[OpenAFS-devel] Rx over TCP to solve some NAT & Firewall issues?

Jimmy Engelbrecht jimmy@e.kth.se
20 Nov 2003 12:41:00 +0100


Erland Lewin <erland@lewin.nu> writes:

>  From my perspective, a major hindrance to wider use of AFS is that it
> is difficult to access AFS for users behind a NAT and/or firewall. In
> my case, I want to access my AFS shares from my laptop wherever I
> connect to the network.
> 
> If I understand correctly, all AFS communication from server to client
> uses UDP to the callback port 7001 on the client. This is the traffic
> that is most likely to have problems with NAT and firewalls.
> 
> If the client started by making a TCP connection to the server on port
> 7001, and the server sent all callback traffic to that client over
> that TCP connection, it seems to me that that would solve a number of
> problems.

I never had problems running AFS behind NAT.
Open 7000-7007/UDP in your firewall, and don't close UDP connections for at
least 2 hours.

Or follow the instructions in FAQ 3.17:
http://grand.central.org/twiki/bin/view/AFSLore/AdminFAQ

> Possible problems with this approach are:
> - TCP may cause worse performance than UDP.

I do believe that TCP performs better than RX for bulk data transfer.

> - Can multiple users behind the same NAT be handled?

I see no reason why it shouldn't, but I have never tested it.

> - For large servers, the number of TCP connections may become too great

I don't think that's a problem; this was a problem 15 years ago when AFS
was implemented.

> I'm not proposing that this be the default behaviour - but for those
> servers that are prepared to live with the above limitations, it would
> be great to be able to access AFS shares in more situations.

RX calls over TCP sound great (however, I do not care about NAT issues at
all), but who writes the code?

/Jimmy