load balancing between firewall/vpn boxes

hi!

i would like to use lvs to load balance several firewall/vpn boxes. after reading all the excellent documentation on this project i have learnt that in most of the cases lvs is used to do load sharing between a bunch of servers, so you usually have only one lvs director (or 2 for failover) in front of your server cluster.

doing load balancing between firewalls/vpn boxes would require a slightly different setup: one director in front of the cluster and one behind. ok, lets have some ascii art to illustrate this:

________
| |
| host A |
|________| on the internet
|
|
(router)
|
|
__________
| |
| LVS-DR 1 |
|__________|
|
|
-------------------------------------
| | |
| | |
____________ ____________ ____________
| | | | | |
| fw/vpn box | | fw/vpn box | | fw/vpn box |
|____________| |____________| |____________|

         |                |                  |
         |                |                  |
         -------------------------------------
                          |
                          |
                       __________
                      |          |
                      | LVS-DR 2 |
                      |__________|
                          |
                          |             internal network
         -------------------------------------
         |                |                  |
         |                |                  |
      ________
     |        |
     | host B |
     |________|

lets say host A on the internet wants to talk to host B on the internal LAN. in case of a new connection the connection setup traffic would arrive on DR1 which has no table entry for host A yet and hence decides according to the choosen strategy which fw/vpn box is next to use. after the packet has been processed on that fw/vpn box it would arrive on DR 2 which in turn forwards the packet to the internal lan where it reaches host B. now B wants to acknowledge the packet of host A. the response would pass DR2 who thinks that this packet is for a new ip flow and therefor choses one of the boxes according to the configured strategy. and this is definitly _not_ what you want to happen here! the expected behaviour for this setup would be to forward the packet from host B to the box where the traffic from host A arrived in the first place.

is there any way to tell DR2 to remember where the initial packets came from?

and if it's not in the code: would it be much of a hassle to implement this?

there is an additional requirement i should not forget to mention: i want to use _direct routing_ on both of the directors since the other methods (nat and tunneling) would most likely break the vpn software (ipsec) on the boxes. i've already applied julian's martian patch so that i can have the director as a gateway for the return traffic of the boxes.

i hope you can help me out on this issue!
thanks!

best regards

Forums:

Well, you can probably use SH scheduler at DR1 and use DH scheduler at DR2. SH and DH are schedulers of static mapping.

randomness