
Mailing List Archive: Linux Virtual Server: Users

[lvs-users] Firewall clustering

 

 



cer.inet at linuxmail

May 15, 2011, 12:28 PM

Post #1 of 5 (1000 views)
[lvs-users] Firewall clustering

Hi there!

I'm looking for some info about building firewall cluster active/active with
load balancing.
I previously worked with corosync+pacemaker+conntrack to get an active/passive
cluster (without load balancing).

Now that I've started searching for documentation regarding load balancing
I just find LVS stuff, so here I am.

I wonder if someone can give me some clues about where or when or how LVS
gets along and/or works with pacemaker's stuff.

Regards!



--
/* Arturo Borrero Gonzalez || cer.inet [at] linuxmail */
/* Use debian gnu/linux! Best OS ever! */
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


david.lang at digitalinsight

May 16, 2011, 11:56 AM

Post #2 of 5 (948 views)
Re: [lvs-users] Firewall clustering

take a look at CLUSTERIP with heartbeat/pacemaker, it may be what you really
want

the usual way that LVS is used with pacemaker is that you have a HA pair of LVS
load balancer boxes that load balance across a farm of additional servers, but
the LVS boxes themselves are active/passive

David Lang

On Sun, 15 May 2011, CeR wrote:

> Hi there!
>
> I'm looking for some info about building firewall cluster active/active with
> load balancing.
> I previously worked with corosync+pacemaker+conntrack to get an active/passive
> cluster (without load balancing).
>
> Now that I've started searching for documentation regarding load balancing
> I just find LVS stuff, so here I am.
>
> I wonder if someone can give me some clues about where or when or how LVS
> gets along and/or works with pacemaker's stuff.
>
> Regards!
>
>
>
>



misch at clusterbau

May 17, 2011, 2:20 AM

Post #3 of 5 (945 views)
Re: [lvs-users] Firewall clustering

> take a look at CLUSTERIP with heartbeat/pacemaker, it may be what you
> really want

No. CLUSTERIP only works on the INPUT chain, not on the forward chain.

Believe me that you do not want to setup an active/active firewall, but an
active/passive cluster.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98


cer.inet at gmail

May 17, 2011, 4:54 AM

Post #4 of 5 (949 views)
Re: [lvs-users] Firewall clustering

>
> the usual way that LVS is used with pacemaker is that you have a HA pair of
> LVS load balancer boxes that load balance across a farm of additional
> servers, but the LVS boxes themselves are active/passive
>

Thanks, I will take a look?

> No. CLUSTERIP only works on the INPUT chain, not on the forward chain.
> Believe me that you do not want to setup an active/active firewall, but an
> active/passive cluster.
>

What do you mean? Could you be more specific?
OK to not use CLUSTERIP. But what about an active/active cluster for
firewalling? Is there any problem?

--
/* Arturo Borrero González */


david.lang at digitalinsight

May 17, 2011, 10:36 AM

Post #5 of 5 (939 views)
Re: [lvs-users] Firewall clustering

On Tue, 17 May 2011, CeR wrote:

>> the usual way that LVS is used with pacemaker is that you have a HA pair of
>> LVS load balancer boxes that load balance across a farm of additional
>> servers, but the LVS boxes themselves are active/passive
>>
>
> Thanks, I will take a look?
>
> No. CLUSTERIP only works on the INPUT chain, not on the forward chain.

that's unfortunate. there isn't a way to do CLUSTERIP on the prerouting chain?

but it depends on if the firewall is a packet filter firewall or a proxy
firewall. If it's a proxy firewall CLUSTERIP works just fine.

>> Believe me that you do not want to setup an active/active firewall, but an
>> active/passive cluster.
>>
>
> What do you mean? Could you be more specific?
> OK to not use CLUSTERIP. But what about an active/active cluster for
> firewalling? Is there any problem?

going active/active adds complications (the load sharing mechanism can break,
when something goes wrong and you need to check on it, you need to check two
places, if one of the set is misconfigured you end up with intermittent
problems, or problems that only happen from some locations and not others, you
run the risk of not having enough power to handle the load if one box fails,
...)

as noted by someone else, if you are just doing packet filtering you should not
need active/active. a single, relatively low-spec box (by today's terms) can
handle multiple Gb/sec worth of traffic without any problems.

if you are doing proxies, you may run into load problems (but even there,
today's hardware can do a LOT on a single box), but there CLUSTERIP will work.

David Lang

