
I'm new to this and I have looked through many other similar questions, but I couldn't find an answer.

I have two servers at SoYouStart, and on one server I have a HAProxy VM. Both servers are connected with a Strongswan VPN tunnel. I also have a Failover IP on which HAProxy listens on ports 80, 443 and a few others.

HAProxy VM1 network configuration:

iface eth0 inet static
    address 192.168.100.2
    netmask 255.255.255.224
    network 192.168.100.0
    broadcast 192.168.100.31
    gateway 192.168.100.30
    post-up ip addr add FAILOVER_IP dev $IFACE
    pre-down ip addr del FAILOVER_IP dev $IFACE

On the host server I use this route to make the Failover IP available on my HAProxy VM.

ip route add FAILOVER_IP/32 via 192.168.100.2 dev vmbr1

Everything is working but now I would like to redirect traffic to this Failover IP through my VPN tunnel for all VMs on server 2.

I have tried these rules, but they don't work.

Server 2:

iptables -t nat -A PREROUTING -i eth0 -d FAILOVER_IP -m connmark \
         --mark 0xE010E798 -j DNAT --to-destination 192.168.100.2

Server 1:

iptables -t nat -A POSTROUTING -i eth0 -d 192.168.100.2/32 \
         --match connmark --mark 0xE010E798 -j SNAT --to-source FAILOVER_IP

Please could someone help me to figure out what I am doing wrong? My goal is to have a second HAProxy instance on server 2 and to redirect internal traffic to the active HAProxy instance.

Thanks.

Cage

1 Answer


Found the answer. First of all, I didn't know that mark only applies to the local machine. The second mistake was that I used SNAT on Server 1, which changes the sender address, but I needed to change the destination address again, and I had to change the interface. My working rules are:

Server 2

iptables -t nat -A PREROUTING -i vmbr1 -p tcp -d FAILOVER_IP \
         -j DNAT --to-destination 192.168.100.2

Server 1

iptables -t nat -A PREROUTING -p tcp -d 192.168.100.2 \
         -j DNAT --to-destination FAILOVER_IP
Cage
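The following is an added illustration, not code from the question or the answer above: a small Python model of the two-hop DNAT the answer ends up with, so the path can be traced without touching a live host. It assumes the setup the question describes (the HAProxy VM at 192.168.100.2 holds the failover IP and HAProxy is bound only to that IP; server 1 routes the failover IP to the VM over vmbr1; server 2 reaches 192.168.100.0/27 through the VPN) and uses constructed addresses: 203.0.113.10 as a placeholder for FAILOVER_IP and 10.20.0.5 for a VM behind server 2. It only models destination NAT and conntrack; the other two problems the poster ran into are outside it (connmark is host-local, so a mark set on one server never matches on the other, and SNAT rewrites the source, not the destination; iptables also rejects `-i` in the POSTROUTING chain outright).

```python
"""Model of the two-hop DNAT path: a VM behind server 2 connects to FAILOVER_IP,
server 2's PREROUTING DNAT points the packet at the HAProxy VM's private address
so it is routed through the VPN instead of the public side, server 1's
PREROUTING DNAT restores FAILOVER_IP so HAProxy (bound only to FAILOVER_IP)
accepts it, and conntrack undoes both rewrites on the reply.
Illustrative model only; all addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

FAILOVER_IP = "203.0.113.10"   # placeholder for the real failover IP
HAPROXY_VM = "192.168.100.2"   # HAProxy VM address as in the question
SERVER2_VM = "10.20.0.5"       # constructed: a VM behind server 2

Key = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def key(p: Packet) -> Key:
    return (p.src, p.dst, p.sport, p.dport)


class Host:
    """A Linux host with nat PREROUTING DNAT rules, a route table and conntrack."""

    def __init__(self, routes: List[Tuple[str, str]]):
        # routes: (prefix, outgoing interface); longest prefix wins
        self.routes = [(ipaddress.ip_network(n), via) for n, via in routes]
        self.dnat: List[Tuple[str, str]] = []  # (matched dst, new dst)
        self.ct: Dict[Key, Key] = {}            # tuple seen on entry -> tuple after NAT

    def prerouting(self, p: Packet) -> Packet:
        if key(p) in self.ct:                   # established flow or its reply
            return Packet(*self.ct[key(p)])
        for match_dst, new_dst in self.dnat:    # first matching -j DNAT rule wins
            if p.dst == match_dst:
                out = replace(p, dst=new_dst)
                self.ct[key(p)] = key(out)
                # conntrack reply entry: the rewritten dst comes back as src and
                # must be restored to the original destination
                self.ct[(out.dst, out.src, out.dport, out.sport)] = (
                    p.dst, p.src, p.dport, p.sport)
                return out
        return p

    def route(self, p: Packet) -> str:
        addr = ipaddress.ip_address(p.dst)
        for net, via in sorted(self.routes, key=lambda r: -r[0].prefixlen):
            if addr in net:
                return via
        raise RuntimeError("no route for " + p.dst)


def simulate(server2_dnat: bool, server1_dnat: bool) -> Dict[str, Optional[object]]:
    """Trace one TCP/443 request from the VM and report where it ends up."""
    s2 = Host([("192.168.100.0/27", "vpn"), ("0.0.0.0/0", "public")])
    s1 = Host([(FAILOVER_IP + "/32", "vmbr1"),      # the route from the question
               ("192.168.100.0/27", "vmbr1"), ("0.0.0.0/0", "public")])
    if server2_dnat:
        s2.dnat.append((FAILOVER_IP, HAPROXY_VM))   # server 2 PREROUTING rule
    if server1_dnat:
        s1.dnat.append((HAPROXY_VM, FAILOVER_IP))   # server 1 PREROUTING rule

    req = s2.prerouting(Packet(SERVER2_VM, FAILOVER_IP, 40000, 443))
    first_hop = s2.route(req)
    if first_hop != "vpn":                          # left via the public side
        return {"path": first_hop, "accepted": False, "reply_src": None}
    req = s1.prerouting(req)
    accepted = req.dst == FAILOVER_IP               # HAProxy binds only FAILOVER_IP
    if not accepted:
        return {"path": "vpn", "accepted": False, "reply_src": None}
    reply = Packet(req.dst, req.src, req.dport, req.sport)
    reply = s2.prerouting(s1.prerouting(reply))     # conntrack on both hosts
    return {"path": "vpn", "accepted": True, "reply_src": reply.src}


if __name__ == "__main__":
    for s2_rule, s1_rule in [(False, False), (True, False), (True, True)]:
        print(f"server2 DNAT={s2_rule} server1 DNAT={s1_rule}:",
              simulate(s2_rule, s1_rule))
```

Running it shows the three cases in order: with no rules the request leaves server 2 on its public side rather than the tunnel; with only the server 2 rule it reaches the HAProxy VM as 192.168.100.2 and is not accepted; with both rules it is accepted and the VM sees the reply coming from the failover IP because each host's conntrack entry reverses its own rewrite.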