Hi folks,

I finally have a working lab setup that uses LVS-DR to load balance across two zorp proxies. The lab configuration is inspired by the load balanced configuration presented on page 10 of the Zorp Professional 2 Product Description at http://www.balabit.com/dl/zorp2.pdf, and a diagram of my implementation is available at http://starjuice.net/zorp/lab_implementation.png [1].

I'm using Linux LVS-DR with fwmarks for both front and back load balancers; birdy (the front load balancer) uses the SH (source hash) balancing algorithm, while wormy (the back load balancer) uses DH (destination hash). This works okay, but the algorithm doesn't balance very well, and doesn't cope well [2] with the addition and removal of nodes (realservers in LVS jargon).

Ideally, what the back load balancer for a Zorp cluster needs to do is this:

1) When a SYN comes in from a Zorp host, create a new connection table entry, including the Layer 2 (Ethernet) address of the packet in the entry.

2) When a packet comes back from the servers and is associated with a connection table entry based on Layer 3 and 4 features, route the packet via the Layer 2 address stored in the entry.

I've contacted 3 vendors and an open source group looking for a solution like this. Here are the responses:

1) Cisco say their 650x with Content Switching Module support transparent proxy firewalls, and a friend of mine at Cisco confirms this.

2) Enterasys engineering have confirmed that they have no device that can do this.

3) Alcatel have confirmed that they have no device that can do this.

4) The folks on the LVS mailing list can't think of anything better than the SH/DH approach.

Now a Cisco 650x w/ CSM costs more than USD 70,000. That's a lot of money to spend on a load balancer for 4 Zorp boxes!

So my question is, has anyone solved the Zorp clustering problem in an affordable way, or is the Product Description just describing a theoretical possibility for marketing purposes?

Ciao,
Sheldon.

[1] Beware of
[2] In a simple test of 200 packets with randomly generated IP addresses, zorp01 got 44% and zorp02 got 56%.
On Wed, 2004-04-14 at 01:17, Sheldon Hearn wrote:
> Ideally, what the back load balancer for a Zorp cluster needs to do is this:
>
> 1) When a SYN comes in from a Zorp host, create a new connection table entry, including the Layer 2 (Ethernet) address of the packet in the entry.
>
> 2) When a packet comes back from the servers and is associated with a connection table entry based on Layer 3 and 4 features, route the packet via the Layer 2 address stored in the entry.
>
> I've contacted 3 vendors and an open source group looking for a solution like this. Here are the responses:
>
> 1) Cisco say their 650x with Content Switching Module support transparent proxy firewalls, and a friend of mine at Cisco confirms this.
We are also using Cisco CSMs for this purpose. They are doing some kind of TCP state tracking (I believe it is a simple timeout) and reply packets are sent back where they came from. The load balancing decision is based on the IP address in our case, but AFAIK they can also do RR, but it makes debugging problems a nightmare.
> 4) The folks on the LVS mailing list can't think of anything better than the SH/DH approach.
In addition to LVS you can also implement load balancing via iptables conntrack and connmark. When the first packet of a given connection is received at the LB box you mark it with a connection mark; this is the LB decision and you can base it on anything you want to (for example the source port value, but simple RR or random assignment might also work). Decision based on the source port can be done using the u32 match; for RR and random marks you will need to create custom iptables modules. The connmark value selects which Zorp box you are going to use to proxy that specific connection. Then copy this connmark to every packet belonging to the same connection as an fwmark (CONNMARK --save-mark IIRC), then do policy routing based on fwmark, and select different gateways depending on the fwmark.
> Now a Cisco 650x w/ CSM costs more than USD 70,000. That's a lot of money to spend on a load balancer for 4 Zorp boxes!
True, Cisco products are extremely expensive. There are other load balancers like radware, bigip or flatiron. They are somewhat cheaper.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
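As an added example (not from the thread, and not Zorp's or Balabit's own code), the following POSIX sh script sketches the conntrack/connmark approach Bazsi describes: the low bits of the TCP source port, read by the u32 match, choose the connmark on the first packet, CONNMARK --restore-mark copies it onto every later packet as an fwmark, and one routing table per mark sends the whole connection through that Zorp box. It assumes a Linux LB box with the u32 and CONNMARK extensions, N Zorp boxes with N a power of two (u32 can mask bits but cannot compute a modulo), the Zorp boxes reachable as next-hop gateways, and constructed placeholder addresses 10.0.0.11-14; the functions only print the commands so the rule set can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: connmark-based load balancing across
# Zorp boxes as Bazsi outlines. Assumed: Linux LB box with iptables u32 and
# CONNMARK extensions, N Zorp boxes (N a power of two, since u32 can only mask
# bits, not take a modulo) reachable as next-hop gateways. The functions print
# the commands instead of running them, so the rule set can be reviewed first.

# Mark a connection gets for a given TCP source port: the low log2(N) bits of
# the port plus one, so marks run 1..N and 0 still means "no decision yet".
zorp_mark_for_sport() {   # $1 = source port, $2 = N
    echo $(( ($1 & ($2 - 1)) + 1 ))
}

# Emit the iptables and ip commands. $1 = N; remaining args = Zorp gateway
# addresses in mark order (gateway for mark 1 first).
emit_lb_rules() {
    n=$1; shift
    mask=$(( n - 1 ))
    echo "iptables -t mangle -N ZORP_LB"
    # Balancing decision on the first packet only: u32 skips the IP header
    # (0>>22&0x3C is IHL*4), reads the TCP source port (0>>16), keeps its low
    # bits and stores the choice in the connection's mark.
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "iptables -t mangle -A ZORP_LB -m u32 --u32 \"0>>22&0x3C@0>>16&$mask=$i\" -j CONNMARK --set-mark $((i + 1))"
        i=$((i + 1))
    done
    echo "iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -j ZORP_LB"
    # Every packet, first one included: copy the connmark onto the packet as
    # its fwmark so policy routing sees the same decision for the whole flow.
    echo "iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark"
    # One routing table per mark, defaulting to that mark's Zorp box.
    i=1
    for gw in "$@"; do
        echo "ip route add default via $gw table $((100 + i))"
        echo "ip rule add fwmark $i table $((100 + i))"
        i=$((i + 1))
    done
}

# Four Zorp boxes behind constructed placeholder addresses.
emit_lb_rules 4 10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.14
```

Because the decision is derived from the client's source port, a single client opening many connections is spread over all boxes, unlike LVS's SH, but a NAT box in front that rewrites source ports will also reshuffle the split.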
participants (2)
-
Balazs Scheidler
-
Sheldon Hearn