Trying to achieve L4 load balancing via Keepalived in front of HAProxy that will act as L7 load balancer. Both Keepalived and HAProxy are on separate machines. I managed to get everything in the below image working but when I try to send a request to the public virtual IP (i.e. 115.101.1.17), the connection always times out.
As per my understanding from the documentation that states:
In order for the real servers to directly respond to the public users’ requests, each real server must use the VIP as its source address when sending replies.
I tried to reset the source IP using SNAT on the HAProxy machine but still the same thing happens.
Rules used for iptables on real servers (HAProxy machines)
    iptables \
        -A POSTROUTING \
        -t nat \
        -p tcp \
        --dport 80 \
        -j SNAT \
        --to-source 115.101.1.17
keepalived.conf
    vrrp_instance VI_1 {
        state MASTER # [1]
        interface eth0 # [2]
        advert_int 1 # [3]
        priority 100 # [4]
        virtual_router_id 92 # [5]
        # Authentication for VRRP messages
        authentication {
            auth_type PASS
            auth_pass pass123
        }
        virtual_ipaddress {
            115.101.1.17 dev eth0 # [6]
        }
    }
    virtual_server 115.101.1.17 80 {
        lb_algo rr # [1]
        lb_kind DR # [2]
        protocol TCP
        delay_loop 10 # [3]
        persistence_timeout 60 # [4]
        # Backend Server (HAProxy LB-01)
        real_server 10.0.1.2 80 {
            weight 100
            TCP_CHECK {
                connect_timeout 5
                nb_get_retry 3
                delay_before_retry 2
            }
        }
        # Backend Server (HAProxy LB-02)
        real_server 10.0.1.3 80 {
            weight 100
            TCP_CHECK {
                connect_timeout 5
                nb_get_retry 3
                delay_before_retry 2
            }
        }
    }
sysctl.conf
    net.ipv4.ip_nonlocal_bind = 1
    net.ipv4.ip_forward = 1
Any help will be appreciated.
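Added example, not part of the original post: with `lb_kind DR` the director leaves the destination IP as the VIP, so each real server has to accept packets for the VIP locally while never answering ARP for it. The script below audits captured `ip -o -4 addr show` and `sysctl` output for the commonly used arrangement (VIP on `lo`, `arp_ignore` and `arp_announce` set under `net.ipv4.conf.all`), which is an assumption about the setup; the function names and sample data are constructed for illustration.

```shell
# Constructed sample: `ip -o -4 addr show` on a real server prepared for DR.
SAMPLE_ADDRS_OK='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 115.101.1.17/32 scope global lo
2: eth0    inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0'
# Constructed sample: a real server that does not hold the VIP at all.
SAMPLE_ADDRS_BAD='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0'
# Constructed samples: `sysctl` output with and without ARP suppression.
SAMPLE_SYSCTL_OK='net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2'
SAMPLE_SYSCTL_BAD='net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0'

# sysctl_value KEY DUMP: print the value of KEY found in `sysctl` output.
sysctl_value() {
    printf '%s\n' "$2" | awk -F' *= *' -v k="$1" '$1 == k { print $2 }'
}

# check_dr_ready VIP ADDR_DUMP SYSCTL_DUMP
# Prints one FAIL line per finding; exit status is 0 only when there is none.
check_dr_ready() (
    vip=$1; rc=0
    # In `ip -o` output, field 2 is the interface and field 4 the address/prefix.
    ifaces=$(printf '%s\n' "$2" |
        awk -v vip="$vip" '{ split($4, a, "/"); if (a[1] == vip) print $2 }' |
        sort -u | tr '\n' ' ')
    case "$ifaces" in
        "lo ") ;;
        "")    echo "FAIL: $vip is not a local address; packets to it are not delivered locally"; rc=1 ;;
        *)     echo "FAIL: $vip is on '${ifaces% }'; it should be on lo only"; rc=1 ;;
    esac
    case "$(sysctl_value net.ipv4.conf.all.arp_ignore "$3")" in
        1|2) ;;
        *)   echo "FAIL: arp_ignore must be 1 or 2 so the host does not answer ARP for the VIP"; rc=1 ;;
    esac
    case "$(sysctl_value net.ipv4.conf.all.arp_announce "$3")" in
        2) ;;
        *) echo "FAIL: arp_announce must be 2 so the VIP is never used as an ARP source"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ]
)
```

On a live real server, call it as `check_dr_ready 115.101.1.17 "$(ip -o -4 addr show)" "$(sysctl net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce)"`.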