
Introduction

In some cases, it may be difficult or impossible for you to obtain a publicly routable, static IP address, and your library or organization may be forced to operate behind what is known as a Network Address Translation (NAT) firewall. A NAT firewall has a publicly routable, static IP address facing the Internet, but provides computers behind it with a private network that cannot be reached directly from the Internet. It may still be possible to configure a LOCKSS box to work properly on this private network by following these instructions carefully.

If you are running CD250 or later, after following these instructions your LOCKSS box should be able to participate in polls and preserve content successfully behind a NAT firewall. NAT was not officially supported before CD250, although it could be used via a different mechanism.

Preparation

Determine whether your network administrators will allow you to forward one TCP port for each LOCKSS box from the publicly routable IP address to the local IP address of your LOCKSS box. If this is allowed, you can run one LOCKSS box for each forwarded port behind the NAT firewall. If not, the LOCKSS box will not be able to work properly. Ideally, the first of the forwarded ports should be 9729. If you need to use a port other than 9729, please contact us.

NOTE: The LOCKSS team will not be able to log into your LOCKSS box or see the admin and status UI unless your network administrators also forward some external TCP ports from your NAT firewall to the corresponding ports on your LOCKSS box: TCP port 22 (SSH, for logging in) and/or TCP port 8081 (the Admin UI). The external port numbers used for these forwards can be chosen freely; if you choose to do this, please let us know which external ports were assigned.

Before you begin, in addition to the normal LOCKSS configuration information, you will need the following:

  • The publicly routable, static IP address of the NAT firewall.

Installation

Once you've determined whether you can continue, install and configure your LOCKSS box as normal. When asked for the network configuration, use the real values for your LOCKSS box. These will be the IP address and netmask appropriate for the internal, private network that is behind the NAT firewall.

  • When asked, answer Y to the Additional configuration? question.
  • If the forwarded port is not 9729, make sure you enter that port in response to the Configure V3 protocol port (0 to disable)? question rather than accepting the default V3 port, and let us know which port was used.
  • Then answer Y to the Is this machine behind NAT? question. You will be asked to supply the external IP address of your NAT firewall.
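As an added example (not part of the original page or of the LOCKSS software), the checks below sanity-check the values collected above before you start the installer: the NAT address must be publicly routable, the box's own address must sit on the private network, and the V3 port entered at install time must be the port that is forwarded. The function names, the sample addresses and the forwards table are constructed for illustration.

```python
"""Sanity-check a NAT port-forwarding plan for a LOCKSS box (added example)."""
import ipaddress
import socket

V3_PORT = 9729  # default LOCKSS V3 protocol port
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip lies in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def check_nat_plan(external_ip, internal_ip, netmask, forwards, v3_port=V3_PORT):
    """Return a list of findings; an empty list means the plan looks usable.

    external_ip        static, publicly routable address of the NAT firewall
    internal_ip/netmask the box's real address on the private network (the values
                       given to the installer's network configuration)
    forwards           {external TCP port: internal TCP port on the box}
    v3_port            the V3 port entered at the installer prompt
    """
    findings = []
    ext = ipaddress.ip_address(external_ip)
    if is_rfc1918(ext) or ext.is_loopback or ext.is_link_local:
        findings.append(f"external address {ext} is not publicly routable")
    box = ipaddress.ip_interface(f"{internal_ip}/{netmask}")
    if not is_rfc1918(box.ip):
        findings.append(f"internal address {box.ip} is not on an RFC 1918 private network")
    if box.ip in (box.network.network_address, box.network.broadcast_address):
        findings.append(f"{box.ip}/{netmask} is the network or broadcast address")
    for outside, inside in forwards.items():
        if not (1 <= outside <= 65535 and 1 <= inside <= 65535):
            findings.append(f"port mapping {outside}->{inside} is out of range")
    # The V3 port configured on the box must be the same port that is forwarded.
    if forwards.get(v3_port) != v3_port:
        findings.append(f"external port {v3_port} must be forwarded to port {v3_port} on the box")
    elif v3_port != V3_PORT:
        findings.append(f"non-default V3 port {v3_port} in use: tell the LOCKSS team")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """Run from a host OUTSIDE the NAT, e.g. tcp_reachable(external_ip, 9729),
    to confirm that a forward actually reaches a listener on the box."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `check_nat_plan` on your own values first and fix every finding; only then use `tcp_reachable` from outside your network to confirm the forwarded V3 port answers.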