[OpenAFS] AFS, IP-Filters, and NAT

Charles Clancy mgrtcc@cs.rose-hulman.edu
Sun, 8 Jul 2001 12:16:42 -0500 (EST)


On 7 Jul 2001, Derek Atkins wrote:

> Charles Clancy <mgrtcc@cs.rose-hulman.edu> writes:
>
> > I'm trying to configure a cluster of Sun machines behind a NAT
> > proxy/firewall using ip-filters.  They all run an AFS client that accesses
> > an AFS server off the NAT.
>
> You do not need to map ports directly.  Just change your UDP timeout
> so that UDP ports originating inside the NAT from port 7001 have NO
> timeout.  That way the NAT box will always remember the mapping for
> those ports.  Alternatively, you can set the UDP timeout to something
> large, like 30 minutes.  That should assure that the mapping is kept
> alive.

I ended up using Win2K's NAT, and changing the UDP timeout from 1 minute
to 1 hour.  While this *seemed* to work, performance was pretty bad.
When looking at the NAT mappings, Win2K would use the same source port
multiple times, provided the destination IP and port were different, so it
could still distinguish incoming packets.  I'm not sure if this could
cause any problems with the AFS servers' (1 on cell and 3 off cell)
cache of client IP/ports.

Has anyone gotten multiple AFS clients to work behind a NAT, and achieved
close to the performance of being connected to a routable subnet?  If so,
what NAT implementation were you using?

I've basically abandoned the project anyway, because it seems NIS+ won't
work behind a NAT due to all of its RPC stuff.  Maintaining a second NIS+
server inside the NAT is less than an elegant solution.
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus, RHIT Computer Science
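The two NAT behaviours discussed in this thread (the UDP mapping timeout that Derek suggests raising for traffic from port 7001, and the Win2K habit of reusing one external source port for several destinations) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread or from any NAT or AFS implementation: the NAT table, its port allocation policy and the traffic are a constructed simulation. It assumes the AFS fileserver listens on UDP 7000 (an assumption for the example; only the client's 7001 is named in the thread) and that a fileserver sends callback traffic to the client's mapped port unsolicited, which is why an idle mapping that has expired drops it.

```python
"""Simulation of a NAT's UDP mapping table and its effect on AFS callbacks.

Added example, not from the thread: the table, timeouts, addresses and
ports below are constructed for illustration.
"""

AFS_CLIENT_PORT = 7001       # cache manager's UDP port, as named in the thread
AFS_FILESERVER_PORT = 7000   # assumed fileserver port for this example


class NatTable:
    """Minimal UDP NAT: one mapping per internal endpoint (endpoint-independent),
    or, with per_destination=True, one mapping per (internal endpoint, remote)
    pair, which models the Win2K behaviour described in the message."""

    def __init__(self, udp_timeout, per_destination=False, first_port=40000):
        self.udp_timeout = udp_timeout        # idle seconds before a mapping is dropped
        self.per_destination = per_destination
        self.next_port = first_port           # next fresh external port to hand out
        self.mappings = {}                    # key -> {ext_port, internal, remote, last_seen}

    def _expire(self, now):
        stale = [k for k, m in self.mappings.items()
                 if now - m['last_seen'] > self.udp_timeout]
        for k in stale:
            del self.mappings[k]

    def _alloc_port(self, remote):
        if self.per_destination:
            # Reuse an external port already in use, as long as this remote
            # endpoint is not yet paired with it; replies stay distinguishable.
            in_use = {(m['ext_port'], m['remote']) for m in self.mappings.values()}
            for p in sorted({m['ext_port'] for m in self.mappings.values()}):
                if (p, remote) not in in_use:
                    return p
        p = self.next_port
        self.next_port += 1
        return p

    def outbound(self, int_ip, int_port, dst_ip, dst_port, now):
        """Translate an outgoing datagram, creating or refreshing its mapping.
        Returns the external source port the datagram leaves with."""
        self._expire(now)
        remote = (dst_ip, dst_port)
        key = (int_ip, int_port, remote) if self.per_destination else (int_ip, int_port)
        m = self.mappings.get(key)
        if m is None:
            m = {'ext_port': self._alloc_port(remote), 'internal': (int_ip, int_port),
                 'remote': remote, 'last_seen': now}
            self.mappings[key] = m
        m['last_seen'] = now
        return m['ext_port']

    def inbound(self, ext_port, src_ip, src_port, now):
        """Translate an incoming datagram. Returns the internal (ip, port) it is
        forwarded to, or None if no live mapping matches (the NAT drops it)."""
        self._expire(now)
        for m in self.mappings.values():
            if m['ext_port'] != ext_port:
                continue
            if self.per_destination and m['remote'] != (src_ip, src_port):
                continue
            m['last_seen'] = now
            return m['internal']
        return None


def afs_callback_delivered(udp_timeout, idle_seconds):
    """Client 10.0.0.5 talks to a fileserver once, then stays idle. Does an
    unsolicited callback from the fileserver after idle_seconds still reach it?"""
    nat = NatTable(udp_timeout)
    ext = nat.outbound('10.0.0.5', AFS_CLIENT_PORT, '192.0.2.10', AFS_FILESERVER_PORT, now=0)
    return nat.inbound(ext, '192.0.2.10', AFS_FILESERVER_PORT, now=idle_seconds) is not None


def win2k_style_port_reuse():
    """Two clients, both on 7001, against two fileservers, with per-destination
    mappings: the external port is shared whenever the remote differs."""
    nat = NatTable(3600, per_destination=True)
    a = nat.outbound('10.0.0.5', 7001, '192.0.2.10', 7000, now=0)
    b = nat.outbound('10.0.0.6', 7001, '192.0.2.11', 7000, now=0)  # other server: port reused
    c = nat.outbound('10.0.0.6', 7001, '192.0.2.10', 7000, now=0)  # same server as a: new port
    return a, b, c


if __name__ == "__main__":
    print("60s timeout, callback after 2 min:  ", afs_callback_delivered(60, 120))
    print("3600s timeout, callback after 2 min:", afs_callback_delivered(3600, 120))
    print("per-destination external ports (a, b, c):", win2k_style_port_reuse())
```

With the one-minute default the mapping is gone before the fileserver's callback arrives and the NAT silently drops it; with the hour-long timeout (or no timeout for port 7001, as Derek suggests) the same callback is forwarded. The port-reuse function shows why a per-destination NAT can hand the same external port to two clients: a fileserver still sees two distinct source addresses only if it keys its client cache on the remote endpoint it actually talked to, which is the doubt the message raises about the servers' IP/port cache.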