[OpenAFS-devel] Multiple clients behind NAT

Ethan Tira-Thompson ejt@andrew.cmu.edu
Wed, 12 Jul 2006 13:05:32 -0400


> You are either worrying too much
Indeed worrying too much -- it's working now.
My first attempt caused issues where the NAT box's AFS was getting  
"connection timed out" errors, which was screwing up its ability to  
act as our CVS interface, so I didn't want to try it again until I  
was reasonably sure everything else was going to work.  (I think the  
earlier problem was caused by not increasing the UDP connection  
timeout [1])

And if anyone was curious, I did personally verify (using netcat)  
that iptables sees all network traffic originating on its host,  
allowing it to remap UDP ports to avoid conflicts.  So you can run  
an AFS client on the NAT box itself (as well as multiple clients behind  
the NAT), with iptables at least.  (My concern was if the NAT  
software only saw incoming traffic, it wouldn't know about potential  
port conflicts with UDP traffic originating on the host itself)

-ethan

[1] On Fedora Core 3, this entailed:
# /sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout=480
# /sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=900
(the latter probably being the critical one -- 15 minute inactivity  
timeout before the NAT considers giving the port to a different client)
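The netcat check in the post answers the question on the wire; the same thing can be read off the kernel's connection-tracking table, which records, for each NATed flow, the source port the client used and the source port the fileserver actually sees. The script below is an added example, not code from the post or from OpenAFS. It assumes a kernel that exposes /proc/net/nf_conntrack (the Fedora Core 3 kernel in the post used /proc/net/ip_conntrack, whose lines lack the leading "ipv4 2" columns and are not parsed here), that the fileserver listens on UDP 7000 and cache managers use UDP 7001, and the sample table it carries is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenAFS.
# For every tracked UDP flow to the AFS fileserver port, show whether the NAT
# kept the client's source port or had to remap it to avoid a collision.
# Assumes /proc/net/nf_conntrack (not the older /proc/net/ip_conntrack layout).

AFS_FS_PORT=7000   # fileserver listens on UDP 7000; cache managers send from 7001

# afs_nat_map [FILE]
# Prints one line per tracked UDP flow whose original destination port is
# $AFS_FS_PORT:
#   <orig src> <orig sport> <sport seen by server> <direct|remapped> <timeout left>
afs_nat_map() {
    awk -v port="$AFS_FS_PORT" '
    $3 == "udp" {
        # tuple 1 is the original direction, tuple 2 the reply direction; the
        # reply tuple dport is the source port the fileserver really sees.
        split("", src); split("", sport); split("", dport); n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n < 2 || dport[1] != port) next
        state = (sport[1] == dport[2]) ? "direct" : "remapped"
        print src[1], sport[1], dport[2], state, $5
    }' "${1:-/proc/net/nf_conntrack}"
}

# udp_stream_timeout
# Echoes the current UDP "stream" conntrack timeout in seconds, trying the
# modern net.netfilter sysctl path first and the older net.ipv4.netfilter
# path (the one the post sets) second.
udp_stream_timeout() {
    for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unknown
    return 1
}

# Constructed sample of /proc/net/nf_conntrack output (not captured from a real
# host). 203.0.113.5 is the NAT box's outside address, 192.168.1.20 a client
# behind it, 192.0.2.10 the fileserver. The NAT box's own cache manager keeps
# source port 7001; the inside client collides with it and is remapped to 1024.
SAMPLE='ipv4     2 udp      17 893 src=203.0.113.5 dst=192.0.2.10 sport=7001 dport=7000 src=192.0.2.10 dst=203.0.113.5 sport=7000 dport=7001 [ASSURED] mark=0 use=1
ipv4     2 udp      17 870 src=192.168.1.20 dst=192.0.2.10 sport=7001 dport=7000 src=192.0.2.10 dst=203.0.113.5 sport=7000 dport=1024 [ASSURED] mark=0 use=1
ipv4     2 udp      17 25 src=192.168.1.20 dst=192.0.2.10 sport=33000 dport=53 [UNREPLIED] src=192.0.2.10 dst=203.0.113.5 sport=53 dport=33000 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.0.2.10 sport=40000 dport=22 src=192.0.2.10 dst=203.0.113.5 sport=22 dport=40000 [ASSURED] mark=0 use=1'

# Stand-alone run: `sh afs_nat_map.sh --demo` shows the sample, the current
# stream timeout, and the live table if this host has one.
if [ "${1:-}" = "--demo" ]; then
    echo "sample:"; printf '%s\n' "$SAMPLE" | afs_nat_map -
    echo "udp stream timeout: $(udp_stream_timeout)s"
    [ -r /proc/net/nf_conntrack ] && { echo "live:"; afs_nat_map; }
fi
```

The "timeout left" column is the seconds remaining before conntrack forgets the entry and may hand the mapped port to someone else; if it never climbs above the plain udp_timeout value even while the cache manager is talking to the server, the stream timeout the post raises is not the one being applied.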
