[OpenAFS] OpenAFS server behind NAT?

Todd DeSantis atd@us.ibm.com
Tue, 20 May 2003 09:09:59 -0400




Hi -

Many sites are using AFS behind NAT firewalls.

As Derrick mentioned, you need to utilize the NetInfo
file on your AFS fileserver.

The NetInfo file on the fileserver should contain at
least 2 entries
      - the real IP
      - the (NAT) fake IP, preceded by an "f" for fake
This will allow the fileserver to register both IPs in
the VLDB and allow clients a path to the fileserver regardless
of which side of the NAT they are on.

You should also NOT use ifconfig to advertise the fake IP.
I have heard that this will cause the NAT to not work.

So the NetInfo on the fileserver should be

<real.ip>
f <fake.ip>

The real IP should be listed first so that all volserver
admin work can take place on the inside of the NAT.  Most,
if not all volserver commands will only work on the first IP.
Having fileservers on either side of the NAT and expecting
"vos release" to work across the NAT is not an easy thing
to get working, so you will want to stay away from this type of
setup.

Restart the fileserver and it should register itself in the VLDB.

You can determine if the VLDB has both IPs by doing

# vos listaddrs

and this command will list the addresses registered for all
fileservers.

The remote clients should have the Database Server's "fake ip" listed
in their /usr/vice/etc/CellServDB so they know how to get to the
vlservers for location information.


Thanks

Todd
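Added example (mine, not Todd's and not OpenAFS project code): a small POSIX
shell script that checks a NetInfo file against the layout described above
(real IP on the first line, NAT address on a line prefixed with "f") and
checks "vos listaddrs" output for a server line that carries both addresses.
The file names, the 192.168.1.1 / 203.0.113.10 addresses and the sample
listaddrs output are constructed for the demo; that vos listaddrs prints one
server's addresses space-separated on a single line is my assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for a fileserver NetInfo
# file and for the VLDB registration it should produce. All paths, addresses
# and the sample "vos listaddrs" output below are constructed assumptions.

# netinfo_check FILE
# Succeeds only when the first non-blank line is a bare IPv4 address (the real,
# inside address, so volserver/vos work goes over it), at least one later line
# is "f <addr>" marking the NAT address, and every other line is a bare address.
netinfo_check() {
    awk '
        function is_ip(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
        /^[ \t]*$/ { next }
        { n++ }
        n == 1 && !(NF == 1 && is_ip($1)) { bad = 1 }
        n > 1 && NF == 2 && $1 == "f" && is_ip($2) { fakes++; next }
        n > 1 && !(NF == 1 && is_ip($1)) { bad = 1 }
        END { exit ((bad || n < 2 || fakes < 1) ? 1 : 0) }
    ' "$1"
}

# vldb_has_both REAL FAKE
# Reads "vos listaddrs" output on stdin (assumed: one fileserver per line,
# addresses separated by spaces) and succeeds when a single server line lists
# both addresses, i.e. the fileserver registered both in the VLDB.
vldb_has_both() {
    awk -v real="$1" -v fake="$2" '
        {
            hr = 0; hf = 0
            for (i = 1; i <= NF; i++) { if ($i == real) hr = 1; if ($i == fake) hf = 1 }
            if (hr && hf) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# --- demo on constructed files (real use: netinfo_check /usr/afs/local/NetInfo
#     and "vos listaddrs | vldb_has_both <real.ip> <fake.ip>") ---
tmp=${TMPDIR:-/tmp}/netinfo-check.$$
mkdir -p "$tmp"
# the layout recommended above: real IP first, NAT address on an "f" line
printf '192.168.1.1\nf 203.0.113.10\n' > "$tmp/NetInfo.good"
# real IP only, no "f" entry: clients on the inside lose their path
printf '203.0.113.10\n' > "$tmp/NetInfo.bad"
for f in good bad; do
    if netinfo_check "$tmp/NetInfo.$f"; then
        echo "NetInfo.$f: ok"
    else
        echo "NetInfo.$f: rejected"
    fi
done

# constructed stand-in for "vos listaddrs" output: two fileservers, the second
# one multihomed with both the inside and the NAT address
sample='10.0.0.5
192.168.1.1 203.0.113.10'
if printf '%s\n' "$sample" | vldb_has_both 192.168.1.1 203.0.113.10; then
    echo "VLDB lists both addresses for the fileserver"
fi
rm -rf "$tmp"
```

Run it on the fileserver after editing NetInfo and restarting; for the VLDB
check pipe the real command (vos listaddrs | vldb_has_both real.ip fake.ip),
which needs the vos binary and is not run in the demo above.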

"Noel Burton-Krahn" <noel@bkbox.com>
Sent by: openafs-info-admin@openafs.org
To: <openafs-info@openafs.org>
Subject: [OpenAFS] OpenAFS server behind NAT?
05/19/2003 01:39 AM

Anyone set up an AFS server behind a NAT firewall?   I've had no luck in the
archives.  Here's my setup:

I've got an AFS server with a 192.168 address behind a NAT firewall with a
real IP.

Internet
|
|
NAT firewall
ip.real
|
|
AFS server
192.168.1.1

First problem: AFS reports its 192.168.1.1 address to clients, who of course
can't connect back.  I fixed that by putting the real IP in NetInfo and the
fake in NetRestrict.  I also had to add a fake interface on the AFS server
with the real IP address

# /usr/afs/etc/NetInfo
ip.real

# /usr/vice/local/NetRestrict
192.168.1.1

# set up fake interface on AFS server with real IP
ifconfig eth0:0 ip.real

Now I look at both machines
fs getclientaddrs
fs getserverprefs

and they have only the real IP, good!

But, listing my behind-the-firewall AFS server still hangs forever on a
remote client.  I've checked out a tcpdump on both client and server while
the client is hung.  I see that both sides are exchanging afs3-fileserver
and afs3-callback traffic, but the client is missing some fileserver
responses.


Help!  Is there any way to get an AFS server working behind a NAT firewall?

Noel Burton-Krahn
noel@bkbox.com
250-382-8767

BKbox - The total remote office solution
http://www.bkbox.com


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info