[lvs-users] Question about director (LVS-DR) & realservers on different VLANs
Hi,

We have an LVS-DR setup (currently figure 1), where the keepalived hosts use tagged VLAN interfaces to 'be' in the same broadcast LANs as the realservers. This all works fine for the clients. The problem is that realserver1/2 can not reach VIP2, and realserver3/4 can not reach VIP1. But even 'other' hosts, like "other server1" and "other server2", that are in the same VLANs as respectively realserver1/2 and realserver3/4, can not reach either VIP. I can see the SYN packets reaching the VIP on the director, but keepalived seems to do nothing with them. I'm not sure if there is a solution for this. Is there? Would figure 2 make any difference? (VIP on eth0, and VLAN interfaces on eth1). I've tested the whole setup without any firewall anywhere, but that doesn't make any difference.

Director: Ubuntu 12.04 64-bit + Keepalived 1:1.2.2-3ubuntu1
Realservers: FreeBSD (VIP/32 on lo0 with or without -arp)
See below for configuration of network and keepalived


Figure 1

client -> internet -> director

director interfaces:
  eth0      RIP=XX.YYY.AAA.5/27
  eth0.608  RIP=XX.YYY.BBB.18/26
  eth0.621  RIP=XX.YYY.CCC.71/27

VIP1=XX.YYY.AAA.7:80  (realserver1/2 - VLAN 621)
VIP2=XX.YYY.AAA.9:443 (realserver3/4 - VLAN 608)

realserver1 (VLAN 621): RIP=XX.YYY.CCC.68/27  VIP=XX.YYY.AAA.7/32
realserver2 (VLAN 621): RIP=XX.YYY.CCC.70/27  VIP=XX.YYY.AAA.7/32
realserver3 (VLAN 608): RIP=XX.YYY.BBB.52/26  VIP=XX.YYY.AAA.9/32
realserver4 (VLAN 608): RIP=XX.YYY.BBB.12/26  VIP=XX.YYY.AAA.9/32

other server1 (VLAN 621): RIP=XX.YYY.CCC.69/27
other server2 (VLAN 608): RIP=XX.YYY.BBB.9/26

Figure 2

client -> internet -> director

director interfaces:
  eth0      RIP=XX.YYY.AAA.5/27
  eth1.608  RIP=XX.YYY.BBB.18/26
  eth1.621  RIP=XX.YYY.CCC.71/27

the rest as in figure 1

Network configuration on director:

auto eth0
iface eth0 inet static
    address XX.YYY.AAA.5
    netmask 255.255.255.224
    network XX.YYY.AAA.0
    broadcast XX.YYY.AAA.31
    gateway XX.YYY.AAA.1

auto eth0.608
iface eth0.608 inet static
    address XX.YYY.BBB.18
    netmask 255.255.255.192

auto eth0.621
iface eth0.621 inet static
    address XX.YYY.CCC.71
    netmask 255.255.255.224

Non-default sysctls on the director:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.ip_nonlocal_bind = 1

keepalived.conf:

vrrp_sync_group LBGT0 {
    group {
        LBGT0
    }
}

global_defs {
    lvs_id lb01
}

vrrp_instance LB1 {
    state MASTER
    priority 101
    interface eth0
    virtual_router_id x
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass xxxxxxx
    }
    virtual_ipaddress {
        XX.YYY.AAA.7
        XX.YYY.AAA.9
    }
}

virtual_server XX.YYY.AAA.9 443 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    protocol TCP

    # realserver3
    real_server XX.YYY.BBB.52 443 {
        weight 0

        HTTP_GET {
            url {
                path /ping.php
                digest e0aa021e21dddbd6d8cecec71e9cf564
            }
            nb_get_retry 3
            delay_before_retry 3
            connect_timeout 60
            connect_port 80
        }
    }

    # realserver4
    real_server XX.YYY.144.12 443 {
        weight 100

        HTTP_GET {
            url {
                path /ping.php
                digest e0aa021e21dddbd6d8cecec71e9cf564
            }
            nb_get_retry 3
            delay_before_retry 3
            connect_timeout 60
            connect_port 80
        }
    }
}

virtual_server XX.YYY.AAA.7 80 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    protocol TCP

    # realserver1
    real_server XX.YYY.CCC.68 80 {
        weight 60

        HTTP_GET {
            url {
                path /ping.php
                digest e0aa021e21dddbd6d8cecec71e9cf564
            }
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
            connect_timeout 60
        }
    }

    # realserver2
    real_server XX.YYY.CCC.70 80 {
        weight 60

        HTTP_GET {
            url {
                path /ping.php
                digest e0aa021e21dddbd6d8cecec71e9cf564
            }
            nb_get_retry 3
            delay_before_retry 3
            connect_timeout 60
            connect_port 80
        }
    }
}
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Question about director (LVS-DR) & realservers on different VLANs
On Wed, 17 Oct 2012, Net Ground - Frederique Rijsdijk wrote:

> Hi,
>
>
> We have a LVS-DR setup (currently figure 1), where the
> keepalived hosts use tagged vlan interfaces to 'be' in the
> same broadcast lans as the realservers. This all works
> fine for the clients. The problem is that realserver1/2
> can not reach VIP2, and realserver 3/4 can not reach VIP1.
> But even 'other' hosts, like "other server1" and "other
> server2", that are in the same VLANs as respectivly
> realserver1/2 and realserver3/4, can not reach neither
> VIPs. I can see the SYN packets reaching the VIP on the
> director, but keepalived seems to do nothing with them.
> I'm not sure if there is a solution for this. Is there?

read "clients on realservers" in the HOWTO

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

Re: [lvs-users] Question about director (LVS-DR) & realservers on different VLANs
Hi Joe,

On Wed Oct 17 15:13:27 BST 2012, Joe wrote:
> read "clients on realservers" in the HOWTO

I've read that, but even for servers that are not part of the LVS, but in the same subnet as some of the realservers, I can not reach the VIP. Is that normal behaviour?


-- Frederique
Re: [lvs-users] Question about director (LVS-DR) & realservers on different VLANs
On Wed, 17 Oct 2012, Net Ground - Frederique Rijsdijk wrote:

> Hi Joe,
>
> On Wed Oct 17 15:13:27 BST 2012, Joe wrote:
>> read "clients on realservers" in the HOWTO
>
> I've read that, but even for servers that are not part of
> the LVS, but in the same subnet as some of the
> realservers, I can not reach the VIP. Is that normal
> behaviour?

I haven't had much to do with LVS in the last few years, so
I may not have the correct answer here.

In the earlier versions of lvs, it was possible to set up an
lvs with CIP, VIP, and DIPs all on the same network.

Once you go to separate networks for the VIP and DIPs, you
have to regard the LVS as a black box network-wise, i.e. you
only connect with the VIP:lvs_port (and packets come back
from the VIPs on the realservers). LVS controls the routing
of packets on the DIP network to the LVS'ed ports. You
aren't supposed to connect with anything in the DIP:lvs_port
network from the outside. In this case a machine in the DIP
network won't be able to connect to the VIP:lvs_port either.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

Re: [lvs-users] [SOLVED] Question about director (LVS-DR) & realservers on different VLANs
Well, it seems my case was not fully understood or looked at. My problem seems to be a feature, not a bug. It is because of the tagged VLAN ports the LVS has. When a realserver acts as a client in my case, the incoming packet comes in on eth0, when the LVS has already learned MAC addresses via its eth0.621 or eth0.608 interface.

Setting sysctl net.ipv4.conf.eth0.rp_filter=0 solved my problem.
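As an added example (not code from the thread), a small POSIX shell helper that shows how this drop can be confirmed on the director before loosening the filter: Linux applies the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so eth0.rp_filter=0 only takes effect when conf.all is 0 too, and the TcpExt IPReversePathFilter counter in /proc/net/netstat counts the packets the filter rejected. The interface names are the thread's; the sample netstat lines are constructed, and rp_filter=2 (loose mode) is noted as the narrower alternative to 0.

```shell
#!/bin/sh
# Added example, not part of the thread: reverse-path filter check for an
# LVS-DR director whose untagged eth0 receives packets from sources it
# learned through tagged sub-interfaces (eth0.608, eth0.621).

# Linux validates a source with max(conf.all.rp_filter, conf.<iface>.rp_filter),
# so "net.ipv4.conf.eth0.rp_filter=0" only works if conf.all.rp_filter is 0 too.
effective_rp_filter() {
    all="$1"
    iface="$2"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Meaning of each rp_filter value (Documentation/networking/ip-sysctl.txt).
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;      # no source validation (what the thread settled on)
        1) echo "strict" ;;   # route back to the source must use the ingress interface
        2) echo "loose" ;;    # source only has to be reachable via some interface
        *) echo "unknown" ;;
    esac
}

# Packets dropped for failing the reverse-path check: field IPReversePathFilter
# in the TcpExt block of /proc/net/netstat ("-" reads stdin, for the sample).
rp_filter_drops() {
    awk '/^TcpExt:/ {
            if (!seen) { for (i = 1; i <= NF; i++) if ($i == "IPReversePathFilter") col = i; seen = 1 }
            else if (col) print $col
         }' "${1:-/proc/net/netstat}"
}

# Constructed sample of the two TcpExt lines, to exercise rp_filter_drops offline.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent IPReversePathFilter TCPDSACKRecv
TcpExt: 0 17 3'

# Live check on the director: run "check_director eth0".
check_director() {
    iface="${1:-eth0}"
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    per=$(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")
    eff=$(effective_rp_filter "$all" "$per")
    echo "$iface: all=$all iface=$per effective=$eff ($(rp_filter_mode "$eff"))"
    echo "rp_filter drops so far: $(rp_filter_drops)"
    # Loose mode keeps spoofed-source protection yet accepts a realserver RIP that
    # is reachable via eth0.621/eth0.608; prefer it over 0 where it is enough:
    #   sysctl -w net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.$iface.rp_filter=2
    # net.ipv4.conf.all.log_martians=1 additionally logs each rejected source in dmesg.
}
```

If the drop counter rises while a realserver or "other server" tries to reach the VIP, the reverse-path filter is what is eating the SYNs.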