From owner-freebsd-net@FreeBSD.ORG Thu Jun 7 02:28:39 2012
From: David Duchscher
To: darrenr@freebsd.org
Cc: freebsd-net@freebsd.org, hgcheng@berkeley.edu
Date: Wed, 6 Jun 2012 21:27:27 -0500
Subject: Re: NAT with Port-block Allocation in FreeBSD?
In-Reply-To: <4FCE6C29.3070903@freebsd.org>
References: <4FCE6C29.3070903@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Jun 5, 2012, at 3:29 PM, Darren Reed wrote:

> In IPFilter, the "map-block" ipnat rule serves exactly the
> purpose that you are looking for. It provides address
> translation of network addresses for N:M and uses ports
> to multiplex them in.
>
> Thus a /16 can be nat'd to a /8 with the other 8 bits
> used in the port number.
>
> The results of the NAT'd packets are such that if you are
> given an external IP address and port number, you can
> calculate which internal IP address was used without having
> to know what was the currently active state of the machine.
>
> A typical rule might look like this:
> map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto

Darren,

This is very interesting. We currently use PF to NAT our wireless network and we too would like to reduce the logging load. We currently run around 40-50k state entries per box (4 systems). We are planning on adding 4 more systems in the next month so we have more room and better handling of failures. Researching ipnat, I see that modifications to the ipnat.h header might be needed for it to handle our load. We currently have 31 vlans with a /22 network assigned to the system. Do you feel ipnat can handle this load? Do you have any recommendations for the various values?

Thanks for your time and help,

--
DaveD
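The property Darren describes, that an external address and port alone identify the internal host with no per-connection state, is what makes port-block NAT attractive for logging: one record per host-to-block assignment replaces one record per connection. The following Python is an added example, not code from IPFilter or from this thread. It models a deterministic N:M block mapping using the addresses from the quoted rule (`10.0.0.0/16 -> 203.1.1.0/24`); the port arithmetic (a pool starting at port 1024 split evenly among the hosts that share an external address) is an assumption chosen for illustration and is not claimed to match the exact ranges ipnat computes for `ports auto`.

```python
import ipaddress

# Constructed topology, taken from the rule quoted in the thread:
#   map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
# The block/port arithmetic below is a simplified model for this example.
# It is NOT IPFilter's implementation and does not reproduce its exact ranges.
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
EXTERNAL = ipaddress.ip_network("203.1.1.0/24")
PORT_BASE = 1024   # assumed: ports below 1024 are kept out of the pool
PORT_TOP = 65536   # exclusive upper bound of the 16-bit port space


def block_layout(internal=INTERNAL, external=EXTERNAL, port_base=PORT_BASE):
    """Return (hosts_per_external, ports_per_host) for the N:M mapping."""
    if internal.num_addresses < external.num_addresses:
        raise ValueError("internal block must be at least as large as external")
    hosts_per_ext = internal.num_addresses // external.num_addresses
    ports_per_host = (PORT_TOP - port_base) // hosts_per_ext
    if ports_per_host == 0:
        raise ValueError("too many internal hosts per external address")
    return hosts_per_ext, ports_per_host


def port_block(src_ip, internal=INTERNAL, external=EXTERNAL, port_base=PORT_BASE):
    """Map an internal address to its (external_ip, first_port, last_port)."""
    src = ipaddress.ip_address(src_ip)
    if src not in internal:
        raise ValueError(f"{src} is not inside {internal}")
    hosts_per_ext, ports_per_host = block_layout(internal, external, port_base)
    idx = int(src) - int(internal.network_address)
    ext_idx, slot = divmod(idx, hosts_per_ext)      # which external IP, which block
    ext_ip = external.network_address + ext_idx
    lo = port_base + slot * ports_per_host
    hi = lo + ports_per_host - 1
    return str(ext_ip), lo, hi


def translate(src_ip, src_port, internal=INTERNAL, external=EXTERNAL, port_base=PORT_BASE):
    """Pick an external (ip, port) for a flow; the port always lands in the host's block."""
    ext_ip, lo, hi = port_block(src_ip, internal, external, port_base)
    # Folding the source port into the block keeps this example deterministic.
    # A real NAT would take the first free port in the block and track it in
    # its state table; the block itself is what stays state-free.
    ext_port = lo + (src_port % (hi - lo + 1))
    return ext_ip, ext_port


def reverse(ext_ip, ext_port, internal=INTERNAL, external=EXTERNAL, port_base=PORT_BASE):
    """Recover the internal address from an external (ip, port) pair alone."""
    ext = ipaddress.ip_address(ext_ip)
    if ext not in external:
        raise ValueError(f"{ext} is not inside {external}")
    if not port_base <= ext_port < PORT_TOP:
        raise ValueError(f"port {ext_port} is outside the translation pool")
    hosts_per_ext, ports_per_host = block_layout(internal, external, port_base)
    slot = (ext_port - port_base) // ports_per_host
    if slot >= hosts_per_ext:
        raise ValueError(f"port {ext_port} falls in the unused tail of the pool")
    ext_idx = int(ext) - int(external.network_address)
    return str(internal.network_address + ext_idx * hosts_per_ext + slot)


def block_log_line(src_ip):
    """The single record an operator would need to keep per internal host."""
    ext_ip, lo, hi = port_block(src_ip)
    return f"{src_ip} -> {ext_ip}:{lo}-{hi}"


if __name__ == "__main__":
    print(block_layout())                      # (256, 252)
    print(block_log_line("10.0.3.7"))          # 10.0.3.7 -> 203.1.1.3:2788-3039
    ip, port = translate("10.0.3.7", 51234)
    print(ip, port, "->", reverse(ip, port))   # 203.1.1.3 2866 -> 10.0.3.7
```

With 256 internal hosts behind each external address, every host gets a fixed block of 252 ports, so an abuse report citing `203.1.1.3:2866` resolves to `10.0.3.7` from the block table alone. The same arithmetic also shows the cost: a host is capped at 252 concurrent translations, which is the value to check against the 40-50k states per box mentioned above before choosing the external prefix size.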