On 17/01/2011 12:36, Jan Engelhardt wrote:
> On Monday 2011-01-17 11:55, Giles Coochey wrote:
>>> You should do all of the NAT-ing ON THE LOAD BALANCER:
>>>
>> I have to agree - if you are doing NAT you want to avoid any type of asymmetric
>> routing - especially you NEED to make sure that the device that is doing the
>> NAT (be it for load balancing or other reasons) receives the return packets.
> Not strictly. You could utilize a second device whose CTs are synchronized
> with the LB to apply the reverse transform, using conntrackd.
> Sort of like
>
> digraph { internet -> lb; lb -> web; web -> unnat; unnat -> internet; };
>
> but it only looks feasible to me if your LB is already computationally
> crowded.
> --

It also requires the load balancer to be using netfilter as well. If it's a
hardware load balancer with proprietary methods then you will need symmetric
routing through it, unless it supports some form of TCP state sharing.

--
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
Gib Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@coochey.net
Skype: gilescoochey
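Added sketch, not part of the thread, of what Jan's lb -> web -> unnat layout looks like when both boxes run netfilter. All addresses, the interface names, the multicast group and the use of DisableExternalCache are assumptions for illustration; the conntrackd stanzas follow the standard conntrackd.conf layout but have not been lifted from any real deployment. The point to verify before relying on it is the last block: on the unnat box the reverse (SNAT-back-to-VIP) transform has to come from the replicated entry, because that box has no nat rule of its own, so check with conntrack -L that the mapping is present and that the web node's replies are actually being rewritten rather than leaking out with the backend address.

```text
# --- lb: DNAT the public VIP to the backend (assumed addresses) ---
iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 80 \
         -j DNAT --to-destination 10.0.0.11:80

# --- /etc/conntrackd/conntrackd.conf, same file on lb and unnat except
#     IPv4_interface (192.168.100.1 on lb, 192.168.100.2 on unnat) ---
Sync {
    Mode FTFW {
        # Inject replicated states straight into the peer's kernel table, so
        # unnat holds the NAT mapping while the flow is live, not only after
        # a failover commit (conntrackd -c).
        DisableExternalCache on
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.100.1
        Interface eth2
        Checksum on
    }
}
General {
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    Filter From Userspace {
        Protocol Accept {
            TCP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            # never replicate the sync traffic itself
            IPv4_address 192.168.100.0/24
        }
    }
}

# --- unnat: web's default gateway; no nat rule here, the nat table only
#     needs to be loaded so the NAT hooks see the replicated entries ---
iptables -t nat -L -n >/dev/null

# --- checks, run while a client connection to the VIP is open ---
# lb: the DNATed flow is in the internal cache that is being replicated
conntrackd -i | grep 10.0.0.11
# unnat: the same flow is in the kernel table, original tuple towards the
# VIP, reply tuple from the backend; if it is missing, replies will leave
# with src 10.0.0.11 and the client will reset the connection
conntrack -L -d 203.0.113.10
```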