Date:	Sun, 8 Apr 2007 14:22:10 -0400
From:	lsorense@...lub.uwaterloo.ca (Lennart Sorensen)
To:	W Agtail <wagtail@....ie>
Cc:	netdev@...r.kernel.org
Subject: Re: two gateways with one NIC

On Sun, Apr 08, 2007 at 05:10:15PM +0100, W Agtail wrote:
> Hi, and thanks very much for your response. Your guess sounds spot on. 
> 
> As you've mentioned, using one sync group works quite well and gives you
> an active/passive LVS cluster (not sure of correct terminology here -
> sorry), thus all traffic goes via LVS1, leaving LVS2 not doing much
> unless LVS1 fails.
> 
> I thought it would be a cool idea to set up two sync groups to ultimately
> handle several Apache instances on the two Apache servers. This way,
> both LVS servers would be used in a kind of active/active fashion and
> would be a master/slave to each other. For example, vip1 & gw1 could
> possibly end up on LVS2 with vip2 & gw2.
> 
> The challenge, though, is in having two sync groups, with two GWs. I would
> like all traffic coming through vip1 to be returned via gw1 and all
> traffic coming through vip2 to be returned via gw2.
> 
> I am using keepalived (v1.1.13) with two sync groups. One with vip1 &
> gw1 and another with vip2 & gw2. Port 8088 will always come through
> vip1/gw1, load balancing to web1:8088 and web2:8088. Port 8089 will
> always come through vip2/gw2, load balancing to web1:8089 and web2:8089.
> 
> Web1's default gw is set to gw1 and web2's default gw is set to gw2. But
> this is causing issues when, say, vip1:8088 gets forwarded through gw1 to
> web2:8088 and doesn't get back via gw2. To get round this, I need
> something like iproute2 on web2 to send all 8088 traffic back through
> gw1.

You have to set up both web servers to use the same gateway.  You can
set up an alternate routing table and tag packets from the apache on port
8089 to use the other gateway IP instead, but any traffic handled by
LVS1 _must_ be returned through LVS1.  So both web servers have to have
identical configuration (which is also much simpler to maintain).

You can use iptables to tag packets matching the source port of 8089 and
have ip route route all packets with that specific tag using an
alternate routing table, which will then use the other LVS.

So if you have two VRRP groups, you have port 8088 return by the regular
default gateway going to the first group IP, and you have tagging flag
all port 8089 packets to go through the second VRRP IP.  If an LVS
fails, both VRRP groups end up on the working LVS and everything still
works, but while both work, one LVS handles one port, and the other the
other port.  Of course routing packets is hardly a lot of work, so it
may not really be worth the bother to do anything extra with two groups.
You really have to configure both web servers identically though in
terms of routes.

> Hope this makes a little more sense to what I'm trying to achieve?
> Thanks again.

--
Len Sorensen
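One way to realise the tagging Lennart describes on each web server, as an added example that is not code from this thread: locally generated packets with source port 8089 get a firewall mark in the mangle OUTPUT chain, and a policy rule sends marked packets to a second routing table whose only default route is the second VRRP gateway. The gateway address 192.0.2.2, interface eth0, mark 2 and table 200 are constructed assumptions; set DRY_RUN=0 to actually apply the rules instead of printing them.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing so replies from the
# Apache instance on port 8089 leave via the second LVS/VRRP gateway while
# everything else keeps using the normal default gateway (first LVS).
# Values below are constructed assumptions; override via the environment.
GW2="${GW2:-192.0.2.2}"     # VRRP IP of the second LVS (gw2)
DEV="${DEV:-eth0}"          # interface facing the LVS directors
PORT="${PORT:-8089}"        # Apache instance whose replies must use gw2
MARK="${MARK:-2}"           # firewall mark for those packets
TABLE="${TABLE:-200}"       # routing table id consulted for that mark

# Print commands when DRY_RUN=1 (default), execute them when DRY_RUN=0,
# so the configuration can be reviewed before it touches a live box.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pbr_setup() {
    # 1. Mark locally generated TCP packets whose source port is the second
    #    Apache instance, i.e. replies to clients that arrived via vip2.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$PORT" -j MARK --set-mark "$MARK"
    # 2. Second routing table whose only default route is the second gateway.
    run ip route add default via "$GW2" dev "$DEV" table "$TABLE"
    # 3. Policy rule: packets carrying the mark are routed with that table.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # 4. Drop cached routes so existing flows pick up the new rule.
    run ip route flush cache
}

pbr_teardown() {
    # Reverse of pbr_setup, in the opposite order.
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run ip route del default via "$GW2" dev "$DEV" table "$TABLE"
    run iptables -t mangle -D OUTPUT -p tcp --sport "$PORT" -j MARK --set-mark "$MARK"
    run ip route flush cache
}

pbr_setup
```

Both web servers need the identical rule set, exactly as Lennart says; port 8088 traffic is unmarked and keeps following the main table's default route to gw1.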