You have been subscribed to a public bug:
When using keepalived/ipvsadm/LVS as a load balancer and iptables to
SNAT, traffic gets lost when the VIP address and the REAL servers are
not in the same subnet/VLAN.
When I turn on logging for iptables, you can see the packet coming in, but
nothing happens.
---
Nov 15 06:25:08 lb1 kernel: [922014.361577] IN= OUT=eth0 SRC=192.168.1.100
DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44987 DF PROTO=TCP
SPT=58504 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
---
This works running Ubuntu 14.04 or 12.04 but on Ubuntu 16.04 it stopped
working.
---
In /etc/sysctl.conf I have included:
net.ipv4.ip_forward=1
net.ipv4.vs.conntrack = 1
net.ipv4.vs.snat_reroute = 1
-----
# lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
# apt-cache policy keepalived
keepalived:
Installed: 1:1.2.19-1
Candidate: 1:1.2.19-1
Version table:
*** 1:1.2.19-1 500
500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
# apt-cache policy iptables
iptables:
Installed: 1.6.0-2ubuntu3
Candidate: 1.6.0-2ubuntu3
Version table:
*** 1.6.0-2ubuntu3 500
500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
# apt-cache policy ipvsadm
ipvsadm:
Installed: 1:1.28-3
Candidate: 1:1.28-3
Version table:
*** 1:1.28-3 500
500 http://ftp.tudelft.nl/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
-----
This is the iptables config:
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.10 -m ipvs --ipvs \
    --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4
iptables -t nat -A POSTROUTING -o eth0 --dst 192.168.10.11 -m ipvs --ipvs \
    --vaddr 192.168.9.5 --vport 80 --vmethod masq -j SNAT --to-source 192.168.9.4
This is the keepalived config:
vrrp_instance vapp1 {
    state EQUAL
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    smtp_alert
    authentication {
        auth_type PASS
        auth_pass vapp1
    }
    virtual_ipaddress {
        192.168.9.5/24 brd 192.168.9.255 dev eth0
    }
}
virtual_server 192.168.9.5 80 {
    delay_loop 6
    lb_algo wlc
    lb_kind NAT
    persistence_timeout 3600
    protocol TCP
    real_server 192.168.10.10 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
    real_server 192.168.10.11 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 5
        }
    }
}
** Affects: keepalived (Ubuntu)
Importance: Undecided
Status: New
** Tags: bot-comment
--
LVS + SNAT: VIP and RIP not in the same subnet not working
https://bugs.launchpad.net/bugs/1641918
You received this bug notification because you are a member of Ubuntu High
Availability Team, which is subscribed to keepalived in Ubuntu.