Enterprise LVS load balancing cluster -- TUN tunnel mode and NAT mode

One, TUN tunnel mode

1, Working principle of TUN tunnel mode

TUN mode, also called tunnel mode, works by modifying the request packet: an extra IP header is added in front of it (IP-in-IP encapsulation). Advantage: the DS (Director) and the RS (real servers) need not be on the same network segment, and the cluster can be built across different access networks.

  • IP tunneling, also known as IP encapsulation, takes a packet that already carries a source and destination IP address and encapsulates it a second time with a new source and destination IP, so that the packet can be delivered to a specified host.

  • Packet sent by the LVS client to the scheduler (DS): source address CIP (client IP), destination address VIP (the virtual IP on the DS).

  • The same packet after the outer header is added: source address DIP (the DS's own IP), destination address RIP (real server IP); the original CIP -> VIP packet is carried unchanged inside.

  • Data flow: Client -> DS (scheduler): PREROUTING -> INPUT (IPVS picks a real server and encapsulates) -> POSTROUTING -> RS (real server): tunl0 decapsulates, the VIP configured on tunl0 accepts the inner packet -> reply from VIP to CIP leaves through eth0 -> Client

2, Characteristics of TUN mode

  • In tunnel mode, IP tunneling is used between the scheduler and the back-end server pool. When the client's request (CIP -> VIP) reaches the Director, the Director encapsulates the packet, using the two tunnel endpoints (DIP -> RIP) as the new outer source and destination addresses, and forwards it to the selected back-end server.
  • When the back-end server receives the packet it decapsulates it, finds the original CIP -> VIP packet inside, sees that the VIP is configured on its own tun interface, and accepts the packet.
  • When request processing is complete, the result is not handed back to the Director but returned directly to the client; the response packet carries VIP as source IP and CIP as destination IP.
  • RIP and the Director's DIP need not be on the same physical network, but each RIP must be able to communicate with the public network, so cluster nodes can be spread across the Internet.
  • The VIP must be configured on the real server's tun interface, both to accept the packets forwarded by the Director and to serve as the source IP of the response. When the Director forwards through the tunnel, the outer IP header carries DIP as source and RIP as destination; the real server builds its reply from the inner header it recovers, with VIP as source IP and CIP as destination IP.
  • The Director only handles incoming requests; the real server completes the response itself.
  • TUN mode is generally used to schedule load across a group of cache servers, which are usually placed in different network environments close to the clients. When the requested object is not hit in the local cache server, that server fetches it from the origin server and then returns the result to the user.

3, Implementing TUN mode on the LVS scheduler

Building on the experiment done for DR mode:
1, On the LVS scheduler (server1), clear the existing rules first: ipvsadm -C
2, modprobe ipip  ## load the kernel module used by the tunnel

  • modprobe -r ipip removes the tunnel module again

3, Delete the VIP from the original NIC: ip addr del 172.25.7.100/24 dev eth0
Add the VIP to tunl0: ip addr add 172.25.7.100/24 dev tunl0

4, Activate tunl0: ip link set up tunl0
5, Add the virtual service and its real servers (-s rr is round-robin scheduling; -i marks each real server as reached through an ipip tunnel):

ipvsadm -A -t 172.25.7.100:80 -s rr
ipvsadm -a -t 172.25.7.100:80 -r 172.25.7.2:80 -i
ipvsadm -a -t 172.25.7.100:80 -r 172.25.7.3:80 -i


6, On server2 and server3 (RS):

1) modprobe ipip  ## load the ipip tunnel module

2) ip addr del 172.25.7.100/32 dev eth0  ## the VIP was placed on eth0 in the DR experiment

3) ip addr add 172.25.7.100/32 dev tunl0  ## add the VIP on tunl0

4) ip link set up tunl0  ## activate tunl0

5) sysctl -a | grep rp_filter  ## inspect the current reverse-path filtering settings
	sysctl -w net.ipv4.conf.all.rp_filter=0
	sysctl -w net.ipv4.conf.default.rp_filter=0
	sysctl -w net.ipv4.conf.lo.rp_filter=0
	sysctl -w net.ipv4.conf.eth0.rp_filter=0
	sysctl -w net.ipv4.conf.tunl0.rp_filter=0
	## disable reverse-path filtering (when enabled, the kernel checks the reverse path of every incoming packet and drops it if the check fails; 0 means no check). The kernel applies the larger of conf.all and the per-interface value, so conf.all must be 0 too, not only tunl0.
6) sysctl -p  ## reloads /etc/sysctl.conf; the sysctl -w settings above already took effect, so write them into that file to keep them across reboots
  • The kernel performs reverse-path verification on incoming packets. After decapsulation the inner packet (destination 172.25.7.100, the VIP) is treated as having arrived on tunl0, but the route back to its source, the client, goes out through eth0, so a strict check fails and the packet is thrown away. To remove the influence of reverse-path filtering, every setting that is 1 is set to 0.
  • Reason for disabling the reverse-path check: otherwise the web server drops the decapsulated packet because its source IP is not reachable through the interface it arrived on, the request never reaches the web service, and the client cannot access the data. Tunnel mode exists precisely to let hosts on different network segments communicate; since client and server are on different segments the data simply would not get through, so the reverse-path check has to be turned off (or relaxed to loose mode, value 2, which only requires that some route to the source exists).
  • 0: source address check disabled
  • 1: strict reverse-path check
  • 2: loose reverse-path check (the source must be reachable through some interface, not necessarily the one the packet arrived on)
  • In strict mode, for each incoming packet the kernel checks whether the best route back to the source leaves through the interface the packet arrived on; if it does not, the packet is discarded directly.
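As an added example (not code from the original article) of what the Director and the real server do to each packet in TUN mode, and of the rp_filter behaviour described above: the Python below builds the CIP -> VIP request, encapsulates it the way the Director does (outer DIP -> RIP header, protocol number 4), decapsulates it on the real-server side, and applies a model of Linux reverse-path filtering, including the kernel rule that the effective value is the larger of conf.all and the per-interface setting. VIP 172.25.7.100 and RIP 172.25.7.2 are the article's; the client address 172.25.7.250, the Director address 172.25.7.1 and the real server's routing table are assumptions. It runs offline and sends no packets.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # protocol number of the outer header of an ipip tunnel
IPPROTO_TCP = 6
# VIP and RIP are the article's lab addresses; CIP and DIP are assumed.
CIP = "172.25.7.250"   # assumed client address
VIP = "172.25.7.100"
DIP = "172.25.7.1"     # assumed Director address
RIP = "172.25.7.2"

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 packet; rejects non-IPv4 data or a bad header checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}

def director_encapsulate(request: bytes, dip: str = DIP, rip: str = RIP) -> bytes:
    """What 'ipvsadm ... -i' forwarding does: the CIP->VIP packet is kept byte for
    byte and an outer IPv4 header DIP->RIP with protocol 4 is prepended."""
    return build_ipv4(dip, rip, IPPROTO_IPIP, request)

def route_lookup(routes, dst: str):
    """Longest-prefix match over a list of (prefix, device); None if no route."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix, dev in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(src: str, in_dev: str, routes, rp_all: int, rp_dev: int) -> bool:
    """Model of Linux reverse-path filtering. The kernel applies
    max(conf/all/rp_filter, conf/<in_dev>/rp_filter): 0 = off, 1 = strict (the
    route back to src must leave via in_dev), 2 = loose (any route to src)."""
    mode = max(rp_all, rp_dev)
    if mode == 0:
        return True
    out_dev = route_lookup(routes, src)
    return out_dev == in_dev if mode == 1 else out_dev is not None

def realserver_receive(pkt: bytes, local_addrs, routes, rp_all: int, rp_tunl0: int):
    """Real-server side: decapsulate, accept only if the inner destination is local
    (the VIP on tunl0), then run rp_filter as the kernel does for a packet that
    arrived on tunl0. Returns the inner packet, or None when it is dropped."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None
    inner = parse_ipv4(outer["payload"])
    if inner["dst"] not in local_addrs:
        return None  # not for this host
    ok = rp_filter_accepts(inner["src"], "tunl0", routes, rp_all, rp_tunl0)
    return inner if ok else None

def realserver_reply(inner: dict, payload: bytes) -> bytes:
    """The response goes straight to the client: VIP as source, no tunnel."""
    return build_ipv4(inner["dst"], inner["src"], IPPROTO_TCP, payload)

def demo() -> dict:
    """Walk one request through the Director and a real server."""
    request = build_ipv4(CIP, VIP, IPPROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
    tunneled = director_encapsulate(request)
    outer = parse_ipv4(tunneled)
    # Assumed real-server routing table: VIP as a /32 on tunl0, the LAN and the
    # default route on eth0, so the path back to the client leaves via eth0.
    rs_routes = [("172.25.7.100/32", "tunl0"), ("172.25.7.0/24", "eth0"), ("0.0.0.0/0", "eth0")]
    local = {RIP, VIP}
    strict = realserver_receive(tunneled, local, rs_routes, rp_all=1, rp_tunl0=1)
    tunl0_off_only = realserver_receive(tunneled, local, rs_routes, rp_all=1, rp_tunl0=0)
    both_off = realserver_receive(tunneled, local, rs_routes, rp_all=0, rp_tunl0=0)
    loose = realserver_receive(tunneled, local, rs_routes, rp_all=2, rp_tunl0=0)
    reply = parse_ipv4(realserver_reply(both_off, b"HTTP/1.0 200 OK\r\n\r\n"))
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
        "overhead_bytes": len(tunneled) - len(request),
        "inner_intact": outer["payload"] == request,
        "outer_ok_strict_on_eth0": rp_filter_accepts(outer["src"], "eth0", rs_routes, 1, 1),
        "accepted_strict": strict is not None,
        "accepted_tunl0_off_only": tunl0_off_only is not None,
        "accepted_both_off": both_off is not None,
        "accepted_loose": loose is not None,
        "reply_src": reply["src"], "reply_dst": reply["dst"],
    }
```

Running demo() shows the two points that matter in practice: the outer DIP -> RIP packet passes even a strict check on eth0, it is only the decapsulated CIP -> VIP packet on tunl0 that strict mode drops; and turning off tunl0's rp_filter alone is not enough while conf.all is still 1, whereas loose mode (2) on conf.all also lets the packet through.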

7, Client test: from the client, request http://172.25.7.100 repeatedly; with rr scheduling the responses alternate between server2 and server3.

Two, NAT mode in LVS (network address translation mode)

1, Principle of NAT mode

NAT (Network Address Translation) is used when hosts inside a network have been assigned local IP addresses (private addresses that are valid only within that network) but now need to communicate with hosts on the Internet (the external network), without requiring encryption.
This requires a router that connects the private network to the Internet and runs NAT software. Such a router is called a NAT router, and it has at least one valid global IP address. When a host using a local address communicates with the outside, the NAT router translates the local address into a global IP address before the packet goes onto the Internet. In this way a few public IP addresses stand in for many private IP addresses, which helps to ease the depletion of the IP address space.

  • With NAT, when a host with a private (reserved) "internal" network address sends a packet, the router translates that address into a valid public IP address; a LAN with only a small number (even one) of public addresses can meet the Internet communication needs of every computer in it.
  • NAT automatically modifies the source IP address and destination IP address of IP packets, and the NAT processing also recomputes the IP header checksum automatically.

2, Characteristics of NAT mode

  • RIP and DIP are generally on the same private network segment, but not necessarily; it suffices that DIP and RIP can communicate with each other.
  • The gateway of each real server must point to DIP, so that responses are guaranteed to go back through the Director.
  • The biggest drawback of NAT mode: the Director carries all incoming and outgoing data. It not only processes the requests initiated by clients but is also responsible for forwarding the responses back to them, and since response data is typically much larger than request data, the Director easily becomes the bottleneck. On the other hand, this mode is simple to configure.
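As an added example (not code from the original article) of the NAT-mode behaviour described in this section: a minimal Python model of the Director's address translation with a connection table, round-robin choice of the real server, the reason the real server's gateway must be DIP, and the byte asymmetry that makes the Director the bottleneck. VIP 172.25.7.100 is the article's; the private segment 192.168.0.0/24, DIP 192.168.0.1, the RIPs 192.168.0.2 and 192.168.0.3, the other router 192.168.0.254 and the client 172.25.7.250 are assumptions, as is tracking connections by the client's address and port.

```python
import itertools
from dataclasses import dataclass, replace

VIP, VPORT = "172.25.7.100", 80                            # the article's virtual service
DIP = "192.168.0.1"                                        # assumed Director address on the private segment
REAL_SERVERS = [("192.168.0.2", 80), ("192.168.0.3", 80)]  # assumed RIPs
CIP = "172.25.7.250"                                       # assumed client address

@dataclass(frozen=True)
class Packet:
    """Only the fields NAT touches: addresses, ports and an opaque payload."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class NatDirector:
    """Model of the LVS NAT Director: DNAT on the way in, SNAT on the way out,
    with a per-connection table so both directions use the same real server."""

    def __init__(self, vip, vport, real_servers):
        self.vip, self.vport = vip, vport
        self._rr = itertools.cycle(real_servers)   # round robin, like '-s rr'
        self.conntrack = {}                        # (cip, cport) -> (rip, rport)
        self.bytes_in = self.bytes_out = 0         # everything the Director has to carry

    def inbound(self, pkt):
        """Client -> VIP: rewrite the destination to the chosen real server. The
        client's source address is kept, so the real server addresses its reply
        to CIP; only if its default gateway is DIP does that reply come back here."""
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.conntrack:
            self.conntrack[key] = next(self._rr)
        rip, rport = self.conntrack[key]
        self.bytes_in += len(pkt.payload)
        return replace(pkt, dst=rip, dport=rport)

    def outbound(self, pkt):
        """Real server -> client reply passing through the Director: rewrite the
        source back to VIP:VPORT. Replies for untracked connections stay untranslated."""
        if self.conntrack.get((pkt.dst, pkt.dport)) != (pkt.src, pkt.sport):
            return None
        self.bytes_out += len(pkt.payload)
        return replace(pkt, src=self.vip, sport=self.vport)

def deliver_reply(director, reply, rs_gateway):
    """The real server hands its reply to its default gateway. Via DIP the reply is
    un-NATed; via any other router it leaves the private network unchanged."""
    return director.outbound(reply) if rs_gateway == DIP else reply

def client_accepts(reply, cip, cport):
    """The client's stack only matches a reply from VIP:VPORT to the socket it used."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (VIP, VPORT, cip, cport)

def demo() -> dict:
    d = NatDirector(VIP, VPORT, REAL_SERVERS)
    req1 = Packet(CIP, 40001, VIP, VPORT, b"GET / HTTP/1.0\r\n\r\n")
    req2 = Packet(CIP, 40002, VIP, VPORT, b"GET / HTTP/1.0\r\n\r\n")
    fwd1, fwd2 = d.inbound(req1), d.inbound(req2)
    fwd1_again = d.inbound(replace(req1, payload=b"...continued"))
    # The real server answers the address it saw: CIP, not the Director. The
    # constructed response body is much larger than the request, as is typical.
    reply1 = Packet(fwd1.dst, fwd1.dport, fwd1.src, fwd1.sport,
                    b"HTTP/1.0 200 OK\r\n\r\n" + b"<html>" * 700)
    via_dip = deliver_reply(d, reply1, rs_gateway=DIP)
    via_other = deliver_reply(d, reply1, rs_gateway="192.168.0.254")  # assumed other router
    return {
        "rs_for_conn1": (fwd1.dst, fwd1.dport),
        "rs_for_conn2": (fwd2.dst, fwd2.dport),
        "conn1_sticky": (fwd1_again.dst, fwd1_again.dport) == (fwd1.dst, fwd1.dport),
        "client_src_kept": fwd1.src == CIP,
        "reply_via_dip_src": via_dip.src,
        "reply_via_dip_accepted": client_accepts(via_dip, CIP, 40001),
        "reply_via_other_gw_accepted": client_accepts(via_other, CIP, 40001),
        "untracked_reply_translated": d.outbound(Packet("192.168.0.9", 80, CIP, 5)) is not None,
        "director_bytes": (d.bytes_in, d.bytes_out),
    }
```

The reply that bypasses the Director reaches the client with RIP as its source, which matches no connection the client opened; that is the concrete reason each real server's gateway has to be DIP. The byte counters show the Director forwarding far more response data than request data, which is the bottleneck the text describes.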

Source: blog.csdn.net/ranrancc_/article/details/102492592