NAT Port Forwarding and Resources


Martin

Oct 21, 2020, 9:53:51 AM10/21/20
to iRODS-Chat

Hi all,

we are setting up an iRODS zone in a private IP subnet. We would like to use port forwarding - DNAT from a public IP to the iCAT which has a private IP.

The problem is of course with resources: I have to create a resource which has a certain DNS hostname. From the public internet, the hostname points to the public IP. This apparently creates a problem when initiating a transfer on that resource: the iCAT server tries to reach the public IP on port 1247, which essentially creates a loop in the firewall.

I have tried to override the hostname using /etc/hosts and hosts_config.json on the iCAT server; however, it seems that the client initiating the transfer receives the overridden (private) IP of the resource and not the public one.

Is there any official guide how to operate iRODS behind NAT?

Thank you.

Cheers,
Martin


Terrell Russell

Oct 21, 2020, 10:05:50 AM10/21/20
to irod...@googlegroups.com
Hi Martin,

Welcome.

Sorry the hosts_config.json route didn't work - that's been a pretty robust solution for a while...

That said...

Short answer.... No.

Longer answer... Each iRODS server is independently resolving clients and other servers, and since server-server connections are, themselves, just client connections, the hostnames have to align with the IPs. You've already discovered/realized this. Due to the redirection model (for point-to-point direct transfers), spanning a NAT does seem tricky/impossible with the current protocol.


Does traversing the NAT work with small files (<32MB)?

What happens if you attempt a transfer using streaming (-N0) for a large file, rather than parallel transfer?

Terrell



--
--
The Integrated Rule-Oriented Data System (iRODS) - https://irods.org
 
iROD-Chat: http://groups.google.com/group/iROD-Chat
---
You received this message because you are subscribed to the Google Groups "iRODS-Chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irod-chat+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/irod-chat/dda85f97-ba0a-4cbe-bbd6-52ddcc9aba2bn%40googlegroups.com.

Martin Golasowski

Oct 21, 2020, 11:17:21 AM10/21/20
to irod...@googlegroups.com
Thank you for a quick answer. Yes, it works for small files as well as for streaming transfer but not for the parallel transfers.

One solution would probably be to set up a dedicated resource server with its own public IP without NAT, which would then support parallel transfers, if required.

The main reason for doing this is the rather limited pool of public IPs we can use, and also we’d like to do a fully redundant HAProxy/keepalived setup with a single virtual IP (private) which points to multiple iCATs.

I have already tried it and it works with NAT, except for the parallel transfer with the higher ports.

Regards,
Martin



Terrell Russell

Oct 21, 2020, 11:37:48 AM10/21/20
to irod...@googlegroups.com
Very good - thanks for the confirmation.

Yes, your idea of an 'edge' or 'cache' server with a replica of the data of interest should work - an external client will be able to use parallel transfers with that server.

Please let us know how it goes - we'd be happy to use/convert your use case into documentation for others.

Terrell




Martin Golasowski

Oct 23, 2020, 7:13:56 AM10/23/20
to irod...@googlegroups.com
Hi,
so in the end, we simply used public IP addresses for our HAProxy cluster and put the iCAT servers behind it. We have two HAProxy servers with a virtual IP moved between them with VRRP using keepalived. The iCAT servers have private addresses and they are set up as backends in the proxy configuration. 

I have used a single unix filesystem resource which points to the public IP of the cluster. Parallel transfer works this way, the only thing I had to modify was to put the virtual public IP as “local” in the hosts_config.json.

Regards,
Martin
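An added illustration of the hosts_config.json change Martin mentions, written for this thread and not taken from the thread or from the iRODS project: the "local" entry tells the iCAT server that the public virtual IP of the HAProxy cluster (and its DNS name) are addresses for itself, so the server does not try to connect to the VIP over the firewall when a client is redirected to the resource. All hostnames and addresses below are constructed placeholders (RFC 5737 documentation range for the public VIP, a private 10.0.0.0/8 address for the iCAT); the file layout is the hosts_config.json format used by iRODS 4.x.

```json
{
    "host_entries": [
        {
            "address_type": "local",
            "addresses": [
                {"address": "icat1.internal.example.org"},
                {"address": "10.0.0.11"},
                {"address": "irods.example.org"},
                {"address": "203.0.113.10"}
            ]
        }
    ]
}
```

Each iCAT behind the proxy needs its own copy with its own private name and address in the same "local" list alongside the shared VIP entries. For the parallel-transfer case that failed over plain DNAT, the proxy must pass through not only port 1247 but also the range configured by server_port_range_start and server_port_range_end in server_config.json (20000 to 20199 by default), and that range has to be identical on every iCAT so a port chosen by one backend is reachable through the same VIP.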


