On 19/03/18 13:51, Mischa wrote:
> Hi Giannis,
>
> From my experience dealing with a lot of load balancers in my time, and also
> working for different vendors, the easiest is to use source-nat.
> This is just configuration on the relayd itself without making "major"
> changes in the rest of the network or servers, which you would need to do
> when choosing different VLANs or DSR.
>
> Your concern about source-nat and hiding the client IP is valid, but easily
> fixed with a Client-IP header in http, if http is the protocol; otherwise you
> will lose the client IP. ;)
> One more thing to remember with source-nat is the maximum number of
> concurrent connections you can handle in a single IP: if that is below 64k
> you are fine, otherwise you will have to create a pool of IPs to source-nat
> from.
>
> In my opinion DSR is only relevant for services like FTP and NNTP, where you
> have a lot more traffic going out than coming in, so you don't have to put
> that burden through the single load balancer interface.
>
> If you have the ability to change the VLANs, that is of course the cleanest of
> all the options and source-nat the dirtiest, but it's also the simplest. :)
>
> Good luck!
>
> Mischa
Thanks for the reply, Mischa.

Well, since most of the traffic is not HTTP based, I cannot use the headers for the client IP :-/
This will also be a problem with firewalling on the real servers.
So that probably leaves out SNAT and relay proxy.

I also agree that DSR is not needed.

Yes, multiple VLANs is the cleanest solution. My concern is mainly with 1 VLAN and multiple subnets, which does the trick of returning the traffic through the LB as well as keeping the setup simple.

Another solution would also be some kind of private VLANs with openvswitch.

Thanks,
Giannis
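To make the source-nat approach discussed in this thread concrete, here is an added example configuration that is not from either post and not from the relayd project's own documentation: an HTTP relay that hands the client address to the backends in X-Forwarded-For, a layer-3 redirect for a non-HTTP service, and a pf rule that source-NATs the forwarded traffic from a small address pool so the real servers' replies come back through the load balancer. The interface names (em0/em1), the 203.0.113.10 VIP, the 10.0.0.0/24 server subnet, the table names, port 5000 and the pool addresses are all assumptions chosen for the example.

```conf
# /etc/relayd.conf  (added example; addresses and interfaces are assumptions)
ext_if="em0"              # client-facing interface (assumed)
lb_vip="203.0.113.10"     # service VIP configured on ext_if (assumed)

table <webhosts> { 10.0.0.11, 10.0.0.12 }   # real web servers (assumed)
table <apphosts> { 10.0.0.21, 10.0.0.22 }   # real app servers (assumed)

# HTTP: layer-7 relay. relayd opens its own TCP connection to the backend,
# so the original client address only survives in the injected header.
http protocol httpfilter {
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
}

relay www {
	listen on $lb_vip port 80
	protocol httpfilter
	forward to <webhosts> port 80 mode loadbalance check http "/" code 200
}

# Non-HTTP service: layer-3 redirect. relayd installs rdr-to rules in the
# pf anchor "relayd/app"; the client IP is preserved on the wire here, so
# the return path has to be forced through the LB in pf.conf below.
redirect app {
	listen on $lb_vip port 5000 interface $ext_if
	forward to <apphosts> check tcp
}

# /etc/pf.conf  (fragment; added example, same assumptions as above)
ext_if="em0"
int_if="em1"                       # server-facing interface (assumed)
lb_vip="203.0.113.10"
server_net="10.0.0.0/24"           # real-server subnet (assumed)
# Source-NAT pool, configured as aliases on int_if. One address gives at
# most ~64k concurrent sessions per backend (16-bit source port), so the
# pool grows with the expected concurrency.
snat_pool="{ 10.0.0.2, 10.0.0.3 }"

# relayd maintains its rdr-to rules and host tables under this anchor
anchor "relayd/*"

# Rewrite the source of traffic forwarded to the real servers so that their
# replies are addressed to the LB pool. The real servers now see only the
# pool addresses, never the client IP (the trade-off Mischa describes).
match out on $int_if inet proto tcp from ! $server_net to $server_net \
    nat-to $snat_pool round-robin

pass in on $ext_if inet proto tcp to $lb_vip port { 80, 5000 }
pass out on $int_if inet proto tcp to $server_net
```

The redirect path relies on the box forwarding packets (net.inet.ip.forwarding=1) and on every pool address being bound to int_if, otherwise the backends' replies have nowhere to go; the relay path needs neither, since relayd terminates the client session itself. Whether a backend connected via the redirect sees a client address or a pool address can be confirmed from its own connection table, which is also where the per-address port exhaustion Mischa mentions would first show up.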