Date: Thu, 07 Jun 2012 17:54:17 +1000
From: Darren Reed <darernr@freebsd.org>
To: David Duchscher <daved@tamu.edu>
Cc: freebsd-net@freebsd.org, hbcheng@berkeley.edu
Subject: Re: NAT with Port-block Allocation in FreeBSD?
Message-ID: <4FD05E29.6010303@freebsd.org>
In-Reply-To: <A0065E68-B2DC-44E8-A41F-97F3BA3CEACB@tamu.edu>
References: <4FCE6C29.3070903@freebsd.org> <A0065E68-B2DC-44E8-A41F-97F3BA3CEACB@tamu.edu>
David Duchscher wrote:
> On Jun 5, 2012, at 3:29 PM, Darren Reed wrote:
>
>> In IPFilter, the "map-block" ipnat rule serves exactly the
>> purpose that you are looking for. It provides address
>> translation of network addresses for N:M and uses ports
>> to multiplex them in.
>>
>> Thus a /16 can be nat'd to a /8 with the other 8 bits
>> used in the port number.
>>
>> The results of the NAT'd packets are such that if you are
>> given an external IP address and port number, you can
>> calculate which internal IP address was used without having
>> to know what was the currently active state of the machine.
>>
>> A typical rule might look like this:
>> map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
>
> Darren,
>
> This is very interesting. We currently use PF to NAT our wireless
> network and we too would like to reduce the logging load. We currently
> run around 40-50k state entries per box (4 systems). We are planning on
> adding 4 more systems in the next month so we have more room and better
> handling of failures. Researching ipnat, I see that modifications to
> the ipnat.h header might be needed for it to handle our load. We
> currently have 31 vlans with /22 network assigned to the system. Do you
> feel ipnat can handle this load? Do you have any recommendations for
> the various values?

The above rule was designed and used to support NAT'ing of hundreds of networks (if not several thousand) on a couple of NAT boxes where the load was about double that you're seeing over 10 years ago with FreeBSD, so I don't think that there will be too much trouble with your load today.
The constants that you need to tune are:

NAT_TABLE_MAX
NAT_TABLE_SZ
HOSTMAP_SIZE

in /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h

HOSTMAP_SIZE should be 1.3 * the number of hosts to be NAT'd
NAT_TABLE_MAX should be whatever you are setting your pf size to
NAT_TABLE_SZ should be a prime number > 1.3 * NAT_TABLE_MAX

On another operating system, there are systems using ipfilter today that track over 1 million current NAT sessions, so I don't think the load will be too much of a problem.

Darren
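The two technical points in this exchange, the stateless N:M "port-block" mapping that the map-block rule provides and the rules of thumb for sizing the ip_nat.h constants, are illustrated below with an added example that is not part of the thread and is not IPFilter code. The model maps the thread's 10.0.0.0/16 onto 203.1.1.0/24 by giving each internal host a fixed slice of one external address's ports, so the reverse lookup needs no state table. How the port range is split (1024-65535, equal blocks) and how a port is chosen inside a host's block are assumptions of this model, not a description of what ipnat's "ports auto" actually does. The sizing helper uses the question's 31 VLANs of /22 (31 * 1024 hosts) and a placeholder state limit of 100000 in place of whatever pf limit is configured.

```python
"""Added example: a model of deterministic port-block NAT (N:M with the
remaining bits carried in the port number) and a sizing helper for the
ip_nat.h tuning constants.  Not IPFilter's implementation."""
import ipaddress


class PortBlockNat:
    """Map an internal prefix onto a smaller external prefix by reserving a
    fixed port block on one external address for every internal host."""

    def __init__(self, internal, external, port_lo=1024, port_hi=65535):
        # Assumption: translated ports come from [port_lo, port_hi].
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        n_int, n_ext = self.internal.num_addresses, self.external.num_addresses
        if n_int % n_ext:
            raise ValueError("internal prefix must be a multiple of the external one")
        self.hosts_per_ext = n_int // n_ext        # 256 for /16 -> /24
        self.port_lo = port_lo
        self.block = (port_hi - port_lo + 1) // self.hosts_per_ext
        if self.block < 1:
            raise ValueError("not enough ports to give every internal host a block")

    def block_for(self, src_ip):
        """(external ip, first port, last port) reserved for one internal host."""
        ip = ipaddress.ip_address(src_ip)
        if ip not in self.internal:
            raise ValueError(f"{ip} is not in {self.internal}")
        idx = int(ip) - int(self.internal.network_address)
        ext_ip = self.external[idx // self.hosts_per_ext]
        base = self.port_lo + (idx % self.hosts_per_ext) * self.block
        return str(ext_ip), base, base + self.block - 1

    def outbound(self, src_ip, src_port):
        """Translate (internal ip, port) -> (external ip, port)."""
        ext_ip, base, _ = self.block_for(src_ip)
        # Assumption: fold the original source port into the host's block.
        # A real NAT would pick any free port inside the block instead.
        return ext_ip, base + (src_port % self.block)

    def inbound(self, ext_ip, ext_port):
        """Recover the internal host from (external ip, port) with no state lookup."""
        ip = ipaddress.ip_address(ext_ip)
        if ip not in self.external:
            raise ValueError(f"{ip} is not in {self.external}")
        slot = (ext_port - self.port_lo) // self.block
        if not 0 <= slot < self.hosts_per_ext:
            raise ValueError(f"port {ext_port} is outside the translated range")
        idx = (int(ip) - int(self.external.network_address)) * self.hosts_per_ext + slot
        return str(self.internal[idx])


def is_prime(n):
    """Trial-division primality test; fast enough for table sizes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime_above(n):
    """Smallest prime strictly greater than n."""
    c = n + 1
    while not is_prime(c):
        c += 1
    return c


def ipnat_sizes(nat_hosts, state_max):
    """Apply the reply's rules of thumb: HOSTMAP_SIZE ~ 1.3 x hosts,
    NAT_TABLE_MAX = the state limit, NAT_TABLE_SZ = prime > 1.3 x NAT_TABLE_MAX.
    Integer arithmetic so the 1.3 factor is not subject to float rounding."""
    def times_1_3(n):
        return (13 * n + 9) // 10                  # ceil(1.3 * n)
    return {
        "HOSTMAP_SIZE": times_1_3(nat_hosts),
        "NAT_TABLE_MAX": state_max,
        "NAT_TABLE_SZ": next_prime_above(times_1_3(state_max)),
    }


if __name__ == "__main__":
    nat = PortBlockNat("10.0.0.0/16", "203.1.1.0/24")
    ext = nat.outbound("10.0.1.5", 40000)
    print("10.0.1.5:40000 ->", ext, "-> back to", nat.inbound(*ext))
    # 31 VLANs of /22 from the question; 100000 is a placeholder state limit.
    print(ipnat_sizes(31 * 1024, 100_000))
```

The property the thread relies on is visible in `inbound`: the external address and port alone identify the internal host, so per-session logging can be replaced by logging the rule once. The sizing helper only encodes the ratios quoted in the reply; the real values to feed it are the host count and the state limit you actually run.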
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FD05E29.6010303>