[OpenAFS] multiple NAT clients, now losing contact

Theo van den Bout theoml@arum.et.tudelft.nl
Mon, 21 Jun 2004 11:58:37 +0200

Matthew Turk wrote:

>>Matthew pointed out that his machine has a
>>net.ipv4.netfilter.ip_conntrack_udp_timeout setting that should be usable
>>for this purpose.
>Having done this, we had no problems for a few hours -- no losing contact
>or anything -- but now the forwarding system begins to have trouble
>contacting file servers (Lost contact with file server xx.xx.xx.xx in cell
>) and has begun commenting that the file server is multi-homed.  However,
>this isn't true -- the file servers it loses contact with is NOT
>Our setup is such -- we have three public servers, one of which acts as a
>gateway to a private subnet (only packets to the other public servers are
>forwarded.)  As soon as attempts are made to access and modify files on
>more than one of the private subnet clients, the entire system begins to
>fail; locks are lost, files aren't synced, etc.  I've tried setting the fs
>checks -interval to very low values -- 30, 15, etc, but it continues to
>fail whenever more than one of the subnet clients tries to access a file.
>Any ideas?

I never did any thorough testing, but my experiences with AFS + NAT are all bad.
In the end I resorted to IP tunneling to make it work.

What I did is (in short):
* turn one machine into a semi router (interfaces in every relevant VLAN)
* use ip-tunnel to give every server on the public net an extra interface
   with an IP number in the private range.
* use the router machine to connect everything
* on every client, add an extra entry to the routing table to deal with
   the tunnels/router

I still can't issue a 'vos release' on the clients behind NAT, but everything else
works fine.

The tunnel story isn't complete of course, so let me know if you want more details.

The best


Theo van den Bout
WgEP EWI        Tel: 015-2788420
TU-Delft        Fax: 015-2784663
Kluyverweg 6
2629 HT Delft
The Netherlands
Email: tpb@cpmail.twi.tudelft.nl