[LARTC] DNAT and Load Balancing

Manish Kathuria mkathuria at tuxtechnologies.co.in
Fri Mar 2 02:52:13 CET 2007


On 3/2/07, Tom Lobato <tomlobato at gmail.com> wrote:
>
>
>     Hi all!
>
>
>     After that good thread "DGD patch not detecting dead gateway" I was
> able to set up a Load Balancing with ping based DGD (without Julian
> Anastasov patch). But now I'm facing a new problem and tried some
> options, with only partial solutions.
>
>     I made a script based on
> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
> you Manish Kathuria), without Julian A. patch, and with routes/rules as
> described in nano.txt. It works fine, but...
>
>     The problem: I do DNAT for internet located people to access my LAN
> machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't.
> It appears that the connection from outside can enter, but when reply
> packets try to get back across the nat machine, they fall into the round
> robin default route selection to define their gateway. Well, of course,
> this reply must leave the router via the same interface through which
> the initial packets entered.
>
>
>     vnc initial
> request packet      reply that got
>             \                   wrong route
>              \                       ^
>               \                     /
>               V                  /
>               isp1 isp2 isp3
>                _|____|____|__
>               |                    |
>               |      dnat      |
>               |_____________|
>                         ^
>                          |
>                          |
>                         V
>               LAN station, the
>                   vnc server
>
>
>
>     What I need is a way to force packets to leave the router via the same
> interface through which their request entered.
>     I'd like to hear opinions about the problem (and also solution =).
> Remember, I can't apply the DGD patch from J.A. because it only checks
> the first hop for dead detection.
>     I will appreciate any help.
>
>     Thank you,
>
>
>
>     Tom Lobato
>
>
> _______________________________________________
> LARTC mailing list
> LARTC at mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

I had overlooked this. I had also faced a similar problem.  There are
two possible solutions, one is to apply Julian's patches because even
though you are not using the patches for DGD, they do help in making
NAT processing with multiple gateways work properly. The other option
is to mark the packets using CONNTRACK. There was a good discussion on
this topic some days back. You can check the thread using the
following links to the archives:

http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

-- 
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
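One way to do the CONNTRACK marking Manish refers to, as an added example (not code from the thread or from the linked archive posts): new connections are stamped with a per-link connection mark in mangle PREROUTING, the mark is restored onto every packet of that connection, and an fwmark rule sends the marked reply through the ISP table of the link it arrived on. Interface names eth0..eth3, table names isp1..isp3 and the mark values are assumptions, and the per-ISP tables are assumed to already hold their default routes from the load-balancing script.

```shell
#!/bin/sh
# Added example: route DNAT replies back out the WAN link they came in on.
# Assumed layout: LAN on eth0, ISP links as "iface:table:mark"; each table
# ispN already contains "default via <gwN> dev ethN".
WAN_LINKS="eth1:isp1:1 eth2:isp2:2 eth3:isp3:3"
LAN_IF="eth0"

# With DRY_RUN=1 commands are printed instead of executed, so the rule
# set can be reviewed on a box without iptables/iproute2.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

connmark_setup() {
    # First, copy the connection mark (if any) onto the packet. A reply from
    # the VNC server enters on $LAN_IF, hits this rule before the routing
    # decision, and inherits the mark of the inbound SYN; the reverse DNAT
    # only happens later, in nat POSTROUTING, so the routing decision would
    # otherwise see the LAN source address and fall into the multipath
    # default route.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

    for link in $WAN_LINKS; do
        iface=${link%%:*}
        rest=${link#*:}
        table=${rest%%:*}
        mark=${rest#*:}

        # New connections arriving on this WAN link: stamp the connection.
        run iptables -t mangle -A PREROUTING -i "$iface" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"

        # Marked packets are routed by the per-ISP table, ahead of the
        # round-robin default route in main (priority 100 is an assumption;
        # it must sort before the default rule for table main at 32766).
        run ip rule add fwmark "$mark" table "$table" priority 100
    done
    # Connections the LAN itself opens carry no mark and keep using the
    # load-balanced default route as before.
}
```

Run with `DRY_RUN=1 sh script.sh` after adding a `connmark_setup` call at the bottom to see the generated rules; the order of the two mangle rules matters, since restore-mark must run before the per-link set-mark rule.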

