
List:       linux-virtual-server
Subject:    Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13,
From:       Joseph Mack NA3T <jmack () wm7d ! net>
Date:       2007-05-22 18:22:06
Message-ID: Pine.LNX.4.64.0705221108380.30861 () wm7d ! net

On Tue, 22 May 2007, Shaun Mccullagh wrote:

> KL is in location A, RS1 in location B and RS2 in location C.

KL == client?, keepalived?

> All these locations are geographically separate and all systems have
> public IPs.

for production, for security, you don't want anyone to 
access the realservers directly - use private IPs.

> The problem is both Real Servers are running Windows 2003 Server.
> Windows 2003 does not support IPIP encapsulation, Win2k used to.
>
> However both Windows servers sit behind Linux Firewalls which do support
> IPIP. So wondered if I could use the firewalls to decapsulate the IPIP
> datagrams and then forward them to the RS.

I don't know how to do it, but Linux is supposed to be able 
to do this sort of thing. You're going to have to find an 
iptables master. Maybe someone on this list knows, but 
otherwise, you might have to join another mailing list for 
the answer. After decapsulation on the firewall, you'll have 
a packet with dest_addr==VIP in local_in and you'll have to 
forward it to the output chain.

> I've succeeded in getting one tunnel operational. The KL healthchecker
> is successfully executing a simple TCP check on Port 80 of RS1 every 20
> seconds.
>
> The problem is the Linux firewall will not forward browser client
> requests to RS1.
>
> Tcpdump shows the requests are being delivered to tun0 on the firewall
> connected to RS1:
>
> 14:50:42.225285 IP 10.200.0.1 > 10.200.0.2: IP 62.100.54.4.1174 >
> 62.100.52.101.http: S 126909974:126909974(0) win 65535 <mss
> 1260,nop,nop,sackOK> (ipip-proto-4)
>
> Note that 62.100.52.101 is the KL VIP, 10.200.0.2 is the firewall tunnel
> address, 10.200.0.1 is the KL tunnel address. I've added an IPTABLES
> rule to DNAT all traffic sent to 10.200.0.2:20 to RS1 (10.1.40.10), this
> works for the KL TCP check, but not for browser requests.

RS1 will need the VIP with the service listening on the VIP,

the firewall will need a route to the VIP (which is on RS1)

the firewall will need a rule to forward packets with 
dest_addr=VIP to the output chain.

RS1 will reply to the client directly (presumably through 
the firewall, but the reply packet should traverse the 
firewall untouched by any rules).

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
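The steps Joe lists for the Linux firewall in front of RS1 (decapsulate the LVS-Tun IPIP packets, route the VIP to RS1, forward the decapsulated packets, leave the direct replies untouched), written out as a configuration script. This is an added example, not code from the thread or from the keepalived/LVS projects. It reuses the addresses quoted above (VIP 62.100.52.101, firewall tunnel address 10.200.0.2, RS1 10.1.40.10) and assumes the RS1-facing interface is called eth1, that RS1 has the VIP configured locally (on Windows this is usually done on a loopback adapter) with the web service listening on it, and that the keepalived TCP_CHECK connects untunnelled to 10.200.0.2 on port 80. It goes slightly beyond the post by restricting the forwarded traffic to the tunnel and the service port and by exempting RS1's replies from any NAT rule on the firewall:

```shell
#!/bin/sh
# Added example: Linux firewall decapsulating LVS-Tun traffic for a
# Windows realserver that cannot do IPIP itself.
# Addresses from the thread; the interface name "eth1" is an assumption.
VIP=62.100.52.101      # the keepalived/LVS virtual IP, configured on RS1
RS1=10.1.40.10         # private address of the Windows realserver
FW_TUN=10.200.0.2      # firewall's tunnel address, the real_server in keepalived
LAN_IF=eth1            # interface on which RS1 is reachable (assumption)

# Runs a command, or only prints it when DRY_RUN is set. Lets the
# script be reviewed as a non-root user before it is applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fw_setup() {
    # 1. Decapsulation. The ipip module creates the catch-all device tunl0,
    #    which strips the outer header from any protocol-4 packet whose
    #    outer destination is a local address (here 10.200.0.2). The inner
    #    packet (client -> VIP) then re-enters routing as if received on tunl0.
    run modprobe ipip
    run ip link set tunl0 up
    #    The inner source is an arbitrary client address with no route back
    #    through tunl0, so strict reverse-path filtering would drop every
    #    decapsulated packet. The effective value combines conf/all with the
    #    per-device entry, so clear both; the tunnel-only FORWARD rules
    #    below are the compensating control.
    run sysctl -w net.ipv4.conf.tunl0.rp_filter=0
    run sysctl -w net.ipv4.conf.all.rp_filter=0

    # 2. Forwarding. The VIP is not a local address on the firewall; it lives
    #    on RS1, so a host route is enough to push the decapsulated packet
    #    through the FORWARD chain to RS1 instead of into local delivery.
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace "$VIP/32" via "$RS1" dev "$LAN_IF"
    #    Accept only the load-balanced service, and only when it arrived via
    #    the tunnel; anything else addressed to the VIP is dropped.
    run iptables -A FORWARD -i tunl0 -o "$LAN_IF" -d "$VIP" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -d "$VIP" -j DROP

    # 3. Replies. RS1 answers the client directly with src == VIP (direct
    #    return), passing through the firewall. They must not be NATed, so
    #    exempt them in front of any masquerade rule for the LAN, and let
    #    them through the FORWARD chain.
    run iptables -t nat -I POSTROUTING -s "$VIP" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$VIP" -p tcp --sport 80 -j ACCEPT

    # 4. Health check. keepalived's TCP_CHECK is a plain connection to the
    #    real_server address 10.200.0.2, not an IPIP packet, so it is DNATed
    #    to RS1 as the original poster already does.
    run iptables -t nat -A PREROUTING -d "$FW_TUN" -p tcp --dport 80 \
        -j DNAT --to-destination "$RS1:80"
}

# Usage: "sh fw-tun.sh show" prints the commands, "sh fw-tun.sh apply"
# runs them (as root). With no argument nothing is changed.
case "${1:-}" in
    show)  DRY_RUN=1 fw_setup ;;
    apply) fw_setup ;;
esac
```

Check the result with tcpdump on tunl0 (decapsulated SYNs with dst 62.100.52.101 should appear there) and on eth1 (the same SYNs leaving towards 10.1.40.10, and SYN/ACKs coming back with src 62.100.52.101). If the SYN/ACK never shows up on eth1, the VIP is not configured on RS1 or the service is not bound to it; if it shows up on eth1 but not on the outside interface, a NAT or FORWARD rule on the firewall is eating it.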