[LARTC] DNAT and Load Balancing
Alex Samad
alex at samad.com.au
Fri Mar 2 19:30:16 CET 2007
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> On 3/2/07, Tom Lobato <tomlobato at gmail.com> wrote:
> >
> >
> > Hi all!
> >
> >
> > After that good thread "DGD patch not detecting dead gateway" I was
> >able to set up a Load Balancing with ping based DGD (without Julian
> >Anastasov patch). But now I'm facing a new problem and tried some
> >options, with only partial solutions.
> >
> > I made a script based on
> >http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
> >you Manish Kathuria), without Julian A. patch, and with routes/rules as
> >described in nano.txt. It works fine, but...
> >
> > The problem: I do DNAT for internet located people to access my LAN
> >machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't.
> >It appears that the connection from outside can enter, but when reply
> >packets try to get back across the NAT machine, they fall into the round
> >robin default route selection to define their gateway. Well, of course,
> >this reply must leave the router via the same interface through which the
> >initial packets entered.
> >
> >
> >      vnc initial
> >    request packet   reply that got
> >          \            wrong route
> >           \            ^
> >            \         /
> >             V        /
> >           isp1     isp2     isp3
> >          _|________|________|__
> >         |                      |
> >         |         dnat         |
> >         |______________________|
> >                    ^
> >                    |
> >                    |
> >                    V
> >          LAN station, the
> >             vnc server
> >
> >
> >
> > What I need is a way to force packets to leave the router via the same
> >interface through which their request entered.
> > I'd like to hear opinions about the problem (and also solutions =).
> >Remember, I can't apply the DGD patch from J.A. because it only checks
> >the first hop for dead detection.
> > I will appreciate any help.
> >
> > Thank you,
> >
> >
> >
> > Tom Lobato
> >
> >
> >_______________________________________________
> >LARTC mailing list
> >LARTC at mailman.ds9a.nl
> >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
>
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even
This sounds exactly like my problem until I applied Julian's patch; I would
suggest giving it a try.
> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> --
> Manish Kathuria
> Tux Technologies
> http://www.tuxtechnologies.co.in/
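The CONNMARK approach Manish points to, written out as an added example that is not from the thread or the linked archive posts: a new connection arriving on an uplink gets that uplink recorded in its conntrack mark, and the mark is restored onto the DNAT'd host's reply packets before the routing decision, so a per-uplink `ip rule` sends them back out the same ISP instead of the round-robin default route. Interface names, gateways, table numbers and mark values are assumed; `DRY_RUN=1` (the default) prints the commands instead of running them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): route DNAT replies back out the uplink
# the request came in on, using CONNMARK plus one routing table per ISP.
# Interface names, gateways, table numbers and marks are assumed values.

LAN_IF=eth0

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# uplink_rules IFACE GATEWAY TABLE MARK
uplink_rules() {
    iface=$1 gw=$2 table=$3 mark=$4
    # This ISP's own routing table, with its gateway as the only default.
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # Packets carrying this uplink's fwmark use that table instead of the
    # load-balanced default route in the main table.
    run ip rule add fwmark "$mark" table "$table" priority "$((1000 + mark))"
    # First packet of a connection arriving on this uplink: store the uplink's
    # mark in the conntrack entry so the whole flow (both directions) keeps it.
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
}

# Reply packets from the DNAT'd LAN host arrive on the LAN interface; copy the
# saved conntrack mark onto the packet *before* the routing decision, which is
# what lets the fwmark ip rules above pick the right uplink.
lan_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

generate() {
    uplink_rules eth1 203.0.113.1 101 1    # isp1
    uplink_rules eth2 198.51.100.1 102 2   # isp2
    uplink_rules eth3 192.0.2.1 103 3      # isp3
    lan_rules
}

generate
```

Forwarded flows that the LAN itself initiates carry mark 0 and still take the balanced default route, which is the intended behaviour; replies generated by the router itself would need the same `--restore-mark` rule in the mangle OUTPUT chain.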