Mailing List Archive

newbie: troubles with lvs-NAT on same segment
Hello all,

I've been pulling my hair out for the last few days. I'm hoping that you
guys can tell me where I'm going wrong. Any help would be sincerely
appreciated.

I have 3 machines for testing (1 winnt 4.0 as client, 2 Linux Mandrake 7.1
as virtual server and real server), all on the same segment, arranged like
so:

192.168.30.81 -------+ <------------client (WinNT 4.0)
                     |
192.168.30.86        |
10.0.6.1       ------+ <------------director (Mandrake 7.1, .86 is real, the other two are aliases to the card.)
192.168.30.99        |
                     |
10.0.6.2 ------------+ <------------realserver (Mandrake 7.1, will be more eventually)

30.81 cannot ping 6.2 directly. As near as I can figure, the routing tables
and ipvsadm and ipchains are set up correctly...(see below for details).

The behavior is that the realserver can surf the web though the client can't
see him, so I'm assuming that means the NAT setup is correct.

When trying to load balance the http traffic, tcpdump reports that the
traffic isn't going anywhere (look at the bottom of this message).

So, can you guys spot any troubles?

If you do, by all means, forward your email to the mailing list, but please
also respond to me...the mailing list administration functions seem to be
*really* slow tonight.

Cheers!

-Ken

.86 has the following ipchains:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ tcp ------ 10.0.6.2 anywhere www -> any
Chain output (policy ACCEPT):

.86 has the following ipvsadm report:
IP Virtual Server version 0.9.11 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.30.99:www rr
-> 10.0.6.2:www Masq 1 0 0

192.168.30.81 (win nt):
C:\users>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 8b 91 02 94 ...... Compaq Ethernet or Fast Ethernet NIC
0x3 ...00 50 56 ea 01 30 ...... VMware Virtual Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.30.1 192.168.30.81 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.75.0 255.255.255.0 172.16.75.1 172.16.75.1 1
172.16.75.1 255.255.255.255 127.0.0.1 127.0.0.1 1
172.16.255.255 255.255.255.255 172.16.75.1 172.16.75.1 1
192.168.30.0 255.255.255.0 192.168.30.81 192.168.30.81 1
192.168.30.81 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.30.255 255.255.255.255 192.168.30.81 192.168.30.81 1
224.0.0.0 224.0.0.0 172.16.75.1 172.16.75.1 1
224.0.0.0 224.0.0.0 192.168.30.81 192.168.30.81 1
255.255.255.255 255.255.255.255 192.168.30.81 192.168.30.81 1
===========================================================================

10.0.6.1:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.30.99 * 255.255.255.255 UH 0 0 0 eth0
10.0.6.0 * 255.255.255.0 U 0 0 0 eth0
192.168.30.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.30.1 0.0.0.0 UG 0 0 0 eth0

10.0.6.2:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.6.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.0.6.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.0.6.1 0.0.0.0 UG 0 0 0 eth0

tcpdump on .86
tcpdump: listening on eth0
18:17:17.298696 arp who-has 192.168.30.86 tell 192.168.30.81
18:17:17.298722 arp reply 192.168.30.86 is-at 0:50:8b:77:13:3d
18:17:17.298944 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:17.299005 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 98479197 wi
18:17:17.716156 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:17.716200 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 1 win 0
18:17:18.219099 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:18.219137 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 1 win 0
18:17:18.722029 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:18.722061 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 1 win 0
18:17:22.294029 arp who-has 192.168.30.81 tell 192.168.30.86
18:17:22.294282 arp reply 192.168.30.81 is-at 0:50:8b:91:2:94
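
An added example (not part of the original thread): a cross-check of the tcpdump capture against the ipvsadm table from the post above, reporting whether the captured SYNs were addressed to a configured virtual service. The function names are hypothetical; the sample data is the post's ipvsadm report and the first four TCP lines of its capture, with wrapped lines rejoined.

```python
import re
from collections import Counter

# Copied from the post above (wrapped lines rejoined, truncation left as posted).
IPVSADM = """\
TCP 192.168.30.99:www rr
-> 10.0.6.2:www Masq 1 0 0
"""
TCPDUMP = """\
18:17:17.298944 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:17.299005 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 98479197 wi
18:17:17.716156 192.168.30.81.3216 > 192.168.30.86.www: S 98479196:98479196(0) w
18:17:17.716200 192.168.30.86.www > 192.168.30.81.3216: R 0:0(0) ack 1 win 0
"""

def virtual_services(report):
    """Return {(vip, port)} from the 'TCP|UDP addr:port scheduler' lines."""
    return {(m.group(1), m.group(2))
            for m in re.finditer(r"^(?:TCP|UDP)\s+(\S+):(\S+)\s", report, re.M)}

# time, src-ip.src-port > dst-ip.dst-port: flags
PACKET = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\S+) > (\d+\.\d+\.\d+\.\d+)\.(\S+): (\S+)")

def classify(capture, services):
    """Count SYNs that hit or miss a virtual service, and RSTs answering misses."""
    counts, missed = Counter(), set()
    for line in capture.splitlines():
        m = PACKET.match(line)
        if not m:
            continue  # ARP and other non-TCP lines
        src, sport, dst, dport, flags = m.groups()
        if "S" in flags and "R" not in flags:
            if (dst, dport) in services:
                counts["syn_to_vip"] += 1
            else:
                counts["syn_to_other"] += 1
                missed.add((dst, dport))
        elif "R" in flags and (src, sport) in missed:
            counts["rst_from_non_vip"] += 1
    return counts, missed

if __name__ == "__main__":
    svc = virtual_services(IPVSADM)
    counts, missed = classify(TCPDUMP, svc)
    print("virtual services:", sorted(svc))
    print("counts:", dict(counts), "SYN targets outside the table:", sorted(missed))
```

On this data it reports two SYNs to 192.168.30.86:www, which is not in the ipvsadm table (the only virtual service listed is 192.168.30.99:www), and two RSTs coming back from that address.
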
Re: newbie: troubles with lvs-NAT on same segment
On Tue, 28 Nov 2000, Ken Corey wrote:

> I have 3 machines for testing (1 winnt 4.0 as client, 2 Linux Mandrake 7.1
> as virtual server and real server), all on the same segment, arranged like
> so:

1. Is the default route of the real-servers pointing to the director
(see HOWTO)?

2. try my configure script (currently on the webpage under Documentation)

Joe

--
Joseph Mack mack@ncifcrf.gov
Re: newbie: troubles with lvs-NAT on same segment
Hey dude,

>
> 192.168.30.81 -------+ <------------client (WinNT 4.0)
>                      |
> 192.168.30.86        |
> 10.0.6.1       ------+ <------------director (Mandrake 7.1, .86 is real, the other two are aliases to the card.)
> 192.168.30.99        |
>                      |
> 10.0.6.2 ------------+ <------------realserver (Mandrake 7.1, will be more eventually)
>
> 30.81 cannot ping 6.2 directly. As near as I can figure, the routing tables
> and ipvsadm and ipchains are set up correctly...(see below for details).


My mail client doesn't do ASCII pictures well, but from what looks like
what should be, you have stuff set up right. Your NT client is not
supposed to be able to ping your internal real servers (unless you set up
tunneling or vpn or a routing gateway thing or something like that as
far as I know). Anyway, I had problems directly forwarding actual ports
(especially https), but stuff eventually worked for me when someone here
suggested for me to use the firewall mark (fwm) rules for forwarding.
If using ipchains, use the -m flag to mark stuff on www port. It's
worth a shot *shrug*

Jano