Subject: | RE: Need clarification on UDP Broadcasting to multiple IOCs on same PC |
From: | "Manoussakis, Adamandios via Tech-talk" <tech-talk at aps.anl.gov> |
To: | Ralph Lange <ralph.lange at gmx.de>, tech-talk <tech-talk at aps.anl.gov> |
Date: | Thu, 9 Dec 2021 22:36:41 +0000 |
Thanks Ralph for the explanations, some follow up below:

Then if I also have the cagateway setup for EPICS_CA_ADDR_LIST=localhost also shouldn’t the client for the gateway also end up using the firewall iptables rule? Can’t seem to figure out why the client side of the gateway doesn’t seem to use iptables rule then.

The firewall rule is server-side and only needed on hosts that run multiple servers (IOCs or Gateways). Nowhere else. If your gateway machine is running a single Gateway instance per network interface the Gateway binds to, it does not need to run the firewall rule.

Yes but for this situation I am running phoebus client (or caget) on the same machine as the IOCs (and gateway). If the gateway is binding to say my local ethernet ip 192.168.0.50 and I have phoebus send out its requests to 192.168.0.50 (instead of putting localhost) does the routing go through that interface and trigger the firewall rule or does it just route locally through the loopback and not trigger the rule?

What is the difference then between EPICS_CA_ADDR_LIST=192.168.0.255, EPICS_CA_SERVER_PORT=5064 and using the iptables rule of routing all 5064 udp traffic to 192.168.0.255:5064 instead of say localhost:5064?

These two things are not directly related as they are happening on two different machines. Your environment settings are for a CA client running on the client host, where the firewall rule does not run. The firewall rule is running on the server (IOC) host and affecting incoming name resolution requests. Also note that the firewall rule trick does not work for CA clients on the same host as the multiple IOCs.

In my case I am running the CA Client and Gateway on the same machine for now in development (future iterations will separate these out). I think this is similar to what you mentioned above but I would assume if EPICS_CA_AUTO_ADDR_LIST=NO and EPICS_CA_ADDR_LIST=192.168.0.50 then this still would not trigger the firewall rule if they were running on the same PC?

I did have another related question that I am running into with the broadcasts. If I have multiple PCs running IOCs with the same named records, is the best way to stop the broadcasts from going out to another host’s IOCs to use the IOC access file?

Example Host 1 and Host 2 both are running the same IOC and are on the same subnet 192.168.0.X. Host 1 is sending out a broadcast to 192.168.0.255 to talk to the multiple IOCs on itself but Host 2 is also receiving that broadcast message and since it has the same IOC record names it’s responding to the request.

Thanks, really starting to understand the routing a lot better.

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Ralph Lange via Tech-talk
Correct. It works on incoming name resolution requests and just patches the header information.
The best and easiest test is the initial problem: If you have multiple IOCs on the host, a CA client from a different machine doing a unicast name resolution request will see one IOC (rule is not active) or all IOCs (rule is active).
That's correct, but the client will also send broadcasts on all network interfaces (except loopback/localhost) unless EPICS_CA_AUTO_ADDR_LIST is set to NO. EPICS_CA_AUTO_ADDR_LIST is the switch for "broadcast on all interfaces". EPICS_CA_ADDR_LIST contains addresses that are used additionally, which may be unicast or broadcast addresses.
Yes, the caget will use unicasts to localhost - in addition to sending broadcasts on all network interfaces (according to EPICS_CA_AUTO_ADDR_LIST setting).
The firewall rule is server-side and only needed on hosts that run multiple servers (IOCs or Gateways). Nowhere else. If your gateway machine is running a single Gateway instance per network interface the Gateway binds to, it does not need to run the firewall rule.
These two things are not directly related as they are happening on two different machines. Your environment settings are for a CA client running on the client host, where the firewall rule does not run. The firewall rule is running on the server (IOC) host and affecting incoming name resolution requests. Also note that the firewall rule trick does not work for CA clients on the same host as the multiple IOCs.

Cheers,
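
Added example (not part of the original thread and not EPICS code): a small Python model of the rules discussed above, showing which addresses a CA client searches for a given `EPICS_CA_AUTO_ADDR_LIST` / `EPICS_CA_ADDR_LIST` setting, and how many IOCs on a multi-IOC host see each request. The function names, the interface list format, and mapping `localhost` to 127.0.0.1 are assumptions made for illustration.

```python
import ipaddress

CA_DEFAULT_PORT = 5064  # default value of EPICS_CA_SERVER_PORT


def search_destinations(env, interfaces):
    """Model the (address, port, kind) targets of a CA client's name searches.

    env:        dict of EPICS_CA_* settings (constructed input).
    interfaces: CIDR strings for the client host, e.g. "192.168.0.50/24".
    """
    port = int(env.get("EPICS_CA_SERVER_PORT", CA_DEFAULT_PORT))
    nets = [ipaddress.ip_interface(i) for i in interfaces]
    # Broadcast addresses of every interface except loopback.
    bcasts = {n.network.broadcast_address for n in nets if not n.ip.is_loopback}
    dests = []
    # AUTO_ADDR_LIST is the "broadcast on all interfaces" switch (on unless NO).
    if env.get("EPICS_CA_AUTO_ADDR_LIST", "YES").upper() != "NO":
        dests += [(str(b), port, "broadcast") for b in sorted(bcasts)]
    # ADDR_LIST entries are used in addition; each may be unicast or broadcast.
    for entry in env.get("EPICS_CA_ADDR_LIST", "").split():
        host, _, p = entry.partition(":")
        addr = ipaddress.ip_address("127.0.0.1" if host == "localhost" else host)
        kind = "broadcast" if addr in bcasts else "unicast"
        item = (str(addr), int(p) if p else port, kind)
        if item not in dests:
            dests.append(item)
    return dests


def iocs_reached(kind, ioc_count, rule_active, client_on_server_host):
    """How many IOCs on one host see a search, per the behaviour described above."""
    if kind == "broadcast":
        return ioc_count            # a broadcast reaches every IOC on the host
    if rule_active and not client_on_server_host:
        return ioc_count            # the rule patches incoming unicasts
    return min(1, ioc_count)        # plain unicast: only one IOC sees it


if __name__ == "__main__":
    ifaces = ["127.0.0.1/8", "192.168.0.50/24"]  # constructed sample host
    env = {"EPICS_CA_AUTO_ADDR_LIST": "NO", "EPICS_CA_ADDR_LIST": "192.168.0.50"}
    for addr, port, kind in search_destinations(env, ifaces):
        n = iocs_reached(kind, 3, rule_active=True, client_on_server_host=True)
        print(f"{addr}:{port} ({kind}) -> {n} of 3 IOCs see the search")
```
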