Made some headway, seems like my understanding works. I was able to open multiple shells and export variables so that the IOC would get server port 5064, the ca gateway would get 5068 for server and 5064 for client and then my caget would use 5068 for CA requests. I would like to keep my IOCs using 5064 as the default UDP port. Is there a way then to make the ca gateway use specific env variables similar to how the IOC has envSet in the iocboot? I wasn’t sure if I could do something like CONFIG_ENV with ca gateway. I am planning with Phoebus to use the ini file to specify the port to use.
From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of
Manoussakis, Adamandios via Tech-talk
Sent: Wednesday, December 1, 2021 5:56 PM
To: EPICS tech-talk <tech-talk at aps.anl.gov>
Subject: RE: CA Gateway same VM as IOCs/Phoebus and Access/PVList Setup
Just to clarify some, how do you handle when you set CAS_SERVER_PORT to something different than CA_SERVER_PORT on the same machine when using CA-GATEWAY.
When I set CAS_SERVER_PORT=5068 for example, the gateway server binds to it but also all IOCs will bind to this server port. Which seems like any client will try to talk to both the gateway and the IOCs if I set CA_SERVER_PORT to say 5068. If I change it to 5064 they won't communicate properly, since the IOCs will be bound to 5068.
Is there a way to make sure that the IOCs all bind to say 5064 and the ca gateway binds to 5068? This seems more simple if I have clients coming from a different subnet and use the gateway to jump the subnet since port 5064 can be used but with different IPs on the gateway setup. But feels like I am missing something when I try to do it on the same machine. If I am misunderstanding how the networking works any clarification would be helpful.
Thanks
Adam
Hey All,
I am trying to make sure I understand how the CA Gateway networking setup works for running all pieces on the same PC (VM). Below is my ENV variables list that I set up; I am just using the basic access list and pv list examples (although I did have a question about the access/pvlist).
export EPICS_CA_AUTO_ADDR_LIST=NO
export EPICS_CA_ADDR_LIST=localhost
export EPICS_CA_MAX_ARRAY_BYTES=800000
export EPICS_CAS_INTF_ADDR_LIST=localhost
export EPICS_CA_SERVER_PORT=5064
export EPICS_CAS_SERVER_PORT=5065
My understanding is that the CAS port is listening for requests from a client (in this case Phoebus). I also am running Ralph's script to handle multiple IOCs on the same PC so UDP packets sent to 5064 are being echoed out on all ports (I think I need to block whichever port the CAS Server Port is in this NAT Rule to stop looping). Below is how I think the setup is supposed to work but I am unsure as I haven't been successful yet.
Access/PV List files question:
I am using the example files and for the access file the DEFAULT is where all requests go that aren’t listed as UAG or HAG?
ASG(DEFAULT) {
RULE(1,READ)
}
For the Pvlist, the first 3 regexes, are these covering any PV name basically? Does the next regex like Beam:.* then subset out from All to only allowing the Beam 1 user to access these particular ones?
EVALUATION ORDER ALLOW, DENY
[0-9].* ALLOW
[a-z].* ALLOW
[A-Z].* ALLOW
Beam:.* ALLOW Beam 1
PS.* ALLOW PowerSupply 1
gateway:.*Flag ALLOW GatewayAdmin
test.* DENY
ps\([0-9]\) ALIAS PSCurrent\1.ai PowerSupply 1
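As an added illustration (not part of the thread, and not the gateway's own code), the small Python simulator below walks the example pvlist above and reports, for a given PV name, whether the gateway would serve it, under which name, and in which access security group (ASG) and level (ASL). The rule semantics it encodes are my reading of the gateway's pvlist behaviour and should be treated as assumptions: a pattern has to match the whole PV name; among ALLOW/ALIAS entries and among DENY entries the last matching line wins; the class named last in EVALUATION ORDER has the final say (so with ALLOW, DENY a DENY overrides an ALLOW); a name that matches nothing is denied; entries without an ASG/ASL fall to DEFAULT / 1. The `\( \)` group syntax in the ALIAS line is converted to Python parentheses for this example only.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# pvlist text exactly as quoted in the thread (the gateway's example file)
PVLIST = r"""
EVALUATION ORDER ALLOW, DENY
[0-9].* ALLOW
[a-z].* ALLOW
[A-Z].* ALLOW
Beam:.* ALLOW Beam 1
PS.* ALLOW PowerSupply 1
gateway:.*Flag ALLOW GatewayAdmin
test.* DENY
ps\([0-9]\) ALIAS PSCurrent\1.ai PowerSupply 1
"""


class Entry(NamedTuple):
    regex: "re.Pattern[str]"
    action: str             # ALLOW, DENY or ALIAS
    target: Optional[str]   # ALIAS substitution template, e.g. PSCurrent\1.ai
    asg: str                # access security group the PV is placed in
    asl: int                # access security level


class Verdict(NamedTuple):
    allowed: bool
    real_name: str          # name the gateway would use on the IOC side
    asg: str
    asl: int


def _to_python_regex(pattern: str) -> str:
    # The example file writes groups basic-regex style, \( ... \);
    # Python's re wants plain parentheses (assumed conversion for this example).
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def parse_pvlist(text: str) -> Tuple[Tuple[str, ...], List[Entry]]:
    """Parse pvlist lines into (evaluation order, entries in file order)."""
    order: Tuple[str, ...] = ("ALLOW", "DENY")   # assumed default when absent
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("EVALUATION ORDER"):
            tail = line[len("EVALUATION ORDER"):]
            order = tuple(w.strip().upper() for w in tail.split(","))
            continue
        parts = line.split()
        pattern, action, rest = parts[0], parts[1].upper(), parts[2:]
        target = None
        if action == "ALIAS":                      # ALIAS <template> [asg [asl]]
            target, rest = rest[0], rest[1:]
        asg = rest[0] if rest else "DEFAULT"       # assumed defaults: DEFAULT / 1
        asl = int(rest[1]) if len(rest) > 1 else 1
        entries.append(Entry(re.compile(_to_python_regex(pattern)), action, target, asg, asl))
    return order, entries


def evaluate(pv: str, entries: List[Entry], order: Tuple[str, ...]) -> Verdict:
    """Apply the rules to one PV name (assumed semantics, see the lead-in)."""
    last = {"ALLOW": None, "DENY": None}           # last match per class
    for e in entries:
        m = e.regex.fullmatch(pv)                  # whole-name match assumed
        if m:
            last["DENY" if e.action == "DENY" else "ALLOW"] = (e, m)
    winner = None
    for cls in order:                              # class named last has the final say
        if last.get(cls) is not None:
            winner = last[cls]
    if winner is None or winner[0].action == "DENY":
        return Verdict(False, pv, "", 0)           # unmatched or denied
    e, m = winner
    real = m.expand(e.target) if e.action == "ALIAS" else pv   # \1 etc. substituted
    return Verdict(True, real, e.asg, e.asl)


ORDER, ENTRIES = parse_pvlist(PVLIST)


def check(pv: str, order: Optional[Tuple[str, ...]] = None) -> Verdict:
    """Evaluate a PV name against the thread's example list."""
    return evaluate(pv, ENTRIES, order or ORDER)


if __name__ == "__main__":
    for name in ("Beam:current", "PS1:current", "ps3", "test:foo", "xyz", "_private"):
        print(name, "->", check(name))
    print("test:foo with DENY, ALLOW ->", check("test:foo", ("DENY", "ALLOW")))
```

Running it shows the effect the questions above are about: the three leading character-class lines admit any name starting with a letter or digit into the DEFAULT group, a later line such as `Beam:.*` re-assigns matching names to the Beam group at level 1 without narrowing what is reachable, `test.*` denies despite the earlier `[a-z].*` allow because DENY is evaluated last, and `ps3` is served under the aliased IOC-side name `PSCurrent3.ai`. Passing `("DENY", "ALLOW")` to `check` flips the `test:foo` result, which is the difference the EVALUATION ORDER line makes.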