Tricky situation with rt-mailgate

Hi,

I've got an odd situation, and wanted to see if anyone had a thought
about how to fix.

I'm running RT in a load balanced situation. I've got everything
running it seems from the web side. From the mail side, I’m running into
a problem. Because the mail server is in the same subnet as the load balanced
machines, they can’t talk to each other on the load balanced IP. Well, the
way we have them configured we can’t. If we changed the config, they could…
But then it would appear EVERY hit came from the same IP, and since there are
a lot of other sites that need this information, I can’t afford to do it.

Any suggestions??

	Thanks, Tuc

I’ve got an odd situation, and wanted to see if anyone had a thought
about how to fix.

I’m running RT in a load balanced situation. I’ve got everything
running it seems from the web side. From the mail side, I’m running into
a problem. Because the mail server is in the same subnet as the load balanced
machines, they can’t talk to each other on the load balanced IP. Well, the
way we have them configured we can’t. If we changed the config, they could…
But then it would appear EVERY hit came from the same IP, and since there are
a lot of other sites that need this information, I can’t afford to do it.

Any suggestions??

Second ethernet interface, private addresses, hosts file entries.

Cheers,
– jra
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me
Any suggestions??

Second ethernet interface, private addresses, hosts file entries.

Not sure how that'll make a difference, since the IP for
rt.example.com is 10.0.0.1, which is load balanced against 10.0.0.2 and
10.0.0.3. If I just put .2 or just .3, then…

	Thanks, Tuc

Hi,

I’ve got an odd situation, and wanted to see if anyone had a thought
about how to fix.

I’m running RT in a load balanced situation. I’ve got everything
running it seems from the web side. From the mail side, I’m running into
a problem. Because the mail server is in the same subnet as the load balanced
machines, they can’t talk to each other on the load balanced IP. Well, the
way we have them configured we can’t. If we changed the config, they could…
But then it would appear EVERY hit came from the same IP, and since there are
a lot of other sites that need this information, I can’t afford to do it.

If the load balancer is an F5 BigIP, you need to add a SNAT pool (source
NAT) and add the machines that need to make connections to pools
handled by the same device with the backend servers on the same subnet.
That will nat the source addresses of connections coming from the
listed machines only (not everything like a default SNAT would) so
the return packets come back through the bigip and work correctly.

Otherwise, since the target servers have a route directly back to the
source they try to return packets directly which doesn’t work because
the IP doesn’t match the pool address where the source was trying to
connect.

Les Mikesell
les@futuresource.com

If the load balancer is an F5 BigIP, you need to add a SNAT pool (source
NAT) and add the machines that need to make connections to pools
handled by the same device with the backend servers on the same subnet.
That will nat the source addresses of connections coming from the
listed machines only (not everything like a default SNAT would) so
the return packets come back through the bigip and work correctly.

It's a Foundry, but has the same issue. If I make the change, then
everything will appear to come from the load balancer, which isn’t
acceptable. They didn’t think there was a way since it was in the same
subnet already.

	Thanks, Tuc
Any suggestions??

Second ethernet interface, private addresses, hosts file entries.

Not sure how that’ll make a difference, since the ip for
rt.example.com is 10.0.0.1, which is load balanced against 10.0.0.2 and
10.0.0.3 . If I just put .2 or just .3, then…

Your problem was having the two machines that are the target of the
load-balancing be able to talk to one another without interference,
correct?

To do that, put in a second ethernet interface, on a separate private
network from the one behind the load balancer, and you might have to
play hosts-file name games to force the traffic to use that link.

Sorry I wasn’t sufficiently clear the first go-round.

Cheers,
– jra

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You could avoid the whole hassle and install an RT instance on your
mailserver that only answers requests on 127.0.0.1.

jbw

Tuc at Beach House wrote:

Hi,

I’ve got an odd situation, and wanted to see if anyone had a thought
about how to fix.

I’m running RT in a load balanced situation. I’ve got everything
running it seems from the web side. From the mail side, I’m running into
a problem. Because the mail server is in the same subnet as the load balanced
machines, they can’t talk to each other on the load balanced IP. Well, the
way we have them configured we can’t. If we changed the config, they could…
But then it would appear EVERY hit came from the same IP, and since there are
a lot of other sites that need this information, I can’t afford to do it.

Any suggestions??

  Thanks, Tuc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCdTOMgA0gpghkf88RAns8AJ9mpayLKB0K0++Gdw+OLz1b5071CQCg3HsB
zBCx62GPzl/5PBTMjX3Ml1k=
=UzJQ
-----END PGP SIGNATURE-----

You could avoid the whole hastle and install an RT instance on your
mailserver that only answers requests on 127.0.0.1.

I forgot to mention about that...... Thanks for the reminder.

If I was to change $WebBaseURL and subsequently have it change
$WebURL… Will it cause a problem for something else in the system, or
is that only for the rt-mailgate?

	Thanks, Tuc
Not sure how that'll make a difference, since the IP for
rt.example.com is 10.0.0.1, which is load balanced against 10.0.0.2 and
10.0.0.3. If I just put .2 or just .3, then…

Your problem was having the two machines that are the target of the
load-balancing be able to talk to one another without interference,
correct?

No.

There is a 3rd machine, also behind the load balancer because it
is in the same subnet, that accepts the rt-mailgate traffic. Since it is
in the subnet with the load balanced site name, it can not reference the
load balanced name to work. There is a modification that we could make,
but it would then make every hit for EVERY site behind the balancer show
it originated from the same IP, which would be unacceptable.

To do that, put in a second ethernet interface, on a separate private
network from the one behind the load balancer, and you might have to
play hosts-file name games to force the traffic to use that link.

Sorry I wasn’t sufficiently clear the first go-round.

It comes back down to even with a 2nd interface, the load balanced
IP is still in the subnet of the first interface.

	Thanks, Tuc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tuc at Beach House wrote:

You could avoid the whole hassle and install an RT instance on your
mailserver that only answers requests on 127.0.0.1.

I forgot to mention about that… Thanks for the reminder.

If I was to change $WebBaseURL and subsequently have it change
$WebURL… Will it cause a problem for something else in the system, or
is that only for the rt-mailgate?

As far as I know the only thing those variables affect is the creation
of URLs – so you’d want to use the correct values for your web
interface so the emails generated by Scrips include the correct URL.
rt-mailgate requires you to provide a URL, so it doesn’t look at those
values.

jbw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCdbKqgA0gpghkf88RAgXPAKCsSuOWbGK5QXzKsKTJtSUUVinLnQCdHXIk
ALgfir1GYEttp5bFTzWNqSw=
=iI5K
-----END PGP SIGNATURE-----

If I was to change $WebBaseURL and subsequently have it change
$WebURL… Will it cause a problem for something else in the system, or
is that only for the rt-mailgate?

As far as I know the only thing those variables affect is the creation
of URLs – so you’d want to use the correct values for your web
interface so the emails generated by Scrips include the correct URL.
rt-mailgate requires you to provide a URL, so it doesn’t look at those
values.

So then I'd only need to worry about the --url in the call to
rt-mailgate to tell it where to go?

	Thanks, Tuc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tuc at Beach House wrote:

So then I’d only need to worry about the --url in the call to
rt-mailgate to tell it where to go?

As I understand it, yes.

jbw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCdb8sgA0gpghkf88RAqS/AKDFG06cEKtgztUQDvfbFD6PqIdjxACfTJBN
3Q1V/sNVSL0qwkrPCuECSd4=
=ltY0
-----END PGP SIGNATURE-----

Date: Fri, 29 Apr 2005 23:11:22 -0400 (EDT)
From: Tuc at Beach House tuc@tucs-beachin-obx-house.com
Subject: [rt-users] Tricky situation with rt-mailgate
I’m running RT in a load balanced situation. I’ve got everything
running it seems from the web side. From the mail side, I’m running into
a problem. Because the mail server is in the same subnet as the load balanced
machines, they can’t talk to each other on the load balanced IP. Well, the
way we have them configured we can’t. If we changed the config, they could…
But then it would appear EVERY hit came from the same IP, and since there are
a lot of other sites that need this information, I can’t afford to do it.

My understanding is that rt-mailgate should be given an URL. Can you just
give the URL of a specific box rather than the load balanced URL (I am assuming
the stuff behind the load balancer have distinct IP addresses)? This would
break load-balancing of RT when it comes through the mailgate, but should
allow mailgate to access the RT web site. Can probably hack the mailgate
code to alternate the specific box IPs as well for the URL.

[ me: ]

Your problem was having the two machines that are the target of the
load-balancing be able to talk to one another without interference,
correct?

No.

Oh. :slight_smile:

There is a 3rd machine, also behind the load balancer because it
is in the same subnet, that accepts the rt-mailgate traffic. Since it is
in the subnet with the load balanced site name, it can not reference the
load balanced name to work. There is a modification that we could make,
but it would then make every hit for EVERY site behind the balancer show
it originated from the same IP, which would be unacceptable.

So you’re trying to get the mailgate box to talk to the other two,
without going through the load-balanced IP address for those boxes,
right?

To do that, put in a second ethernet interface, on a separate private
network from the one behind the load balancer, and you might have to
play hosts-file name games to force the traffic to use that link.

Sorry I wasn’t sufficiently clear the first go-round.

It comes back down to even with a 2nd interface, the load balanced
IP is still in the subnet of the first interface.

Yes, but if you lie to the mailgate machine, by putting into its hosts
file the name of the other machines, as well as their IP address on
the other private network (192.168.2/24, for example, where the load
balanced interfaces are on 192.168.1/24), then the mailgate machine
won’t talk to the load balanced IPs.

In other words, set up a “back” network that the loadbalancer has no
knowledge of, and force the mail machine to use it.

Was that clearer, and do you think it will serve?

Cheers,
– jra
Not sure how that'll make a difference, since the IP for
rt.example.com is 10.0.0.1, which is load balanced against 10.0.0.2 and
10.0.0.3. If I just put .2 or just .3, then…

There is a 3rd machine, also behind the load balancer because it
is in the same subnet, that accepts the rt-mailgate traffic. Since it is
in the subnet with the load balanced site name, it can not reference the
load balanced name to work. There is a modification that we could make,
but it would then make every hit for EVERY site behind the balancer show
it originated from the same IP, which would be unacceptable.

The simple fix is a hosts file entry on the mail machine to make it
use just one of the backend servers for the mailgate server instead
of the balanced IP returned by DNS. Or install an RT instance on
the mail server itself connected to the same database and send it
there (which takes care of the fail-over part of the problem).

Les Mikesell
les@futuresource.com

Tuc at Beach House wrote:

So then I’d only need to worry about the --url in the call to
rt-mailgate to tell it where to go?

As I understand it, yes.

Hrm, then in that case I can put it as a link off the base IP of
the machine. I guess I’ll check into this and check back with people.

My understanding is that rt-mailgate should be given an URL. Can you just
give the URL of a specific box rather than the load balanced URL (I am assuming
the stuff behind the load balancer have distinct IP addresses)? This would
break load-balancing of RT when it comes through the mailgate, but should
allow mailgate to access the RT web site. Can probably hack the mailgate
code to alternate the specific box IPs as well for the URL.

My problem with this is that RT's on a VH, so I can't call it
directly by IP. (Boy, aren’t I just a problem child!)

		Thanks, Tuc

So you’re trying to get the mailgate box to talk to the other two,
without going through the load-balanced IP address for those boxes,
right?

Right, BUT, also be able to deal with one or the other machine
not being there. (All these requirements, I know!)

It comes back down to even with a 2nd interface, the load balanced
IP is still in the subnet of the first interface.

Yes, but if you lie to the mailgate machine, by putting into its hosts
file the name of the other machines, as well as their IP address on
the other private network (192.168.2/24, for example, where the load
balanced interfaces are on 192.168.1/24), then the mailgate machine
won’t talk to the load balanced IPs.

In other words, set up a “back” network that the loadbalancer has no
knowledge of, and force the mail machine to use it.

Was that clearer, and do you think it will serve?

It's clearer... I've got to see what it'll take to implement.

	Thanks, Tuc

My understanding is that rt-mailgate should be given an URL. Can you just
give the URL of a specific box rather than the load balanced URL (I am assuming
the stuff behind the load balancer have distinct IP addresses)? This would
break load-balancing of RT when it comes through the mailgate, but should
allow mailgate to access the RT web site. Can probably hack the mailgate
code to alternate the specific box IPs as well for the URL.

My problem with this is that RT’s on a VH, so I can’t call it
directly by IP. (Boy, aren’t I just a problem child!)

An entry in /etc/hosts on the calling machine lets you keep the
name in the URL but hit the IP of your choice.

Les Mikesell
les@futuresource.com
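The hosts-file pinning Les describes above, combined with jbw's point that rt-mailgate takes its target from --url and Tuc's constraint that the URL must keep the virtual-host name, as an added example that is not part of this thread (not RT's own code). It assumes the addresses from the thread (10.0.0.1 as the balanced VIP for rt.example.com, 10.0.0.2 and 10.0.0.3 as the real servers), the hosts-file contents are constructed, and the rt-mailgate flags --queue, --action and --url are the ones the real tool accepts. The check it adds is the one a practitioner wants before trusting the pin: the resolver takes the first matching hosts(5) line, so a pin appended below an existing VIP entry does nothing.

```python
"""Pin a load-balanced RT hostname to one backend via hosts(5), and
verify the pin is really in effect before handing the URL to rt-mailgate.

Added example; not from the rt-users thread or from RT itself.
Addresses are the ones given in the thread; hosts contents are constructed.
"""
import ipaddress

VHOST = "rt.example.com"           # name-based virtual host, so it must stay in the URL
VIP = "10.0.0.1"                   # what DNS returns: the load-balanced address
BACKENDS = ("10.0.0.2", "10.0.0.3")  # the real RT servers behind the balancer


def parse_hosts(text):
    """Parse hosts(5) text into {name: ip}. The first mapping for a name wins,
    which is how the resolver library behaves; comments, blank lines, aliases
    and malformed addresses are handled."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address: skip the line rather than guess
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # first entry wins
    return table


def hosts_line(ip, name, comment="pin rt-mailgate to one RT backend"):
    """The line to put in /etc/hosts on the mail machine."""
    return f"{ip}\t{name}\t# {comment}"


def pinned_backend(hosts_text, name=VHOST, backends=BACKENDS):
    """Return the backend the name is pinned to, or None when the name is
    absent, still resolves to the VIP, or points somewhere unexpected."""
    ip = parse_hosts(hosts_text).get(name.lower())
    return ip if ip in backends else None


def mailgate_url(name=VHOST, scheme="http", path="/"):
    """URL for rt-mailgate --url. The hostname is kept so the request lands on
    the right virtual host; the hosts-file pin decides which server answers."""
    return f"{scheme}://{name}{path}"


def mailgate_command(queue, action, name=VHOST):
    """Assemble the rt-mailgate invocation (e.g. for an MTA alias)."""
    return ["rt-mailgate", "--queue", queue, "--action", action,
            "--url", mailgate_url(name)]


# Constructed hosts contents: before the pin (VIP entry already present,
# e.g. from an earlier admin) and after replacing that entry with the pin.
HOSTS_BEFORE = "127.0.0.1 localhost\n10.0.0.1 rt.example.com  # balanced VIP\n"
HOSTS_AFTER = "127.0.0.1 localhost\n" + hosts_line("10.0.0.2", VHOST) + "\n"
# Appending the pin below the VIP line does NOT work: first match wins.
HOSTS_APPENDED = HOSTS_BEFORE + hosts_line("10.0.0.2", VHOST) + "\n"


if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER),
                        ("appended", HOSTS_APPENDED)):
        print(f"{label:9s} pinned backend: {pinned_backend(text)}")
    print(" ".join(mailgate_command("general", "correspond")))
```

The pin is static: if 10.0.0.2 goes down, mail handling stops until the hosts entry is changed, which is the fail-over gap Les's alternative (a local RT instance on the mail server talking to the same database) avoids.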

My understanding is that rt-mailgate should be given an URL. Can you just
give the URL of a specific box rather than the load balanced URL (I am assuming
the stuff behind the load balancer have distinct IP addresses)? This would
break load-balancing of RT when it comes through the mailgate, but should
allow mailgate to access the RT web site. Can probably hack the mailgate
code to alternate the specific box IPs as well for the URL.

My problem with this is that RT's on a VH, so I can't call it
directly by IP. (Boy, aren’t I just a problem child!)

An entry in /etc/hosts on the calling machine lets you keep the
name in the URL but hit the IP of your choice.

I just ended up creating an rt-mailhost virtual host and DNS entry and
things seem to be working. :slight_smile: (Ok, well, it rejected my ticket, but it
at least processed it.)

Thanks a lot!

		Tuc