[OpenAFS] AFS servers (vl, file, & db) behind NAT

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 13 Jun 2001 02:16:58 -0400 (EDT)

On Mon, 11 Jun 2001, Brett Johnson wrote:

> I had this happen to me when I was doing a test setup also using a
> FireWall-1 4.1.
> Since I used to work in the Check Point support center, here's the official
> canned answer:
> "A special module for the service in question would have to be written to
> capture and translate the IP address that got through.  Professional
> Services could do this for a fee, or if there is enough demand, it will
> eventually be written in."
> Short answer:  AFS server has to be a routable, non-NAT IP address.  I
> solved my problem by subnetting my class C and putting the AFS servers
> there.
> Just as a side note, I've had fairly good luck with the CLIENT (not server)
> behind translation.
> As NAT is a common setup, this would be a nice Request For Enhancements to
> our programmer friends. :)

There is another way, but it's a bit complicated.  Basically, you need to
make sure that only the translated (external) address of the fileserver
appears in the VLDB.  To do that, create a file /usr/afs/local/NetRestrict
on each fileserver, listing the IP address(es) that should be published
for that server -- namely, the external ones.

For this to work, the addresses you list must be actual addresses of
network interfaces configured on the fileserver machine.  So, you'll have
to configure an address alias or second interface with the external
address -- even though you'll never actually send any traffic via that

Once you've done this, restart the fileserver, and it should register its
new list of addresses with the vlserver.

From this point forward, only the external address will be used to contact
that fileserver, so it's important that internal clients be able to talk
to those addresses.  If this is a problem, include the internal addresses
in the NetRestrict file (or just omit the file altogether).  That will
cause _both_ addresses to appear in the vldb, which means clients will
have to time out the one that will not work for them.  Once the timeout
happens (for each fileserver), things should work normally.

Note that all of this requires that the external addresses of each
fileserver be fixed.  While modern AFS is capable of dealing with
fileservers whose addresses change with each boot, it only works when the
server actually knows what its address is, which is not the case with a
dynamic external address assigned by some NAT.
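An added check, not part of this thread, for verifying the result of the steps above: after restarting the fileserver, the addresses the VLDB publishes can be read with `vos listaddrs`, and the script below flags any published address that is not one of the expected external ones, plus any server that publishes more than one address (the case where clients must time out the unreachable one). The sample `vos listaddrs` output is constructed, and the assumed format (one server per line, addresses separated by spaces) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes `vos listaddrs`
# prints one fileserver entry per line with its addresses space-separated.

# Constructed sample standing in for:  vos listaddrs -cell "$CELL" -noauth
# Second server still publishes an internal 10.x address alongside the
# external one (the "both addresses in the vldb" situation).
SAMPLE_LISTADDRS='203.0.113.10
203.0.113.11 10.0.0.11'

# check_published LISTADDRS_OUTPUT ALLOWED_ADDRS
# Print every published address that is not in the space-separated
# ALLOWED_ADDRS list (i.e. not an expected external address).
# Returns 0 when all published addresses are expected, 1 otherwise.
check_published() {
    out="$1"; allowed="$2"; bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        for addr in $line; do
            case " $allowed " in
                *" $addr "*) ;;   # expected external address
                *) echo "unexpected address $addr published on line: $line"
                   bad=1 ;;
            esac
        done
    done <<EOF
$out
EOF
    return $bad
}

# multi_homed_lines LISTADDRS_OUTPUT
# Print server entries that publish more than one address; clients will
# have to time out whichever of those they cannot reach.
multi_homed_lines() {
    printf '%s\n' "$1" | awk 'NF > 1'
}

# Stand-alone run against the constructed sample.
check_published "$SAMPLE_LISTADDRS" "203.0.113.10 203.0.113.11" || echo "VLDB publishes non-external addresses"
multi_homed_lines "$SAMPLE_LISTADDRS"
```

Replace the constructed sample with the real `vos listaddrs` output and the allowed list with the external addresses listed in each server's NetRestrict file.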