Hello all,

Thank you again for all of the information you have provided to me. But now I'm quite confused about the solution. Frankly, CONNMARK is a new thing to me. As I read the guide, I have not understood it much; maybe I will take some more time to study and test it further. In case you have a final case study about this, it would help me a lot, because now it's an urgent task for me.

Regarding Julian's suggestion, do you mean that CONNMARK is not necessary for this scenario? Also, I have no idea about the lsrc and maddr you are mentioning. Could you please provide me with a reference site so I can get more details about it?

To tell you the truth, even though I'm confused, I get more knowledge from here. And I want to say "Thank you" for all your kindness. Tonight I will study your guideline more deeply and do more testing. Any progress, I'll update you via this mailing group.

Best regards,
Sureerat P.
-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx] On Behalf Of Julian Anastasov
Sent: Thursday, February 17, 2005 6:45 PM
To: Nguyen Dinh Nam
Cc: Sureerat P. (EQHO); lartc@xxxxxxxxxxxxxxx
Subject: Re: Load Balancer setting for Public Servers
Hello,

On Thu, 17 Feb 2005, Nguyen Dinh Nam wrote:

> Not enough, my tutorial only discusses CONNMARK for outgoing NEW packets
> in POSTROUTING; if you want to DNAT connections from the internet to some
> computers in your LAN, you must also CONNMARK incoming NEW packets in
> PREROUTING too. I want to keep the tutorial short and simple, so I don't
> write about it; you can consult CONNMARK in PREROUTING in RoutesKeeper's
> source code.
> Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be
> DROPed by ISPs.

That problem should be solved with the "routes" patch; maybe you know of some issue with this?

First packet comes, DNAT selects manipulations for both directions, packet is routed to the internal host, reply comes, we route by lsrc (maddr), one of the valid links for maddr is selected; it can be different if routing allows input and output routes to use different interfaces (you don't always know the incoming gateway that remote hosts are using to reach maddr).

What "routes" gives you is correct routing usage for NAT, which is expected from all NAT users in multipath setups.

> From kernel 2.6.10, CONNMARK is included already, you don't have to
> patch anything.

I'm happy with that, I just don't see the problems you see with "routes".

Regards

--
Julian Anastasov <ja@xxxxxx>
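As an added example, not code from the thread, from Nguyen's tutorial or from RoutesKeeper: a shell script for the two-ISP router with a DNATed public server that the thread discusses, implementing the CONNMARK-in-PREROUTING step Nguyen says his tutorial leaves out. Interface names, gateway addresses, table numbers, marks and the server address are constructed assumptions; the script assumes iproute2 and an iptables with the conntrack match and CONNMARK target (in-kernel from 2.6.10, as the thread notes). It does not use Julian's "routes" patch (lsrc/maddr), which is the alternative he describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from RoutesKeeper: the CONNMARK
# approach Nguyen describes, applied to DNATed inbound connections on a
# two-ISP router. All addresses, interface names, table ids and marks are
# constructed assumptions for illustration.
set -e

WAN_A=eth0; GW_A=203.0.113.1;  TABLE_A=10; MARK_A=1
WAN_B=eth1; GW_B=198.51.100.1; TABLE_B=20; MARK_B=2
LAN=eth2;   SERVER=192.168.1.10              # internal web server behind DNAT

# run: execute the command, or only print it when DRY_RUN is set, so the
# generated rule set can be reviewed on a machine without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per ISP link; a fwmark rule sends marked replies to the
# table (and therefore the gateway) of the link the connection arrived on.
setup_policy_routing() {
    run ip route replace default via "$GW_A" dev "$WAN_A" table "$TABLE_A"
    run ip route replace default via "$GW_B" dev "$WAN_B" table "$TABLE_B"
    run ip rule add fwmark "$MARK_A" table "$TABLE_A"
    run ip rule add fwmark "$MARK_B" table "$TABLE_B"
}

# Inbound TCP/80 on either link is DNATed to the internal server.
setup_dnat() {
    run iptables -t nat -A PREROUTING -i "$WAN_A" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$WAN_B" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER"
}

# The step Nguyen says his tutorial leaves out: NEW connections arriving from
# the internet get a connection mark in mangle PREROUTING that records the
# ingress link. Replies from the LAN (or from the router itself) restore that
# mark onto the packet, so the fwmark rules route them back out the same link
# instead of letting the plain multipath choice send a SYN/ACK carrying ISP A's
# address out of ISP B's line, where the ISP may drop it.
setup_connmark() {
    run iptables -t mangle -A PREROUTING -i "$WAN_A" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_A"
    run iptables -t mangle -A PREROUTING -i "$WAN_B" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_B"
    # Reply direction: packets forwarded from the LAN side ...
    run iptables -t mangle -A PREROUTING -i "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # ... and replies generated by the router itself (services on the box).
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

apply_all() {
    setup_policy_routing
    setup_dnat
    setup_connmark
}

# Usage: sh multipath-connmark.sh --dry-run   (print the commands only)
#        sh multipath-connmark.sh --apply     (install them, as root)
case "${1:-}" in
    --apply)   apply_all ;;
    --dry-run) DRY_RUN=1; apply_all ;;
esac
```

Run it with `--dry-run` first and check the printed commands against your interface names and tables; the mark is set on the connection (CONNMARK) rather than on the packet (MARK) precisely so that the reply direction, which never passes the rule that matched the SYN, can recover it with `--restore-mark`. Outgoing connections from the LAN still need the POSTROUTING marking that Nguyen's tutorial already covers.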
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/