Cluster-IP for outgoing appliance traffic
For incoming traffic to an appliance cluster you can use the cluster IP (e.g. traps), but for outgoing traffic the active node's IP address is used. This is annoying for configuring ACLs and also for debugging. Some target devices only allow limited IP lists.
It would be great if the cluster IP were also used for outgoing site traffic, so that a cluster has unified network behavior, regardless of the internal structure.
Comments: 8
-
02 Jun, '22
Robert Sander Merged Highlighted comment
All outgoing connections will be established with the primary IP as the source IP by the Linux kernel (if the process does not say otherwise).
We used iptables NAT rules to rewrite the source IP to the cluster IP for all processes running as the site user.
-
22 May, '22
Thomas Lippert Admin Merged
The IP address used for SNMP traffic in a cluster setup is the address of the node, not the cluster. Please change this
-
18 Oct, '23
Martin Hirschvogel Admin Merged
Hello,
Thank you for your idea. On this portal, we carefully evaluate ideas to ensure that they will benefit a wide range of users. Thus, we close ideas not fulfilling certain criteria:
- Suggestions with low user interest: created more than 1 year ago with 5 votes or less
- Suggestions with no momentum: no votes in the last 6 months
Unfortunately, this suggestion doesn't meet these criteria, so we’re closing it (based on the data available until 2023-10-17). We appreciate your contribution and encourage you to continue to share your ideas. Your input plays a vital role in helping us improve our product for everyone.
Thank you for your understanding and continued support!
Warm regards,
Your Checkmk Team
-
21 Dec, '23
Jodok
It looks like something like this could be a solution:
```
iptables -t nat -A POSTROUTING -m owner --uid-owner <site-user> -j SNAT --to-source <Cluster_IP-Address>
```
But I am not yet 100% sure about the ProxyPass traffic from the system apache to the site apache. May need some tweaking like:
```
! --in-interface lo
! --out-interface lo
```
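The SNAT rule from the comment above, wrapped so that its inputs are validated, loopback is skipped, the rule is only added on the node that currently holds the cluster IP, and it is never added twice. This is an added example, not code from the thread or from Checkmk; the site user `cmk`, the address 192.0.2.10, the allowed user-name characters and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): SNAT a site user's outgoing traffic
# to the cluster IP. "cmk" and 192.0.2.10 are placeholder values.

# Accept only a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the match/target part of the rule. "! -o lo" leaves loopback
# connections (the ProxyPass concern raised in the thread) untranslated.
build_snat_rule() {
    site_user=$1; cluster_ip=$2
    case "$site_user" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid site user" >&2; return 2 ;;
    esac
    valid_ipv4 "$cluster_ip" || { echo "invalid cluster IP" >&2; return 2; }
    echo "! -o lo -m owner --uid-owner $site_user -j SNAT --to-source $cluster_ip"
}

# True if "ip -o -4 addr show" output on stdin lists the address, i.e. this
# node currently holds the cluster IP. With SNAT to an address the node does
# not hold, replies would go to whichever node does hold it.
holds_ip() {
    grep -qF " inet $1/"
}

# Append the rule once: -C tests for an existing identical rule, -A adds it.
# Requires root. $spec is split on purpose; it holds validated tokens only.
apply_snat_rule() {
    spec=$(build_snat_rule "$1" "$2") || return
    ip -o -4 addr show | holds_ip "$2" || { echo "cluster IP not on this node" >&2; return 3; }
    iptables -t nat -C POSTROUTING $spec 2>/dev/null ||
        iptables -t nat -A POSTROUTING $spec
}

# Usage: sh snat.sh apply <site-user> <cluster-ip>
if [ "${1:-}" = apply ]; then
    apply_snat_rule "${2:-}" "${3:-}"
fi
```

Because the rule is tied to the node that holds the cluster IP, it has to be re-applied on the new active node after a failover and removed from the old one.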
-
23 Apr, '24
Lars Sörensen Merged
It would be great if we could configure the IP to be used for outgoing data traffic. This would ensure that all clients are always contacted with the same IP even in the event of a failover.
This would solve all the usual problems that an IP change implies (mk_logwatch,...) as well as considerably simplifying the configuration of firewalls, clients, ACLs etc. in larger environments.
See also these ideas that go in the same direction:
https://ideas.checkmk.com/suggestions/512536/clusterip-for-outgoing-appliance-traffic
https://ideas.checkmk.com/suggestions/301835/use-cluster-ip-address-for-snmp-traffic
-
08 Jun, '24
Andy Merged
It would be great if we could desire what IP to bind in distributed monitoring or in omd CONFIG as we might have several interfaces and might not want to use the default, for example when running a site with keepalived.
This is a blocker for us moving to the "cloud" edition and push agent as the IP would change during failover.
-
29 Aug, '24
Mohamed Saleh System
"Use cluster IP address for SNMP traffic" (suggested by <Hidden> on 2022-05-22), including upvotes (17) and comments (2), was merged into this suggestion.
-
29 Aug, '24
Mohamed Saleh System
"Set Cluster-IP to use for outgoing traffic" (suggested by <Hidden> on 2024-04-23), including upvotes (4) and comments (1), was merged into this suggestion.