This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Sascha_Bremshey
Contributor
‎2019-02-05 06:46 AM

ConnectControl / Logical Servers within same subnet

Jump to solution

Hi,

currenty I'm experimenting with Logical Servers.

So far it works fine but there is one point on my list I'm unable to resolve.

I need to access my logical server from inside the same subnet as the VIP and the real servers.

I managed to set up proxy arp so reqests are forwardet from GW to destination server(s).
Packets are recevived from server(s) but as the src. address is located in the same subnet the replays are send to src directly.


Aswer packets arrive at the client but with real server IP and not VIP -> packets did not pass trough GW so no reverse NAT happend.


To resolve this I think I only have to src-NAT all my connections if they are from same subnet to an IP which is behind Gateway (from servers view)

BUT as ConnectControl is only a more inteligent destination NAT method working as impied rule (0) my src.Nat rules will never match.

Thank you for reading 🙂

/BR

Sascha

Preview file
51 KB
1 Solution

Accepted Solutions
Sascha_Bremshey
Contributor
‎2019-02-13 01:51 AM
In response to PhoneBoy

Jump to solution

Hi,

"Any" in original was the first attempt I made (CISS)

But install aborts: "Invalid <Any> in Source of Address Translation Rule ##. <Any> is valid only it the matching Translated column is <Original>"

But many thanks to you, your reply pushed me back to test with NAT and I found a solution:

Here is the summary what the tasks are to make an logical-server reachable from the same subnet:

  • Create 2 access-rule for VIP and the corresponding Server-Group (sk87641)
  • Create manual-proxy-arp for VIP (sk30197)
    • In HA-Mode with VMAC use Real-IP of cluster member and VMAC
    • do not use interface otherwise physical MAC of interface will be used)
  • Create NAT rule: "same-subnet" -> "corresponding server-group" => "Cluster-object" (Hide) -> "original" (No sk found)

Thank you very much for spending your time with my problems.

Best regards,

Sascha

 

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2019-02-08 03:37 PM

Jump to solution

What specific NAT rules have you tried?

0 Kudos
Sascha_Bremshey
Contributor
‎2019-02-10 11:21 PM
In response to PhoneBoy

Jump to solution

I've tried:

ORG-SRC;         ORG-DST;    ORG-SRV;    TRA-SRC;                               TRA-DST;      TRA-SRV

Subnet-of-VIP;   VIP;               ANY;             Subnet-of-VIP-GW-IP(Hide);    Original;         Original

In log I can see that NAT rule 0 matched (Which is the Logical-Server magic) but my NAT rule did not match.

PhoneBoy
Admin
Admin
‎2019-02-11 08:49 AM
In response to Sascha_Bremshey

Jump to solution

I think you might have to make Original Source "any" in this context.

0 Kudos
Sascha_Bremshey
Contributor
‎2019-02-13 01:51 AM
In response to PhoneBoy

Jump to solution

Hi,

"Any" in original was the first attempt I made (CISS)

But install aborts: "Invalid <Any> in Source of Address Translation Rule ##. <Any> is valid only it the matching Translated column is <Original>"

But many thanks to you, your reply pushed me back to test with NAT and I found a solution:

Here is the summary what the tasks are to make an logical-server reachable from the same subnet:

  • Create 2 access-rule for VIP and the corresponding Server-Group (sk87641)
  • Create manual-proxy-arp for VIP (sk30197)
    • In HA-Mode with VMAC use Real-IP of cluster member and VMAC
    • do not use interface otherwise physical MAC of interface will be used)
  • Create NAT rule: "same-subnet" -> "corresponding server-group" => "Cluster-object" (Hide) -> "original" (No sk found)

Thank you very much for spending your time with my problems.

Best regards,

Sascha

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-13 11:13 AM
In response to Sascha_Bremshey

Jump to solution

I'm glad you figured it out Smiley Happy

I was actually trying to find how we did this with AWS and ELBs, which also used these objects. 

I believe you need to do something similar with NAT rules there. 

0 Kudos
Labels