Hi Kristof,
What you might need is different host names and different IPs, public
names and IPs and still behind the NAT machine.
Take a look at this email:
Dan Schrager wrote:
To whom it may concern:
This is a draft report of the network configuration at WEIZMANN-LCG2
============================================
Network constraints: just 4 public IPs available; rest of hosts are NAT-ed.
Network structure: unique firewall for all hosts.
There is a common gateway, GW, with 2 NICs, one public, the other
connected to the private network.
GW does NAT and FW.
It advertises at ARP level for the other three public IPs.
It uses SNAT targets in the POSTROUTING chain for world outgoing packets
for each of the three public IPs respectively and its own public IP for
the remaining hosts (WNs).
It has static routes to the three public IPs via their private IPs.
It filters out any world access except for the public LCG services and
GLOBUS range of ports. It accepts all incoming connections from the
private network, its own lo interface and the other three public IPs.
All the other hosts are in the private network.
It has a DHCPD server (with shared-network) for the private IPs and the
three public IPs.
It also has a NAMED server for the private and public DNS queries.
The WNs have static routes to the three public IPs (via their private
IPs) to avoid an extra hop via default GW.
The three public IPs are for CE, SE and RB (which does MON and BDII too).
Each host has only one NIC with a main public IP (to accommodate the
REDIRECT target of current lcg-bdii service...) and an IPALIAS in the
private network.
While the public network appears to be broken into two noncontiguous
parts, its connectivity is done with three static routes via eth0 for
the three public IPs and a default route to the rest of the public
network via GW (private interface).
As a result of this network configuration the installation and
configuration of all LCG nodes has been done automatically with yaim -
without any manual intervention.
Except for one file, /var/spool/pbs/mom_priv/config, on WN, where the CE
has to be named with its private name instead of the public one.
There is no need to edit /etc/hosts either.
Note that the PBS configuration needs correct ssh(d) host based
authentication and the use of /etc/hosts.equiv (with WNs listed there)
on CE.
A full report will be released soon.
Regards,
Dan
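As an added example (not part of Dan's mail or of the LCG tooling), the following POSIX shell script prints the GW-side commands his description implies: proxy ARP and a static route for each of the three public IPs, a 1:1 SNAT per node plus a catch-all SNAT for the WNs, and a FORWARD policy that only opens the service ports. Interface names, addresses, host names and the port list are constructed placeholders; the 1:1 SNAT matching on the node's private alias as source is an assumption about Dan's setup.

```shell
#!/bin/sh
# Added example: generate the NAT/FW rules for a gateway like the one
# described above. Nothing here is executed; pipe the output to sh on GW.
PUB_IF=eth0              # GW public NIC (assumption)
PRIV_IF=eth1             # GW private NIC (assumption)
GW_PUB=198.51.100.1      # GW's own public IP (constructed)
PRIV_NET=10.0.0.0/24     # private network behind GW (constructed)
LCG_PORTS="2119,2811,20000:25000"   # placeholder: take the real list from the LCG port table
# host  public_ip     private_ip   -- constructed; one line per public service node
MAP="ce 198.51.100.2 10.0.0.2
se 198.51.100.3 10.0.0.3
rb 198.51.100.4 10.0.0.4"

gw_nat_rules() {
  echo "$MAP" | while read host pub priv; do
    # GW answers ARP for the node's public IP on the public segment
    echo "ip neigh add proxy $pub dev $PUB_IF"
    # the public IP is reached through the node's private alias (one hop, no default route)
    echo "ip route add $pub via $priv dev $PRIV_IF"
    # 1:1 SNAT: packets the node sources from its private alias leave with its own public IP
    echo "iptables -t nat -A POSTROUTING -s $priv -o $PUB_IF -j SNAT --to-source $pub"
  done
  # everything else on the private net (the WNs) shares GW's public IP; must come last
  echo "iptables -t nat -A POSTROUTING -s $PRIV_NET -o $PUB_IF -j SNAT --to-source $GW_PUB"
}

gw_forward_rules() {
  # drop world access by default; let replies and anything from inside through
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $PRIV_IF -j ACCEPT"
  echo "$MAP" | while read host pub priv; do
    # the world reaches each node's public IP only on the published service ports
    echo "iptables -A FORWARD -i $PUB_IF -d $pub -p tcp -m multiport --dports $LCG_PORTS -j ACCEPT"
  done
}

# Usage on GW (after review):  gw_nat_rules | sh ; gw_forward_rules | sh
```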
Kristof Doms wrote:
>Hello all,
>
>I was wondering if it is possible to have both a SE and a CE behind
>the same internet connection using NAT. Looking at the LCG-porttable
>shows me that there are no commonly used ports between CE and SE. But
>because the certificates get checked by their hostnames, would it be
>possible to have 2 canonical DNS names sharing the same IP-address and
>still be OK for the certificate check?
>
>Greetings,
>
>Doms Kristof