* is this possible (multiple sources, replies go to proper source)
From: David Lang @ 2006-07-07 20:21 UTC
To: netfilter
In trying to figure out an LVS configuration to load balance firewalls I have
gotten stuck with one problem.
The scenario below is drastically simplified; I can go into more detail if people
think it would help.
inbound traffic to a box can arrive through either box B or box C (depending on
factors outside this problem)
  B   C
   \ /
    A
    |
    D
box A routes the traffic on to box D
box D replies to the connection (sending the packets to box A)
box A needs to figure out which box (B or C) the connection came through in the
first place and use that as the gateway for the reply packets.
The nearest thing I can think of to a solution would be for box A to remember
the MAC address that started the connection and then use it as the gateway for
reply packets that are part of that connection. I don't know how to do this (or
even if it's possible).
please copy me on replies as I am not subscribed to the list.
David Lang
* is this possible (multiple sources, replies go to proper source)
From: David Lang @ 2006-07-10 20:00 UTC
To: netfilter
In trying to figure out an LVS configuration to load balance firewalls I have
gotten stuck with one problem.
The scenario below is drastically simplified; I can go into more detail if people
think it would help.
inbound traffic to a box can arrive through either box B or box C (depending on
factors outside this problem)
  B   C
   \ /
    A
    |
    D
box A routes the traffic on to box D
box D replies to the connection (sending the packets to box A)
box A needs to figure out which box (B or C) the connection came through in the
first place and use that as the gateway for the reply packets.
The nearest thing I can think of to a solution would be for box A to remember
the MAC address that started the connection and then use it as the gateway for
reply packets that are part of that connection. I don't know how to do this
(or even if it's possible).
please copy me on replies as I am not subscribed to the list.
David Lang
* Re: is this possible (multiple sources, replies go to proper source)
From: Martijn Lievaart @ 2006-07-11 11:12 UTC
To: David Lang; +Cc: netfilter
<quote from="David Lang">
> In trying to figure out an LVS configuration to load balance firewalls I
> have
> gotten stuck with one problem.
>
> the scenario below is drastically simplified, I can go into more detail if
> people
> think it would help.
>
> inbound traffic to a box can arrive through either box B or box C
> (depending on
> factors outside this problem)
>
> B C
> \ /
> A
> |
> D
>
> box A routes the traffic on to box D
>
> box D replies to the connection (sending the packets to box A)
>
> box A needs to figure out which box (B or C) the connection came through
> in the
> first place and use that as the gateway for the reply packets.
>
> the nearest thing I can think of to a solution would be for box A to
> remember
> the MAC address that started the connection and then use it as the gateway
> for
> reply packets that are part of that connection. I don't know how to do
> this
> (or even if it's possible)
Use CONNMARK to remember which connection came from which gateway, use the
ROUTE target to correctly route the replies.
HTH,
M4
* is this possible (multiple sources, replies go to proper source)
From: David Lang @ 2006-07-13 21:10 UTC
To: netfilter
I'm resending this as I haven't seen an answer in the last 5 days (hopefully it
just slipped through the cracks)
In trying to figure out an LVS configuration to load balance firewalls I have
gotten stuck with one problem.
The scenario below is drastically simplified; I can go into more detail if people
think it would help.
inbound traffic to a box can arrive through either box B or box C (depending on
factors outside this problem) with the same source IP in the packet.
  B   C
   \ /
    A
    |
    D
box A routes the traffic on to box D
box D replies to the connection (sending the packets to box A)
box A needs to figure out which box (B or C) the connection came through in the
first place and use that as the gateway for the reply packets.
for other reasons doing NAT on boxes B and C is not a useable option (things on
D _really_ want to be able to see the real source IP, or as close to it as they
can)
The nearest thing I can think of to a solution would be for box A to remember
the MAC address that started the connection and then use it as the gateway for
reply packets that are part of that connection. I don't know how to do this
(or even if it's possible).
David Lang
* Re: is this possible (multiple sources, replies go to proper source)
From: Paulo Andre @ 2006-07-19 15:00 UTC
To: Martijn Lievaart; +Cc: netfilter
Martijn Lievaart wrote:
>
>Use CONNMARK to remember which connection came from which gateway, use the
>ROUTE target to correctly route the replies.
>
>HTH,
>M4
>
>
Hi Martijn, do you have an example on how to do this?
Thanks
Paulo
* Re: is this possible (multiple sources, replies go to proper source)
From: Martijn Lievaart @ 2006-07-22 10:32 UTC
To: Paulo Andre; +Cc: netfilter
Paulo Andre wrote:
> Martijn Lievaart wrote:
>
>>
>> Use CONNMARK to remember which connection came from which gateway,
>> use the
>> ROUTE target to correctly route the replies.
>>
>> HTH,
>> M4
>>
>>
>
> Hi Martijn, do you have an example on how to do this?
>
Scratch the ROUTE target. Use iproute2. In PREROUTING, mark the packet
according to the interface it came in on. On the return traffic, restore
the mark. Create routing rules on the fwmark. Googling "connmark route"
gives lots of info.
HTH,
M4
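The CONNMARK-plus-iproute2 approach from both of Martijn's replies, written out for box A from the diagram as an added example (not code from the thread or from any of its posters). Interface names, gateway addresses, mark values and routing table numbers are assumptions; the script prints the commands by default and only applies them when run with RUN set to empty.

```shell
#!/bin/sh
# Added example: box A tags every connection entering from B or C with a
# connection mark (CONNMARK), restores that mark onto the reply packets
# coming back from D, and lets ip rules on the fwmark pick B or C as the
# gateway. Interface names, addresses and table numbers are assumptions.
IF_B=eth1; GW_B=192.0.2.1       # link towards box B (assumed)
IF_C=eth2; GW_C=198.51.100.1    # link towards box C (assumed)
IF_D=eth0                       # link towards box D (assumed)
RUN=${RUN-echo}                 # dry run by default; "RUN= sh box-a.sh" applies

mangle_rules() {
    # NEW connections: record the ingress side in the connection mark.
    # CONNMARK --set-mark writes the ctmark only; the forward packet itself
    # is still routed towards D by the main table.
    $RUN iptables -t mangle -A PREROUTING -i "$IF_B" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 0x1
    $RUN iptables -t mangle -A PREROUTING -i "$IF_C" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 0x2
    # Replies from D: copy the ctmark onto the packet (the fwmark) so the
    # routing decision taken after PREROUTING can see which side it belongs to.
    $RUN iptables -t mangle -A PREROUTING -i "$IF_D" -j CONNMARK --restore-mark
}

policy_routes() {
    # One routing table per upstream box, each with its own default gateway.
    $RUN ip route replace default via "$GW_B" dev "$IF_B" table 101
    $RUN ip route replace default via "$GW_C" dev "$IF_C" table 102
    # The restored fwmark selects the table, i.e. the box the flow came through.
    $RUN ip rule add fwmark 0x1 table 101
    $RUN ip rule add fwmark 0x2 table 102
    # Caveat: the same source IP may arrive on either link, so strict reverse
    # path filtering on A would drop one side; use loose mode on both links.
    $RUN sysctl -w "net.ipv4.conf.$IF_B.rp_filter=2"
    $RUN sysctl -w "net.ipv4.conf.$IF_C.rp_filter=2"
}

mangle_rules
policy_routes
```

Traffic that A originates itself is not covered by these PREROUTING rules; it would need the same CONNMARK restore in the OUTPUT chain of the mangle table.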