[OpenAFS] OpenAFS server behind NAT?
Noel Burton-Krahn
noel@bkbox.com
Tue, 20 May 2003 07:40:04 -0700
Thanks for the tip, Todd. So, let me confirm. If my NAT firewall has
address 1.2.3.4, and it forwards to my AFS server at 192.168.1.1, then my
NetInfo should be:
# NetInfo
1.2.3.4
f 192.168.1.1
and should I have an empty NetRestrict?
Should these files be exactly the same in /usr/afs/etc and /usr/vice/local?
Thanks again,
Noel
----- Original Message -----
From: "Todd DeSantis" <atd@us.ibm.com>
To: "Noel Burton-Krahn" <noel@bkbox.com>
Cc: <openafs-info@openafs.org>
Sent: Tuesday, May 20, 2003 6:09 AM
Subject: Re: [OpenAFS] OpenAFS server behind NAT?
>
>
>
>
> Hi -
>
> Many sites are using AFS behind NAT firewalls.
>
> As Derrick mentioned, you need to utilize the NetInfo
> file on your AFS fileserver.
>
> The NetInfo file on the fileserver should contain at
> least 2 entries
> - the real IP
> - the (NAT) fake IP, preceded by an "f" for fake
> This will allow the fileserver to register both IPs in
> the VLDB and allow clients a path to the fileserver regardless
> of which side of the NAT they are on.
>
> You should also NOT use ifconfig to advertise the fake IP.
> I have heard that this will cause the NAT to not work.
>
> So the NetInfo on the fileserver should be
>
> <real.ip>
> f <fake.ip>
>
> The real IP should be listed first so that all volserver
> admin work can take place on the inside of the NAT. Most,
> if not all volserver commands will only work on the first IP.
> Having fileservers on either side of the NAT and expecting
> "vos release" to work across the NAT is not an easy thing
> to get working, so you will want to stay away from this type of
> setup.
>
> Restart the fileserver and it should register itself in the VLDB.
>
> You can determine if the VLDB has both IPs by doing
>
> # vos listaddrs
>
> and this command will list the addresses registered for all
> fileservers.
>
> The remote clients should have the Database Server's "fake ip" listed
> in their /usr/vice/etc/CellServDB so they know how to get to the
> vlservers for location information.
>
>
> Thanks
>
> Todd
>
>
>
>
>
> "Noel Burton-Krahn"
> <noel@bkbox.com> To:
<openafs-info@openafs.org>
> Sent by: cc:
> openafs-info-admin@ Subject: [OpenAFS]
OpenAFS server behind NAT?
> openafs.org
>
>
> 05/19/2003 01:39 AM
>
>
>
>
>
>
>
> Anyone set up an AFS server behind a NAT firewall? I've had no luck in
> the
> archives. Here's my setup:
>
> I've got an AFS server with a 192.168 address behind a NAT firewall with a
> real IP.
>
> Internet
> |
> |
> NAT firewall
> ip.real
> |
> |
> AFS server
> 192.168.1.1
>
> First problem: AFS reports its 192.168.1.1 address to clients, who of
> course
> can't connect back. I fixed that by putting the real IP in NetInfo and
the
> fake in NetRestrict. I also had to add a fake interface on the AFS server
> with the real IP address
>
> # /usr/afs/etc/NetInfo
> ip.real
>
> # /usr/vice/local/NetRestrict
> 192.168.1.1
>
> # set up fake interface on AFS server with real IP
> ifconfig eth0:0 ip.real
>
> Now I look at both machines
> fs getclientaddrs
> fs getserverprefs
>
> and they have only the real IP, good!
>
> But, listing my behind-the-fireall AFS server still hangs forever on a
> remote client. I've checked out a tcpdump on both client and server while
> the client is hung. I see that both sides are exchanging afs3-fileserver
> and afs3-callback traffic, but the client is missing some fileserver
> responses.
>
>
> Help! Is there any way to get an AFS server working behind a NAT
firewall?
>
> Noel Burton-Krahn
> noel@bkbox.com
> 250-382-8767
>
> BKbox - The total remote office solution
> http://www.bkbox.com
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
>