Re: Load Balance - Grant Taylor

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Load Balance
Date: Mon, 16 May 2011 19:45:45 -0500	[thread overview]
Message-ID: <4DD1C539.20404@riverviewtech.net> (raw)
In-Reply-To: <1305581912.2041.15.camel@andybev-desktop>

On 5/16/2011 16:38, Andrew Beverley wrote:
> If you don't do this, then each gateway will only see half the
> packets for a connection stream, which although I am not an expert, I
> guess is not a good thing.

The problem has to do with the fact that most connections are using NAT 
at the edge, not a globally routable IP behind the load balancer with 
multiple routes back in.

So what happens is that some of the traffic for a session is sent out 
one gateway and being NATed to one external IP and the other traffic for 
the same session is being sent out the other gateway and being NATed to 
a different external IP.  Thus, the server sees weird traffic, coming 
from two different IPs.  One connection exhibits drops and the other 
exhibits incorrect sequence (think TCP 3-way handshake).  The server 
will abort the out of order / incorrect state traffic, which really 
causes the client to abort the entire connection.  You end up with a 
mess.  Thus you need to use something like conntrack to make connections 
be persistent when NAT is involved like that.

Grant. . . .

next prev parent reply	other threads:[~2011-05-17  0:45 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-04-17 23:22 Load Balance Usuário do Sistema
2011-05-15 17:23 ` Andrew Beverley
2011-05-16 20:24   ` Usuário do Sistema
2011-05-16 21:38     ` Andrew Beverley
2011-05-16 22:42       ` Usuário do Sistema
2011-05-17  0:45       ` Grant Taylor [this message]
2011-05-17 17:00         ` Usuário do Sistema
2011-05-17 18:07           ` Grant Taylor
2011-05-17 20:06             ` Usuário do Sistema

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4DD1C539.20404@riverviewtech.net \
    --to=gtaylor@riverviewtech.net \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).