Date: Fri, 01 Jun 2012 16:04:24 -0700
From: Hao Bryan Cheng <hbcheng@berkeley.edu>
To: freebsd-net@freebsd.org
Subject: NAT with Port-block Allocation in FreeBSD?
Message-ID: <1338591864.3484.12.camel@Zanzibar-II.gateway.2wire.net>
Hello,

I apologize in advance if this is the wrong place for this posting.

I am a developer on the circe captive portal system (net-mgmt/circe). Our system currently uses either netgraph or FreeBSD's in-kernel NAT (configurable) as a one-to-one NAT facility to provide access control for wireless clients. IP address pressure has pushed us towards implementing many-to-one NAT. However, the primary deployment of our software here at UC Berkeley requires us to be able to track bandwidth usage, security notices, and copyright takedown requests on a per-client basis. Traditional many-to-one NAT generates an unreasonable amount of logging data for our clients, which we expect to number in the low thousands.

To mitigate the logging/accounting burden, we're investigating port block allocation, described in http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-02. By allocating a block of ports for each client, we can drastically reduce the amount of logging that we have to do to be able to uniquely trace a copyright infringement notice back to the individual user.

Preliminary investigation of both IPFW's NAT facility and netgraph's ng_nat node did not uncover any trivial method of performing port-block allocation in many-to-one NAT.

Has anybody here had any experience implementing a many-to-one NAT box with FreeBSD that made use of port-block allocation? Alternatively, is there any documentation or resources that somebody could point me towards to get started?

Thanks in advance for your help.

-- 
Hao "Bryan" Cheng
Lead Unix Systems Administrator for Network Access Control
Student Affairs - IT
UC Berkeley
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1338591864.3484.12.camel>
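The scheme the post describes, as an added example that is not part of the original message and not code from circe or from FreeBSD's ipfw/ng_nat: a many-to-one NAT allocator that hands each internal client a contiguous block of external ports, writes one log record per block instead of one per connection, and answers the question an abuse desk actually asks (which client held external port P on address X at time T). The external address 169.229.0.1, the client addresses, the timestamps and the traffic volumes are all constructed for the demo. Two simplifications are assumed: ports inside a block are handed out sequentially, and a block's ports are only recycled when the client is released. Timestamps are plain integers (seconds).

```python
"""Port-block allocation for many-to-one NAT with per-block logging.

Illustrative model of draft-tsou-behave-natx4-log-reduction's idea, not
an implementation for any real NAT engine.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BlockRecord:
    """One retained log line: who held which external port range, and when."""
    client: str
    start: int                    # first external port in the block
    end: int                      # last external port in the block (inclusive)
    allocated_at: int
    released_at: Optional[int] = None   # None while the block is still in use


class PortBlockNAT:
    """Many-to-one NAT that logs once per allocated port block."""

    def __init__(self, external_ip: str, block_size: int = 256,
                 low: int = 1024, high: int = 65535):
        if (high - low + 1) % block_size:
            raise ValueError("port range must be a whole number of blocks")
        self.external_ip = external_ip
        self.block_size = block_size
        # Pool of free blocks, identified by their first port.
        self.free_blocks: List[int] = list(range(low, high + 1, block_size))
        self.active: Dict[str, List[BlockRecord]] = {}   # client -> its blocks
        self.cursor: Dict[Tuple[str, int], int] = {}     # (client, start) -> next port
        self.log: List[BlockRecord] = []   # the only thing that must be retained
        self.connections = 0               # what per-connection logging would emit

    def _allocate_block(self, client: str, now: int) -> BlockRecord:
        if not self.free_blocks:
            raise RuntimeError("no free port blocks")   # pool exhaustion is a real failure mode
        start = self.free_blocks.pop(0)
        rec = BlockRecord(client, start, start + self.block_size - 1, now)
        self.active.setdefault(client, []).append(rec)
        self.cursor[(client, start)] = start
        self.log.append(rec)          # one log line per block, not per connection
        return rec

    def translate(self, client: str, now: int) -> Tuple[str, int]:
        """Map a new outbound connection from `client` to (external_ip, port)."""
        self.connections += 1
        for rec in self.active.get(client, []):
            nxt = self.cursor[(client, rec.start)]
            if nxt <= rec.end:
                self.cursor[(client, rec.start)] = nxt + 1
                return self.external_ip, nxt
        # Every block this client holds is used up: allocate another one.
        rec = self._allocate_block(client, now)
        self.cursor[(client, rec.start)] = rec.start + 1
        return self.external_ip, rec.start

    def release(self, client: str, now: int) -> None:
        """Client left the portal: close its log records, return blocks to the pool."""
        for rec in self.active.pop(client, []):
            rec.released_at = now
            del self.cursor[(client, rec.start)]
            self.free_blocks.append(rec.start)

    def resolve(self, ext_ip: str, ext_port: int, at: int) -> Optional[str]:
        """Answer an abuse notice: which client held (ext_ip, ext_port) at time `at`?"""
        if ext_ip != self.external_ip:
            return None
        for rec in self.log:
            in_block = rec.start <= ext_port <= rec.end
            in_time = rec.allocated_at <= at and (rec.released_at is None or at < rec.released_at)
            if in_block and in_time:
                return rec.client
        return None


def format_record(rec: BlockRecord) -> str:
    """Render a log record the way it would be written to the retained log."""
    end = "open" if rec.released_at is None else str(rec.released_at)
    return f"client={rec.client} ports={rec.start}-{rec.end} from={rec.allocated_at} to={end}"


if __name__ == "__main__":
    # Constructed scenario: a tiny 3-block pool so block reuse is visible.
    nat = PortBlockNAT("169.229.0.1", block_size=256, low=40000, high=40767)
    for i in range(300):                  # client A: 300 connections, needs 2 blocks
        nat.translate("10.0.0.7", now=100 + i)
    for i in range(5):                    # client B: 5 connections, 1 block
        nat.translate("10.0.0.9", now=200 + i)
    nat.release("10.0.0.7", now=1000)     # A leaves; its two blocks go back to the pool
    nat.translate("10.0.0.11", now=1100)  # C gets A's old first block
    for rec in nat.log:
        print(format_record(rec))
    print(f"{nat.connections} connections, {len(nat.log)} log lines")
    print("port 40005 at t=150 ->", nat.resolve("169.229.0.1", 40005, 150))
    print("port 40005 at t=1100 ->", nat.resolve("169.229.0.1", 40005, 1100))
```

The lookup depends on the release timestamp as much as on the port range: once a block is returned to the pool and handed to another client, the same external port names two different people at two different times, so a notice that carries no timestamp cannot be attributed safely. Note also that the block is the unit of accountability: a client is answerable for every port in its block for the whole time it holds it, whether or not it opened a connection on that port.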