On Fri, 28 Oct 2005, Les Mikesell wrote:

> On Fri, 2005-10-28 at 11:14, Robin Mordasiewicz wrote:
>>>> We are using Centos behind an F5 Bigip load balancer.
>>>> The linux box is using bonding and tagged VLANs.
>>>>
>>>> Everything works fine except that when traffic is forwarded from the BigIP
>>>> to the linux box on the VLAN where the web server is running, the linux box
>>>> returns the traffic on the wrong VLAN. It returns traffic on the lowest
>>>> ordered VLAN.
>>>>
>>>> i.e. here is a tcpdump on my load balancer showing traffic being sent on
>>>> VLAN 911 to the linux box, but the linux box returns traffic on VLAN 902.
>>>> The linux box is returning traffic on the same VLAN as its configured
>>>> default gateway. If I change the default gateway to be on VLAN 911
>>>> then everything works.
>>>
>>> It seems reasonable to require a route to the destination on the
>>> VLAN used. Why should it ever do otherwise? What are you trying
>>> to accomplish by using a VLAN interface with no route back?
>>
>> Is there any way to say that if traffic is received on VLAN#911 to be sure
>> that the return traffic is tagged with the same VLAN id? Currently traffic
>> is tagged based on the routing table, and even if traffic comes in on
>> VLAN#911, when it returns the traffic it uses the VLAN tag from the network
>> that the default gateway is on (VLAN#902).
>
> The BigIP will do this sort of magic itself to save the time looking
> up the return route, but it really is black magic in terms of
> standard networking where asymmetrical routes are permitted and
> expected. The reply packet doesn't have much to connect it to the
> one that came in and its path is determined by the route to the
> destination address. That said, there may be some black magic
> you can do with iptables and the ip_conntrack info or some sort
> of policy based routing.

I will research policy based routing.
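The policy-based routing mentioned above, as an added example that is not part of the original thread: a dedicated routing table for the web-server VLAN plus a source-address rule, so replies sourced from the VLAN 911 address leave tagged on bond0.911 instead of following the default gateway on VLAN 902. The subnet and gateway values are placeholders (the thread gives none), and the interface name bond0 is assumed.

```shell
#!/bin/sh
# Source-based policy routing: replies to traffic that arrived on VLAN 911
# must carry the VLAN 911 tag, regardless of where the default gateway lives.
# Constructed values: the thread names VLANs 911 and 902 but no addresses,
# so the subnet, gateway and bond interface below are placeholders.
BOND=bond0
WEB_VLAN=911
WEB_NET=192.0.2.0/24        # placeholder: subnet configured on bond0.911
WEB_GW=192.0.2.1            # placeholder: BigIP address on VLAN 911
WEB_TABLE=911               # routing table id (1-252), chosen to match the VLAN

# Emit the ip(8) commands for one VLAN:
#  1. the connected route, so the table can resolve the gateway,
#  2. a default route in that table via the VLAN's own gateway,
#  3. a rule that selects the table by *source* address. Only packets whose
#     source is the bond0.<vlan> address (i.e. replies to connections that
#     came in on that VLAN) match, so other traffic still uses table main.
pbr_commands() {
    vlan=$1; net=$2; gw=$3; table=$4
    printf '%s\n' \
        "ip route add ${net} dev ${BOND}.${vlan} table ${table}" \
        "ip route add default via ${gw} dev ${BOND}.${vlan} table ${table}" \
        "ip rule add from ${net} lookup ${table} priority 100"
}

# Dry run by default (prints the commands). Pass "apply" to execute them,
# which needs root and an existing bond0.<vlan> interface.
main() {
    if [ "${1:-}" = apply ]; then
        pbr_commands "$WEB_VLAN" "$WEB_NET" "$WEB_GW" "$WEB_TABLE" |
            while read -r cmd; do $cmd; done
    else
        pbr_commands "$WEB_VLAN" "$WEB_NET" "$WEB_GW" "$WEB_TABLE"
    fi
}

main "$@"
```

Verify with `ip rule show` and `ip route show table 911`; with the rule in place a tcpdump on the load balancer should show both directions on VLAN 911.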