Hello, I apologize in advance if this is the wrong place for this posting.

I am a developer on the circe captive portal system (net-mgmt/circe). Our system currently uses either netgraph or FreeBSD's in-kernel NAT (configurable) as a one-to-one NAT facility to provide access control for wireless clients. IP address pressure has pushed us towards implementing many-to-one NAT. However, the primary deployment of our software here at UC Berkeley requires us to be able to track bandwidth usage, security notices, and copyright takedown requests on a per-client basis. Traditional many-to-one NAT generates an unreasonable amount of logging data for our clients, which we expect to number in the low thousands.

To mitigate the logging/accounting burden, we're investigating port block allocation, described in http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-02. By allocating a block of ports for each client, we can drastically reduce the amount of logging that we have to do to be able to uniquely trace a copyright infringement notice back to the individual user.

Preliminary investigation of both IPFW's NAT facility and netgraph's ng_nat node did not uncover any trivial method of performing port-block allocation in many-to-one NAT. Has anybody here had any experience implementing a many-to-one NAT box with FreeBSD that made use of port-block allocation? Alternatively, is there any documentation or resources that somebody could point me towards to get started?

Thanks in advance for your help.

--
Hao "Bryan" Cheng
Lead Unix Systems Administrator for Network Access Control
Student Affairs - IT
UC Berkeley

freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
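The accounting idea behind the post (one log record per allocated port block rather than one per connection, and a block log that is still sufficient to answer "which client held public ip:port at time T") can be modelled in a few dozen lines. The following is an added example, not code from the post, from circe, or from any FreeBSD NAT implementation; the public address, the 64-port block size, the port range and the client addresses are assumed values, and the "log" is an in-memory list standing in for whatever the NAT box would write to syslog.

```python
"""Model of per-client port-block allocation for many-to-one NAT (added example).

Each client is handed a contiguous block of public ports; only block
allocation and release are logged.  Individual flows are mapped into the
client's block with no log line at all, yet an abuse notice quoting
(public IP, public port, time) still resolves to exactly one client.
Addresses, block size and port range below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BlockRecord:
    """One log line: which client owned which port block, and for how long."""
    public_ip: str
    first_port: int
    last_port: int
    client_ip: str
    allocated_at: int            # constructed clock, in seconds
    released_at: Optional[int] = None


class PortBlockNAT:
    def __init__(self, public_ip: str, block_size: int = 64,
                 low_port: int = 1024, high_port: int = 65535):
        assert (high_port - low_port + 1) % block_size == 0
        self.public_ip = public_ip
        self.block_size = block_size
        # Free block start ports for this one public IP (a real box keeps one list per IP).
        self.free_blocks: List[int] = list(range(low_port, high_port + 1, block_size))
        self.block_log: List[BlockRecord] = []           # the only thing ever logged
        self.active: Dict[str, List[BlockRecord]] = {}   # client -> blocks it holds now
        self.flows: Dict[Tuple[str, int], int] = {}      # (client, sport) -> public port
        self.used_ports: set = set()

    def _allocate_block(self, client_ip: str, now: int) -> BlockRecord:
        if not self.free_blocks:
            raise RuntimeError("public port space exhausted")
        start = self.free_blocks.pop(0)
        rec = BlockRecord(self.public_ip, start, start + self.block_size - 1, client_ip, now)
        self.block_log.append(rec)                       # one log line per block
        self.active.setdefault(client_ip, []).append(rec)
        return rec

    def _free_port_in_blocks(self, client_ip: str) -> Optional[int]:
        for rec in self.active.get(client_ip, []):
            for port in range(rec.first_port, rec.last_port + 1):
                if port not in self.used_ports:
                    return port
        return None

    def translate(self, client_ip: str, client_port: int, now: int) -> Tuple[str, int]:
        """Map an outbound flow to (public ip, public port); no per-flow logging."""
        key = (client_ip, client_port)
        if key in self.flows:
            return self.public_ip, self.flows[key]
        port = self._free_port_in_blocks(client_ip)
        if port is None:
            # Client's blocks are full: hand out another block (one more log line).
            port = self._allocate_block(client_ip, now).first_port
        self.used_ports.add(port)
        self.flows[key] = port
        return self.public_ip, port

    def release_client(self, client_ip: str, now: int) -> None:
        """Client logs off: close its flows, stamp its blocks released, recycle them."""
        for rec in self.active.pop(client_ip, []):
            rec.released_at = now
            for port in range(rec.first_port, rec.last_port + 1):
                self.used_ports.discard(port)
            self.free_blocks.append(rec.first_port)
        self.flows = {k: v for k, v in self.flows.items() if k[0] != client_ip}

    def trace(self, public_ip: str, public_port: int, when: int) -> Optional[str]:
        """Answer 'who held this public ip:port at time T' from the block log alone."""
        for rec in self.block_log:
            if (rec.public_ip == public_ip
                    and rec.first_port <= public_port <= rec.last_port
                    and rec.allocated_at <= when
                    and (rec.released_at is None or when < rec.released_at)):
                return rec.client_ip
        return None


def simulate_log_volume(n_clients: int, flows_per_client: int,
                        block_size: int = 64) -> Tuple[int, int]:
    """Return (block-log lines written, lines a per-connection log would have needed)."""
    nat = PortBlockNAT("203.0.113.1", block_size=block_size)   # assumed public IP
    t = 0
    for c in range(n_clients):
        client = f"10.0.0.{c + 1}"                              # constructed client IPs
        for i in range(flows_per_client):
            nat.translate(client, 40000 + i, now=t)
            t += 1
    return len(nat.block_log), n_clients * flows_per_client


if __name__ == "__main__":
    print(simulate_log_volume(3, 100))   # 3 clients x 100 flows -> 6 block lines vs 300
```

The trace lookup is the point of the exercise: because every record carries both an allocation and a release time, a block that is recycled to a later client still resolves correctly for a notice dated inside the earlier tenancy. The trade-off the draft discusses is visible in `_allocate_block`: a client that opens more concurrent flows than one block holds costs a second block and a second log line, so block size is a knob between log volume and public port consumption.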