your rp_filter settings?
>>
>> The ones I know that do work with the DR mode LVS arp problem are:
>>
>> http://pdfs.loadbalancer.org/quickstartguideLBVMv7.pdf
>> Page 30: loopback + arp_ignore sysctl values
>>
>> or forget the loopback and use just
>> Page 29: iptables method
>>
>> On 24 March 2014 20:57, Tiago <[email protected]> wrote:
>> > Hi Malcom,
>> >
>> > Answering:
>> >>Is the apache server responding to BOTH the RIP & the VIP? (RIP for
>> >>health checks, VIP for load balanced traffic)
>> >
>> > root@web1:/var/log/apache2# netstat -ntlpd | grep :80
>> > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 10159/apache2
>> >
>> >>And how have you solved the ARP problem for the loopback adapter?
>> >
>> > As we have completely separate vlans, the traffic which comes to VIP
>> > doesn't reach RIP network segment. So, per some instructions I didn't take
>> > any measure on it, I hope that approach is correct.
>> >
>> > Basically I have:
>> > LVS server:
>> >
>> > eth1 (vlan 2054) with public IPs
>> > eth0 (vlan 1296) with private IPs
>> >
>> > So I have VIP on top of eth1.
>> > And I have an 10.56.213.6 on top of eth0.
>> >
>> > Real servers:
>> > eth1 (vlan 2054) with public IPs
>> > eth0 (vlan 1296) with private IPs
>> >
>> > So I have VIP on lo:0
>> > And I have 10.56.213.20 on top of eth0 on realserver 1 and I have
>> > 10.56.213.21 on top of eth0 on realserver 2.
>> >
>> > Thanks
>> >
>> > 2014-03-24 17:40 GMT-03:00 Malcolm Turnbull <[email protected]>:
>> >
>> >> Tiago,
>> >>
>> >> Is the apache server responding to BOTH the RIP & the VIP? (RIP for
>> >> health checks, VIP for load balanced traffic)
>> >> And how have you solved the ARP problem for the loopback adapter?
>> >>
>> >> On 24 March 2014 20:00, Tiago <[email protected]> wrote:
>> >> > Hello all,
>> >> >
>> >> > I'm trying to setup an LVS-DR here for a couple of webservers. My scenario is:
>> >> >
>> >> > Eth1 and eth0 are in separated vlans.
>> >> >
>> >> > My realservers ips: 10.56.213.31-10.56.213.32 at eth0
>> >> >
>> >> > myrealip** at eth1 (its a public IP)
>> >> >
>> >> > root@lvs1:~# ipvsadm
>> >> > IP Virtual Server version 1.2.1 (size=4096)
>> >> > Prot LocalAddress:Port Scheduler Flags
>> >> > -> RemoteAddress:Port Forward Weight ActiveConn InActConn
>> >> > TCP myrealip**:http wlc
>> >> > -> 10.56.213.31:http Route 1 0 0
>> >> > -> 10.56.213.32:http Route 1 0 0
>> >> >
>> >> > On realservers:
>> >> > lo:0 Link encap:Local Loopback
>> >> > inet addr:myrealip** Mask:255.255.255.255
>> >> > UP LOOPBACK RUNNING MTU:16436 Metric:1
>> >> >
>> >> > route -n:
>> >> > myrealip** 0.0.0.0 255.255.255.255 UH 0 0 0 lo
>> >> >
>> >> > When someone try to access myrealip**:80 I have:
>> >> > -> 10.56.213.31:http Route 1 0 1
>> >> > -> 10.56.213.32:http Route 1 0 0
>> >> >
>> >> > And on realserver 10.56.213.31:
>> >> >
>> >> > root@web1:/var/log/apache2# tcpdump -ni eth0 host 216.5.78.123 (my source ip)
>> >> > tcpdump: WARNING: eth0: no IPv4 address assigned
>> >> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> >> > 13:40:35.267880 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164050646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:36.270371 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164051646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:38.276806 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164053646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:42.294667 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164057646 ecr 0,nop,wscale 7], length 0
>> >> > 13:40:50.328756 IP 216.5.78.123.37026 > myrealip**.80: Flags [S], seq 2186878409, win 14600, options [mss 1460,sackOK,TS val 164065646 ecr 0,nop,wscale 7], length 0
>> >> >
>> >> > But I can't see the answer going back to me in any interface I have
>> >> > at these realservers. I don't get any HTTP HIT at apache either.
>> >> >
>> >> > Obviously it seems I'm missing something here, however, I can't see clearly
>> >> > what is it.
>> >> >
>> >> > Can you help on this?
>> >> >
>> >> > Thanks in advance!
>> >> > _______________________________________________
>> >> > Please read the documentation before posting - it's available at:
>> >> > http://www.linuxvirtualserver.org/
>> >> >
>> >> > LinuxVirtualServer.org mailing list - [email protected]
>> >> > Send requests to [email protected]
>> >> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Malcolm Turnbull.
>> >>
>> >> Loadbalancer.org Ltd.
>> >> Phone: +44 (0)870 443 8779
>> >> http://www.loadbalancer.org/
>> >>
>> >> _______________________________________________
>> >> Please read the documentation before posting - it's available at:
>> >> http://www.linuxvirtualserver.org/
>> >>
>> >> LinuxVirtualServer.org mailing list - [email protected]
>> >> Send requests to [email protected]
>> >> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>> >>
>> > _______________________________________________
>> > Please read the documentation before posting - it's available at:
>> > http://www.linuxvirtualserver.org/
>> >
>> > LinuxVirtualServer.org mailing list - [email protected]
>> > Send requests to [email protected]
>> > or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>
>> --
>> Regards,
>>
>> Malcolm Turnbull.
>>
>> Loadbalancer.org Ltd.
>> Phone: +44 (0)870 443 8779
>> http://www.loadbalancer.org/
>>
>> _______________________________________________
>> Please read the documentation before posting - it's available at:
>> http://www.linuxvirtualserver.org/
>>
>> LinuxVirtualServer.org mailing list - [email protected]
>> Send requests to [email protected]
>> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
>>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - [email protected]
Send requests to [email protected]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

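
The thread keeps returning to rp_filter and the ARP sysctls on a DR realserver. The script below is an added example, not part of the original messages or of any poster's configuration: it reads those three settings for one interface and reports values that commonly break a two-armed LVS-DR realserver. The helper names (effective, dr_audit, write_conf), the interface name eth0 and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit LVS-DR realserver sysctls.
# Helper names are illustrative; ROOT is normally /proc/sys/net/ipv4/conf.

# The kernel applies max(conf/all/KEY, conf/IFACE/KEY) for these three keys.
effective() {  # effective ROOT IFACE KEY
    a=$(cat "$1/all/$3" 2>/dev/null || echo 0)
    i=$(cat "$1/$2/$3" 2>/dev/null || echo 0)
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Prints one finding per line; prints nothing when IFACE looks DR-safe.
dr_audit() {  # dr_audit ROOT IFACE
    rp=$(effective "$1" "$2" rp_filter)
    ai=$(effective "$1" "$2" arp_ignore)
    aa=$(effective "$1" "$2" arp_announce)
    # Strict mode drops a packet if the route back to its source leaves by
    # another interface, e.g. client traffic forwarded in via the private arm.
    if [ "$rp" -eq 1 ]; then
        echo "$2: rp_filter=1 (strict) may drop forwarded client packets"
    fi
    # Below 1 the host answers ARP for any local address, VIP on lo included.
    if [ "$ai" -lt 1 ]; then
        echo "$2: arp_ignore=$ai, host will answer ARP for the VIP on lo"
    fi
    # Below 2 the VIP can be used as the sender address in ARP requests.
    if [ "$aa" -lt 2 ]; then
        echo "$2: arp_announce=$aa, VIP may appear as ARP source"
    fi
}

# Build a constructed conf tree so the audit can run offline.
write_conf() {  # write_conf ROOT IFACE RP_FILTER ARP_IGNORE ARP_ANNOUNCE
    mkdir -p "$1/$2"
    echo "$3" > "$1/$2/rp_filter"
    echo "$4" > "$1/$2/arp_ignore"
    echo "$5" > "$1/$2/arp_announce"
}

demo=$(mktemp -d)               # constructed sample values, not Tiago's hosts
write_conf "$demo" all 1 0 0
write_conf "$demo" eth0 0 0 0
dr_audit "$demo" eth0           # on a real host: dr_audit /proc/sys/net/ipv4/conf eth0
rm -rf "$demo"
```

Run against the constructed tree it reports all three settings; an interface with rp_filter at 0 or 2, arp_ignore at 1 and arp_announce at 2 produces no output.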