Replies: 4 comments
-
While dsr works for you and me with l2 announcements, it's not a one-size-fits-all solution; it's a bit more nuanced than that. If you look through the commits you'll see that it used to default to dsr but was updated to snat; it also used to be configurable. For reasons that escaped me, snat seemed to be safer to use. I can open up the option for this to be configurable again. With l2 announcements, dsr and an external traffic policy of Cluster, it should preserve the source IP. With that said, I think it might be worth setting the default to dsr again and adding a disclaimer again in the configuration file.
-
Fixed in 50b6f98. I am curious about your feedback @B0bby31!
-
Thanks for the speedy reply and indeed, this is a good solution. However, the externalTrafficPolicy should be Cluster when using l2announcements, so something like (syntax is probably wrong):
in the templates. As a reference, you can check out https://docs.cilium.io/en/stable/network/l2-announcements/ and quote the 4th point mentioned in limitations. In addition, adding a disclaimer above the bgp configuration section to always use externalTrafficPolicy Cluster when using l2announcements would be nice (alternatively, you could add this to the ReadMe somewhere).
-
I think
-
First off, thank you for making this, it is a great project.
I deployed this without cloudflare and bgp. I ran into an odd issue where I created a loadbalancer service for a pihole deployment and it would work initially (i.e. serve dns requests), but then stop working.
As it turned out, the problem was the externalTrafficPolicy I was using. When using l2announcements, you cannot use Local and you have to use Cluster. I set it to Local, because I thought that would preserve the source IP the request came from.
So, I thought it would be helpful to inform people of that particular issue when not using BGP.
Also, I am not even sure the IP would have been preserved, because the default loadbalancer mode is snat. I also think it is best to use dsr and, in my experience, when the loadbalancer mode is dsr and the loadbalancer serves a single container, it will actually preserve the source IP (despite the externalTrafficPolicy being Cluster).
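The misconfiguration described in this thread (a LoadBalancer Service set to externalTrafficPolicy: Local while Cilium L2 announcements are in use) is easy to catch before it silently breaks traffic. The following check is an added example, not code from this discussion or from the project; it reads the JSON shape that `kubectl get svc -A -o json` produces and the sample input is constructed.

```python
"""Flag LoadBalancer Services whose externalTrafficPolicy is not Cluster,
which the thread above notes is required when using Cilium L2 announcements.

Added example, not code from this thread or the project. Input is the JSON
shape of `kubectl get svc -A -o json`; SAMPLE below is constructed data.
"""
import json
import sys


def find_incompatible_services(svc_list: dict) -> list:
    """Return (namespace, name, policy) for LoadBalancer Services not set to Cluster.

    An unset externalTrafficPolicy defaults to Cluster, so it is treated as fine.
    ClusterIP/NodePort Services are skipped: L2 announcements only advertise
    LoadBalancer IPs.
    """
    bad = []
    for item in svc_list.get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        policy = spec.get("externalTrafficPolicy", "Cluster")
        if policy != "Cluster":
            meta = item.get("metadata", {})
            bad.append((meta.get("namespace", "default"), meta.get("name", "?"), policy))
    return bad


# Constructed sample: one Service misconfigured the way the thread describes,
# one correct LoadBalancer, and one ClusterIP Service that must be ignored.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "pihole", "name": "pihole-dns"},
         "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local"}},
        {"metadata": {"namespace": "pihole", "name": "pihole-web"},
         "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Cluster"}},
        {"metadata": {"namespace": "default", "name": "kubernetes"},
         "spec": {"type": "ClusterIP"}},
    ]
}

if __name__ == "__main__":
    # Read live cluster output when piped in, otherwise fall back to the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, policy in find_incompatible_services(data):
        print(f"{ns}/{name}: externalTrafficPolicy={policy}; L2 announcements need Cluster")
```

Run it against a live cluster with `kubectl get svc -A -o json | python3 check_etp.py`; an empty output means every LoadBalancer Service is compatible with L2 announcements.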