Date:      Fri, 01 Jun 2012 16:04:24 -0700
From:      Hao Bryan Cheng <hbcheng@berkeley.edu>
To:        freebsd-net@freebsd.org
Subject:   NAT with Port-block Allocation in FreeBSD?
Message-ID:  <1338591864.3484.12.camel@Zanzibar-II.gateway.2wire.net>

Hello,

I apologize in advance if this is the wrong place for this posting.

I am a developer on the circe captive portal system (net-mgmt/circe).
Our system currently uses either netgraph or FreeBSD's in-kernel NAT
(configurable) as a one-to-one NAT facility to provide access control
for wireless clients.

IP address pressure has pushed us towards implementing many-to-one NAT.
However, the primary deployment of our software here at UC Berkeley
requires us to be able to track bandwidth usage, security notices, and
copyright takedown requests on a per-client basis. Traditional
many-to-one NAT generates an unreasonable amount of logging data for our
clients, which we expect to number in the low thousands.

To mitigate the logging/accounting burden, we're investigating port
block allocation, described in
http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-02. By
allocating a block of ports for each client, we can drastically reduce
the amount of logging that we have to do to be able to uniquely trace a
copyright infringement notice back to the individual user. 

Preliminary investigation of both IPFW's NAT facility and netgraph's
ng_nat node did not uncover any trivial method of performing port-block
allocation in many-to-one NAT. 

Has anybody here had any experience implementing a many-to-one NAT box
with FreeBSD that made use of port-block allocation? Alternatively, is
there any documentation, or are there any resources, that somebody could
point me towards to get started?

Thanks in advance for your help.


-- 
Hao "Bryan" Cheng

Lead Unix Systems Administrator for Network Access Control
Student Affairs - IT
UC Berkeley

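The port-block scheme the post asks about, as an added example that is not part of the original message and not code from circe, ipfw or ng_nat: a toy many-to-one NAT that hands each client an aligned block of public ports, logs only block allocation and release (never individual sessions), and resolves a notice of the form (public port, time) from that log alone. The public address 192.0.2.1, the block size, the 1024-65535 pool and the integer event counter standing in for timestamps are assumptions.

```python
"""
Toy model of port-block allocation for many-to-one (NAPT) NAT, after the idea
in draft-tsou-behave-natx4-log-reduction: one log record per block handed to
a client and one per block returned, instead of one record per session.

Assumptions (not from the posting): public address 192.0.2.1, an aligned
block size, a 1024-65535 pool, and an event counter in place of timestamps.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "192.0.2.1"  # RFC 5737 documentation address (assumption)


@dataclass
class Block:
    client: str
    start: int                                      # first public port, inclusive
    end: int                                        # last public port, inclusive
    in_use: Set[int] = field(default_factory=set)   # public ports with a live session


@dataclass(frozen=True)
class LogRecord:
    seq: int        # event counter standing in for a timestamp
    event: str      # "ALLOC" or "RELEASE"
    client: str
    start: int
    end: int

    def __str__(self) -> str:
        return (f"seq={self.seq} {self.event} client={self.client} "
                f"public={PUBLIC_IP}:{self.start}-{self.end}")


class PortBlockNAT:
    def __init__(self, block_size: int = 64, port_lo: int = 1024, port_hi: int = 65535) -> None:
        self.block_size = block_size
        self.port_lo = port_lo
        n_blocks = (port_hi - port_lo + 1) // block_size
        # Free list of aligned block start ports. Released blocks go to the back,
        # so a port is reused as late as possible (helps when notices arrive late).
        self.free: List[int] = [port_lo + i * block_size for i in range(n_blocks)]
        self.blocks: Dict[int, Block] = {}                # block start -> Block
        self.by_client: Dict[str, List[Block]] = {}
        self.sessions: Dict[int, Tuple[str, int]] = {}   # public port -> (client, client port)
        self.log: List[LogRecord] = []                    # the only record that must be kept
        self.seq = 0

    def _tick(self) -> int:
        self.seq += 1
        return self.seq

    def _block_start(self, port: int) -> int:
        return self.port_lo + ((port - self.port_lo) // self.block_size) * self.block_size

    def _alloc_block(self, client: str) -> Block:
        if not self.free:
            raise RuntimeError("public port pool exhausted")
        start = self.free.pop(0)
        blk = Block(client, start, start + self.block_size - 1)
        self.blocks[start] = blk
        self.by_client.setdefault(client, []).append(blk)
        self.log.append(LogRecord(self._tick(), "ALLOC", client, blk.start, blk.end))
        return blk

    def open_session(self, client: str, client_port: int) -> int:
        """Map a new outbound flow to a public port inside one of the client's blocks."""
        blk, port = None, None
        for cand in self.by_client.get(client, []):
            port = next((p for p in range(cand.start, cand.end + 1) if p not in cand.in_use), None)
            if port is not None:
                blk = cand
                break
        if blk is None:                       # first flow, or every block is full
            blk = self._alloc_block(client)
            port = blk.start
        blk.in_use.add(port)
        self.sessions[port] = (client, client_port)
        self._tick()                          # sessions advance the clock but are not logged
        return port

    def close_session(self, public_port: int) -> None:
        client, _ = self.sessions.pop(public_port)
        blk = self.blocks[self._block_start(public_port)]
        blk.in_use.discard(public_port)
        seq = self._tick()
        if not blk.in_use:
            # Whole block idle: return it and log the release, so the log bounds the
            # interval in which this client held these ports. A real NAT would hold
            # the block for a grace period before reusing it.
            self.by_client[client].remove(blk)
            del self.blocks[blk.start]
            self.free.append(blk.start)
            self.log.append(LogRecord(seq, "RELEASE", client, blk.start, blk.end))


def resolve(log: List[LogRecord], public_port: int, at_seq: int) -> Optional[str]:
    """Answer a notice (public port, time) from the block log alone: the client whose
    block covered the port at that time, or None if the port was unallocated."""
    owner = None
    for rec in log:
        if rec.seq > at_seq:
            break
        if rec.start <= public_port <= rec.end:
            owner = rec.client if rec.event == "ALLOC" else None
    return owner


if __name__ == "__main__":
    nat = PortBlockNAT(block_size=4)                                   # tiny blocks so one fills up
    a = [nat.open_session("10.0.0.5", 40000 + i) for i in range(5)]   # 1024..1027, then 1028
    b = nat.open_session("10.0.0.9", 5555)                            # 1032
    nat.close_session(b)                                              # releases 1032-1035
    for rec in nat.log:
        print(rec)
    print("sessions:", len(a) + 1, "log records:", len(nat.log))     # 6 sessions, 4 records
    print("port 1029 at seq 9 ->", resolve(nat.log, 1029, 9))       # 10.0.0.5
```

Two points worth noting when reading the model. `resolve()` answers at block granularity: a port inside a client's block is attributed to that client even if no session ever used it, which is exactly what makes per-session logging unnecessary. The other side of that bargain is that reuse of a released block is the forensic hazard, so the log must carry both ALLOC and RELEASE records with a clock that can be compared against the time in the notice; in practice that means a synchronised wall clock with time zone in the log, and a hold-down period before a released block is handed to another client.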


