FreeIPA clients behind NAT - will it cause issues?


I have a situation where I need to setup a few IPA-clients behind NAT while the IPA server resides outside this NAT.

Since the IPA server is outside the NATed network, there is a potential difference, since one server has one internal IP and one NATed IP as seen from outside the NAT.

Diagram:
[Active Directory] <--- [IPA Server] <--- [NAT:ed IP for srvipaclient001: 10.19.6.7] <--- [router] <--- [srvipaclient001 with IP 10.5.6.7]

Which IP will the ipa server think my ipa-client srvipaclient001 has?

  • IP Behind NAT: 10.19.6.7?
  • The NATed IP: 10.19.6.7?

All requests to the IPA server will of course come from the NATed IP 10.19.6.7.

Will I run into any issues?
Will my ipa client (srvipaclient001 in this example) report 10.5.6.7 to the IPA server as this is the only IP it truly knows about?

Responses

I wouldn't advise it, as you will have to manage DNS manually. If you let IPA manage the DNS, it will map them to IPs that are not reachable by the IPA clients.

If you manage DNS manually, though, I think it shouldn't be an issue, but it doesn't scale. So if it's fewer than 10 boxes, go ahead. If a substantial number, expect some management pains.

Guys, is this supported in RHEL 7.7?

Yes, performing SNAT with multiple clients can cause problems.

If one client has a lower TCP Timestamp value than another, which is likely, then the client with the lower value can appear to come "from the past" and may be ignored.

This is described at: Why does Red Hat Enterprise Linux not respond to SYN requests intermittently?

If you do run into that problem, possible solutions are to disable TCP Timestamps, or to have the SNAT device rewrite timestamps so that no client appears to ever "go back in time".
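The failure mode described in this answer, and both mitigations, as an added toy model (not code from the original thread or from FreeIPA): every client behind the router leaves with the same SNAT address, the server remembers the highest TCP timestamp it has seen per source IP, and a SYN carrying a lower value is dropped as if it came "from the past". Addresses other than the question's 10.19.6.7, the timestamp values and the rewrite base are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NAT_IP = "10.19.6.7"      # the SNAT address from the question
REWRITE_BASE = 1_000_000  # constructed start value for the router's rewritten TSval


@dataclass
class Syn:
    src_ip: str            # source address as seen by the receiver
    tsval: Optional[int]   # TCP timestamp option value, None if timestamps are off


@dataclass
class TimestampServer:
    """Remember the highest TSval seen per source IP; drop a SYN carrying a lower one."""
    last_ts: Dict[str, int] = field(default_factory=dict)

    def accept(self, syn: Syn) -> bool:
        if syn.tsval is None:           # no timestamp option: nothing to compare
            return True
        seen = self.last_ts.get(syn.src_ip)
        if seen is not None and syn.tsval < seen:
            return False                # appears to come "from the past"
        self.last_ts[syn.src_ip] = syn.tsval
        return True


def snat(syn: Syn, counter: Optional[List[int]]) -> Syn:
    """Router model: all clients leave as NAT_IP; with a counter, TSval is rewritten monotonically."""
    tsval = syn.tsval
    if tsval is not None and counter is not None:
        counter[0] += 1
        tsval = counter[0]
    return Syn(NAT_IP, tsval)


def run(clients: List[Tuple[str, Optional[int]]], rewrite: bool = False) -> List[bool]:
    """Send one SYN per (private_ip, tsval) through SNAT to the server; True = accepted."""
    server = TimestampServer()
    counter = [REWRITE_BASE] if rewrite else None
    return [server.accept(snat(Syn(ip, ts), counter)) for ip, ts in clients]


# Two clients behind the same router whose uptimes (and so TSvals) differ (constructed).
CLIENTS = [("10.5.6.7", 500_000), ("10.5.6.8", 120_000)]
NO_TIMESTAMPS = [(ip, None) for ip, _ in CLIENTS]
```

`run(CLIENTS)` drops the second client's SYN, while `run(NO_TIMESTAMPS)` (timestamps disabled) and `run(CLIENTS, rewrite=True)` (router rewrites TSval) accept both.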