kaner
commented
2 years ago Attempting to draw the example setup.
Normal server mode:
+----+
|RIP1|
+----+
+---+ +-------------+
|CIP| | | +----+
+-+-+ +---------+ | | |RIP2|
| SYN | | S | seesaw | +----+
+---->| Router +-->| with |
| | | VIP +--------+
+---+ | | | | SYN |
|SIP| +---------+ +-------------+ v
+---+ ^ +----+
+-----------------------------+RIP3|
SYN,ACK +----+Client connection from the backend:
+----+
|RIP1|
+---+ +-------------+ +----+
|CIP| | |
+---+ +---------+ | |
SYN,ACK| |S,A| seesaw | +----+
+---->| Router +-->| with | |RIP2|
| | | | VIP | +----+
+-+-+ | | | |
|SIP| <-+---------+ +-------------+
+---+ S ^ +----+
| SYN |RIP3|
+------------------------------+----+
Maybe I'm missing something, but out-of-the-box
seesawdoesn't seem to support having the backend servers initiate TCP connections to outside servers (say, Gmail mail servers) for LVS-DR.Here is a longer form explanation of an example setup with one outside client, one outside server, seesaw load balancer with a
VIPand three backend real servers:CIP= Client IP address (outside)SIP= Server IP address (outside)VIP= Virtual IP address of the seesaw service /vserverRIP1= Real (backend) server IP address number 1RIP2= Real (backend) server IP address number 2RIP3= Real (backend) server IP address number 3Typically for LVS-DR, a client from outside will initiate TCP (say, port 25) connection with [source IP=
CIP, source port=34567, destination IP=VIP, destination port=25] to the load balancer. Load balancer (if it has a matchingvserverconfigured for port 25) then forwards via MAC address re-write to one of the backend servers, say server withRIP3. TCP Server living on that server sees a TCPSYNpacket with [source IP=CIP, source port=34567, destination IP=VIP, destination port=25], theVIPbeing configured on one of its dummy interfaces. The TCP server on port 25 on the backend server withRIP3will then respond with aSYN,ACKTCP packet with [source IP=VIP, source port=25, destination IP=CIP, destination port=34567] directly to the router and the packets end up on the client with IP address=CIPthat originally initiated the TCP connection.I am just describing this for clarity. This is what normal LVS-DR looks like and what
seesawtypically does. This is when TCP connections are initiated from an outside client towardsseesaw/VIP.What about the reverse? Say I have a TCP client on one of the real (
backend) servers. I want this client to initiate TCP connection with [source IP=VIP, source port=34568, destination IP=SIP, destination IP=25]. For the initialSYNpackage, this works fine, as it is send directly via the router, not through theseesawdirector node. The outside server listening onSIPthen responds withSYN,ACKpacket with [source IP=SIP, source port=25, destination IP=VIP, destination port=34568]. Then the problem occurs: Theseesawnode sees the packet coming in and, since its sent towards a port that isn't configured as avserver(ephemeral port 34568), drops the packet and the connection isn't established.Now, if I add the following configuration to the seesaw node by hand, it does work:
Is there any other way to do this? As it looks now, I would have to fork seesaw to add this functionality into the code so it works with
seesawnode switchover etc.