Greetings,

I am running Shorewall on an LVS cluster director. There are 2 NICs in the director. Here is their configuration:

eth0: 192.168.1.1
eth1: 24.244.141.30

The heartbeat software is used to add virtual IP addresses to eth1 and start services on those IPs. The virtual IP addresses added by heartbeat to eth1 are:

24.244.141.3
24.244.141.31

I am also using VLAN tagging to add public IP addresses on different networks to eth1. The settings for this are:

eth1.204: 65.243.101.240

The way the LVS director works is like this. The director is running Shorewall, heartbeat, and ldirectord. Heartbeat starts up and configures the virtual IP addresses on eth1. Then heartbeat starts ldirectord. The purpose of ldirectord is to handle load balancing of services to the real servers on the local network that eth0 is a part of. I have configured Shorewall to open ports to the director itself because the connections should come to ldirectord, which then passes on the connections to the real servers in the cluster. In other words, no port forwarding takes place from Shorewall's point of view.

All of this works fine except when I add the VLAN tagging to the configuration. When I bring up eth1.204 and configure the links in the providers file, the routing seems to work; however, the services the cluster provides lose connectivity. I am not sure why this is happening, but because I have never done this kind of configuration with Shorewall before, I suspect it has something to do with my configuration. I am attaching the shorewall dump file as directed on the support page.

Thank you for your time.

Regards,
Jason
Jason Harrison wrote:
> Greetings,
>
> I am running Shorewall on an LVS cluster director. There are 2 NICs in the
> director. Here is their configuration:
>
> eth0: 192.168.1.1
> eth1: 24.244.141.30
>
> The heartbeat software is used to add virtual IP addresses to eth1 and start
> services on those IPs. The virtual IP addresses added by heartbeat to eth1
> are:
>
> 24.244.141.3
> 24.244.141.31
>
> I am also using VLAN tagging to add public IP addresses on different networks
> to eth1. The settings for this are:
>
> eth1.204: 65.243.101.240
>
> The way the LVS director works is like this. The director is running
> Shorewall, heartbeat, and ldirectord. Heartbeat starts up and configures the
> virtual IP addresses on eth1. Then heartbeat starts ldirectord. The purpose
> of ldirectord is to handle load balancing of services to the real servers on
> the local network that eth0 is a part of. I have configured Shorewall to
> open ports to the director itself because the connections should come to
> ldirectord, which then passes on the connections to the real servers in the
> cluster. In other words, no port forwarding takes place from Shorewall's point
> of view. All of this works fine except when I add the VLAN tagging to the
> configuration. When I bring up eth1.204 and configure the links in the
> providers file, the routing seems to work; however, the services the cluster
> provides lose connectivity. I am not sure why this is happening, but because
> I have never done this kind of configuration with Shorewall before, I suspect
> it has something to do with my configuration. I am attaching the shorewall
> dump file as directed on the support page.
>
> Thank you for your time.

Could you post the providers file please.

Jerry

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> Could you post the providers file please.
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Here is the providers file.

Jason
Jason Harrison wrote:
>> Could you post the providers file please.
>>
>> Jerry
>
> Here is the providers file.
>
> Jason

Can you give this a try:

link1   1   1   main   eth1       24.244.141.1   track,balance   eth0
link2   2   2   main   eth1.204   65.243.101.1   track,balance   eth0

Jerry
> Can you give this a try:
>
> link1   1   1   main   eth1       24.244.141.1   track,balance   eth0
> link2   2   2   main   eth1.204   65.243.101.1   track,balance   eth0
>
> Jerry

I have tried that in the past as well, but it is the same as usual. Once the entries in the providers file become active, all services going through the director to the nodes in the inside network go offline. Other options I have tried are:

link1   1   1   main   eth1       24.244.141.1   track,loose   eth0
link2   2   2   main   eth1.204   65.243.101.1   track,loose   eth0

ldirectord can handle TCP, UDP and firewall marks. I think maybe the firewall is not handing ldirectord the connections correctly because my configuration is wrong. I think this because I have tried various things in the providers file without success, which leads me to believe something else is not right.

Jason
Jason Harrison wrote:
>> Can you give this a try:
>>
>> link1   1   1   main   eth1       24.244.141.1   track,balance   eth0
>> link2   2   2   main   eth1.204   65.243.101.1   track,balance   eth0
>>
>> Jerry
>
> I have tried that in the past as well, but it is the same as usual. Once the
> entries in the providers file become active, all services going through the
> director to the nodes in the inside network go offline.

In a single ISP setup, does everything work correctly?

> Other options I have tried are:
>
> link1   1   1   main   eth1       24.244.141.1   track,loose   eth0
> link2   2   2   main   eth1.204   65.243.101.1   track,loose   eth0
>
> ldirectord can handle TCP, UDP and firewall marks. I think maybe the firewall
> is not handing ldirectord the connections correctly because my configuration
> is wrong. I think this because I have tried various things in the providers
> file without success, which leads me to believe something else is not right.

Not having set up ldirectord has me at a disadvantage; the only other thing I can suggest is to try in tcrules:

1   $FW:24.244.141.3    0.0.0.0/0   all   -   -   -
1   $FW:24.244.141.31   0.0.0.0/0   all   -   -   -

If you're running with "loose", you need to have entries in tcrules to route the traffic based solely on the fwmarks, as the "ip from" rules are not present.

Not sure what else the issue could be. Sorry I couldn't help you further.

Jerry
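An added example, not code from the thread or from Shorewall itself: it models what the providers entries and the suggested tcrules lines translate to in ip rule / ip route / iptables terms (the exact commands Shorewall generates are assumed and simplified here), so you can see why, with "loose", a heartbeat VIP such as 24.244.141.3 is only steered into a provider table through an fwmark rule.

```python
from dataclasses import dataclass


@dataclass
class Provider:
    """One line of the Shorewall providers file (columns used in the thread)."""
    name: str
    number: int       # routing table number
    mark: int         # fwmark used by the 'track' option
    interface: str
    gateway: str
    options: set      # e.g. {"track", "balance"} or {"track", "loose"}
    addrs: list       # addresses on the interface when Shorewall starts (assumed:
                      # VIPs that heartbeat adds afterwards would not be in this list)


def routing_commands(providers, tcrules):
    """ip(8)/iptables commands equivalent to what providers + tcrules imply (simplified)."""
    cmds, nexthops = [], []
    for p in providers:
        cmds.append(f"ip route add default via {p.gateway} dev {p.interface} table {p.number}")
        if "track" in p.options:          # marked packets are looked up in the provider table
            cmds.append(f"ip rule add fwmark {p.mark} table {p.number}")
        if "loose" not in p.options:      # 'loose' suppresses these source-address rules
            for a in p.addrs:
                cmds.append(f"ip rule add from {a} table {p.number}")
        if "balance" in p.options:        # multipath default route in the main table
            nexthops.append(f"nexthop via {p.gateway} dev {p.interface} weight 1")
    if nexthops:
        cmds.append("ip route replace default scope global " + " ".join(nexthops))
    for mark, src in tcrules:             # '1 $FW:24.244.141.3 0.0.0.0/0 all' style entries
        cmds.append(f"iptables -t mangle -A OUTPUT -s {src} -j MARK --set-mark {mark}")
    return cmds


def table_for_source(providers, tcrules, src):
    """Provider table a packet sourced from `src` is routed by, or None for the main table."""
    marks = {s: m for m, s in tcrules}
    for p in providers:
        if "track" in p.options and marks.get(src) == p.mark:
            return p.number
        if "loose" not in p.options and src in p.addrs:
            return p.number
    return None


# Constructed from the thread: both links 'loose', VIPs .3/.31 added later by heartbeat.
LOOSE_PROVIDERS = [
    Provider("link1", 1, 1, "eth1", "24.244.141.1", {"track", "loose"}, ["24.244.141.30"]),
    Provider("link2", 2, 2, "eth1.204", "65.243.101.1", {"track", "loose"}, ["65.243.101.240"]),
]
TCRULES = [(1, "24.244.141.3"), (1, "24.244.141.31")]
```

Without TCRULES, table_for_source(LOOSE_PROVIDERS, [], "24.244.141.3") returns None (main table); with them it returns 1, which is the effect the tcrules suggestion is after.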
On Tuesday 25 April 2006 10:21 am, Jerry Vonau wrote:
> Jason Harrison wrote:
>>> Can you give this a try:
>>>
>>> link1   1   1   main   eth1       24.244.141.1   track,balance   eth0
>>> link2   2   2   main   eth1.204   65.243.101.1   track,balance   eth0
>>>
>>> Jerry
>>
>> I have tried that in the past as well, but it is the same as usual. Once
>> the entries in the providers file become active, all services going
>> through the director to the nodes in the inside network go offline.
>
> In a single ISP setup, does everything work correctly?
>
>> Other options I have tried are:
>>
>> link1   1   1   main   eth1       24.244.141.1   track,loose   eth0
>> link2   2   2   main   eth1.204   65.243.101.1   track,loose   eth0
>>
>> ldirectord can handle TCP, UDP and firewall marks. I think maybe the
>> firewall is not handing ldirectord the connections correctly because my
>> configuration is wrong. I think this because I have tried various things
>> in the providers file without success, which leads me to believe something
>> else is not right.
>
> Not having set up ldirectord has me at a disadvantage; the only other
> thing I can suggest is to try in tcrules:
>
> 1   $FW:24.244.141.3    0.0.0.0/0   all   -   -   -
> 1   $FW:24.244.141.31   0.0.0.0/0   all   -   -   -
>
> If you're running with "loose", you need to have entries in tcrules to
> route the traffic based solely on the fwmarks, as the "ip from" rules
> are not present.
>
> Not sure what else the issue could be. Sorry I couldn't help you further.
>
> Jerry

I have not tried what you have suggested above before. I think it is worth trying what you have suggested. However, the system is live, so I will try it during the next maintenance window.

Thank you very much for your help. I will let you know the result.

Jason