From: Hao Bryan Cheng
To: freebsd-net@freebsd.org
Date: Fri, 01 Jun 2012 16:04:24 -0700
Subject: NAT with Port-block Allocation in FreeBSD?
Message-ID: <1338591864.3484.12.camel@Zanzibar-II.gateway.2wire.net>
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I apologize in advance if this is the wrong place for this posting.

I am a developer on the circe captive portal system (net-mgmt/circe). Our system currently uses either netgraph or FreeBSD's in-kernel NAT (configurable) as a one-to-one NAT facility to provide access control for wireless clients. IP address pressure has pushed us towards implementing many-to-one NAT. However, the primary deployment of our software here at UC Berkeley requires us to be able to track bandwidth usage, security notices, and copyright takedown requests on a per-client basis.
Traditional many-to-one NAT generates an unreasonable amount of logging data for our clients, which we expect to number in the low thousands. To mitigate the logging/accounting burden, we're investigating port block allocation, described in http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-02. By allocating a block of ports for each client, we can drastically reduce the amount of logging that we have to do to be able to uniquely trace a copyright infringement notice back to the individual user.

Preliminary investigation of both IPFW's NAT facility and netgraph's ng_nat node did not uncover any trivial method of performing port-block allocation in many-to-one NAT.

Has anybody here had any experience implementing a many-to-one NAT box with FreeBSD that made use of port-block allocation? Alternatively, is there any documentation or resources that somebody could point me towards to get started?

Thanks in advance for your help.

-- 
Hao "Bryan" Cheng
Lead Unix Systems Administrator for Network Access Control
Student Affairs - IT
UC Berkeley
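The scheme the post is asking about, shown as an added example that is not circe's code and does not reflect how ipfw nat or ng_nat actually assign ports: each client gets a contiguous block of public ports, a log line is written only when a block is allocated or released (never per flow), and a takedown notice (public IP, public port, timestamp) is resolved from that retained log alone. The public address 203.0.113.10 is a constructed TEST-NET-3 address, the 128-port block size and the 2-minute quarantine before a released block is reused are assumed tuning knobs, and the class and function names are hypothetical.

```python
"""Port-block allocation for many-to-one NAT, after the idea in
draft-tsou-behave-natx4-log-reduction. Added illustration only; not code
from circe, ipfw nat or ng_nat. Names, block size and hold time are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PUBLIC_IP = "203.0.113.10"   # constructed TEST-NET-3 address, not a real deployment
PORT_LOW, PORT_HIGH = 1024, 65535


class PortBlockNat:
    def __init__(self, public_ip=PUBLIC_IP, block_size=128, hold=timedelta(minutes=2)):
        self.public_ip = public_ip
        self.block_size = block_size
        self.hold = hold                 # quarantine before a released block is reused
        n_blocks = (PORT_HIGH - PORT_LOW + 1) // block_size
        self.free_blocks = [PORT_LOW + i * block_size for i in range(n_blocks)]
        self.quarantine = deque()        # (release_ts, block_start), oldest first
        self.client_blocks = defaultdict(list)  # client -> [block_start, ...]
        self.in_use = defaultdict(set)          # block_start -> {public ports in use}
        self.log = []                    # retained log: one line per block event, none per flow
        self.flows = 0                   # flows mapped, to show the reduction ratio

    def _log(self, ts, event, client, start):
        end = start + self.block_size - 1
        self.log.append(f"{ts.isoformat()} {event} client={client} "
                        f"pub={self.public_ip} ports={start}-{end}")

    def _block_of(self, port):
        return PORT_LOW + ((port - PORT_LOW) // self.block_size) * self.block_size

    def allocate_block(self, client, ts):
        # Blocks whose quarantine has expired go back to the front of the free list,
        # so released port space is reused before fresh space is consumed.
        while self.quarantine and ts - self.quarantine[0][0] >= self.hold:
            self.free_blocks.insert(0, self.quarantine.popleft()[1])
        if not self.free_blocks:
            raise RuntimeError("public port space exhausted")
        start = self.free_blocks.pop(0)
        self.client_blocks[client].append(start)
        self._log(ts, "ALLOC", client, start)
        return start

    def release_block(self, client, start, ts):
        if self.in_use[start]:
            raise ValueError("block still has active flows")
        self.client_blocks[client].remove(start)
        self.quarantine.append((ts, start))
        self._log(ts, "RELEASE", client, start)

    def new_flow(self, client, ts):
        """Map one new outbound flow to a public port. Reuses a free port in a
        block the client already owns; allocates a new block only when every
        block it holds is full. Writes no per-flow log line."""
        self.flows += 1
        for start in self.client_blocks[client]:
            used = self.in_use[start]
            if len(used) < self.block_size:
                port = next(p for p in range(start, start + self.block_size) if p not in used)
                used.add(port)
                return port
        start = self.allocateblock(client, ts) if False else self.allocate_block(client, ts)
        self.in_use[start].add(start)
        return start

    def end_flow(self, port):
        self.in_use[self._block_of(port)].discard(port)


def find_client(log, public_ip, public_port, when):
    """Answer a notice (public IP, port, time) from the retained log alone:
    the owner is whoever held the block covering that port at that instant.
    Relies on the log being in chronological order, which _log guarantees."""
    owner = None
    for line in log:
        ts_s, event, client_kv, pub_kv, ports_kv = line.split()
        if datetime.fromisoformat(ts_s) > when:
            break
        lo, hi = (int(x) for x in ports_kv.split("=", 1)[1].split("-"))
        if pub_kv.split("=", 1)[1] != public_ip or not lo <= public_port <= hi:
            continue
        owner = client_kv.split("=", 1)[1] if event == "ALLOC" else None
    return owner
```

Two things worth checking before adopting block sizes like this: a single public address has 64,512 ports above 1023, so 128-port blocks cover only 504 simultaneous clients, and a deployment in the low thousands needs either a pool of public addresses or smaller blocks (at the cost of more block allocations, and therefore more log lines, for busy clients). The quarantine exists because notices usually carry second-granularity timestamps; without a hold between release and reuse, a block that changes hands within one second would make the lookup ambiguous.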