Re: load-balancing router: trouble with breaking connections

On 23/02/2012 1:53 AM, Lloyd Standish wrote:
> On Wed, 22 Feb 2012 01:22:02 -0600, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> I think the LB setup was suffering more from NAT than from routing issues. It is perfectly reasonable to expect that load balancer to work. Just as it would be perfectly reasonable to expect a router with an intermittent primary uplink to work with the same output style. Only NAT on the LBs outbound interface or at the ISP level would cause the broken behaviour you describe.
>> AYJ
>
> I would certainly like to understand WHY I had to use connmarks to keep the packets belonging to a connection on the right interface. However, I don't believe the problem was NAT, because the only changes I had to make to get this load-balancing router to work (that is, to stop breaking connections) were the ones I mentioned in a previous post. I did not add or change any NAT rules. The router is doing NAT the way it was before, set up with a command like this for each interface:
>
> iptables -t nat -A POSTROUTING -o ${interface} -j SNAT --to-source ${!wan}
>
> Furthermore, on this router I was already using connmark to mark and route packets for those destinations and origin IPs for which we did not want to have load-balancing. This, by the way, worked fine (connections were not broken). The only thing I added to fix the connection-breaking was marking of NEW packets after netfilter had made the routing decision (based on either the routing cache or round-robin distribution).
>
> I would like to know whether or not anyone has succeeded in doing load-balancing with "nexthop via..." over interfaces with *private* IPs.

My setup has NAT at the ADSL modems, not at the Linux box. So my router is in private IP space on all interfaces.

I don't see how NAT could be an issue either, but I'm not a guru at this - just enough to get it going.
Without thorough conntrack, it was rubbish.
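The mark-after-routing approach Lloyd describes (restore the connection's mark before routing, mark and save NEW connections after the multipath route has picked an uplink), written out as an added example script that is not the posters' own configuration. The interface names eth1/eth2, gateways, router addresses, fwmark values 1/2 and tables 101/102 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): keep every packet of a connection on the
# uplink chosen for its first packet, using CONNMARK plus fwmark policy routing.
# Interfaces, gateways, addresses, marks and table numbers are assumed values.
set -e

WAN1_IF=eth1; WAN1_GW=192.168.1.1; WAN1_IP=192.168.1.10; WAN1_MARK=1; WAN1_TABLE=101
WAN2_IF=eth2; WAN2_GW=192.168.2.1; WAN2_IP=192.168.2.10; WAN2_MARK=2; WAN2_TABLE=102

# run: print the command when DRY_RUN is set, otherwise execute it (needs root).
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_multiwan() {
    # One routing table per uplink, selected by fwmark. The rules get explicit
    # preferences so they sort before the main table (pref 32766).
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add pref 100 fwmark "$WAN1_MARK" table "$WAN1_TABLE"
    run ip rule add pref 101 fwmark "$WAN2_MARK" table "$WAN2_TABLE"
    # Unmarked packets (the first packet of a NEW connection) fall through to the
    # main table, where this multipath route spreads them across both uplinks.
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1

    # Before routing: copy the mark saved in conntrack back onto the packet, so
    # every later packet of an established connection takes the same uplink.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    for spec in "$WAN1_IF:$WAN1_MARK:$WAN1_IP" "$WAN2_IF:$WAN2_MARK:$WAN2_IP"; do
        ifc=${spec%%:*}; rest=${spec#*:}; mark=${rest%%:*}; ip=${rest##*:}
        # After routing: a NEW connection that the multipath route sent out this
        # uplink gets the uplink's mark stored in its conntrack entry (the
        # marking-after-the-routing-decision step the thread describes).
        run iptables -t mangle -A POSTROUTING -o "$ifc" -m conntrack --ctstate NEW \
            -j MARK --set-mark "$mark"
        run iptables -t mangle -A POSTROUTING -o "$ifc" -m conntrack --ctstate NEW \
            -j CONNMARK --save-mark
        # Per-uplink SNAT as in the thread's rule; nat POSTROUTING runs after
        # mangle POSTROUTING, so the mark is already saved by then.
        run iptables -t nat -A POSTROUTING -o "$ifc" -j SNAT --to-source "$ip"
    done
}

# "show" prints the rules without touching the system; "apply" installs them.
case "${1:-}" in show) DRY_RUN=1 setup_multiwan ;; apply) setup_multiwan ;; esac
```

Run `sh multiwan.sh show` to review the generated commands before applying them as root.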
