From owner-freebsd-net@FreeBSD.ORG Thu Jun 7 06:53:43 2012
Message-ID: <4FD05E29.6010303@freebsd.org>
Date: Thu, 07 Jun 2012 17:54:17 +1000
From: Darren Reed
To: David Duchscher
Cc: freebsd-net@freebsd.org, hbcheng@berkeley.edu
References: <4FCE6C29.3070903@freebsd.org>
Subject: Re: NAT with Port-block Allocation in FreeBSD?

David Duchscher wrote:
> On Jun 5, 2012, at 3:29 PM, Darren Reed wrote:
>
>> In IPFilter, the "map-block" ipnat rule serves exactly the
>> purpose that you are looking for. It provides address
>> translation of network addresses for N:M and uses ports
>> to multiplex them in.
>>
>> Thus a /16 can be nat'd to a /8 with the other 8 bits
>> used in the port number.
>>
>> The results of the NAT'd packets are such that if you are
>> given an external IP address and port number, you can
>> calculate which internal IP address was used without having
>> to know what was the currently active state of the machine.
>>
>> A typical rule might look like this:
>> map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
>
> Darren,
>
> This is very interesting. We currently use PF to NAT our wireless
> network and we too would like to reduce the logging load. We
> currently run around 40-50k state entries per box (4 systems). We
> are planning on adding 4 more systems in the next month so we have
> more room and better handling of failures. Researching ipnat, I see
> that modifications to the ipnat.h header might be needed for it to
> handle our load. We currently have 31 vlans with /22 network
> assigned to the system. Do you feel ipnat can handle this load? Do
> you have any recommendations for the various values?

The above rule was designed and used to support NAT'ing of hundreds of
networks (if not several thousand) on a couple of NAT boxes where the
load was about double what you're seeing, over 10 years ago with
FreeBSD, so I don't think that there will be too much trouble with your
load today.
The constants that you need to tune are:

  NAT_TABLE_MAX
  NAT_TABLE_SZ
  HOSTMAP_SIZE

in /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h

HOSTMAP_SIZE should be 1.3 * the number of hosts to be NAT'd
NAT_TABLE_MAX should be whatever you are setting your pf size to
NAT_TABLE_SZ should be a prime number > 1.3 * NAT_TABLE_MAX

On another operating system, there are systems using ipfilter today
that track over 1 million current NAT sessions, so I don't think the
load will be too much of a problem.

Darren
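The stateless attribution that the quoted map-block rule allows, as an added example that models a port-block scheme and is not IPFilter's own code. Splitting the internal host bits into an external-address index plus a port block, leaving ports below 1024 unused, and giving every host an equal-sized block are assumptions made here for illustration; IPFilter's exact arithmetic may differ.

```python
import ipaddress
from dataclasses import dataclass

PORT_SPACE = 65536


@dataclass(frozen=True)
class MapBlock:
    """Model of one N:M map-block rule (internal /16 -> external /24 below)."""
    internal: ipaddress.IPv4Network
    external: ipaddress.IPv4Network
    min_port: int = 1024  # assumption: privileged ports are never handed out

    @property
    def hosts_per_ext(self) -> int:
        # Internal hosts that share one external address (256 for /16 -> /24)
        return self.internal.num_addresses // self.external.num_addresses

    @property
    def block_size(self) -> int:
        # Ports each internal host owns on its external address (252 here)
        return (PORT_SPACE - self.min_port) // self.hosts_per_ext

    def outbound(self, src: str) -> tuple[str, int, int]:
        """Internal address -> (external address, first port, last port)."""
        host = int(ipaddress.IPv4Address(src)) - int(self.internal.network_address)
        if not 0 <= host < self.internal.num_addresses:
            raise ValueError(f"{src} is outside {self.internal}")
        # High host bits select the external address, low bits the port block
        ext_index, block = divmod(host, self.hosts_per_ext)
        first = self.min_port + block * self.block_size
        ext = self.external.network_address + ext_index
        return str(ext), first, first + self.block_size - 1

    def inbound(self, ext: str, port: int) -> str:
        """(external address, port) from a log -> internal address, no state table."""
        ext_index = int(ipaddress.IPv4Address(ext)) - int(self.external.network_address)
        if not 0 <= ext_index < self.external.num_addresses:
            raise ValueError(f"{ext} is outside {self.external}")
        block, _ = divmod(port - self.min_port, self.block_size)
        if not 0 <= block < self.hosts_per_ext:
            raise ValueError(f"port {port} is not in any allocated block")
        return str(self.internal.network_address + ext_index * self.hosts_per_ext + block)


# The rule from the thread: map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
RULE = MapBlock(ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("203.1.1.0/24"))

if __name__ == "__main__":
    print(RULE.outbound("10.0.5.7"))        # ('203.1.1.5', 2788, 3039)
    print(RULE.inbound("203.1.1.5", 3000))  # 10.0.5.7
```

Because the mapping is a pure function of the rule, a log line carrying only the external address and port is enough to name the internal host, which is what removes the need to log every NAT session.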