<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>LVS-HOWTO: VS-Tun</TITLE>
 <LINK HREF="LVS-HOWTO-14.html" REL=next>
 <LINK HREF="LVS-HOWTO-12.html" REL=previous>
 <LINK HREF="LVS-HOWTO.html#toc13" REL=contents>
</HEAD>
<BODY>
<A HREF="LVS-HOWTO-14.html">Next</A>
<A HREF="LVS-HOWTO-12.html">Previous</A>
<A HREF="LVS-HOWTO.html#toc13">Contents</A>
<HR>
<H2><A NAME="s13">13. VS-Tun</A></H2>

<P>
<P>VS-Tun is an LVS original. It is based on VS-DR and has the same
high scalability/throughput of VS-DR.
<P>VS-Tun can be used with real-servers that can tunnel
(==IPIP encapsulation). 
The director encapsulates the request
packet inside an IPIP packet before sending it to the real-server.
The real-server must be able to decapsulate the IPIP packet
(currently linux only).
<P>Unlike VS-DR, with VS-Tun the real-servers can be on a network
remote from the director, and can each be on separate networks.
Thus the real-servers could be in different countries (eg a set of
ftp mirror sites for a project). If this is the case the
real-servers will be generating reply packets with VIP->CIP. 
Not being on the VIP network, the routers for the
real-servers will have to be programmed to accept outgoing packets
with source=VIP. Routers normally drop these packets as an
anti-spoofing measure.
<P>If the real-servers are on the same network as the director, then
VS-DR and VS-Tun are equivalent in terms of performance and ease
of setup
(see the 
<A HREF="http://www.linuxvirtualserver.org/Joseph.Mack/performance/single_realserver_performance.html">performance page</A>)
<P>With VS-DR, the real-servers can have almost any OS.
<P>Here's an example set of IPs for a VS-Tun setup. For (my)
convenience the servers are on the same network as the client.
The only restrictions for VS-Tun with remote hosts are that the
client must be able to route to the director and that the
real-servers must be able to route to the client (the return
packets to the client come directly from the real-servers and do
not go back through the director).
<P>Normally for VS-Tun,the client is on a different network to the
director/server(s), and each server has its own route to the
outside world. In the simple test case below where all machines
are on the 192.168.1.0 network there would be no default route
for the servers, and routing for packets from the servers to the
client would use the device on the 192.168.1.0 network
(presumably eth0). In reallife, the real-servers would have their
own router/connection to the internet and packets returning to
the client would go through this router. In any case reply
packets do not go back through the director.
<P>
<PRE>
Machine                      IP
client                       CIP=192.168.1.254
director                     DIP=192.168.1.1
                             VIP=192.168.1.110 (arps, IP clients connect to)
real-server-1                RIP1=192.168.1.2, VIP (tunl0, non-arping, 192.168.1.110)
real-server-2                RIP2=192.168.1.3, VIP (tunl0, non-arping, 192.168.1.110)
real-server-3                RIP3=192.168.1.4, VIP (tunl0, non-arping, 192.168.1.110)
.
.
real-server-n                RIPn=192.168.1.n+1, VIP (tunl0, non-arping, 192.168.1.110)
</PRE>
<P>
<PRE>
#lvs_tun.conf
LVS_TYPE=VS_TUN
INITIAL_STATE=on  
VIP=eth0:110 192.168.1.110 255.255.255.255 192.168.1.110
DIRECTOR_INSIDEIP=eth0 192.168.1.9 192.168.1.0 255.255.255.0 192.168.1.255
DIRECTOR_DEFAULT_GW=client
SERVICE=t telnet rr real-server1 real-server2 
SERVER_VIP_DEVICE=tunl0
SERVER_NET_DEVICE=eth0
SERVER_DEFAULT_GW=client
#----------end lvs_tun.conf------------------------------------
</PRE>
<P>
<PRE>
                        ________
                       |        |
                       | client |
                       |________|
                       CIP=192.168.1.254
                           |
                           |
                      VIP=192.168.1.110 (eth0:1, arps)
                       __________
                      |          |
                      | director |
                      |__________|
                      DIP=192.168.1.1 (eth0)
                           |
                           |
          -----------------------------------
          |                |                |
          |                |                |
   RIP1=192.168.1.2  RIP2=192.168.1.3   RIP3=192.168.1.4 (eth0)
    _____________     _____________    _____________
   |             |   |             |  |             |
   | real-server |   | real-server |  | real-server |
   |_____________|   |_____________|  |_____________|

   VIP=192.168.1.110 VIP=192.168.1.110 VIP=192.168.1.110 (all tunl0,non-arping)
          |                |                  |
      (router)          (router)           (router)
          |                |                  |
          ----------------------------------------------> to client

</PRE>
<P>
<P>
<H2><A NAME="ss13.1">13.1 How VS-Tun works</A>
</H2>

<P>
<P>Here's part of the rc.lvs_dr script which configures the real-server with
RIP=192.168.1.8
<P>
<PRE>
     #setup servers for telnet
     /sbin/ipvsadm -A -t 192.168.1.110:23 -s rr
     /sbin/ipvsadm -a -t 192.168.1.110:23 -R 192.168.1.1 -i -w 1
</PRE>
<P>With VS-Tun, the target port numbers of incoming
packets cannot be remapped. A request to port 23
on the VIP will be forwarded to port 23 on a real-server,
thus no port number is used for setting up the
IP of the real-server.
<P>
<P>Here's the packet headers as the request is processed by VS-Tun.
<P>
<PRE>
packet                  source        dest         data
1. request from client  CIP:3456      VIP:23       -
2. ipvsadm table:
   director chooses server=RIP1, encapsulates into IPIP packet
                        DIP           RIP1         IP datagram
                                                   source=CIP:3456,
                                                   dest=VIP:23,
                                                   data= -
3. real-server recovers IP datagram
                        CIP:3456      VIP:23       -
4. real-server looks up routing table, finds VIP is local,
   processes request locally, generates reply
                        VIP:23        CIP:3456     "login: "

5. packet leaves real-server via default gw, not via DIP.
</PRE>
<P>For the verbally oriented...
<P>A packet arrives for the VIP. The director looks up its tables
and decides to send the connection to real-server_1. The director
encapsulates the request packet in an IPIP datagram with
DIP->RIP. The packet arrives at real-server1, the
real-server recovers the original IP datagram, looks up its
routing table, finds that the VIP (on an otherwise unused,
non-arping and nonfunctional device) is local and processes the
packet locally. A reply packet is generated with VIP:23->CIP:3456. 
The real-server looks up its routing table and
finds that a packet to CIP goes out its default gw (not to the
DIP).
<P>The tunl0 device does not arp with 2.0.36 kernels, but does with
2.2.x kernels. 
Go look up the section on the 
<A HREF="LVS-HOWTO-3.html#arp_problem">arp problem</A>
to see if you need to patch the kernel on the real-server.
<P>
<H2><A NAME="ss13.2">13.2 Configure VS-Tun</A>
</H2>

<P>
<P>Edit the template lvs_tun.conf and run configure.
<P>$ ./configure_lvs.pl lvs_nat.conf
<P>Load the the parameters into the director and then the
real-servers with the command
<P>$ . ./etc/rc.d/rc.lvs_tun
<P>(the script knows whether it is running on a real-server or the
director).
<P>(later put in /etc/rc.d or /etc/init.d and put mon_xxx.cf in
/etc/mon)
<P>check the output from ipvsadm, ifconfig -a and netstat -rn, to
see that the services/IP's are correct. If not re-edit and re-run
the script(s).
<P>
<H2><A NAME="ss13.3">13.3 Real-servers on different network(s) to director</A>
</H2>

<P>
<P>If the real-server is on a different network to the director, then
it will be replying with packets having a source address of the
VIP. In this case the router will have to be programmed to pass
packets in the outward direction with the source address of the
VIP. This may be a problem with some firewalls as they will
be forwarding packets with a source address not in their network.
<P>
<H2><A NAME="ss13.4">13.4 VS-Tun Questions</A>
</H2>

<P>
<P>
<PRE>
> How does a packet get to a tunl device from a remote machine
> without a MAC address?
</PRE>
<P>(Julian)
<P>tunl, lo and dummy are used just to configure the VIP. We don't
send any packets through these devices. The requests are delivered to the
real servers using their real IP addresses. The director asks only
about their real IP addresses using the VS configuration. Only their
gateway asks about VIP but only the director must reply. When the
packet is received in the real server it is delivered locally (not
forwarded or dropped) due to configured VIP. This is the only role
of these "dummy" interfaces: the kernel to treat the received packet
as it is destined to our host (the real server). Nothing more. No IPIP
encapsulations (for tunl), no MAC address definitions, nothing more.
When we answer the request we use eth0. The tunl/lo/dummy is not
selected as device for the outgoing packets. We have routes for
eth0 (default gateway) which we use for the outgoing traffic.
This is for DROUTE and TUNNEL mode.
<P>
<PRE>
>If two linux boxes (not in an LVS) are joined by an IPIP tunnel and
>there is no MAC address associated with the tunl0 devices at each
>end of the link, then how do the packets get from one machine to
>the other?
</PRE>
<P>Julian
<P>The packets are encapsulated via IPIP and sent to the tunnel ends
real IP where they are decapsulated again and appear on the tunl interface.
You don't need a MAC address for point-to-point links, or 
logical interfaces like tunnels.
<P>
<P>
<HR>
<A HREF="LVS-HOWTO-14.html">Next</A>
<A HREF="LVS-HOWTO-12.html">Previous</A>
<A HREF="LVS-HOWTO.html#toc13">Contents</A>
</BODY>
</HTML>