[OpenAFS] multiple NAT clients, now losing contact

Theo van den Bout theoml@arum.et.tudelft.nl
Mon, 21 Jun 2004 11:58:37 +0200

Matthew Turk wrote:

>>Matthew pointed out that his machine has a
>>net.ipv4.netfilter.ip_conntrack_udp_timeout setting that should be usable
>>for this purpose.
>Having done this, we had no problems for a few hours -- no losing contact
>or anything -- but now the forwarding system begins to have trouble
>contacting file servers (Lost contact with file server xx.xx.xx.xx in cell
>) and has begun commenting that the file server is multi-homed.  However,
>this isn't true -- the file servers it loses contact with are NOT
>Our setup is such -- we have three public servers, one of which acts as a
>gateway to a private subnet (only packets to the other public servers are
>forwarded.)  As soon as attempts are made to access and modify files on
>more than one of the private subnet clients, the entire system begins to
>fail; locks are lost, files aren't synced, etc.  I've tried setting the fs
>checks -interval to very low values -- 30, 15, etc, but it continues to
>fail whenever more than one of the subnet clients tries to access a file.
>Any ideas?
I never did any thorough testing, but my experiences with AFS + NAT are
all bad.
In the end I resorted to IP tunneling to make it work.

What I did is (in short):
* turn one machine into a semi router (interfaces in every relevant VLAN)
* use ip-tunnel to give every server on the public net an extra interface
   with an IP number in the private range.
* use the router machine to connect everything
* on every client, add an extra entry to the routing table to deal with
   the tunnels/router

I still can't issue a 'vos release' on the clients behind NAT, but
everything else works fine.

The tunnel story isn't complete of course, so let me know if you want 
more details.

The best
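As an added illustration of the four steps above (this is not Theo's own configuration, which he did not post): a small dry-run-capable script that emits the commands for each of the three roles. The GRE mode, the interface name afstun0 and every address are assumptions; the point is that clients and fileservers then see each other's real (private-range) addresses end to end, so the Rx/UDP callback state that NAT conntrack timeouts were breaking is never rewritten.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the tunnel+routing setup
# described in the mail: a GRE tunnel between each public AFS fileserver and
# the "semi router", a private-range address on the server's tunnel end, and
# an extra route on every private client. All addresses are constructed
# placeholders; GRE itself adds no confidentiality or authentication.
ROUTER_PUB=${ROUTER_PUB:-203.0.113.1}    # router's public address (placeholder)
ROUTER_PRIV=${ROUTER_PRIV:-10.0.0.1}     # router's address on the private subnet
SERVER_PUB=${SERVER_PUB:-203.0.113.10}   # this fileserver's public address
SERVER_PRIV=${SERVER_PRIV:-10.0.0.10}    # private-range address for the tunnel end
PRIV_NET=${PRIV_NET:-10.0.0.0/24}        # subnet the formerly NAT'd clients live on
TUN=${TUN:-afstun0}                      # assumed tunnel interface name

# run: execute the command, or only print it when DRY_RUN is set (review first).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# On the public fileserver: tunnel to the router, private address, route to clients.
server_side() {
    run ip tunnel add "$TUN" mode gre local "$SERVER_PUB" remote "$ROUTER_PUB" ttl 64
    run ip addr add "$SERVER_PRIV/32" dev "$TUN"
    run ip link set "$TUN" up
    run ip route add "$PRIV_NET" dev "$TUN"    # private subnet via tunnel, not NAT
}

# On the router: the matching tunnel end plus a host route to the server's private address.
router_side() {
    run ip tunnel add "$TUN" mode gre local "$ROUTER_PUB" remote "$SERVER_PUB" ttl 64
    run ip link set "$TUN" up
    run ip route add "$SERVER_PRIV/32" dev "$TUN"
}

# On every private client: reach the server's private address through the router.
client_side() {
    run ip route add "$SERVER_PRIV/32" via "$ROUTER_PRIV"
}

case "${1:-}" in
    server) server_side ;;
    router) router_side ;;
    client) client_side ;;
    *) : ;;    # no argument: only define functions
esac
```

Run with `DRY_RUN=1 sh afstun.sh server` to inspect the commands before applying them as root on each machine.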


