From owner-freebsd-net@FreeBSD.ORG Mon Sep 24 08:58:23 2007
From: Cristian KLEIN
To: freebsd-net@freebsd.org
Date: Mon, 24 Sep 2007 11:58:15 +0300
Subject: Re: Large-scale 1-1 NAT
Message-ID: <46F77C27.9050400@net.utcluj.ro>
In-Reply-To: <20070924072517.GL19429@hal.rescomp.berkeley.edu>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Christopher Cowart wrote:
> Hello,
>
> We're working on expanding our wireless network. Unfortunately, we're
> running out of IP addresses (aren't we all). As much as I'd love to just
> tell everyone to use IPv6, that isn't gonna fly. The next plan to
> consider is using an RFC1918 pool and NATing the traffic.
>
> If only it were that simple. The security folks have mandated that
> anyone who can talk to the internet at large must be individually
> identifiable. This means having hundreds of users NATing to a single
> internet-routable IP isn't happening.

We used to have this problem too, for some NATed networks. The solution
which has been adopted is to capture the flows on the gateway and send
them to the security team. The netflow protocol is very well suited for
this.

> The real question is: what's the best way to dynamically update the NAT
> table?

You may use IPFW with IPNAT or PF instead. PF is able to reload its
configuration without disruption. Moreover, because the state table is not
flushed during a reload, you can even move NATed clients from one public
IP to another, without them noticing.
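One way to do the runtime NAT-table update Cristian describes with PF, as an added example that is not part of the thread: a small script that renders 1-1 `binat` rules from a private/public mapping and loads them into a PF anchor. The interface name em0, the anchor name "onetoone" and all addresses are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: render PF binat rules for a 1-1
# NAT pool from a "private public" mapping and load them into a PF anchor,
# so the mapping can be changed at runtime with a plain ruleset reload.
# Assumptions (not from the thread): external interface em0, anchor name
# "onetoone", and a pf.conf that already contains:  binat-anchor "onetoone"

# Read "private public" pairs on stdin, print one binat rule per pair.
# Blank lines, comment lines and malformed lines are skipped.
render_binat_rules() {
    ext_if=$1
    awk -v ifc="$ext_if" '
        /^[[:space:]]*#/ { next }
        NF == 2 { printf "binat on %s from %s to any -> %s\n", ifc, $1, $2 }
    '
}

# Replace the anchor's rules in one load. PF keeps existing state entries
# across the reload, so established flows are not interrupted.
load_binat_anchor() {
    anchor=$1; ext_if=$2; mapfile=$3
    render_binat_rules "$ext_if" < "$mapfile" | pfctl -a "$anchor" -f -
}

# Constructed sample mapping: RFC1918 client -> dedicated public address.
SAMPLE_MAP='# private      public
10.0.0.10    198.51.100.10
10.0.0.11    198.51.100.11
'
```

Run `load_binat_anchor onetoone em0 /path/to/mapping` as root on the gateway after editing the mapping file; `pfctl -a onetoone -s nat` shows the translations currently loaded.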