Linux Netfilter discussions
From: Amos Jeffries <squid3@treenet.co.nz>
To: Lloyd Standish <lloyd@crnatural.net>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: load-balancing router: trouble with breaking connections
Date: Wed, 22 Feb 2012 20:22:02 +1300
Message-ID: <4F44979A.4030506@treenet.co.nz>
In-Reply-To: <op.v92bnewzx1lyi3@debiandesk2.net>

On 22/02/2012 5:19 p.m., Lloyd Standish wrote:
> On Tue, 21 Feb 2012 21:46:40 -0600, Brian Austin - Standard Universal 
> <brian@standarduniversal.com.au> wrote:
>
>> Hi,
>> you need to restore marks to packets from the local machine too.. or its
>> sessions will be messed up.
>> first line in mangle output should be
>>
>> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark;
>>
>> I believe conntrack replaces the route cache function entirely for
>> session persistence.
>>
>> cheers
>>
>
> Thanks for your comment.  I do --restore-mark for OUTPUT as well, 
> although I didn't mention it in my post.
>
> The main point of my post was to show how load-balancing can be done 
> using the route cache to choose a route based on previous routing, and 
> use conntrack to keep packets on the same interfaces.
>
> It may be that there is confusion about my use of the word "session."  
> I am not referring to keeping all packets belonging to the same 
> *connection* on the same interface, but rather to keeping a series of 
> connections by a user to the same destination on the same interface.
>
> In my experience the only practical way to achieve session persistence 
> is to allow the route cache to choose the route (and therefore the 
> outbound interface).  When I ran a load-balancing router that ignored 
> the route cache, using the statistics module in "probability" mode to 
> choose an outbound interface at random, marking packets with connmark, 
> I got beautiful load-balancing, but sessions (not connections) were 
> broken constantly.  That is, websites that expected a logged-in user 
> to keep the same IP number gave endless trouble.  Interestingly, most 
> banking sites don't have a problem with this (although PayPal does).

I think the LB setup was suffering more from NAT than from routing 
issues. It is perfectly reasonable to expect that load balancer to work. 
Just as it would be perfectly reasonable to expect a router with an 
intermittent primary uplink to work with the same output style.
Only NAT on the LB's outbound interface or at the ISP level would cause 
the broken behaviour you describe.

AYJ
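The rule set the thread is discussing, as an added example that is not code from the thread or from any of its posters: a script that prints the iproute2 and iptables commands for a connmark-based multi-uplink load balancer. New connections are spread over the uplinks with the statistic match, the chosen uplink is saved in the connection mark, and the mark is restored on every later packet of the connection, in PREROUTING for forwarded traffic and, as Brian's reply asks for, as the first rule of mangle OUTPUT for the router's own traffic. The SNAT rules are where each uplink's own source address is applied, which is the NAT Amos points at. Interface names, gateways and addresses are assumed; the example goes beyond the two-uplink case by computing the probabilities 1/(n-i+1) for any number of uplinks.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters: print the iproute2
# and iptables commands for a connmark-based multi-uplink load balancer.
# A new connection is assigned to an uplink by the statistic match, the
# choice is stored in the connection mark, and the mark is restored on every
# later packet of that connection: in PREROUTING for forwarded traffic and
# in OUTPUT for traffic the router itself generates.
# Interface names, gateways and addresses below are assumed.
#
#   sh lb-rules.sh        # print the commands for review
#   sh lb-rules.sh | sh   # apply them (as root, on a router with conntrack)

LAN_IF=eth0                        # assumed LAN-facing interface
UPLINKS='eth1 192.0.2.1 192.0.2.10
eth2 198.51.100.1 198.51.100.10'   # assumed "iface gateway address", one per line

# Print the rule set for the uplinks listed in "$1". Nothing is executed here.
lb_rules() {
    uplinks=$1
    n=$(printf '%s\n' "$uplinks" | grep -c '[^ ]')

    # 1. One routing table per uplink, selected by firewall mark i, and SNAT
    #    to that uplink's own address. The SNAT rule decides which source
    #    address a remote site sees for a given connection.
    i=0
    while read -r iface gw addr; do
        [ -n "$iface" ] || continue
        i=$((i + 1))
        echo "ip route add default via $gw dev $iface table $((100 + i))"
        echo "ip rule add fwmark $i table $((100 + i))"
        echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr"
    done <<EOF
$uplinks
EOF

    # 2. Restore the saved mark first, for forwarded packets and for packets
    #    the router itself generates, so the rules below only see new
    #    connections (those still carry mark 0 after the restore).
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"

    # 3. Choose an uplink for connections that carry no mark yet.
    #    Connections arriving on an uplink are pinned to it so replies leave
    #    the way they came. LAN and local connections are spread at random:
    #    rule i fires with probability 1/(n-i+1) on what the earlier rules
    #    let through, which gives every uplink an equal 1/n share.
    new="-m mark --mark 0 -m conntrack --ctstate NEW"
    i=0
    while read -r iface gw addr; do
        [ -n "$iface" ] || continue
        i=$((i + 1))
        p=$(awk -v k="$((n - i + 1))" 'BEGIN { printf "%.6f", 1 / k }')
        echo "iptables -t mangle -A PREROUTING -i $iface $new -j MARK --set-mark $i"
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF $new -m statistic --mode random --probability $p -j MARK --set-mark $i"
        echo "iptables -t mangle -A OUTPUT $new -m statistic --mode random --probability $p -j MARK --set-mark $i"
    done <<EOF
$uplinks
EOF

    # 4. Remember the choice for the rest of the connection.
    echo "iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark"
    echo "iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark"
}

lb_rules "$UPLINKS"
```

The script only prints the commands so they can be reviewed before being piped into a root shell. On a real router the uplinks usually also need a relaxed rp_filter setting, and the kernel's route cache should be flushed after the rules change. Note that this is the statistic-match design Lloyd describes as giving good balancing: a client's second connection to the same site is a fresh random draw, so with a different source address applied by the matching SNAT rule the site sees a different client IP, which is the effect Amos attributes to NAT rather than to routing.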


Thread overview:
2012-02-18 22:40 load-balancing router: trouble with breaking connections Lloyd Standish
2012-02-19  1:59 ` Brian Austin - Standard Universal
2012-02-19  3:19   ` Lloyd Standish
2012-02-19  5:17     ` Brian Austin - Standard Universal
2012-02-22  3:07 ` Lloyd Standish
2012-02-22  3:46   ` Brian Austin - Standard Universal
2012-02-22  4:19     ` Lloyd Standish
2012-02-22  7:22       ` Amos Jeffries [this message]
2012-02-22 14:53         ` Lloyd Standish
2012-02-22 20:57           ` Brian Austin - Standard Universal
