[OpenAFS] OpenAFS server behind NAT?

Noel Burton-Krahn noel@bkbox.com
Tue, 20 May 2003 22:03:25 -0700


other way,

The external address of the firewall is 1.2.3.4
The afs server has one interface at 192.168.1.1
The firewall forwards all traffic it receives at 1.2.3.4 to 192.168.1.1

So, should my NetInfo be this
192.168.1.1
f 1.2.3.4


I guess I find the definition of "Fake" a little ambiguous.  Does "fake"
mean:
1. an IP address that will be forwarded to the AFS server on this machine,
or
2. an IP address of a local interface which is not visible to external
clients

?

I'll assume 1 for now.

Thanks for your help

--Noel



----- Original Message -----
From: "Todd DeSantis" <atd@us.ibm.com>
To: "Noel Burton-Krahn" <noel@bkbox.com>
Cc: <openafs-info@openafs.org>
Sent: Tuesday, May 20, 2003 8:28 AM
Subject: Re: [OpenAFS] OpenAFS server behind NAT?


>
>
>
>
> Hi Noel:
>
> I do not use NetRestrict.
>
> And you just have to have the server side set in
> /usr/afs/local.
>
> Your NetInfo file
>
> # NetInfo
> 1.2.3.4
> f 192.168.1.1
>
> seems OK.  I am assuming that the 1.2.3.4 is the REAL IP
> address of the fileserver machine.
>
> And then 192.168.1.1 is the dedicated fake IP address
> that the remote clients would use to get to your fileserver.
>
> Thanks
>
> Todd
>
>
>
>
>
> "Noel Burton-Krahn" <noel@bkbox.com>
> 05/20/2003 10:40 AM
> To: Todd DeSantis/Pittsburgh/IBM@ibmus
> cc: <openafs-info@openafs.org>
> Subject: Re: [OpenAFS] OpenAFS server behind NAT?
>
>
>
>
>
>
> Thanks for the tip, Todd.  So, let me confirm.  If my NAT firewall has
> address 1.2.3.4, and it forwards to my AFS server at 192.168.1.1, then my
> NetInfo should be:
>
> # NetInfo
> 1.2.3.4
> f 192.168.1.1
>
> and should I have an empty NetRestrict?
>
> Should these files be exactly the same in /usr/afs/etc and /usr/vice/local?
>
> Thanks again,
> Noel
>
>
> ----- Original Message -----
> From: "Todd DeSantis" <atd@us.ibm.com>
> To: "Noel Burton-Krahn" <noel@bkbox.com>
> Cc: <openafs-info@openafs.org>
> Sent: Tuesday, May 20, 2003 6:09 AM
> Subject: Re: [OpenAFS] OpenAFS server behind NAT?
>
>
> >
> >
> >
> >
> > Hi -
> >
> > Many sites are using AFS behind NAT firewalls.
> >
> > As Derrick mentioned, you need to utilize the NetInfo
> > file on your AFS fileserver.
> >
> > The NetInfo file on the fileserver should contain at
> > least 2 entries
> >       - the real IP
> >       - the (NAT) fake IP, preceded by an "f" for fake
> > This will allow the fileserver to register both IPs in
> > the VLDB and allow clients a path to the fileserver regardless
> > of which side of the NAT they are on.
> >
> > You should also NOT use ifconfig to advertise the fake IP.
> > I have heard that this will cause the NAT to not work.
> >
> > So the NetInfo on the fileserver should be
> >
> > <real.ip>
> > f <fake.ip>
> >
> > The real IP should be listed first so that all volserver
> > admin work can take place on the inside of the NAT.  Most,
> > if not all volserver commands will only work on the first IP.
> > Having fileservers on either side of the NAT and expecting
> > "vos release" to work across the NAT is not an easy thing
> > to get working, so you will want to stay away from this type of
> > setup.
> >
> > Restart the fileserver and it should register itself in the VLDB.
> >
> > You can determine if the VLDB has both IPs by doing
> >
> > # vos listaddrs
> >
> > and this command will list the addresses registered for all
> > fileservers.
> >
> > The remote clients should have the Database Server's "fake ip" listed
> > in their /usr/vice/etc/CellServDB so they know how to get to the
> > vlservers for location information.
> >
> >
> > Thanks
> >
> > Todd
> >
> >
> >
> >
> >
> > "Noel Burton-Krahn" <noel@bkbox.com>
> > Sent by: openafs-info-admin@openafs.org
> > 05/19/2003 01:39 AM
> > To: <openafs-info@openafs.org>
> > cc:
> > Subject: [OpenAFS] OpenAFS server behind NAT?
> >
> >
> >
> >
> >
> >
> >
> > Anyone set up an AFS server behind a NAT firewall?   I've had no luck in
> > the archives.  Here's my setup:
> >
> > I've got an AFS server with a 192.168 address behind a NAT firewall with
> > a real IP.
> >
> > Internet
> > |
> > |
> > NAT firewall
> > ip.real
> > |
> > |
> > AFS server
> > 192.168.1.1
> >
> > First problem: AFS reports its 192.168.1.1 address to clients, who of
> > course can't connect back.  I fixed that by putting the real IP in NetInfo
> > and the fake in NetRestrict.  I also had to add a fake interface on the AFS
> > server with the real IP address
> >
> > # /usr/afs/etc/NetInfo
> > ip.real
> >
> > # /usr/vice/local/NetRestrict
> > 192.168.1.1
> >
> > # set up fake interface on AFS server with real IP
> > ifconfig eth0:0 ip.real
> >
> > Now I look at both machines
> > fs getclientaddrs
> > fs getserverprefs
> >
> > and they have only the real IP, good!
> >
> > But, listing my behind-the-firewall AFS server still hangs forever on a
> > remote client.  I've checked out a tcpdump on both client and server
> > while the client is hung.  I see that both sides are exchanging
> > afs3-fileserver and afs3-callback traffic, but the client is missing some
> > fileserver responses.
> >
> >
> > Help!  Is there any way to get an AFS server working behind a NAT
> > firewall?
> >
> > Noel Burton-Krahn
> > noel@bkbox.com
> > 250-382-8767
> >
> > BKbox - The total remote office solution
> > http://www.bkbox.com
>
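
A small linter for the NetInfo layout Todd describes in the thread above (real IP first, then the NAT address prefixed with "f"), added here as an illustration; it is not part of any poster's message and not OpenAFS code. The function names and the rule of skipping "#" label lines are assumptions, the sample files are constructed from the addresses used in the thread, and the linter checks only the layout, not which address is the real one.

```python
import ipaddress

def parse_netinfo(text):
    """Parse NetInfo text into [(address, is_fake), ...] in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: '#' lines are labels, as in the thread's listings.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        is_fake = fields[0] == "f"
        if is_fake:
            fields = fields[1:]
        if len(fields) != 1:
            raise ValueError(f"line {lineno}: expected '<ip>' or 'f <ip>'")
        try:
            addr = ipaddress.IPv4Address(fields[0])
        except ValueError:
            raise ValueError(f"line {lineno}: not an IPv4 address: {fields[0]!r}")
        entries.append((str(addr), is_fake))
    return entries

def lint_netinfo(text):
    """Return findings against the 'real first, then f <fake>' layout."""
    entries = parse_netinfo(text)
    findings = []
    if not entries:
        return ["no address entries"]
    if entries[0][1]:
        findings.append("first entry is marked 'f'; the real IP should be listed first")
    if not any(fake for _, fake in entries):
        findings.append("no 'f' entry; only the listed real address is covered")
    addrs = [a for a, _ in entries]
    for dup in sorted({a for a in addrs if addrs.count(a) > 1}):
        findings.append(f"address listed more than once: {dup}")
    return findings

# Constructed samples using the addresses from the thread.
SAMPLE_OK = "# NetInfo\n1.2.3.4\nf 192.168.1.1\n"
SAMPLE_FAKE_FIRST = "f 192.168.1.1\n1.2.3.4\n"
SAMPLE_NO_FAKE = "1.2.3.4\n"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_FAKE_FIRST", "SAMPLE_NO_FAKE"):
        print(name, lint_netinfo(globals()[name]) or "ok")
```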