I have a situation where I need to mount a few NFS shares on a series of clients on replicated VM networks. So their source IP addresses are not unique. In between the client and the server there is a routing Linux VM, which can do all sorts of things as deemed appropriate. I'm really unsure how best to approach making these shares reachable.
Possible solutions:
- Fully route traffic end to end, with an iptables masquerade on the "router" to Source NAT all client traffic.
- Do Masquerading AND Destination NAT on the router, making the internal machines think they are going to the "router" for NFS. This makes routing tables much simpler as everything then appears to be local. Maybe using a secondary IP on the "router" for clarity with all the NFS ports in use.
- Mount and then re-export NFS on the "router" VM. This feels really bad, but would give extra control to only allow certain mounts to be mounted by certain clients. As above, any NAT solution means all end clients look to be the same under NFSv3, which could cause security concerns. This also makes the routing tables a non-issue. I think I saw a comment that performance would significantly drop this way.
Any other options / thoughts gratefully appreciated.
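The second option above (Destination NAT plus masquerade on the "router", with a secondary IP that clients mount) can be written down concretely. The script below is an added example, not from the original post: it prints the iptables rules rather than applying them, so they can be reviewed before running on the router. All addresses and interface names are placeholders (router secondary IP 10.0.0.5, NFS server 192.168.50.10, client side eth0, server side eth1), and the pinned NFSv3 mountd/statd/lockd ports (892, 662, 32803) are assumed values that must match whatever the server is configured to listen on; NFSv3 only works through DNAT if those daemons are pinned to fixed ports, whereas NFSv4 needs only 2049/tcp.

```shell
#!/bin/sh
# Added example: generate DNAT + MASQUERADE rules for reaching one NFS server
# through a routing VM from clients with overlapping source addresses.
# Placeholder values (not from the post); override via environment variables.
set -eu

NFS_VIP="${NFS_VIP:-10.0.0.5}"          # secondary IP on the router that clients mount
NFS_SERVER="${NFS_SERVER:-192.168.50.10}" # real NFS server behind the router
IN_IF="${IN_IF:-eth0}"                    # client-facing interface
OUT_IF="${OUT_IF:-eth1}"                  # server-facing interface

# NFSv4 needs only 2049/tcp. NFSv3 additionally needs rpcbind (111) and the
# mountd, statd and lockd daemons, which must be pinned on the server to fixed
# ports for DNAT to be possible. 892/662/32803 are assumed pinned values.
nfs_ports() {
  case "$1" in
    v4) echo "tcp:2049" ;;
    v3) echo "tcp:2049 udp:2049 tcp:111 udp:111 tcp:892 udp:892 tcp:662 udp:662 tcp:32803 udp:32803" ;;
    *)  echo "unknown NFS version: $1" >&2; return 1 ;;
  esac
}

# Print the rules for one NFS version. Nothing is executed here.
nfs_nat_rules() {
  ver="$1"
  ports=$(nfs_ports "$ver") || return 1
  for p in $ports; do
    proto=${p%%:*}
    port=${p##*:}
    # DNAT: clients address the router's secondary IP; rewrite to the real server.
    echo "iptables -t nat -A PREROUTING -i $IN_IF -d $NFS_VIP -p $proto --dport $port -j DNAT --to-destination $NFS_SERVER:$port"
    # FORWARD allowlist: only NFS ports, only towards the server (destination is
    # already rewritten when the packet reaches FORWARD).
    echo "iptables -A FORWARD -i $IN_IF -o $OUT_IF -d $NFS_SERVER -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  done
  # Replies from the server back to the clients.
  echo "iptables -A FORWARD -i $OUT_IF -o $IN_IF -s $NFS_SERVER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # MASQUERADE: every client, whatever its (duplicated) source address, leaves
  # the router as the router's own server-side IP. This is exactly why, with
  # AUTH_SYS, the server can no longer distinguish clients by address.
  echo "iptables -t nat -A POSTROUTING -o $OUT_IF -d $NFS_SERVER -j MASQUERADE"
}

# Sanity check: number of DNAT rules a version needs (v4 = 1, v3 = 10).
nfs_dnat_count() {
  nfs_nat_rules "$1" | grep -c -- '-j DNAT'
}

nfs_nat_rules "${1:-v4}"
```

Run it as `sh nfs-nat.sh v3 | less` to review, and only pipe it into `sh` on the router once the server-side port pinning has been confirmed with `rpcinfo -p <server>`. Note that this only hides the address overlap from the server; it does nothing to make the clients distinguishable to it.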
I believe NFS clients behind a NAT should work just fine without any special gimmicks. You might have problems if you want to do RPC_GSS (Kerberos authentication), since the server will be checking the client's IP address against its host principal, but if you're just doing AUTH_SYS I don't see any reason why it wouldn't work.