Experimental Physics and
Industrial Control System

Thanks Ralph for the explanations, some follow up below:

Then if I also have the cagateway setup for EPICS_CA_ADDR_LIST=localhost also shouldn’t the client for the gateway also end up using the firewall iptables rule?  Cant seem to figure out why the client side of the gateway doesn’t seem to use iptables rule then.

The firewall rule is server-side and only needed on hosts that run multiple servers (IOCs or Gateways). Nowhere else.

If your gateway machine is running a single Gateway instance per network interface the Gateway binds to, it does not need to run the firewall rule.

Yes but for this situation I am running phoebus client (or caget) on the same machine as the IOCs (and gateway).  If the gateway is binding to say my local ethernet ip 192.168.0.50 and I have phoebus send out its requests to 192.168.0.50 (instead of putting localhost)  does the routing go through that interface and trigger the firewall rule or does it just route locally through the loopback and not trigger the rule?

What is the difference then between EPICS_CA_ADDR_LIST=192.168.0.255, EPICS_CA_SERVER_PORT=5064 and using the iptables rule of routing all 5064 udp traffic to 192.168.0.255:5064 instead of say localhost:5064?

These two things are not directly related as they are happening on two different machines.

Your environment settings are for a CA client running on the client host, where the firewall rule does not run.

The firewall rule is running on the server (IOC) host and affecting incoming name resolution requests.

Also note that the firewall rule trick does not work for CA clients on the same host as the multiple IOCs.

In my case I am running the CA Client and Gateway on the same machine for now in development (future iterations will separate these out).  I think this is similar to what you mentioned above but I would assume if EPICS_CA_AUTO_ADDR_LIST=NO and EPICS_CA_ADDR_LIST=192.168.0.50 then this still would not trigger the firewall rule if they were running on the same PC?

I did have another related question that I am running into with the broadcasts.  If I have multiple PCs running IOCs with the same named records, is the best way to stop the broadcasts from going out to another hosts IOCs to use the IOC access file?

Example Host 1 and Host 2 both are running the same IOC and are on the same subnet 192.168.0.X.  Host 1 is sending out a broadcast to 192.168.0.255 to talk to the multiple IOCs on itself but Host 2 is also receiving that broadcast message and since it has the same IOC record names its responding to the request. 

Thanks, really starting to understand the routing a lot better.