Direct Routing aka. Direct Server Return (DSR) aka. N-Path is a great load balancing method. And it is without doubt the fastest method possible.
So, how does Direct Routing work?
First, the incoming traffic from the client hits the Virtual IP (VIP) on the load balancer.
Then the load balancer simply changes the destination MAC address of the packet (to one of the destination real servers in the pool) and flips it back to the switch which duefully delivers the packets to the selected real server:
You can see the problem here can't you?
The packet will say "Hello are you the VIP?"
Then the real server will say, "Get lost, no I'm not!".
Which is clearly not going to work...
So, how do you solve the Direct Routing problem on Windows Server?
Basically, we just need to add a loopback adapter with the VIP address. This then enables the real server can accept the packet...
Hang on, won't that confuse the network?
Yes, it will drive your network mad if you start sending out ARP notifications from multiple machines on the same IP address. This is called the ARP problem:
"THE SERVER MUST NEVER TELL THE NETWORK ABOUT THIS FAKE IP"!
And how do you solve the ARP problem on Windows?
Up to and including Windows 2000 adding a loopback adapter works fine, just set the interface metric to 254 to stop dodgy routing issues.
In Windows 2003 you also need to disable the firewall (or enable rules for the loopback adapter)
In Windows 2008, Windows 2012 & Windows 2016 however:
We have a whole new way of controlling networking, and I must admit it looks like Microsoft finally have a sensible way of controlling network interfaces.
Weak and strong host behavior in Windows:
"Windows XP and Windows Server® 2003 use the weak host model for sends and receives for all IPv4 interfaces and the strong host model for sends and receives for all IPv6 interfaces. You cannot configure this behavior. The Next Generation TCP/IP stack in Windows Vista and Windows Server 2008+ supports strong host sends and receives for both IPv4 and IPv6 by default."
- You still need to configure the loopback adapter with the VIP (but you don't need to set the metric)
- You still need to disable the firewall (or enable traffic to and from the loopback)
But then you MUST use the following command line magic :
netsh interface ipv4 set interface "net" weakhostreceive=enabled
netsh interface ipv4 set interface "loopback" weakhostreceive=enabled
netsh interface ipv4 set interface "loopback" weakhostsend=enabled
Obviously first you will need to rename the specific adapters from the default of "Local Area Network Connection 1" to either "net" or "loopback" respectively i.e.
Or if you want look up the index number instead using the following command:
netsh interface ipv4 show interface
I've still got some more research to do on this but it looks like you can do all sorts of cool routing tricks in the new Windows TCP/IP stack.
Just think if we didn't have Linux to push the boundaries - Microsoft may never have been able to copy the best features so well :-)
The awesome advantages of Direct Routing
How can you use DSR (Direct Server Return) in AWS?
All the Load balancing methods starting with DSR...
Yahoo’s L3 Direct Server Return (DSR)
Solving the ARP problem for Linux or Windows
LVS Project - The ARP problem
One last gotcha, if your server is set to automatically update the DNS server with its IP address then sometimes the DNS server will start giving the IP on the loopback adapter as your primary address! This is not good so disable automatic DNS entries on both the server and in the DNS management console. (We'll do a separate blog on this when I have more test data.)