> You are either worrying too much
Indeed worrying too much -- it's working now.
My first attempt caused issues where the NAT box's AFS was getting "connection timed out" errors, which was screwing up its ability to act as our CVS interface, so I didn't want to try it again until I was reasonably sure everything else was going to work.  (I think the earlier problem was caused by not increasing the udp connection timeout [1])

And if anyone was curious, I did personally verify (using netcat) that iptables sees all network traffic originating on its host, allowing it to remap UDP ports to avoid conflicts.  So you can run AFS client on the NAT box itself (as well as multiple clients behind the NAT), with iptables at least.  (My concern was if the NAT software only saw incoming traffic, it wouldn't know about potential port conflicts with UDP traffic originating on the host itself)

-ethan

[1] On Fedora Core 3, this entailed:
# /sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout=480
# /sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=900
(the latter probably being the critical one -- 15 minute inactivity timeout before the NAT considers giving the port to a different client)
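A small audit script, added here as an illustration and not part of the mail above: it reads `sysctl -a`-style "key = value" lines and reports whether the two conntrack UDP timeouts are at least the values the mail settled on (480 and 900 seconds). The input text is passed as an argument so it can be run on a constructed sample; accepting the newer `net.netfilter.nf_conntrack_udp_timeout*` key names alongside the Fedora Core 3 `ip_conntrack_*` ones is my assumption, not something the mail states.

```shell
#!/bin/sh
# Audit conntrack UDP timeouts against the minimums used in the mail.
# Added example, not the original poster's code. Run on a live box with:
#   check_udp_timeouts "$(sysctl -a 2>/dev/null)"
# Key names matched by suffix so both the FC3-era ip_conntrack_* keys and the
# newer nf_conntrack_* keys (assumed) are recognised.

MIN_UDP_TIMEOUT=480          # net.ipv4.netfilter.ip_conntrack_udp_timeout
MIN_UDP_STREAM_TIMEOUT=900   # net.ipv4.netfilter.ip_conntrack_udp_timeout_stream

# $1: sysctl output, one "key = value" per line.
# Prints a verdict per key; exit status 0 if both meet the minimum, 1 otherwise.
check_udp_timeouts() {
  printf '%s\n' "$1" | awk -v min_plain="$MIN_UDP_TIMEOUT" \
                           -v min_stream="$MIN_UDP_STREAM_TIMEOUT" '
    $1 ~ /_udp_timeout$/        { plain  = $3 }
    $1 ~ /_udp_timeout_stream$/ { stream = $3 }
    END {
      rc = 0
      if (plain == "")                 { print "udp_timeout: key not found"; rc = 1 }
      else if (plain + 0 < min_plain)  { printf "udp_timeout: %s < %s\n", plain, min_plain; rc = 1 }
      else                             { printf "udp_timeout: %s ok\n", plain }
      if (stream == "")                { print "udp_timeout_stream: key not found"; rc = 1 }
      else if (stream + 0 < min_stream){ printf "udp_timeout_stream: %s < %s\n", stream, min_stream; rc = 1 }
      else                             { printf "udp_timeout_stream: %s ok\n", stream }
      exit rc
    }'
}

# Constructed sample input (not captured from a real host) for a stand-alone run.
SAMPLE_OK='net.ipv4.netfilter.ip_conntrack_udp_timeout = 480
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 900'

check_udp_timeouts "$SAMPLE_OK"
```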
