From: Brian Austin - Standard Universal <brian@standarduniversal.com.au>
To: Lloyd Standish <lloyd@crnatural.net>
Cc: Amos Jeffries <squid3@treenet.co.nz>, "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: load-balancing router: trouble with breaking connections
Date: Thu, 23 Feb 2012 07:57:31 +1100
Message-ID: <4F4556BB.7020303@standarduniversal.com.au>
In-Reply-To: <op.v924y4pvx1lyi3@debiandesk2.net>
On 23/02/2012 1:53 AM, Lloyd Standish wrote:
> On Wed, 22 Feb 2012 01:22:02 -0600, Amos Jeffries
> <squid3@treenet.co.nz> wrote:
>
>> I think the LB setup was suffering more from NAT than from routing
>> issues. It is perfectly reasonable to expect that load balancer to
>> work. Just as it would be perfectly reasonable to expect a router
>> with an intermittent primary uplink to work with the same output style.
>> Only NAT on the LBs outbound interface or at the ISP level would
>> cause the broken behaviour you describe.
>> AYJ
>
> I would certainly like to understand WHY I had to use connmarks to
> keep the packets belonging to a connection on the right interface.
> However, I don't believe the problem was NAT, because the only changes
> I had to make to get this load-balancing router to work (that is, to
> stop breaking connections) were the ones I mentioned in a previous
> post. I did not add or change any NAT rules. The router is doing NAT
> the way it was before, set up with a command like this for each
> interface:
>
> iptables -t nat -A POSTROUTING -o ${interface} -j SNAT --to-source ${!wan}
>
> Furthermore, on this router I was already using connmark to mark and
> route packets for those destinations and origin IP for which we did
> not want to have load-balancing. This by the way worked fine
> (connections were not broken). The only thing I added to fix the
> connection-breaking was marking of NEW packets after netfilter had
> made the routing decision (based on either the routing cache or
> round-robin distribution).
>
> I would like to know whether or not anyone has succeeded in doing
> load-balancing with "nexthop via..." over interfaces with *private* IPs.
>
My setup has NAT at the ADSL modems, not at the Linux box. So my router
is in private IP space on all interfaces.
I don't see how NAT could be an issue either, but I'm not a guru at
this - just enough to get it going.
Without thorough conntrack, it was rubbish.
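The connmark pattern Lloyd describes above (mark NEW connections after the routing decision, restore the mark before it, and route by fwmark so later packets of a connection stay on the interface the first packet used) as an added shell example; this is not code from the thread or from either poster's router. Interface names, gateways, addresses, table ids and mark values are constructed assumptions. The script generates the ip/iptables commands instead of applying them, so the ruleset can be reviewed and then piped to sh on the router. It goes one step beyond the post by also pinning connections that arrive from a WAN side to their arrival interface, and it includes Lloyd's per-interface SNAT line, which is not needed in a setup like Brian's where the modems do the NAT.

```shell
#!/bin/sh
# Added example: emit (do not apply) a connmark-pinned multi-WAN ruleset.
# All interface names, addresses, table ids and marks below are assumptions.
# Fields per line: iface gateway wan_ip table mark
WANS='eth1 192.168.1.1 192.168.1.10 101 1
eth2 192.168.2.1 192.168.2.10 102 2'

each_wan() {
    # Call "$@" once per WAN line, passing the five fields as arguments.
    printf '%s\n' "$WANS" | while read -r iface gw wan_ip table mark; do
        "$@" "$iface" "$gw" "$wan_ip" "$table" "$mark"
    done
}

emit_table() {
    # One routing table per uplink, selected by the packet's fwmark.
    echo "ip route replace default via $2 dev $1 table $4"
    echo "ip rule add fwmark $5 table $4 priority $((1000 + $5))"
}

emit_nexthop() { printf 'nexthop via %s dev %s weight 1 ' "$2" "$1"; }

emit_pin() {
    # mangle POSTROUTING runs after the route lookup, so -o tells us which
    # uplink the multipath route chose; record it on the connection.
    echo "iptables -t mangle -A POSTROUTING -o $1 -m conntrack --ctstate NEW -j CONNMARK --set-mark $5"
    # Connections initiated from a WAN side must answer via the same uplink
    # (this is beyond what the post describes).
    echo "iptables -t mangle -A PREROUTING -i $1 -m conntrack --ctstate NEW -j CONNMARK --set-mark $5"
}

emit_snat() {
    # Lloyd's per-interface SNAT; drop this when the modems do the NAT.
    echo "iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $3"
}

gen_multiwan_rules() {
    lan="$1"
    echo "# per-WAN routing tables, selected by fwmark"
    each_wan emit_table
    echo "# main table: round-robin over the uplinks for unmarked (NEW) packets"
    nexthops=$(each_wan emit_nexthop)
    echo "ip route replace default scope global ${nexthops% }"
    echo "# copy the connection mark onto the packet before the routing decision"
    echo "iptables -t mangle -A PREROUTING -i $lan -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
    echo "# remember which uplink the routing decision picked for NEW connections"
    each_wan emit_pin
    echo "# per-interface SNAT (only when this box is the NAT device)"
    each_wan emit_snat
}

gen_multiwan_rules eth0
```

Ordering matters: the restore-mark rules must precede anything that routes on the mark, and the POSTROUTING rule is deliberately placed after routing so that the mark records the decision rather than influencing it. Without the restore-mark step, a later packet of an established connection can be sent out through a different uplink when the route cache entry expires, which is the connection breaking the thread is about.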
Thread overview:
2012-02-18 22:40 load-balancing router: trouble with breaking connections Lloyd Standish
2012-02-19 1:59 ` Brian Austin - Standard Universal
2012-02-19 3:19 ` Lloyd Standish
2012-02-19 5:17 ` Brian Austin - Standard Universal
2012-02-22 3:07 ` Lloyd Standish
2012-02-22 3:46 ` Brian Austin - Standard Universal
2012-02-22 4:19 ` Lloyd Standish
2012-02-22 7:22 ` Amos Jeffries
2012-02-22 14:53 ` Lloyd Standish
2012-02-22 20:57 ` Brian Austin - Standard Universal [this message]