Mailing List Archive

[lvs-users] Firewall clustering
Hi there!

I'm looking for some info about building firewall cluster active/active with
load balancing.
I previously worked with corosync+pacemaker+conntrack to get an active/passive
cluster (without load balancing).

Now that I've started searching for documentation regarding load balancing
I just find LVS stuff, so here I am.

I wonder if someone can give me some clues about where, when or how LVS
gets along and/or works with pacemaker's stuff.

Regards!



--
/* Arturo Borrero Gonzalez || cer.inet@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] Firewall clustering
take a look at CLUSTERIP with heartbeat/pacemaker, it may be what you really
want

the usual way that LVS is used with pacemaker is that you have a HA pair of LVS
load balancer boxes that load balance across a farm of additional servers, but
the LVS boxes themselves are active/passive

David Lang

On Sun, 15 May 2011, CeR wrote:

> Hi there!
>
> I'm looking for some info about building firewall cluster active/active with
> load balancing.
> I previously worked with corosync+pacemaker+conntrack to get an active/passive
> cluster (without load balancing).
>
> Now that I've started searching for documentation regarding load balancing
> I just find LVS stuff, so here I am.
>
> I wonder if someone can give me some clues about where, when or how LVS
> gets along and/or works with pacemaker's stuff.
>
> Regards!
>

Re: [lvs-users] Firewall clustering
> take a look at CLUSTERIP with heartbeat/pacemaker, it may be what you
> really want

No. CLUSTERIP only works on the INPUT chain, not on the FORWARD chain.

Believe me that you do not want to set up an active/active firewall, but an
active/passive cluster.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
Re: [lvs-users] Firewall clustering
>
> the usual way that LVS is used with pacemaker is that you have a HA pair of
> LVS load balancer boxes that load balance across a farm of additional
> servers, but the LVS boxes themselves are active/passive
>

Thanks, I will take a look.

> No. CLUSTERIP only works on the INPUT chain, not on the FORWARD chain.
> Believe me that you do not want to setup an active/active firewall, but an
> active/passive cluster.
>

What do you mean? Could you be more specific?
OK, I will not use CLUSTERIP. But what about an active/active cluster for
firewalling? Is there any problem?

--
/* Arturo Borrero González */
Re: [lvs-users] Firewall clustering
On Tue, 17 May 2011, CeR wrote:

>> the usual way that LVS is used with pacemaker is that you have a HA pair of
>> LVS load balancer boxes that load balance across a farm of additional
>> servers, but the LVS boxes themselves are active/passive
>>
>
> Thanks, I will take a look.
>
>> No. CLUSTERIP only works on the INPUT chain, not on the FORWARD chain.

that's unfortunate. there isn't a way to do CLUSTERIP on the PREROUTING chain?

but it depends on if the firewall is a packet filter firewall or a proxy
firewall. If it's a proxy firewall CLUSTERIP works just fine.

>> Believe me that you do not want to setup an active/active firewall, but an
>> active/passive cluster.
>>
>
> What do you mean? Could you be more specific?
> OK, I will not use CLUSTERIP. But what about an active/active cluster for
> firewalling? Is there any problem?

going active/active adds complications (the load sharing mechanism can break;
when something goes wrong and you need to check on it, you need to check two
places; if one of the set is misconfigured you end up with intermittent
problems, or problems that only happen from some locations and not others; you
run the risk of not having enough power to handle the load if one box fails;
...)

as noted by someone else, if you are just doing packet filtering you should not
need active/active. a single, relatively low-spec box (by today's terms) can
handle multiple Gb/sec worth of traffic without any problems.

if you are doing proxies, you may run into load problems (but even there,
today's hardware can do a LOT on a single box), but there CLUSTERIP will work.

David Lang
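As an added illustration, not code from the thread or from any of its posters, the CLUSTERIP setup David Lang describes, written as a small POSIX shell script that prints the commands for one node by default and applies them only when asked. The VIP 192.0.2.10/24, the interface eth0, the multicast cluster MAC 01:00:5e:00:00:20 and a two-node cluster are assumed values. It shows both points made in the thread: the rule sits in the INPUT chain, so it only spreads traffic the box itself terminates (a proxy firewall), never packets that merely pass through FORWARD; and losing a node needs an explicit takeover of the dead peer's node number through the module's /proc interface, which is what pacemaker would have to drive. Note that the CLUSTERIP target has since been removed from mainline Linux, so this applies to kernels of the period the thread was written in.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for the CLUSTERIP
# INPUT rule of a two-node cluster sharing one VIP.
# Hypothetical values: VIP 192.0.2.10/24 on eth0, cluster MAC 01:00:5e:00:00:20.
# CLUSTERIP only hashes traffic delivered locally (INPUT), so it shares load
# for a proxy firewall that terminates connections on the VIP, not for packets
# that merely traverse FORWARD.

VIP="${VIP:-192.0.2.10}"
PREFIX="${PREFIX:-24}"
IFACE="${IFACE:-eth0}"
CLUSTERMAC="${CLUSTERMAC:-01:00:5e:00:00:20}"   # must be a multicast MAC
TOTAL_NODES="${TOTAL_NODES:-2}"

# clusterip_rules LOCAL_NODE: print the commands that make this box member
# number LOCAL_NODE of the cluster. Only --local-node differs between the two
# boxes; every other parameter must be identical on both, otherwise the hash
# spaces disagree and some source addresses are answered by nobody or by both.
clusterip_rules() {
    node="$1"
    echo "ip addr add ${VIP}/${PREFIX} dev ${IFACE}"
    echo "iptables -A INPUT -i ${IFACE} -d ${VIP} -j CLUSTERIP --new" \
         "--hashmode sourceip --clustermac ${CLUSTERMAC}" \
         "--total-nodes ${TOTAL_NODES} --local-node ${node}"
}

# clusterip_takeover NODE: print the command that makes this box also answer
# for NODE's share of the hash space. Run on the survivor when the peer dies;
# a pacemaker resource agent is the natural place to do this.
clusterip_takeover() {
    echo "echo '+$1' > /proc/net/ipt_CLUSTERIP/${VIP}"
}

# clusterip_release NODE: give NODE's share back once the peer has returned.
clusterip_release() {
    echo "echo '-$1' > /proc/net/ipt_CLUSTERIP/${VIP}"
}

# Without "apply" as the first argument the commands are only printed, so the
# output can be reviewed (or diffed between the two nodes) before it touches
# the kernel. "apply" pipes them to sh and needs root plus the xt_CLUSTERIP
# module. The second argument is this box's node number (default 1).
main() {
    mode="${1:-print}"
    node="${2:-1}"
    if [ "$mode" = "apply" ]; then
        clusterip_rules "$node" | sh
    else
        clusterip_rules "$node"
    fi
}

main "$@"
```

Run it as `sh clusterip.sh print 2` on the second box to see what it would apply, and `clusterip_takeover 1 | sh` on that box after the first one has died. Nothing here touches the forwarding path: a firewall whose job is to pass packets between networks gets no load sharing from this rule, which is why the thread steers towards an active/passive pair with conntrack state synchronisation instead.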
