On Jun 5, 2012, at 3:29 PM, Darren Reed wrote:

> In IPFilter, the "map-block" ipnat rule serves exactly the
> purpose that you are looking for. It provides address
> translation of network addresses for N:M and uses ports
> to multiplex them in.
>
> Thus a /16 can be nat'd to a /8 with the other 8 bits
> used in the port number.
>
> The results of the NAT'd packets are such that if you are
> given an external IP address and port number, you can
> calculate which internal IP address was used without having
> to know what was the currently active state of the machine.
>
> A typical rule might look like this:
>
> map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
Darren,

This is very interesting. We currently use PF to NAT our wireless network, and we too would like to reduce the logging load. We currently run around 40-50k state entries per box (4 systems). We are planning on adding 4 more systems in the next month so we have more room and better handling of failures.

Researching ipnat, I see that modifications to the ipnat.h header might be needed for it to handle our load. We currently have 31 vlans with a /22 network assigned to the system. Do you feel ipnat can handle this load? Do you have any recommendations for the various values?

Thanks for your time and help,

--
DaveD
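To illustrate the property Darren describes (recovering the internal address from an external address and port without consulting NAT state), here is an added example that models a deterministic N:M port-block mapping for the 10.0.0.0/16 -> 203.1.1.0/24 rule. It is not IPFilter's own code, and the block layout and the 1024-65535 port range are assumptions, not the exact scheme ipnat uses with `ports auto`.

```python
import ipaddress

# Constructed parameters mirroring the rule in the quoted message.
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
EXTERNAL = ipaddress.ip_network("203.1.1.0/24")
PORT_LO, PORT_HI = 1024, 65535          # assumed usable port range

# 2^16 internal hosts share 2^8 external addresses: 256 hosts per
# external address, each host owning a contiguous block of ports.
HOSTS_PER_EXT = INTERNAL.num_addresses // EXTERNAL.num_addresses
PORTS_PER_HOST = (PORT_HI - PORT_LO + 1) // HOSTS_PER_EXT


def forward(internal_ip: str) -> tuple[str, int, int]:
    """Internal address -> (external address, first port, last port)."""
    addr = ipaddress.ip_address(internal_ip)
    if addr not in INTERNAL:
        raise ValueError(f"{internal_ip} is outside {INTERNAL}")
    offset = int(addr) - int(INTERNAL.network_address)
    ext_index, slot = divmod(offset, HOSTS_PER_EXT)
    ext_ip = INTERNAL and (EXTERNAL.network_address + ext_index)
    first = PORT_LO + slot * PORTS_PER_HOST
    return str(ext_ip), first, first + PORTS_PER_HOST - 1


def reverse(external_ip: str, port: int) -> str:
    """(external address, port) -> internal address, with no state table.

    This is the defender-side use: a log line carrying only the
    translated address and port is enough to attribute the flow.
    """
    ext = ipaddress.ip_address(external_ip)
    if ext not in EXTERNAL:
        raise ValueError(f"{external_ip} is outside {EXTERNAL}")
    if not PORT_LO <= port <= PORT_HI:
        raise ValueError(f"port {port} is outside the mapped range")
    ext_index = int(ext) - int(EXTERNAL.network_address)
    slot = (port - PORT_LO) // PORTS_PER_HOST
    offset = ext_index * HOSTS_PER_EXT + slot
    return str(INTERNAL.network_address + offset)


if __name__ == "__main__":
    ext_ip, lo, hi = forward("10.0.1.5")
    print(f"10.0.1.5 -> {ext_ip} ports {lo}-{hi}")
    print(f"{ext_ip}:{lo + 16} -> {reverse(ext_ip, lo + 16)}")
```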