Hey everyone,
Some time ago I implemented a distributed storage for our network based on OpenAFS and Samba.
The storage space can now be reached via 192.168.6.10 and 192.168.1.2.
Users in the remote office should connect to 192.168.6.10; the main office should remain connected to 1.2.
I figured I'd just change the DNS name called "server" in the ClearOS Linux router of the remote office to point to 6.10 and be done with it... nice and clean, yes?
Problem is - some users at some early point may have had DNS issues which they didn't tell me about. Not surprising, since they must be allowed to hack their machines and network settings around to do their jobs even if they sometimes mess up... You see, the guys are engineers, moderately tech-savvy, so when they couldn't reach the share by name, they figured they'd just ignore me completely and ask their colleague in the main office for the IP of the storage server. Veeeeery smart....
(OK, I don't want to sound too critical, because in their defense I need to say that they had to rely on themselves for 10 years for any IT support before I was hired, when it was obvious the company cannot grow beyond a point without complex IT, virtualization, etc... Never mind...)
So... then they started remounting network drives based on IP, and for about two years this went on... The big problem is - most documents, links, etc. from these machines are now hard-referencing the share by IP address as a result of working this way. So when I wanted to redirect their traffic to the distributed storage, old stuff keeps reading from the old 1.2 IP directly over VPN.
It's not an option by far, to rename references in those files. Too many. Too big. Too complicated... in some cases even unlawful to modify.
So... I need a solution to redirect any and all Samba traffic that was originally destined to 192.168.1.2 to 192.168.6.10.
So far what I have done is this:
(eth1 - their localnet, 192.168.6.0/24)
Added this to /etc/clearos/firewall.d/local, the custom iptables rules file of ClearOS:
Code:
#iptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.168.1.2 -j DNAT --to 192.168.6.10
#iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 -j DNAT --to 192.168.6.10
#iptables -t nat -A POSTROUTING -d 192.168.6.10 -j MASQUERADE
... it's commented out for a reason - it's not working.
Or rather it is, but it causes the following effect:
When a client connects, it is able to browse the shares. Then at the beginning of the first real file transfer (and after that at long, random intervals), the client transfer goes on hold, then a RST packet comes from Samba and the transfer is aborted.
When I remove this ruleset and address the share directly by name or IP (6.10), everything's fine.
I guess my question is obvious - how can I redirect all traffic that goes to the old IP to the correct IP for the remote office without injecting any routing info, etc. into the client computers (that would be pointless, they mangle their routing tables on a daily basis)?
Thank you very much if you can help me with this...
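Added example, not part of the original post and not the poster's rules: a small POSIX shell script that renders (and, on request, applies) a hairpin-NAT rule set for the situation described above. Compared with the three rules in the post, it narrows every rule to clients on eth1 (192.168.6.0/24), to the SMB ports only (TCP 139/445 and NetBIOS UDP 137/138, which are standard assumptions, not values from the post), and restricts the source rewrite to traffic leaving on eth1 towards 192.168.6.10, so that connections arriving from the main office over the VPN are never rewritten. MASQUERADE is kept instead of SNAT so no assumption about the router's own eth1 address is needed. The interface and addresses come from the post; the `apply`/`verify` helpers and their names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): scoped hairpin NAT that
# rewrites SMB traffic sent by eth1 clients to the old storage IP
# (192.168.1.2) so that it reaches the new one (192.168.6.10) instead.
# Assumed, not from the post: SMB = TCP 139/445, NetBIOS = UDP 137/138.

LAN_IF="eth1"
LAN_NET="192.168.6.0/24"
OLD_IP="192.168.1.2"
NEW_IP="192.168.6.10"
SMB_TCP="139,445"
NBT_UDP="137,138"

# Print the iptables commands without executing anything (dry run).
render_smb_redirect_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $OLD_IP -p tcp -m multiport --dports $SMB_TCP -j DNAT --to-destination $NEW_IP
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $OLD_IP -p udp -m multiport --dports $NBT_UDP -j DNAT --to-destination $NEW_IP
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $NEW_IP -p tcp -m multiport --dports $SMB_TCP -j MASQUERADE
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $NEW_IP -p udp -m multiport --dports $NBT_UDP -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $NEW_IP -p tcp -m multiport --dports $SMB_TCP -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $NEW_IP -p udp -m multiport --dports $NBT_UDP -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules the dry run produces (whitespace stripped for portability).
rule_count() {
  render_smb_redirect_rules | wc -l | tr -d ' '
}

# 1 if every NAT rule is pinned to the LAN interface, 0 otherwise.
nat_rules_are_scoped() {
  if render_smb_redirect_rules | grep -- '-t nat' | grep -v -q -- "-[io] $LAN_IF"; then
    echo 0
  else
    echo 1
  fi
}

# Execute the rendered rules. Must run as root; nothing here runs by default.
apply_smb_redirect_rules() {
  render_smb_redirect_rules | while IFS= read -r line; do
    $line
  done
}

# Show packet counters and live translations so the rewrite can be confirmed
# (a hit on the PREROUTING DNAT rule and a conntrack entry ending in NEW_IP).
verify_smb_redirect_rules() {
  iptables -t nat -nvL PREROUTING
  iptables -t nat -nvL POSTROUTING
  conntrack -L -d "$NEW_IP" 2>/dev/null || echo "conntrack-tools not installed"
}

case "${1:-}" in
  apply)  apply_smb_redirect_rules ;;
  verify) verify_smb_redirect_rules ;;
  *)      render_smb_redirect_rules ;;
esac
```

Run it with no argument to review the rule lines before pasting them into /etc/clearos/firewall.d/local; `apply` executes them and `verify` shows whether the DNAT counters increase and whether conntrack holds a translated entry for 192.168.6.10. The hairpin FORWARD rules matter because, with both client and server on eth1, the rewritten flow enters and leaves the router on the same interface, and the reply must be matched as ESTABLISHED on the way back. The scoping is a least-privilege choice: only the SMB ports of one old address are rewritten, so the rest of the 192.168.1.0/24 side stays reachable unchanged.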