Date:      Mon, 29 Jun 2015 12:54:32 +0200
From:      Milan Obuch <freebsd-pf@dino.sk>
To:        Ian FREISLICH <ian.freislich@capeaugusta.com>
Cc:        Daniel Hartmeier <daniel@benzedrine.ch>, freebsd-pf@freebsd.org
Subject:   Re: Large scale NAT with PF - some weird problem
Message-ID:  <20150629125432.7aff9e66@zeta.dino.sk>
In-Reply-To: <E1Z9WW6-000PzF-PO@clue.co.za>
References:  <20150629114506.1cfd6f1b@zeta.dino.sk> <14e119e8fa8.2755.abfb21602af57f30a7457738c46ad3ae@capeaugusta.com> <E1Z6dHz-0000uu-D8@clue.co.za> <E1Z6eVg-0000yz-Ar@clue.co.za> <20150621195753.7b162633@zeta.dino.sk> <E1Z7Ixx-0006K1-5p@clue.co.za> <E1Z7K1Y-0006Ph-ON@clue.co.za> <20150623112331.668395d1@zeta.dino.sk> <20150628100609.635544e0@zeta.dino.sk> <20150629082654.GA22693@insomnia.benzedrine.ch> <20150629105201.7ee24e38@zeta.dino.sk> <20150629092932.GC22693@insomnia.benzedrine.ch> <E1Z9WW6-000PzF-PO@clue.co.za>

On Mon, 29 Jun 2015 12:42:22 +0200
Ian FREISLICH <ian.freislich@capeaugusta.com> wrote:

> Milan Obuch wrote:
> > On Mon, 29 Jun 2015 11:29:32 +0200
> > Daniel Hartmeier <daniel@benzedrine.ch> wrote:
> > 
> > > On Mon, Jun 29, 2015 at 10:52:01AM +0200, Milan Obuch wrote:
> > > 
> > > > Did this answer your question fully, or would something more
> > > > be useful?
> > > 
> > > How are you doing ARP?
> > >
> > > You're not assigning every address on x.y.26.0/23 as an alias, are
> > > you?
> > > 
> > > So who answers ARP requests of the upstream router?
> > 
> > There is no ARP on routed address block.
> > 
> > In cisco speak, there is just
> > 
> > ip route x.y.24.0 255.255.252.0 x.y.3.19
> > 
> > statement and that's it. Nothing more. Whole address range from
> > x.y.24.0 to x.y.27.254 is routed here as it should be. For something
> > like this ARP would be really evil solution.
> 
> That's OK, as long as the NAT network is routed to your PF box it
> will work.
>

This was just an explanation, I am sure this is OK, as I have some
network experience already for... well, a long time.

> The situation you mentioned in a previous message where you see
> lots and lots of NAT states for a single public IP address is what
> I suspected was happening.  When you require more NAT states per
> IP than ephemeral ports you will run into issues because you will
> run out of NAT space.
>

No, there were not many states per problematic IP, maybe just tens of
them for one or a couple of internal IPs. That's weird.

> If the round-robin works with a smaller pool, then I suspect Glebius
> will be interested.
> 

Well, if he chimes in, I would only welcome that. Currently I am
waiting for any signs of trouble with the shrunk pool, if there will be
any.

Milan
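
To check the port-exhaustion hypothesis raised in this exchange (too many NAT states behind a single public address), here is an added example, not code from the thread, that counts NAT states per translated address in `pfctl -ss` output. The sample lines are constructed, and the line layout, the PF default translation port range (assumed 50001:65535) and the warning threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (not captured from the poster's box).
# Assumed shape of an outbound NAT state line:
#   <if> <proto> <translated src> (<original src>) -> <dst>   <state>
SAMPLE_STATES = """\
all tcp 203.0.113.10:50001 (10.9.1.2:50001) -> 198.51.100.7:443   ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:50002 (10.9.1.3:50002) -> 198.51.100.7:443   ESTABLISHED:ESTABLISHED
all udp 203.0.113.11:40000 (10.9.1.4:40000) -> 198.51.100.9:53    MULTIPLE:MULTIPLE
all tcp 203.0.113.10:50003 (10.9.1.2:50003) -> 198.51.100.8:80    FIN_WAIT_2:FIN_WAIT_2
all tcp 10.9.1.5:22 <- 10.9.1.6:55555   ESTABLISHED:ESTABLISHED
"""

# Only lines with a parenthesised original address are NAT states.
NAT_LINE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<pub>[0-9.]+):(?P<pport>\d+)\s+"
    r"\((?P<orig>[0-9.]+):\d+\)\s+->\s+"
)

# Assumption: PF's default NAT source-port range is 50001:65535.
DEFAULT_NAT_PORTS = 65535 - 50001 + 1


def nat_states_per_public_ip(text):
    """Return (states per translated IP, set of internal hosts per translated IP)."""
    states = Counter()
    hosts = {}
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if not m:
            continue  # non-NAT state or unexpected layout: skip it
        pub = m.group("pub")
        states[pub] += 1
        hosts.setdefault(pub, set()).add(m.group("orig"))
    return states, hosts


def port_exhaustion_report(text, usable_ports=DEFAULT_NAT_PORTS, warn_ratio=0.8):
    """Flag translated IPs whose state count approaches the translation port range."""
    states, hosts = nat_states_per_public_ip(text)
    return {
        pub: {
            "states": n,
            "internal_hosts": len(hosts[pub]),
            "near_exhaustion": n >= warn_ratio * usable_ports,
        }
        for pub, n in states.items()
    }


if __name__ == "__main__":
    for pub, info in sorted(port_exhaustion_report(SAMPLE_STATES).items()):
        print(pub, info)
```

On a live box, feed it the output of `pfctl -ss` instead of the constructed sample; a public IP with tens of states, as in the case above, will not be flagged, which is consistent with exhaustion not being the explanation there.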
