Hello,

I have finished setting up the load balancer with IPROUTE ... also patched the kernel to support DGD, and now it's working fine with the valuable guide at the LARTC website, Julian Anastasov, and the kind people in this mailing list. Now I would like to launch a web server and an FTP server to the public, but I'm stuck on a problem and really need your help.

Currently internal users can access the internet and the load balancing feature is working well, but users in the external network can't access my servers. Could someone please help investigate my config and suggest what is wrong or missing? Thank you very much.

My network design is like this:

+----------+     +----------+      +----------+
|   ISP1   |     |   ISP3   |      |   ISP3   |
+----------+     +----------+      +----------+
     |                |                 |
     |                |                 |
     |         +--------------+         |
     |_________| LoadBalancer |_________|
               +--------------+
                      |
                      |
               +--------------+
      _________|   Firewall   |_________
     |         +--------------+         |
     |                |                 |
     |                |                 |
+----------+     +----------+      +----------+
|Web Server|     |FTP Server|      |   LAN    |
+----------+     +----------+      +----------+

eth0 - Internal Network
-----------------------
IP = 10.0.0.1/24

eth1 - route to ISP1
--------------------
IP = 213.244.0.254/24
GW = 213.244.0.1

eth2 - route to ISP2
--------------------
IP = 222.240.0.254/24
GW = 222.240.0.1

eth3 - route to ISP3
--------------------
IP = 201.10.0.254/24
GW = 201.10.0.1

Public Server
-------------
Web Server = 213.244.0.30
FTP Server = 213.244.0.31
(Firewall = 213.244.0.20)

Firewall
--------
Interface to LoadBalancer = 10.0.0.254
Interface to Web Server = 10.0.0.30
Interface to FTP Server = 10.0.0.31

Following is my configuration:
-----------------------------
ip address add 10.0.0.1/24 brd + dev eth0
ip address add 213.244.0.254/24 brd + dev eth1
ip address add 222.240.0.254/24 brd + dev eth2
ip address add 201.10.0.254/24 brd + dev eth3
ip rule add prio 5 table main
ip route add default via 213.244.0.1 dev eth1 src 213.244.0.254 proto static table 10
ip route append prohibit default table 10 metric 1 proto static
ip route add default via 222.240.0.1 dev eth2 src 222.240.0.254 proto static table 20
ip route append prohibit default table 20 metric 1 proto static
ip route add default via 201.10.0.1 dev eth3 src 201.10.0.254 proto static table 30
ip route append prohibit default table 30 metric 1 proto static
ip rule add prio 10 from 213.244.0.0/24 table 10
ip rule add prio 20 from 222.240.0.0/24 table 20
ip rule add prio 30 from 201.10.0.0/24 table 30
ip rule add prio 40 table 40
ip route add default table 40 proto static nexthop via 213.244.0.1 dev eth1 weight 1 nexthop via 222.240.0.1 dev eth2 weight 1 nexthop via 201.10.0.1 dev eth3 weight 1
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t nat -I PREROUTING -d 213.244.0.20 -j DNAT --to 10.0.0.254
iptables -t nat -I PREROUTING -d 213.244.0.30 -j DNAT --to 10.0.0.30
iptables -t nat -I PREROUTING -d 213.244.0.31 -j DNAT --to 10.0.0.31

Best regards,

Sureerat P.

You are facing the CONNMARK problem! Everyone who follows the nano howto faces the CONNMARK problem, no need to read your config :)

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hello Nguyen Dinh Nam,

Thank you for your reply. Please also suggest how I can fix the problem. Do you mean that I should not follow the nano howto? Kindly provide me some clue. Thank you.

Best regards,

Sureerat P.

-----Original Message-----
From: Nguyen Dinh Nam [mailto:64vn@cardvn.net]
Sent: Wednesday, February 16, 2005 5:29 PM
To: Sureerat P. (EQHO)
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load Balancer setting for Public Servers
_______________________________________________

Hi!

Sureerat P. (EQHO) wrote:
> Hello,
>
> I have finished setting up the load balancer with IPROUTE ... also patch
> the kernel to support DGD and now it's working fine with the valuable
> guide at LARTC website, Julian Anastasov, and the kind people in this
> mailing list. Now I would like to launch a web server and a ftp server
> to the public but I'm stuck into a problem and really need your help.

I had a very similar setup, and everything worked.

> Currently internal users can access internet and loadbalancing feature
> is working well, but users in external network can't access my servers.
> Please someone help investigate my config and suggest me what is wrong
> or missing. Thank you very much.

I suggest you run tcpdump on the firewall's interfaces to track the packets. This way you can nail the problem.

> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

I think the problem may be here. You should use SNAT like me:

$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT --to-source $EXTERNAL_IP_ADDR
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE2 -j SNAT --to-source $EXTERNAL_IP_ADDR2

--
Udv,
Nandor
_______________________________________________

Although I don't agree with the approach of using JA's patch, I still admit that nano-howto is a good howto; many people are using it successfully.

But nano-howto doesn't tell you to bind each connection to only one link (internet connection), so some packets get dropped when they get routed to the wrong link. You can read about using CONNMARK here:
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
_______________________________________________

Hello,

On Wed, 16 Feb 2005, Nguyen Dinh Nam wrote:

> Although I don't agree with the approach of using JA's patch, I still
> admit that nano-howto is a good howto, many people are using it
> successfully.
>
> But nano-howto doesn't tell you to bind each connection to only one link
> (internet connection), so some packets get dropped when get routed to
> the wrong link. You can read about using CONNMARK here:
> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

It is controlled by correct routes. NAT connections are bound to masquerade IP (done in netfilter) but the patches guarantee this is propagated to the routing usage, look for lsrc in patch. It works for DNAT too. IOW, in some cases you can use more ISPs for maddr, for example, ISP1 for maddr_X->dest1 and ISP2 for maddr_X->dest2. Once maddr is selected for connection (from first packet), this maddr can be routed to one ISP (if the ISPs do spoofing checks) or to many ISPs, you can even use multipath route for 'from maddr to all'. So, for packets from single connection all requirements are met, traffic from maddr can use any/many alive links but only one at a time for specific maddr->dest path.

When two NAT connections are related CONNMARK can solve the problem to route both of them to same path, sometimes this is done from the application modules, they select same maddr for related connections. Of course, other high level dependencies can be solved with CONNMARK, e.g. web session persistence, maybe with help from application modules.

The problem here is that "routes" works only at routing level while CONNMARK work can be helped from other modules.

Regards

--
Julian Anastasov <ja@ssi.bg>
_______________________________________________

Hi all,

Thank you for your kind reply.

So my next steps should be as follows:

1. patch the kernel with patch-o-matic
2. add more config with iptables+connmark as described in
   http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Please let me know whether my understanding is correct. Thank you.

Best regards,

Sureerat P.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Julian Anastasov
Sent: Thursday, February 17, 2005 7:17 AM
To: Nguyen Dinh Nam
Cc: Sureerat P. (EQHO); lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load Balancer setting for Public Servers
_______________________________________________

Not enough, my tutorial only discusses CONNMARK for outgoing NEW packets in POSTROUTING; if you want to DNAT connections from the internet to some computers in your LAN, you must also CONNMARK incoming NEW packets in PREROUTING. I want to keep the tutorial short and simple so I don't write about it; you can consult CONNMARK in PREROUTING in RoutesKeeper's source code.

Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be DROPped by ISPs.

From kernel 2.6.10, CONNMARK is included already, you don't have to patch anything.
_______________________________________________

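The CONNMARK arrangement described in the message above, written out for the three-uplink configuration posted at the top of the thread. This is an added example, not code from the thread, the linked tutorial or RoutesKeeper; the mark values 1-3, the rule priorities 6-8 and the `run` dry-run wrapper are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces, routing tables 10/20/30 and
# the "prio 5 table main" / "prio 40 table 40" rules come from the config
# posted at the top of the thread. ASSUMPTIONS: mark values 1-3, rule
# priorities 6-8, and the dry-run wrapper below.

LAN_IF=eth0
# One uplink per line: <interface> <connmark> <routing table>
UPLINKS='eth1 1 10
eth2 2 20
eth3 3 30'

# Print each command by default; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

connmark_rules() {
    # Packets entering from the LAN side (server replies, later packets of
    # outbound LAN connections): copy the connection's mark onto the packet
    # in mangle PREROUTING, which runs before the routing decision.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark

    while read -r ifc mark table; do
        # Inbound: the first packet of a connection arriving on this uplink
        # (e.g. a SYN for a DNATed server) records the uplink in conntrack.
        run iptables -t mangle -A PREROUTING -i "$ifc" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
        # Outbound: the first packet of a LAN connection leaving on this
        # uplink (chosen by the multipath route) records it as well.
        run iptables -t mangle -A POSTROUTING -o "$ifc" -m state --state NEW \
            -j CONNMARK --set-mark "$mark"
        # Marked packets use this uplink's table. Priorities 6-8 sit after
        # "prio 5 table main" and before the multipath rule at prio 40, so a
        # reply whose source is still 10.0.0.x never reaches the multipath
        # route and cannot leave through a different ISP.
        run ip rule add prio "$((5 + $mark))" fwmark "$mark" table "$table"
    done <<EOF
$UPLINKS
EOF
}

connmark_rules
```

Run as-is it only prints the commands for review; `APPLY=1` as root applies them. With the rules in place, `tcpdump -ni eth1` should show both directions of a connection that entered through eth1.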
Hello,

On Thu, 17 Feb 2005, Nguyen Dinh Nam wrote:

> Not enough, my tutorial only discuss about CONNMARK outgoing NEW packets
> in POSTROUTING, if you want to DNAT connections from internet to some
> computers in your LAN, you must also CONNMARK incoming NEW packets in
> PREROUTING too. I want to keep the tutorial short and simple so I don't
> write about it, you can consult CONNMARK in PREROUTING in RoutesKeeper's
> source code.
> Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be
> DROPed by ISPs.

That problem should be solved with the "routes" patch, maybe you know of some issue with this? First packet comes, DNAT selects manipulations for both directions, packet is routed to internal host, reply comes, we route by lsrc (maddr), one of the valid links for maddr is selected, it can be different if routing allows input and output routes to use different interfaces (you don't always know the incoming gateway that remote hosts are using to reach maddr). What "routes" gives you is correct routing usage for NAT which is expected from all NAT users in multipath setups.

> From kernel 2.6.10, CONNMARK is included already, you don't have to
> patch anything.

I'm happy with that, I just don't see the problems you see with "routes".

Regards

--
Julian Anastasov <ja@ssi.bg>
_______________________________________________

Hello all,

Thank you again for all of the information you provided to me. But now I'm quite confused about the solution. Frankly, CONNMARK is a new thing to me. As I read the guide, I have not understood it much; maybe I will take some more time to study and test more about it. In case you have a final case study about this, it will help me much because now it's an urgent task for me.

Regarding Julian's suggestion, do you mean that CONNMARK is not necessary for this scenario? And also I don't have any idea about the lsrc and maddr you are mentioning. Could you please provide me the reference site so I can get more details about it?

To tell you the truth, even though I'm confused, I am getting more knowledge from here. And I want to say "Thank you" for all your kindness. Tonight I will study your guideline more deeply and do more testing. If there is any progress, I'll update you via this mailing group.

Best regards,

Sureerat P.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Julian Anastasov
Sent: Thursday, February 17, 2005 6:45 PM
To: Nguyen Dinh Nam
Cc: Sureerat P. (EQHO); lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load Balancer setting for Public Servers
_______________________________________________

Hello,

On Thu, 17 Feb 2005, Sureerat P. (EQHO) wrote:

> Regarding Julian's suggestion, do you mean that CONNMARK is not necessary
> for this scenario? And also I don't have idea about lsrc and maddr you are

connmark should work, you just need to set it up.

> mentioning. Could you please provide me the reference site so I can get more
> details about it.

http://www.ssi.bg/~ja/dgd.txt
http://www.ssi.bg/~ja/dgd-usage.txt

> To tell you the truth, even I'm confused but more knowledges I get from
> here. And I want to say "Thank you" for your all kindness. Tonight I will
> study deeper about your guideline and do more testing. Any progress, I'll
> update you via this mailing group.

Yes, it is not easy, there is no complete solution for such setups as the details can be very different, you have to combine lots of scripts :)

Regards

--
Julian Anastasov <ja@ssi.bg>
_______________________________________________

Hi Julian,

Thank you for your reply. I have some idea now. I'll try it and update you on the outcome. :-D

Best regards,

Sureerat P.

-----Original Message-----
From: Julian Anastasov [mailto:ja@ssi.bg]
Sent: Friday, February 18, 2005 2:14 PM
To: Sureerat P. (EQHO)
Cc: Nguyen Dinh Nam; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Load Balancer setting for Public Servers
_______________________________________________