Mailing List Archive

[lvs-users] Correct configuration for ARP on real servers.
Hello,

I just configured an environment of two LVS servers with three real
servers, and it works fine ... in the same network. When we try to
access the web server through the virtual IP from another network,
suddenly it doesn't work, this noted in the fact that we can't access
the VIP, but it still works in the same network. But, if I shutdown one
of the servers, it works perfectly.

My configuration is Direct Routing. My doubt is in the ARP
configuration. I read on section 6.8 at
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.arp_problem.html
that the following commands must be executed to properly configure
arptables on every real server:

# arptables -A IN -d $VIP -j DROP
# arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP


But looking at RedHat documentation (I'm working with RHEL servers)
mentions on section 3.2.1 at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Virtual_Server_Administration/s1-lvs-direct-VSA.html#s2-lvs-direct-arptables-VSA
that the configuration to use is:

arptables -A IN -d <virtual_ip> -j DROP
arptables -A OUT -d <virtual_ip> -j mangle --mangle-ip-s <real_ip>


So ... Austintek uses the VIP as a source on the OUT chain, but RedHat
uses it as a destiny. Can anyone tell me what is the right
configuration? And could it be the cause of my problem, not being able
to access my balancers with three real servers from outside the network?
Funny thing is, both configurations seem to work the same way, which one
is correct?

Thanks in advance.

Israel.


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

Re: [lvs-users] Correct configuration for ARP on real servers.
should that not be something like a sysctl setting? i can post the real values later but i have always used sysctl to prevent linux from tripping over itself

this was pounded out on my iPhone and i have fat fingers plus two left thumbs :)


> On Aug 18, 2015, at 10:54, israel@lanxe.is wrote:
>
>
> Hello,
>
> I just configured an environment of two LVS servers with three real
> servers, and it works fine ... in the same network. When we try to
> access the web server through the virtual IP from another network,
> suddenly it doesn't work, this noted in the fact that we can't access
> the VIP, but it still works in the same network. But, if I shutdown one
> of the servers, it works perfectly.
>
> My configuration is Direct Routing. My doubt is in the ARP
> configuration. I read on section 6.8 at
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.arp_problem.html
> that the following commands must be executed to properly configure
> arptables on every real server:
>
> # arptables -A IN -d $VIP -j DROP
> # arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
>
>
> But looking at RedHat documentation (I'm working with RHEL servers)
> mentions on section 3.2.1 at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Virtual_Server_Administration/s1-lvs-direct-VSA.html#s2-lvs-direct-arptables-VSA
> that the configuration to use is:
>
> arptables -A IN -d <virtual_ip> -j DROP
> arptables -A OUT -d <virtual_ip> -j mangle --mangle-ip-s <real_ip>
>
>
> So ... Austintek uses the VIP as a source on the OUT chain, but RedHat
> uses it as a destiny. Can anyone tell me what is the right
> configuration? And could it be the cause of my problem, not being able
> to access my balancers with three real servers from outside the network?
> Funny thing is, both configurations seem to work the same way, which one
> is correct?
>
> Thanks in advance.
>
> Israel.
>
>

Re: [lvs-users] Correct configuration for ARP on real servers.
so yah, i've always seen the following settings applied to
/etc/sysctl.conf on linux hosts that are behind DR/DSR vips:
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
[jdahl@proxy-3-edge ~]$

however after reading your email again, I'm not thinking this is the issue.

I assume you are allowing a permit in iptables to the VIP IP on the real
servers?



>
> Hello,
>
> I just configured an environment of two LVS servers with three real
> servers, and it works fine ... in the same network. When we try to
> access the web server through the virtual IP from another network,
> suddenly it doesn't work, this noted in the fact that we can't access
> the VIP, but it still works in the same network. But, if I shutdown one
> of the servers, it works perfectly.
>
> My configuration is Direct Routing. My doubt is in the ARP
> configuration. I read on section 6.8 at
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.arp_problem.html
> that the following commands must be executed to properly configure
> arptables on every real server:
>
> # arptables -A IN -d $VIP -j DROP
> # arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
>
>
> But looking at RedHat documentation (I'm working with RHEL servers)
> mentions on section 3.2.1 at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Virtual_Server_Administration/s1-lvs-direct-VSA.html#s2-lvs-direct-arptables-VSA
> that the configuration to use is:
>
> arptables -A IN -d <virtual_ip> -j DROP
> arptables -A OUT -d <virtual_ip> -j mangle --mangle-ip-s <real_ip>
>
>
> So ... Austintek uses the VIP as a source on the OUT chain, but RedHat
> uses it as a destiny. Can anyone tell me what is the right
> configuration? And could it be the cause of my problem, not being able
> to access my balancers with three real servers from outside the network?
> Funny thing is, both configurations seem to work the same way, which one
> is correct?
>
> Thanks in advance.
>
> Israel.
>
>


--




Re: [lvs-users] Correct configuration for ARP on real servers.
if u are using direct return , how about the loopback addition to the real
servers ?



On Tue, Aug 18, 2015 at 10:44 PM, Jamie Dahl <jamied@meatball.net> wrote:

>
> so yah, i've always seen the following settings applied to
> /etc/sysctl.conf on linux hosts that are behind DR/DSR vips:
> net.ipv4.conf.lo.arp_ignore=1
> net.ipv4.conf.lo.arp_announce=2
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> [jdahl@proxy-3-edge ~]$
>
> however after reading your email again, I'm not thinking this is the issue.
>
> I assume you are allowing a permit in iptables to the VIP IP on the real
> servers?
>
>
>
> >
> > Hello,
> >
> > I just configured an environment of two LVS servers with three real
> > servers, and it works fine ... in the same network. When we try to
> > access the web server through the virtual IP from another network,
> > suddenly it doesn't work, this noted in the fact that we can't access
> > the VIP, but it still works in the same network. But, if I shutdown one
> > of the servers, it works perfectly.
> >
> > My configuration is Direct Routing. My doubt is in the ARP
> > configuration. I read on section 6.8 at
> > http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.arp_problem.html
> > that the following commands must be executed to properly configure
> > arptables on every real server:
> >
> > # arptables -A IN -d $VIP -j DROP
> > # arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
> >
> >
> > But looking at RedHat documentation (I'm working with RHEL servers)
> > mentions on section 3.2.1 at
> >
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Virtual_Server_Administration/s1-lvs-direct-VSA.html#s2-lvs-direct-arptables-VSA
> > that the configuration to use is:
> >
> > arptables -A IN -d <virtual_ip> -j DROP
> > arptables -A OUT -d <virtual_ip> -j mangle --mangle-ip-s <real_ip>
> >
> >
> > So ... Austintek uses the VIP as a source on the OUT chain, but RedHat
> > uses it as a destiny. Can anyone tell me what is the right
> > configuration? And could it be the cause of my problem, not being able
> > to access my balancers with three real servers from outside the network?
> > Funny thing is, both configurations seem to work the same way, which one
> > is correct?
> >
> > Thanks in advance.
> >
> > Israel.
> >
> >
>
>
> --
>
>
>
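
The two checks raised in the replies above (the four ARP sysctls and the VIP on the loopback interface of each real server), as an added example that is not part of any poster's message. The `ROOT` argument and the `--live` switch are assumptions of this sketch; the expected values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread's posters: audit an LVS-DR real server.
# Expected values are the four sysctls quoted in the thread.
EXPECTED="lo/arp_ignore=1 lo/arp_announce=2 all/arp_ignore=1 all/arp_announce=2"

# audit_arp_sysctls [ROOT]: ROOT defaults to /proc/sys; another directory
# (an assumption, for offline testing) can stand in for it.
# Prints one line per deviation; exit status is the number of deviations.
audit_arp_sysctls() {
    root="${1:-/proc/sys}"
    bad=0
    for item in $EXPECTED; do
        key="${item%%=*}"
        want="${item##*=}"
        file="$root/net/ipv4/conf/$key"
        if [ -r "$file" ]; then have="$(cat "$file")"; else have="missing"; fi
        if [ "$have" != "$want" ]; then
            echo "net.ipv4.conf.$(echo "$key" | tr / .)=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# vip_on_lo VIP: reads `ip -o -4 addr show dev lo` output on stdin and
# succeeds only if VIP is configured there (any prefix length).
vip_on_lo() {
    awk -v vip="$1" '$3 == "inet" { split($4, a, "/"); if (a[1] == vip) found = 1 }
                     END { exit !found }'
}

# Run against the live host only when asked: ./audit.sh --live <VIP>
if [ "${1:-}" = "--live" ]; then
    audit_arp_sysctls || echo "ARP sysctls differ from the thread's values"
    ip -o -4 addr show dev lo | vip_on_lo "$2" || echo "VIP $2 is not on lo"
fi
```
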

Re: [lvs-users] Correct configuration for ARP on real servers.
so that begs a good question. why does keepalived/ipvs not take into account the loopback during healthchecking?

this was pounded out on my iPhone and i have fat fingers plus two left thumbs :)


> On Aug 19, 2015, at 06:51, Alex Lopez <alxmlpz@gmail.com> wrote:
>
> if u are using direct return , how about the loopback addition to the real servers ?
>
>
>
>> On Tue, Aug 18, 2015 at 10:44 PM, Jamie Dahl <jamied@meatball.net> wrote:
>>
>> so yah, i've always seen the following settings applied to
>> /etc/sysctl.conf on linux hosts that are behind DR/DSR vips:
>> net.ipv4.conf.lo.arp_ignore=1
>> net.ipv4.conf.lo.arp_announce=2
>> net.ipv4.conf.all.arp_ignore=1
>> net.ipv4.conf.all.arp_announce=2
>> [jdahl@proxy-3-edge ~]$
>>
>> however after reading your email again, I'm not thinking this is the issue.
>>
>> I assume you are allowing a permit in iptables to the VIP IP on the real
>> servers?
>>
>>
>>
>> >
>> > Hello,
>> >
>> > I just configured an environment of two LVS servers with three real
>> > servers, and it works fine ... in the same network. When we try to
>> > access the web server through the virtual IP from another network,
>> > suddenly it doesn't work, this noted in the fact that we can't access
>> > the VIP, but it still works in the same network. But, if I shutdown one
>> > of the servers, it works perfectly.
>> >
>> > My configuration is Direct Routing. My doubt is in the ARP
>> > configuration. I read on section 6.8 at
>> > http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.arp_problem.html
>> > that the following commands must be executed to properly configure
>> > arptables on every real server:
>> >
>> > # arptables -A IN -d $VIP -j DROP
>> > # arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
>> >
>> >
>> > But looking at RedHat documentation (I'm working with RHEL servers)
>> > mentions on section 3.2.1 at
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Virtual_Server_Administration/s1-lvs-direct-VSA.html#s2-lvs-direct-arptables-VSA
>> > that the configuration to use is:
>> >
>> > arptables -A IN -d <virtual_ip> -j DROP
>> > arptables -A OUT -d <virtual_ip> -j mangle --mangle-ip-s <real_ip>
>> >
>> >
>> > So ... Austintek uses the VIP as a source on the OUT chain, but RedHat
>> > uses it as a destiny. Can anyone tell me what is the right
>> > configuration? And could it be the cause of my problem, not being able
>> > to access my balancers with three real servers from outside the network?
>> > Funny thing is, both configurations seem to work the same way, which one
>> > is correct?
>> >
>> > Thanks in advance.
>> >
>> > Israel.
>> >
>> >
>>
>>
>> --
>>
>>
>>