Hi,
thank you for this information, I definitely have to try this before
rolling it out on a larger scale. So far everything worked as expected,
but my director was always reachable so far.
Martin
On 23.12.23 01:08, Justin Case wrote:
Hi Martin,
I am also using this.
The only problem I came across is that the client is reporting tons of
connection failures when the director cannot be reached, even if no job
is running. Also the client does then burden the VM in which it is
running under heavy load until the director is reachable again (there is
an open bug report on this issue).
Let me know whether this also happens for you.
Best,
J/C
On 19. Dec 2023, at 10:56, Martin Reissner <mreiss...@wavecon.de> wrote:
For future reference I wanted to add that I found the "Client Behind
NAT Support with the Connect To Director Directive" feature today,
which was added in Bacula 11 and had so far slipped my attention, but
basically this is exactly what I was looking for and I will start to
test this right away.
On 19.12.23 08:42, Martin Reissner wrote:
Hey Rob,
thank you for the detailed reply. To be honest I had not thought
about VPN because of performance/throughput concerns but those are
unwarranted as my clients push to s3 via a storage daemon which has a
public ip and can be reached via a gateway and so the main traffic
will not go through the VPN.
For the start, with only a few setups the VPN solution could work,
but I see possible issues when there are more setups, as the ranges
of the local subnets of my setups do not have to be distinct and I
don't see how I could set up routing over VPNs when there are e.g. two
192.168.0.0/24 subnets behind two different jumphosts and
unfortunately keeping those subnets distinct is not within my reach.
Martin
On 15.12.23 18:41, Rob Gerber wrote:
Could you establish a site-to-site VPN link from your director's lan
to the remote lan that is currently only accessible from the jump host?
If you're concerned about the remote site having access to the
central lan with director on it, you could vlan tag all packets from
remote lan VPN and pass tagged traffic to director server,
forbidding other clients.
If need be, maybe modify the idea so that the central director's
server has a site-to-site VPN link to the remote lan. Maybe more
difficult to do if the director doesn't have a public IP (so maybe
the remote VPN server will have difficulty reaching the director to
complete the tunnel?) Also, a network infrastructure link will be
maintained on something that isn't a piece of core network equipment
(director server), hiding the configuration from network admins.
MAYBE, you could give director access to remote lan via standard VPN
(one way, client initiated, road warrior, whichever term means "not
site to site VPN"). You could run into issues with the VPN
connection disconnecting. Maybe solve those issues by having a
runbeforejob script that verifies the tunnel is up, and if it isn't,
restarts the VPN connection prior to the backup starting. However,
if there's any instance where the clients would need to reach out to
the director, and if the client initiated VPN proves to be unstable,
you could have an issue. I have no reason to believe that client
initiated VPN is unstable, but I guess it's possible. Also you would
probably need to initiate this connection entirely using command
line tools, which I haven't done but imagine is possible using
openvpn or similar.
I'm sure there might be bacula features that cover these
eventualities, but I'm not a big enough bacula expert to know about
them.
Robert Gerber
402-237-8692
r...@craeon.net
On Fri, Dec 15, 2023, 3:59 AM Martin Reissner <mreiss...@wavecon.de> wrote:
Hello and sorry for the generic subject. My issue is as follows:
I have a centralized director which should be used to back up several
setups with multiple clients/fds in a cloud environment. In those setups
there is only one gateway/jumphost with a public ip, the actual
clients/fds only have an address in an internal subnet and are reachable
from outside via ssh-proxyjump from the gw/jumphost or via a
loadbalancer.
So far the only solutions I have come up with are port forwardings on the
gw, e.g. port 19102 gets forwarded to client1 port 9102, 29102 to client2
9102 and so on. This works but is kind of tedious with many clients.
I read something about client initiated backups using the tray monitor.
I will look into that but scheduling backups on the clients/fds takes
away one of the main advantages of bacula, which is the centralized
scheduling.
Are there any further options that I might not have found or thought of?
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
--
Wavecon GmbH
Address: Thomas-Mann-Straße 16-20, 90471 Nürnberg
Website: www.wavecon.de
Support: supp...@wavecon.de
Phone: +49 (0)911-1206581 (weekdays, 9:00 to 17:00)
Hotline 24/7: 0800-WAVECON
Fax: +49 (0)911-2129233
Registration number: HBR Nürnberg 41590
Managing director: Cemil Degirmenci
VAT ID: DE251398082
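
Added example, not part of any message in this thread: a RunBeforeJob helper of the kind Rob Gerber's reply describes, which checks that the VPN tunnel is up and restarts it before the backup starts. The interface name, peer address, systemd unit and script path are assumptions, and the `ping` options are those of Linux iputils.

```shell
#!/bin/sh
# Hypothetical RunBeforeJob helper: verify the VPN tunnel to the remote LAN
# and restart the VPN client if it is down. A non-zero exit status makes the
# job fail instead of running against an unreachable client.
# Assumed usage in the Job resource (path is an assumption):
#   RunBeforeJob = "/usr/local/sbin/ensure-tunnel.sh --run"

TUN_IF="${TUN_IF:-tun0}"                      # assumed tunnel interface
PEER="${PEER:-10.8.0.1}"                      # constructed address inside the tunnel
VPN_UNIT="${VPN_UNIT:-openvpn-client@site1}"  # assumed systemd unit name
RETRIES="${RETRIES:-5}"                       # probes after a restart
WAIT="${WAIT:-3}"                             # seconds between probes

# Probe the far end through the tunnel interface only, so a route that
# leaks via the default gateway does not count as "tunnel up".
tunnel_up() {
    ping -c 1 -W 2 -I "$TUN_IF" "$PEER" >/dev/null 2>&1
}

restart_vpn() {
    systemctl restart "$VPN_UNIT"
}

# Returns 0 if the tunnel is (or comes) up, 1 if it stays down after a
# restart, 2 if the restart command itself fails.
ensure_tunnel() {
    tunnel_up && return 0
    restart_vpn || return 2
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        sleep "$WAIT"
        tunnel_up && return 0
        i=$((i + 1))
    done
    return 1
}

# Only act when called with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    ensure_tunnel
    exit $?
fi
```
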