<div dir="ltr"><div><div>Hello All,<br><br></div>I'm trying to use one of the targets of iptables called CLUSTERIP with KVM (virtualization).<br></div><div>As strongswan does use CLUSTERIP to offer High Availability, I decided to ask upon this list. <br>
</div><div><br>Our testbed consist of two security gateways (SG1
and SG2) offering HA features. They are configured as ACTIVE/PASIVE. Similarly to strongswan, we want the PASIVE SG (SG2) to become ACTIVE
when SG1 is not working anymore (due to errors,overload, maintenance,
etc., reasons). <br><br></div><div>Both SG1 and SG2 are actually two virutal machines (built using KVM). <br><br></div><div>We are having troubles to configure the simplest scenario, for example:<br><br>In SG1:<br>> ip address add <a href="http://10.0.0.3/24">10.0.0.3/24</a> dev eth0 (adds an IP address to eth0)<br>
> iptables -A INPUT -i eth0 -d 10.0.0.3 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:03 --total-nodes 2 --local-node 1 (creates the iptables rule to assign a cluster MAC address to 10.0.0.3)<br>
</div>
<div>> echo "+2" > /proc/net/ipt_CLUSTERIP/<a href="http://10.0.0.3">10.0.0.3</a> (makes SG1 responsible of all incoming traffic)<br></div><div><br>When we try to 'ping' the cluster at 10.0.0.3, the ping is not reaching the Virtual Machine. However, when using wireshark, we can see that ICMPs arrives to the physical interface of the host machine where both Virutal Machines are hosted (SG1 and SG2). Then, when listening to the bridge (br0), we can also see the ICMP packets. Unfortunately, when listening to vnet0 or 10.0.0.3, we see no ICMP packets. <br>
<br></div><div>Does anyone have an idea where the problem is? <br><br></div><div>We are sure that the configuration works, we tested this with physical machines and it worked. But when it comes to Virtual Machines, packets are blocked somewhere.<br>
<br><br></div><div>Thanks you very much for reading my issue,<br></div><div><br></div><div>Regards<br clear="all"></div><div><div><div><div>Daniel Palomares<br><br></div>
</div></div></div></div>