
Mailing List Archive: Linux Virtual Server: Users

[lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

 

 



nard at nard

Oct 13, 2009, 9:54 PM

Post #1 of 10
[lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

Hello,

This is my first time setting up LVS, and I am a bit stuck. So I was
hoping to maybe get a little insight and advice from some of the more
experienced members of this mailing list.

So first things first, I'm trying to get this set up on linode.com,
and I've been in their IRC channel and asked if this would work. One
of the official responses on this issue:

caker:if packets get rewritten, it's not gonna work
[.
caker:we filter based on source ip and mac, and dest ip and mac
[.caker:^-- for a given Linode

So I decided to use LVS-TUN. Each linode has a public IP on eth0, and
an aliased eth0:0 private IP address with no gateway.

This is where I am not sure if it was the correct approach or not,
please correct me. On the director, I set the VIP to be the same as
my eth0 public IP, and on the real servers I created a tunl0 interface
that matched the VIP. I don't think I needed to add a route, since they
both share a common gateway on their public IPs, and they can talk to
each other.

all machines:
running Centos 5.3
Kernel@ 2.6.18.8-x86_64
realserver contains nginx


director setup:
sysctl.conf has this loaded:
net.ipv4.ip_forward = 1

# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr FE:FD:61:6B:85:EA
          inet addr:97.107.133.234  Bcast:97.107.133.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:61ff:fe6b:85ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:796449 (777.7 KiB)  TX bytes:1195747 (1.1 MiB)

eth0:0    Link encap:Ethernet  HWaddr FE:FD:61:6B:85:EA
          inet addr:192.168.134.25  Bcast:192.168.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5944 (5.8 KiB)  TX bytes:5944 (5.8 KiB)

# /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
97.107.133.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.128.0   0.0.0.0         255.255.128.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         97.107.133.1    0.0.0.0         UG    0      0        0 eth0

# /sbin/ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  97.107.133.234:80 wlc
  -> 97.107.130.68:80             Tunnel  1      0          0






real server with http web server listening on port 80:
sysctl.conf already loaded with:
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce=2
net.ipv4.conf.eth0.arp_ignore=1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2


# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
          inet addr:97.107.130.68  Bcast:97.107.130.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:61ff:fe6b:8244/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64369 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:48183677 (45.9 MiB)  TX bytes:23467359 (22.3 MiB)

eth0:0    Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
          inet addr:192.168.134.109  Bcast:192.168.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6877 (6.7 KiB)  TX bytes:6877 (6.7 KiB)

tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:97.107.133.234  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
97.107.133.234  0.0.0.0         255.255.255.255 UH    0      0        0 tunl0
97.107.130.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.128.0   0.0.0.0         255.255.128.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         97.107.130.1    0.0.0.0         UG    0      0        0 eth0



iptables is clear and is accepting everything on both director and
real server.



director: cannot ping realserver or telnet port 80 into realserver
eth0 public IP. Can ping client.
realserver: can ping both realserver and client. When I telnet into VIP
on port 80, I believe it bypasses the director, since tcpdump host
97.107.130.68 on the director showed no activity.
client (public IP 99.247.97.70): can ping director and realserver, and
can telnet port 80 to real server fine. When I telnet to the VIP,
client doesn't get a response. When I run tcpdump on the director
and realserver, this is what happens when a client tries to telnet
port 80 into the VIP:

director tcpdump:
# /usr/sbin/tcpdump -nn host 97.107.130.68
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

04:39:47.872616 IP 97.107.133.234 > 97.107.130.68: IP 99.247.97.70.34213 > 97.107.133.234.80: S 2271054937:2271054937(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 343332259 0,sackOK,[|tcp]> (ipip-proto-4)
04:39:51.874495 IP 97.107.133.234 > 97.107.130.68: IP 99.247.97.70.34213 > 97.107.133.234.80: S 2271054937:2271054937(0) win 65535 <mss 1460,sackOK,eol> (ipip-proto-4)

realserver tcpdump:
# /usr/sbin/tcpdump -nn host 97.107.133.234
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

04:39:47.860998 IP 97.107.133.234 > 97.107.130.68: IP 99.247.97.68.34213 > 97.107.133.234.80: S 2271054937:2271054937(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 343332259 0,sackOK,[|tcp]> (ipip-proto-4)
04:39:51.863289 IP 97.107.133.234 > 97.107.130.68: IP 99.247.97.68.34213 > 97.107.133.234.80: S 2271054937:2271054937(0) win 65535 <mss 1460,sackOK,eol> (ipip-proto-4)

realserver has an entry in /var/log/messages:
Oct 14 04:39:51 li60-68 kernel: martian source 97.107.130.68 from 97.107.133.234, on dev eth0
Oct 14 04:39:51 li60-68 kernel: ll header: fe:fd:61:6b:82:44:00:0e:39:6f:48:00:08:00


conclusion so far:
It looks like the ipip packet is reaching the realserver, but I want to
find out if it's being discarded because it thinks it's a martian
source? I thought with kernel 2.6+ all I needed was the arp_ignore and
arp_announce flags set on the real servers. Do I need to do stuff with
arptables or iptables? If any additional information is needed, let me
know. Is it possible to do LVS-DR or LVS-TUN over the eth0:0 aliased
private IPs?

What can I try next? I've been exploring LVS for the last 2 days or
so, and read through the documentation several times. I know I'm not
as experienced as some people here, so I'm hoping someone can point me
in the right direction.
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
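
Added example, not part of the original post or of the LVS project: the kernel's "martian source" message prints the packet's destination first and its source second, and Linux rejects a packet arriving from the network whose source is one of the host's own addresses. The Python sketch below parses the two log lines quoted above and checks the source against the realserver's addresses; `REALSERVER_ADDRS`, the function names and the re-joined log lines are constructed from the output in the post.

```python
import ipaddress
import re

# Addresses taken from the realserver's ifconfig output in the post (netmasks as CIDR).
REALSERVER_ADDRS = {
    "eth0": "97.107.130.68/24",
    "eth0:0": "192.168.134.109/17",
    "lo": "127.0.0.1/8",
    "tunl0": "97.107.133.234/32",  # the VIP
}

# The two /var/log/messages lines from the post, with the mail line-wrap undone.
SAMPLE_LOG = """\
Oct 14 04:39:51 li60-68 kernel: martian source 97.107.130.68 from 97.107.133.234, on dev eth0
Oct 14 04:39:51 li60-68 kernel: ll header: fe:fd:61:6b:82:44:00:0e:39:6f:48:00:08:00
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MARTIAN_RE = re.compile(r"martian source " + IPV4 + r" from " + IPV4 + r", on dev (\S+)")
# An Ethernet link-layer header is 14 octets: 6 dst MAC, 6 src MAC, 2 ethertype.
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            # Field order in the message is DESTINATION, then SOURCE.
            events.append({"dst": m.group(1), "src": m.group(2), "dev": m.group(3)})
            continue
        m = LL_RE.search(line)
        if m and events and "src_mac" not in events[-1]:
            octets = m.group(1).lower().split(":")
            events[-1].update(
                dst_mac=":".join(octets[:6]),
                src_mac=":".join(octets[6:12]),
                ethertype="".join(octets[12:]),
            )
    return events


def classify(event, local_addrs):
    """Return (reason, interface) explaining why the source failed validation."""
    src = ipaddress.ip_address(event["src"])
    for name, cidr in local_addrs.items():
        if ipaddress.ip_interface(cidr).ip == src:
            return ("source-is-local", name)
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return ("source-is-reserved", None)
    return ("other", None)  # e.g. a reverse-path (rp_filter) failure


def arrived_via_router(event, local_addrs):
    """True when the source lies outside the receiving interface's subnet, so the
    frame's source MAC belongs to a gateway rather than to the sending host."""
    net = ipaddress.ip_interface(local_addrs[event["dev"]]).network
    return ipaddress.ip_address(event["src"]) not in net


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        reason, iface = classify(ev, REALSERVER_ADDRS)
        print("%s -> %s on %s: %s (%s), routed=%s, src_mac=%s" % (
            ev["src"], ev["dst"], ev["dev"], reason, iface,
            arrived_via_router(ev, REALSERVER_ADDRS), ev.get("src_mac")))
```
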


jmack at wm7d

Oct 14, 2009, 5:32 AM

Post #2 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On Wed, 14 Oct 2009, Vincent Young wrote:

> So first things first, I'm trying to get this set up on linode.com.

I assume this means you are trying to run linode.com on an
LVS.

> and I've been in their IRC channel, and asked if this

I have no idea what "this" is.

> would work. and one of the official responses on this
> issue:
>
> caker:if packets get rewritten, it's not gonna work
> [
> caker:we filter based on source ip and mac, and dest ip and mac
> [caker:^-- for a given Linode

LVS relies on rewriting packets and works everywhere else
(almost)

> So i decided to use LVS-TUN.

why? I don't know what the problem is, so I don't know why
you'd want LVS-Tun

> Each linode has a public IP on eth0, and an aliased eth0:0
> private ip address with no gateway.

it's best now not to use aliases. use iproute2 tools. see
the HOWTO


> This is where I am not sure if it was the correct approach or not,
> please correct me. On the director, I set the VIP to be the same as
> my eth0 public IP. and on the real servers I created a tunl0 interface
> that matched the VIP.

yes

> I dont think i needed to add a route, since they
> both share a common gateway on their public IP's, and they can talk to
> each other.

LVS-Tun doesn't get you anything over LVS-DR, if all
machines are on the same network.

> director: cannot ping realserver

you need to fix this. I assume this is your problem.

> or telnet port 80 into realserver eth0 public ip.

this test doesn't tell you anything if you can't ping the
realserver. After you can ping the realserver, you still
won't be able to connect to the realserver:VIP:80. Do you
understand why?

> can ping client.

yes

> realserver: can ping both realserver and client.when i telnet into VIP
> on port 80, i believe it bypasses the director,

yes

> since tcpdump host
> 97.107.130.68 on the director showed no activity.
> client (public ip 99.247.97.70) can ping director and realserver, and
> can telnet port 80 to real server fine.

yes

> when i telnet to the
> VIP,client doesnt get a response.

packets aren't getting from the director to the realserver
(the ping problem).

> conclusion so far:
> it looks like the ipip packet is reaching the realserver, but want to
> find out if it's being discarded because it thinks it's a martian
> source?

if so, turn off blocking martians

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



nard at nard

Oct 14, 2009, 7:29 AM

Post #3 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

Thanks for the quick response Joseph, really appreciate your input.


On 2009-10-14, at 8:32 AM, Joseph Mack NA3T wrote:

> On Wed, 14 Oct 2009, Vincent Young wrote:
>
>> So first things first, I'm trying to get this set up on linode.com.
>
> I assume this means you are trying to run linode.com on an
> LVS.
>

Linode is a VPS hosting company using Xen virtual servers, and I'm
being hosted with them at the moment.


>> and I've been in their IRC channel, and asked if this
>
> I have no idea what "this" is.

I was asking in their IRC channel if people had got an LVS setup going
on their linodes, and I was talking about the problems of my real
server not doing anything with the ipip packet and the martian sources
being logged.


>
>> would work. and one of the official responses on this
>> issue:
>>
>> caker:if packets get rewritten, it's not gonna work
>> [
>> caker:we filter based on source ip and mac, and dest ip and mac
>> [caker:^-- for a given Linode
>
> LVS relies on rewriting packets and works everywhere else
> (almost)
>
>> So i decided to use LVS-TUN.

Linode has the option of deploying your environment in 4 datacenters,
and I figured it would be good to be able to have the flexibility to
connect outside my datacenter when the need should arise.


> why? I don't know what the problem is, so I don't know why
> you'd want LVS-Tun
>
>> Each linode has a public IP on eth0, and an aliased eth0:0
>> private ip address with no gateway.
>
> it's best now not to use aliases. use iproute2 tools. see
> the HOWTO


I'll give that a try, but the documentation I was reading on my linode
said that my Linode only has one virtual ethernet interface - eth0, so
that is why I needed to assign my private IP as an alias on that
interface.
>
>
>> This is where I am not sure if it was the correct approach or not,
>> please correct me. On the director, I set the VIP to be the same as
>> my eth0 public IP. and on the real servers I created a tunl0
>> interface
>> that matched the VIP.
>
> yes
>
>> I dont think i needed to add a route, since they
>> both share a common gateway on their public IP's, and they can talk
>> to
>> each other.
>
> LVS-Tun doesn't get you anything over LVS-DR, if all
> machines are on the same network.
>
>> director: cannot ping realserver
>
> you need to fix this. I assume this is your problem.

ping stops working once I added the tunl0 device to my realserver with
the following command:
/sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255 broadcast 97.107.133.234


before I added that, I'm able to ping the real server from the
director no problem. Is there something I should be doing to get it to
work?


>
>> or telnet port 80 into realserver eth0 public ip.
>
> this test doesn't tell you anything if you can't ping the
> realserver. After you can ping the realserver, you still
> won't be able to connect to the realserver:VIP:80. Do you
> understand why?

Which is why I used a different client to do my tests. Is the reason
because I'll just be connecting locally, and not actually go through
the VIP?


>
>> can ping client.
>
> yes
>
>> realserver: can ping both realserver and client.when i telnet into
>> VIP
>> on port 80, i believe it bypasses the director,
>
> yes
>
>> since tcpdump host
>> 97.107.130.68 on the director showed no activity.
>> client (public ip 99.247.97.70) can ping director and realserver, and
>> can telnet port 80 to real server fine.
>
> yes
>
>> when i telnet to the
>> VIP,client doesnt get a response.
>
> packets aren't getting from the director to the realserver
> (the ping problem).
>
>> conclusion so far:
>> it looks like the ipip packet is reaching the realserver, but want to
>> find out if it's being discarded because it thinks it's a martian
>> source?
>
> if so, turn off blocking martians.

Is this controlled at the router level, or on the realserver? I'm on a
VPS, and don't have access to the physical machines themselves or the
hardware like routers. I just deploy my distro of linux and ssh in to
customize it. I can then customize it by adding modules to the kernel
like what I had to do (add ip_vs), or use a custom kernel. So in my
case, would I have any control over this?


>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
>


jmack at wm7d

Oct 14, 2009, 7:40 AM

Post #4 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On Wed, 14 Oct 2009, Vincent Young wrote:

> Linode is a VPS hosting company using Xen virtual servers, and i'm
> being hosted with them at the moment.

there are minor wrinkles running LVS under Xen. Look at the
HOWTO.

>>> So i decided to use LVS-TUN.
>
> Linode has the option of deploying your environment in 4 datacenters,
> and i figured it would be good to be able to have the flexibility to
> connect outside my datacenter when the need should arise.

make sure you understand the consequences of a packet with
src_addr=VIP from one datacenter emerging from another
datacenter. It appears to be a spoofed packet.

> I'll give that a try, But the documentation I was reading on my linode
> said that my Linode only have one virtual ethernet interface -eth0, so
> that is why I needed to assign my private ip as an alias on that
> interface.

iproute2 handles this.

>>> director: cannot ping realserver
>>
>> you need to fix this. I assume this is your problem.
>
> ping stops working once I added the tunl0 device to my realserver with
> the following command:
> /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255 broadcast
> 97.107.133.234

ping to the RIP (has to work) or to the VIP (won't work)?

>
>
> before I added that, I'm able to ping the real server from the
> director no problem. Is there something I should be doing to get it to
> work?
>
>
>>
>>> or telnet port 80 into realserver eth0 public ip.
>>
>> this test doesn't tell you anything if you can't ping the
>> realserver. After you can ping the realserver, you still
>> won't be able to connect to the realserver:VIP:80. Do you
>> understand why?
>
> Which is why I used a different client to do my tests. Is the reason
> because I'll just be connecting locally, and not actually go through
> the VIP?

yes

>> if so, turn off blocking martians.
>
> Is this controlled at the router level?

on the machine that's seeing the martian.

> or on the realserver? Im on a
> VPS, and dont have access to the physical machines themselves or the
> hardware like routers.

a common problem when setting up LVS. If you're doing it all
in a single Xen, then you'll be routing within the Xen too.

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



nard at nard

Oct 14, 2009, 9:44 AM

Post #5 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On 2009-10-14, at 10:40 AM, Joseph Mack NA3T wrote:

> On Wed, 14 Oct 2009, Vincent Young wrote:
>
>> Linode is a VPS hosting company using Xen virtual servers, and i'm
>> being hosted with them at the moment.
>
> there are minor wrinkles running LVS under Xen. Look at the
> HOWTO.

Will do this next. Thanks.


>
>>>> So i decided to use LVS-TUN.
>>
>> Linode has the option of deploying your environment in 4 datacenters,
>> and i figured it would be good to be able to have the flexibility to
>> connect outside my datacenter when the need should arise.
>
> make sure you understand the consequences of a packet with
> src_addr=VIP from one datacenter emerging from another
> datacenter. It appears to be a spoofed packet.
>
Yep, I'll reread the docs regarding this when I do this.

>> I'll give that a try, But the documentation I was reading on my
>> linode
>> said that my Linode only have one virtual ethernet interface -eth0,
>> so
>> that is why I needed to assign my private ip as an alias on that
>> interface.
>
> iproute2 handles this.

gotcha.

>
>>>> director: cannot ping realserver
>>>
>>> you need to fix this. I assume this is your problem.
>>
>> ping stops working once I added the tunl0 device to my realserver
>> with
>> the following command:
>> /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255 broadcast
>> 97.107.133.234
>
> ping to the RIP (has to work) or to the VIP (won't work)?

Director pinging to the RIP on eth0 does not work. Would it be because
the netmask 255.255.255.255 of the tunl0 is interfering with the RIP
on eth0 which uses mask of 255.255.255.0?
ifconfig on the real server:

eth0      Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
          inet addr:97.107.130.68  Bcast:97.107.130.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:61ff:fe6b:8244/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15772 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1603668 (1.5 MiB)  TX bytes:325301 (317.6 KiB)

eth0:0    Link encap:Ethernet  HWaddr FE:FD:61:6B:82:44
          inet addr:192.168.134.109  Bcast:192.168.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:586 (586.0 b)  TX bytes:586 (586.0 b)

tunl0     Link encap:IPIP Tunnel  HWaddr
          inet addr:97.107.133.234  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:1480  Metric:1
          RX packets:59 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2832 (2.7 KiB)  TX bytes:0 (0.0 b)



Because of that, I tried to get the director to ping the RIP on eth0:0
192.168.134.109, and it works, and I can telnet to the realserver on
port 80. So next I did the following on the director:
# /sbin/ipvsadm -C
# /sbin/ipvsadm -A -t 97.107.133.234:80 -s rr
# /sbin/ipvsadm -a -t 97.107.133.234:80 -r 192.168.134.109 -i -w 1

So now, on the client, when I telnet 97.107.133.234:80, it still isn't
able to get anything. When I do tcpdump on the realserver to listen
for the VIP I get the following:
# /usr/sbin/tcpdump -nn host 97.107.133.234
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:42:46.785041 IP 97.107.133.234.80 > 97.107.128.100.18233: S 4199097079:4199097079(0) ack 4011139591 win 5840 <mss 1460>


I no longer get the martian source logged, but nothing appears in
my http logs.




>
>>
>>
>> before I added that, I'm able to ping the real server from the
>> director no problem. Is there something I should be doing to get it
>> to
>> work?
>>
>>
>>>
>>>> or telnet port 80 into realserver eth0 public ip.
>>>
>>> this test doesn't tell you anything if you can't ping the
>>> realserver. After you can ping the realserver, you still
>>> won't be able to connect to the realserver:VIP:80. Do you
>>> understand why?
>>
>> Which is why I used a different client to do my tests. Is the reason
>> because I'll just be connecting locally, and not actually go through
>> the VIP?
>
> yes
>
>>> if so, turn off blocking martians.
>>
>> Is this controlled at the router level?
>
> on the machine that's seeing the martian.
>
>> or on the realserver? Im on a
>> VPS, and dont have access to the physical machines themselves or the
>> hardware like routers.
>
> a common problem when setting up LVS. If you're doing it all
> in a single Xen, then you'll be routing within the Xen too.
>
> Joe
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
>


jmack at wm7d

Oct 14, 2009, 10:22 AM

Post #6 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On Wed, 14 Oct 2009, Vincent Young wrote:

>> ping to the RIP (has to work) or to the VIP (won't work)?
>
> director pinging to the RIP on eth0 does not work. would it be because
> the netmask 255.255.255.255 of the tunl0 is interfereing with the RIP
> on eth0 which uses mask of 255.255.255.0?

no, you can have as many networks on a physical NIC as you
like.

> ifconfig on the real server:
>
> eth0 Link encap:Ethernet HWaddr FE:FD:61:6B:82:44
> inet addr:97.107.130.68 Bcast:97.107.130.255 Mask:255.255.255.0
> inet6 addr: fe80::fcfd:61ff:fe6b:8244/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:15772 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1603668 (1.5 MiB) TX bytes:325301 (317.6 KiB)
>
> eth0:0 Link encap:Ethernet HWaddr FE:FD:61:6B:82:44
> inet addr:192.168.134.109 Bcast:192.168.255.255 Mask:255.255.128.0

you have a /23 network?

> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:10 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:586 (586.0 b) TX bytes:586 (586.0 b)
>
> tunl0 Link encap:IPIP Tunnel HWaddr
> inet addr:97.107.133.234 Mask:255.255.255.255

what happened to BROADCAST? it should be 97.107.133.234

please edit out unnecessary text when you reply

Thanks Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



nard at nard

Oct 14, 2009, 11:29 AM

Post #7 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On 2009-10-14, at 1:22 PM, Joseph Mack NA3T wrote:
>
>> ifconfig on the real server:
>>
>> eth0 Link encap:Ethernet HWaddr FE:FD:61:6B:82:44
>> inet addr:97.107.130.68 Bcast:97.107.130.255 Mask:
>> 255.255.255.0
>> inet6 addr: fe80::fcfd:61ff:fe6b:8244/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:15772 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:1603668 (1.5 MiB) TX bytes:325301 (317.6 KiB)
>>
>> eth0:0 Link encap:Ethernet HWaddr FE:FD:61:6B:82:44
>> inet addr:192.168.134.109 Bcast:192.168.255.255 Mask:
>> 255.255.128.0
>
> you have a /23 network?


These are the settings I was given to add a private IP to eth0:0


>
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>
>> lo Link encap:Local Loopback
>> inet addr:127.0.0.1 Mask:255.0.0.0
>> inet6 addr: ::1/128 Scope:Host
>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>> RX packets:10 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:586 (586.0 b) TX bytes:586 (586.0 b)
>>
>> tunl0 Link encap:IPIP Tunnel HWaddr
>> inet addr:97.107.133.234 Mask:255.255.255.255
>
> what happened to BROADCAST? it should be 97.107.133.234
>
This is on the realhost.
I bring up the tunl0 on realhost using:
# /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255 broadcast 97.107.133.234
It doesn't show me anything about broadcast. Same thing if I use lo:0
as well.


Thanks,
-Vincent Young



jmack at wm7d

Oct 14, 2009, 1:24 PM

Post #8 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On Wed, 14 Oct 2009, Vincent Young wrote:

>>> eth0:0 Link encap:Ethernet HWaddr FE:FD:61:6B:82:44
>>> inet addr:192.168.134.109 Bcast:192.168.255.255 Mask:
>>> 255.255.128.0
>>
>> you have a /23 network?
>
>
> This is the settings I was given to add a private ip to eth0:0

well you can telnet to it, so I guess it's OK

>>> tunl0 Link encap:IPIP Tunnel HWaddr
>>> inet addr:97.107.133.234 Mask:255.255.255.255
>>
>> what happened to BROADCAST? it should be 97.107.133.234
>>
> This is on the realhost.
> I bring up the tunl0 on realhost using:
> # /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255
> broadcast 97.107.133.234

> it doesnt show me anything about broadcast. same thing if
> i use lo:0 as well.

Hmm mine doesn't either. How about that? (I wonder when that
changed, or maybe it's always been that way and I've never
noticed.)

It looks like you've done all the right things. I assume
you're going to have the same problem with LVS-DR if adding
the VIP to lo:0 kills the network.

I would assume there's something wrong with Xen at this
stage. I don't know how many people are using virtualised
servers - there's got to be a few and we aren't hearing
anyone having problems. The only one so far is

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.virtualised_realservers.html#tcp_checksum_bug

I'm stumped sorry.

Joe
>

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



nard at nard

Oct 14, 2009, 1:42 PM

Post #9 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On 2009-10-14, at 4:24 PM, Joseph Mack NA3T wrote:
>
> well you can telnet to it, so I guess it's OK
>
>>>> tunl0 Link encap:IPIP Tunnel HWaddr
>>>> inet addr:97.107.133.234 Mask:255.255.255.255
>>>
>>> what happened to BROADCAST? it should be 97.107.133.234
>>>
>> This is on the realhost.
>> I bring up the tunl0 on realhost using:
>> # /sbin/ifconfig tunl0 97.107.133.234 netmask 255.255.255.255
>> broadcast 97.107.133.234
>
>> it doesnt show me anything about broadcast. same thing if
>> i use lo:0 as well.
>
> Hmm mine doesn't either. How about that? (I wonder when that
> changed, or maybe it's always been that way and I've never
> noticed.)
>
> It looks like you've done all the right things. I assume
> you're going to have the same problem with LVS-DR if adding
> the VIP to lo:0 kills the network.
>
> I would assume there's something wrong with Xen at this
> stage. I don't know how many people are using virtualised
> servers - there's got to be a few and we aren't hearing
> anyone having problems. The only one so far is
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.virtualised_realservers.html#tcp_checksum_bug
>
> I'm stumped sorry.

Thanks for all your help Joe,

I finally got it working. It turns out I had to enable a linode IP
failover feature on my realserver. I added the director public IP/VIP,
and things started flowing.

The IP failover setting in the control panel on my linode basically
allows multiple linodes to bring up the same IP.

I'll post a summary in this thread later on how I got it working on my
linode/XEN setup, so we can close this thread, and perhaps add it to
the docs.

Thanks,
-Vincent Young
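
Added example, not part of the thread: a model of the per-guest address filter described in the IRC quote ("we filter based on source ip and mac, and dest ip and mac"), applied to two packets seen on the realserver's eth0 (the tunnelled SYN from post #1 and the SYN-ACK from post #5). The filter rule, the assigned-address sets and the direction tags are assumptions for illustration, not Linode's implementation; the point is that a direct-return reply with src=VIP looks spoofed until the VIP is also assigned to the realserver.

```python
import re

# tcpdump -nn prints "IP src[.port] > dst[.port]:"; an IPIP packet repeats
# that pattern for the encapsulated (inner) header.
ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?"
HDR_RE = re.compile(r"IP " + ADDR + r" > " + ADDR + r":")

VIP = "97.107.133.234"
# Assumption: addresses the host lets this guest use before/after IP failover.
ASSIGNED_BEFORE = frozenset({"97.107.130.68", "192.168.134.109"})
ASSIGNED_AFTER = ASSIGNED_BEFORE | {VIP}

# Constructed sample: tcpdump lines from the thread with mail line-wraps undone.
# The "in"/"out" direction relative to the realserver is added by hand,
# because tcpdump without -e does not show it.
CAPTURE = [
    ("in", "04:39:47.860998 IP 97.107.133.234 > 97.107.130.68: IP "
           "99.247.97.68.34213 > 97.107.133.234.80: S 2271054937:2271054937(0) "
           "win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 343332259 0,"
           "sackOK,[|tcp]> (ipip-proto-4)"),
    ("out", "16:42:46.785041 IP 97.107.133.234.80 > 97.107.128.100.18233: S "
            "4199097079:4199097079(0) ack 4011139591 win 5840 <mss 1460>"),
]


def parse_line(line):
    """Return the outer header and, for IPIP, the inner header of one line."""
    hdrs = [
        {"src": s, "sport": sp or None, "dst": d, "dport": dp or None}
        for s, sp, d, dp in HDR_RE.findall(line)
    ]
    if not hdrs:
        raise ValueError("not an IPv4 tcpdump line: %r" % line)
    return {"outer": hdrs[0], "inner": hdrs[1] if len(hdrs) > 1 else None}


def filter_verdict(direction, pkt, assigned):
    """Modelled rule: the guest-side address of the OUTER header must be one
    of the guest's assigned addresses. The filter never sees inside IPIP."""
    field = "dst" if direction == "in" else "src"
    addr = pkt["outer"][field]
    if addr in assigned:
        return ("pass", None)
    return ("drop", "%s %s is not assigned to this guest" % (field, addr))


def evaluate(capture, assigned):
    """Verdict for every captured packet under one assigned-address set."""
    return [filter_verdict(d, parse_line(l), assigned)[0] for d, l in capture]


if __name__ == "__main__":
    for label, assigned in (("before failover", ASSIGNED_BEFORE),
                            ("after failover", ASSIGNED_AFTER)):
        print(label)
        for direction, line in CAPTURE:
            pkt = parse_line(line)
            verdict, why = filter_verdict(direction, pkt, assigned)
            o = pkt["outer"]
            print("  %-3s %s > %s  %s %s" % (
                direction, o["src"], o["dst"], verdict, why or ""))
```
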


jmack at wm7d

Oct 14, 2009, 2:16 PM

Post #10 of 10
Re: [lvs-users] stuck on LVS-TUN, realservers receiving ipip packet, but not doing anything because it thinks it's martian.

On Wed, 14 Oct 2009, Vincent Young wrote:

> I finally got it working. it turns out I had to enable a linode ip
> failover feature on my realserver. i added the director public ip/vip,
> and things started flowing.

glad you found it.

> the ip failover setting in the control panel on my linode basically
> allow multiple linodes to bring up the same IP.
>
> I'll post a summary in this thread later on how i got it working on my
> linode/XEN setup, so we can close this thread, and add perhaps add to
> the docs.

Thanks. It would save a whole lot of thrashing around at
this end.

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
