Date:      Mon, 6 Jul 2015 16:33:58 +0200
From:      Milan Obuch <freebsd-pf@dino.sk>
To:        Ian FREISLICH <ian.freislich@capeaugusta.com>
Cc:        Daniel Hartmeier <daniel@benzedrine.ch>, freebsd-pf@freebsd.org
Subject:   Re: Large scale NAT with PF - some weird problem
Message-ID:  <20150706163358.11a67ecf@zeta.dino.sk>
In-Reply-To: <20150629125432.7aff9e66@zeta.dino.sk>
References:  <20150629114506.1cfd6f1b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <E1Z6dHz-0000uu-D8@clue.co.za> <E1Z6eVg-0000yz-Ar@clue.co.za> <20150621195753.7b162633@zeta.dino.sk> <E1Z7Ixx-0006K1-5p@clue.co.za> <E1Z7K1Y-0006Ph-ON@clue.co.za> <20150623112331.668395d1@zeta.dino.sk> <20150628100609.635544e0@zeta.dino.sk> <20150629082654.GA22693@insomnia.benzedrine.ch> <20150629105201.7ee24e38@zeta.dino.sk> <20150629092932.GC22693@insomnia.benzedrine.ch> <E1Z9WW6-000PzF-PO@clue.co.za> <20150629125432.7aff9e66@zeta.dino.sk>

On Mon, 29 Jun 2015 12:54:32 +0200
Milan Obuch <freebsd-pf@dino.sk> wrote:

> On Mon, 29 Jun 2015 12:42:22 +0200
> Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:
> 
> > Milan Obuch wrote:

[ snip ]

> > > In cisco speak, there is just
> > > 
> > > ip route x.y.24.0 255.255.252.0 x.y.3.19
> > > 
> > > statement and that's it. Nothing more. Whole address range from
> > > x.y.24.0 to x.y.27.254 is routed here as it should be. For
> > > something like this ARP would be really evil solution.
> > 
> > That's OK, as long as the NAT network is routed to your PF box it
> > will work.
> >
> 
> This was just an explanation, I am sure this is OK, as I have some
> network experience already for... well, a long time.
> 
> > The situation you mentioned in a previous message where you see
> > lots and lots of NAT states for a single public IP address is what
> > I suspected was happening.  When you require more NAT states per
> > IP than ephemeral ports you will run into issues because you will
> > run out of NAT space.
> >
> 
> No, there were not many states per problematic IP, maybe just tens of
> them for one or a couple of internal IPs. That's weird.
> 
> > If the round-robin works with a smaller pool, then I suspect Glebius
> > will be interested.
> > 
> 
> Well, if he chimes in, I would only welcome that. Currently I am
> waiting for any signs of troubles with the shrunk pool, if there will
> be any.
> 
> Milan
>

For about a week, I did not receive any complaints, so I think it works
for now.

I still see some hits for the src-limit counter in 'pfctl -vs info' output,
currently at 347, so it is approx. at 50 hits a day. If there are some
good docs on these counters, I surely would like to know. I mean
something like 'if this counter reaches 1000 (or 1000 daily or
something similar), then it is a sign of some problem'.

Also, in 'pfctl -sa' output, there are currently three states with
a states count of 4294967295, 4294967295 and 4294967293, respectively.
This one is for me a sign of some trouble as it strongly resembles
underflow of a 32 bit integer counter, interpreted as an unsigned number.

Regards,
Milan
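The two checks Milan describes above, turned into a small script as an added example (not part of the thread, and not pf or pfctl code): it reads the Total column of a named counter from 'pfctl -vs info', converts it into a per-day rate using the "Enabled for" uptime, and flags source-tracking entries whose states count sits just below 2^32, which is what an unsigned 32 bit counter looks like after being decremented past zero. The sample outputs are constructed for this example and only approximate pfctl's layout; the counter names and column order are assumptions, so check them against a real 'pfctl -vs info' and 'pfctl -sS' before relying on the regular expressions.

```python
"""Sanity checks over pfctl output (constructed samples, not real captures)."""
import re

UINT32_MAX = 2**32 - 1

# Constructed sample in the shape of `pfctl -vs info` (layout assumed, not
# copied from a real box): counter name, Total column, Rate column.
SAMPLE_INFO = """\
Status: Enabled for 7 days 02:10:33           Debug: Urgent

State Table                          Total             Rate
  current entries                    48211
  searches                       912345678         1508.5/s
  inserts                          4561234            7.5/s
  removals                         4513023            7.4/s
Counters
  match                            4561234            7.5/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  src-limit                            347            0.0/s
"""

# Constructed sample in the shape of the source-tracking entries printed by
# `pfctl -sS` (also part of `pfctl -sa`); layout assumed.
SAMPLE_SRC_NODES = """\
10.20.30.40 -> 192.0.2.17 ( states 5, connections 0, rate 0.0/0s )
10.20.30.41 -> 192.0.2.18 ( states 4294967295, connections 0, rate 0.0/0s )
10.20.30.42 -> 192.0.2.19 ( states 4294967293, connections 0, rate 0.0/0s )
"""

# A counter line: leading whitespace, a name, whitespace, the Total column.
COUNTER_RE = re.compile(r"^\s+(?P<name>[\w-]+)\s+(?P<total>\d+)", re.M)
STATUS_RE = re.compile(r"Enabled for (\d+) days (\d+):(\d+):(\d+)")
SRC_NODE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) \( states (?P<states>\d+)", re.M)


def counter(info_text, name):
    """Return the Total column of the named counter, or None if absent."""
    for m in COUNTER_RE.finditer(info_text):
        if m.group("name") == name:
            return int(m.group("total"))
    return None


def uptime_seconds(info_text):
    """Seconds since pf was enabled, taken from the Status line."""
    m = STATUS_RE.search(info_text)
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def per_day(count, seconds):
    """Average daily rate of a cumulative counter over the given uptime."""
    return count * 86400 / seconds


def underflowed_src_nodes(src_text, slack=1024):
    """Entries whose states count is within `slack` of UINT32_MAX.

    A u_int32_t decremented below zero wraps to 4294967295, so such values
    are bookkeeping errors, not real state counts. Each hit is returned as
    (src, dst, raw_count, count_read_as_signed), e.g. 4294967295 -> -1.
    """
    hits = []
    for m in SRC_NODE_RE.finditer(src_text):
        n = int(m.group("states"))
        if n >= UINT32_MAX - slack:
            hits.append((m.group("src"), m.group("dst"), n, n - 2**32))
    return hits


if __name__ == "__main__":
    src_limit = counter(SAMPLE_INFO, "src-limit")
    up = uptime_seconds(SAMPLE_INFO)
    print(f"src-limit: {src_limit} total, {per_day(src_limit, up):.1f}/day")
    for src, dst, raw, signed in underflowed_src_nodes(SAMPLE_SRC_NODES):
        print(f"{src} -> {dst}: states {raw} (reads as {signed} signed), "
              f"suspect counter underflow")
```

On a live box the two samples would be replaced by the output of 'pfctl -vs info' and 'pfctl -sS'; running the script from cron and alerting when per_day() crosses a locally chosen threshold, or when underflowed_src_nodes() returns anything at all, turns the gut feeling in the message into a repeatable check.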


