* Re: [LARTC] Load Balancer setting for Public Servers
From: Nguyen Dinh Nam @ 2005-02-16 10:28 UTC (permalink / raw)
To: lartc
You are facing the CONNMARK problem! Everyone who follows the nano howto
faces the CONNMARK problem, no need to read your config :)
Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... I also
> patched the kernel to support DGD and now it's working fine, thanks to the
> valuable guide at the LARTC website, Julian Anastasov, and the kind people
> in this mailing list. Now I would like to launch a web server and an
> ftp server to the public but I'm stuck on a problem and really need
> your help.
>
> Currently internal users can access the internet and the load-balancing
> feature is working well, but users on the external network can't access my
> servers. Could someone please help investigate my config and suggest what
> is wrong or missing. Thank you very much.
>
> My network design is like this:
>
> +----------+      +----------+      +----------+
> |   ISP1   |      |   ISP2   |      |   ISP3   |
> +----------+      +----------+      +----------+
>      |                 |                 |
>      |          +--------------+         |
>      |__________| LoadBalancer |_________|
>                 +--------------+
>                        |
>                 +--------------+
>       __________|   Firewall   |__________
>      |          +--------------+          |
>      |                 |                  |
> +----------+      +----------+      +----------+
> |Web Server|      |FTP Server|      |   LAN    |
> +----------+      +----------+      +----------+
>
> eth0 - Internal Network
> -----------------------
> IP = 10.0.0.1/24
>
> eth1 - route to ISP1
> --------------------
> IP = 213.244.0.254/24
> GW = 213.244.0.1
>
> eth2 - route to ISP2
> --------------------
> IP = 222.240.0.254/24
> GW = 222.240.0.1
>
> eth3 - route to ISP3
> --------------------
> IP = 201.10.0.254/24
> GW = 201.10.0.1
>
> Public Server
> -------------
> Web Server = 213.244.0.30
> FTP Server = 213.244.0.31
> (Firewall = 213.244.0.20)
>
> Firewall
> --------
> Interface to LoadBalancer = 10.0.0.254
> Interface to Web Server = 10.0.0.30
> Interface to FTP Server = 10.0.0.31
>
> Following is my configuration:
> -----------------------------
> ip address add 10.0.0.1/24 brd + dev eth0
> ip address add 213.244.0.254/24 brd + dev eth1
> ip address add 222.240.0.254/24 brd + dev eth2
> ip address add 201.10.0.254/24 brd + dev eth3
> ip rule add prio 5 table main
> ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
> ip route append prohibit default table 10 metric 1 proto static
> ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
> ip route append prohibit default table 20 metric 1 proto static
> ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
> ip route append prohibit default table 30 metric 1 proto static
> ip rule add prio 10 from 213.244.0.0/24 table 10
> ip rule add prio 20 from 222.240.0.0/24 table 20
> ip rule add prio 30 from 201.10.0.0/24 table 30
> ip rule add prio 40 table 40
> ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
> iptables -t filter -N keep_state
> iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t filter -A keep_state -j RETURN
> iptables -t nat -N keep_state
> iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -t nat -A keep_state -j RETURN
> iptables -t nat -A PREROUTING -j keep_state
> iptables -t nat -A POSTROUTING -j keep_state
> iptables -t nat -A OUTPUT -j keep_state
> iptables -t filter -A INPUT -j keep_state
> iptables -t filter -A FORWARD -j keep_state
> iptables -t filter -A OUTPUT -j keep_state
> iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
> iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
> iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31
> Best regards,
>
> Sureerat P.
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

* RE: [LARTC] Load Balancer setting for Public Servers
From: Sureerat P. (EQHO) @ 2005-02-16 11:16 UTC (permalink / raw)
To: lartc
Hello Nguyen Dinh Nam,
Thank you for your reply. Could you also suggest how to fix the problem? Do you mean that I should not follow the nano howto? Kindly give me some clue. Thank you.
Best regards,
Sureerat P.

* Re: [LARTC] Load Balancer setting for Public Servers
From: Tóth Nándor @ 2005-02-16 12:28 UTC (permalink / raw)
To: lartc
Hi!
Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... I also patched
> the kernel to support DGD and now it's working fine, thanks to the valuable
> guide at the LARTC website, Julian Anastasov, and the kind people in this
> mailing list. Now I would like to launch a web server and an ftp server
> to the public but I'm stuck on a problem and really need your help.
I had a very similar setup, and everything worked.
> Currently internal users can access the internet and the load-balancing feature
> is working well, but users on the external network can't access my servers.
> Could someone please help investigate my config and suggest what is wrong
> or missing. Thank you very much.
I suggest you run tcpdump on the firewall's interfaces to track the
packets. This way you can nail down the problem.
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
I think the problem may be here.
You should use SNAT like me:
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT --to-source $EXTERNAL_IP_ADDR
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE2 -j SNAT --to-source $EXTERNAL_IP_ADDR2
--
Udv,
Nandor

* Re: [LARTC] Load Balancer setting for Public Servers
From: Nguyen Dinh Nam @ 2005-02-16 15:44 UTC (permalink / raw)
To: lartc
Although I don't agree with the approach of using JA's patch, I still
admit that nano-howto is a good howto; many people are using it
successfully.
But nano-howto doesn't tell you to bind each connection to only one link
(internet connection), so some packets get dropped when they get routed to
the wrong link. You can read about using CONNMARK here:
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

* Re: [LARTC] Load Balancer setting for Public Servers
From: Julian Anastasov @ 2005-02-17 0:17 UTC (permalink / raw)
To: lartc
Hello,
On Wed, 16 Feb 2005, Nguyen Dinh Nam wrote:
> Although I don't agree with the approach of using JA's patch, I still
> admit that nano-howto is a good howto, many people are using it
> successfully.
>
> But nano-howto doesn't tell you to bind each connection to only one link
> (internet connection), so some packets get dropped when they get routed to
> the wrong link. You can read about using CONNMARK here:
> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
It is controlled by correct routes. NAT connections are
bound to the masquerade IP (done in netfilter) but the patches guarantee
this is propagated to the routing usage; look for lsrc in the patch.
It works for DNAT too. IOW, in some cases you can use more ISPs
for maddr, for example, ISP1 for maddr_X->dest1 and ISP2 for
maddr_X->dest2.
Once maddr is selected for a connection (from the first packet), this
maddr can be routed to one ISP (if the ISPs do spoofing checks)
or to many ISPs; you can even use a multipath route for 'from maddr to all'.
So, for packets from a single connection all requirements are met:
traffic from maddr can use any/many alive links but only one at
a time for a specific maddr->dest path.
When two NAT connections are related, CONNMARK can solve the
problem of routing both of them to the same path; sometimes this is done by
the application modules, they select the same maddr for related connections.
Of course, other high-level dependencies can be solved with CONNMARK,
e.g. web session persistence, maybe with help from application
modules. The problem here is that "routes" works only at the routing
level while CONNMARK can be helped by other modules.
Regards
--
Julian Anastasov <ja@ssi.bg>

* RE: [LARTC] Load Balancer setting for Public Servers
From: Sureerat P. (EQHO) @ 2005-02-17 7:28 UTC (permalink / raw)
To: lartc
Hi all,
Thank you for your kind reply.
So my next step should be as follows:
1. patch the kernel with patch-o-matic
2. add more config with iptables+connmark as described in
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
Please tell me whether my understanding is correct. Thank you.
Best regards,
Sureerat P.

* Re: [LARTC] Load Balancer setting for Public Servers
From: Nguyen Dinh Nam @ 2005-02-17 10:29 UTC (permalink / raw)
To: lartc
Not enough, my tutorial only discusses CONNMARKing outgoing NEW packets
in POSTROUTING; if you want to DNAT connections from the internet to some
computers in your LAN, you must also CONNMARK incoming NEW packets in
PREROUTING too. I want to keep the tutorial short and simple so I didn't
write about it; you can consult CONNMARK in PREROUTING in RoutesKeeper's
source code.
Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be
dropped by ISPs.
From kernel 2.6.10, CONNMARK is included already; you don't have to
patch anything.
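As an added example (not code from the original post, from Nguyen's tutorial or from RoutesKeeper), the script below generates the CONNMARK rules that the reply above describes for the setup in Sureerat's configuration: NEW connections arriving on an ISP link are tagged in mangle PREROUTING before DNAT, NEW outgoing connections are tagged in mangle POSTROUTING after the multipath route has chosen a link, the mark is restored on packets coming back from the LAN interface, and fwmark rules send them through that link's table. It assumes the interface names, tables 10/20/30 and eth0 as LAN interface from the original post; the rule priority 9 and the DRYRUN wrapper (which prints the commands instead of executing them) are my own choices.

```shell
#!/bin/sh
# Added example, not the poster's config or the tutorial's script.
# Assumes the original post's layout: eth0 = LAN, eth1/eth2/eth3 = ISP1/2/3,
# tables 10/20/30 hold each ISP's default route. DRYRUN=1 (default) only
# prints the commands; set DRYRUN=0 to apply them on a load balancer.
DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Each link as mark:interface:table. The mark lives in the conntrack entry;
# "ip rule ... fwmark N table T" later routes by it.
LINKS="1:eth1:10 2:eth2:20 3:eth3:30"
LAN_IF=eth0
RULE_PRIO=9   # after "prio 5 table main", before the prio 40 multipath rule

# Incoming side (the part the tutorial leaves out): a NEW connection that
# arrives on an ISP link, e.g. a SYN for 213.244.0.30 via eth1, is tagged
# with that link. mangle PREROUTING runs before nat PREROUTING, so this
# happens before DNAT rewrites the destination.
mark_incoming() {
    for l in $LINKS; do
        mark=${l%%:*}; rest=${l#*:}; dev=${rest%%:*}
        run iptables -t mangle -A PREROUTING -i "$dev" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
    done
}

# Outgoing side (what the tutorial does): once the multipath route has
# picked a link for a NEW LAN connection, remember that link.
mark_outgoing() {
    for l in $LINKS; do
        mark=${l%%:*}; rest=${l#*:}; dev=${rest%%:*}
        run iptables -t mangle -A POSTROUTING -o "$dev" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
    done
}

# Later packets of both kinds enter from the LAN side with source 10.0.0.x
# (the reverse of DNAT is applied after routing), so the "from 213.244.0.0/24"
# rules never match them and the multipath table could pick another ISP.
# Copy the connection mark onto the packet before routing instead.
restore_mark() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

# Policy rules: a marked packet uses the table of the link it belongs to.
fwmark_rules() {
    for l in $LINKS; do
        mark=${l%%:*}; table=${l##*:}
        run ip rule add prio "$RULE_PRIO" fwmark "$mark" table "$table"
    done
}

rules() {
    mark_incoming
    mark_outgoing
    restore_mark
    fwmark_rules
}

rules
```

On current kernels `-m state --state` can be written as `-m conntrack --ctstate`; the CONNMARK target and the fwmark rules are unchanged.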

* Re: [LARTC] Load Balancer setting for Public Servers
From: Julian Anastasov @ 2005-02-17 11:44 UTC (permalink / raw)
To: lartc
Hello,
On Thu, 17 Feb 2005, Nguyen Dinh Nam wrote:
> Not enough, my tutorial only discusses CONNMARKing outgoing NEW packets
> in POSTROUTING; if you want to DNAT connections from the internet to some
> computers in your LAN, you must also CONNMARK incoming NEW packets in
> PREROUTING too. I want to keep the tutorial short and simple so I didn't
> write about it; you can consult CONNMARK in PREROUTING in RoutesKeeper's
> source code.
> Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be
> dropped by ISPs.
That problem should be solved with the "routes" patch, maybe
you know of some issue with this? The first packet comes, DNAT selects
manipulations for both directions, the packet is routed to the internal host,
the reply comes, we route by lsrc (maddr), one of the valid links for
maddr is selected; it can be different if routing allows input and
output routes to use different interfaces (you don't always know the
incoming gateway that remote hosts are using to reach maddr). What
"routes" gives you is correct routing usage for NAT, which is expected
by all NAT users in multipath setups.
> From kernel 2.6.10, CONNMARK is included already, you don't have to
> patch anything.
I'm happy with that, I just don't see the problems you see
with "routes".
Regards
--
Julian Anastasov <ja@ssi.bg>

* RE: [LARTC] Load Balancer setting for Public Servers
From: Sureerat P. (EQHO) @ 2005-02-17 13:14 UTC (permalink / raw)
To: lartc
Hello all,
Thank you again for all of your information provided to me.
But now I'm quite confused about the solution. Frankly, CONNMARK is a new
thing to me. As I read the guide, I have not understood it much; maybe I
will take some more time to study and test it. In case you have
a final case study about this, it would help me much because now it's an
urgent task for me.
Regarding Julian's suggestion, do you mean that CONNMARK is not necessary
for this scenario? And also I have no idea about the lsrc and maddr you are
mentioning. Could you please provide me with a reference site so I can get more
details about it.
To tell you the truth, even though I'm confused, I get more knowledge from
here. And I want to say "Thank you" for all your kindness. Tonight I will
study your guideline more deeply and do more testing. I'll report any progress
via this mailing group.
Best regards,
Sureerat P.

* RE: [LARTC] Load Balancer setting for Public Servers
From: Julian Anastasov @ 2005-02-18 7:14 UTC (permalink / raw)
To: lartc
Hello,
On Thu, 17 Feb 2005, Sureerat P. (EQHO) wrote:
> Regarding Julian's suggestion, do you mean that CONNMARK is not necessary
> for this scenario? And also I have no idea about the lsrc and maddr you are
connmark should work, you just need to set it up.
> mentioning. Could you please provide me with a reference site so I can get more
> details about it.
http://www.ssi.bg/~ja/dgd.txt
http://www.ssi.bg/~ja/dgd-usage.txt
> To tell you the truth, even though I'm confused, I get more knowledge from
> here. And I want to say "Thank you" for all your kindness. Tonight I will
> study your guideline more deeply and do more testing. I'll report any progress
> via this mailing group.
Yes, it is not easy, there is no complete solution for such
setups as the details can be very different, you have to combine
lots of scripts :)
Regards
--
Julian Anastasov <ja@ssi.bg>

* RE: [LARTC] Load Balancer setting for Public Servers
From: Sureerat P. (EQHO) @ 2005-02-18 7:47 UTC (permalink / raw)
To: lartc
Hi Julian,
Thank you for your reply.
I've some idea now. I'll try it and update you the outcome. :-D
Best regards,
Sureerat P.