David Duchscher wrote:
On Jun 5, 2012, at 3:29 PM, Darren Reed wrote:
In IPFilter, the "map-block" ipnat rule serves exactly the
purpose that you are looking for. It provides address
translation of network addresses for N:M and uses ports
to multiplex them in.
Thus a /16 can be nat'd to a /8 with the other 8 bits
used in the port number.
The results of the NAT'd packets are such that if you are
given an external IP address and port number, you can
calculate which internal IP address was used without having
to know what was the currently active state of the machine.
A typical rule might look like this:
map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
Darren,
This is very interesting. We currently use PF to NAT our wireless network and
we too would like to reduce the logging load. We currently run around 40-50k
state entries per box (4 systems). We are planning on adding 4 more systems in
the next month so we have more room and better handling of failures.
Researching ipnat, I see that modifications to the ipnat.h header might be
needed for it to handle our load. We currently have 31 vlans with a /22 network
assigned to the system. Do you feel ipnat can handle this load? Do you have
any recommendations for the various values?
The above rule was designed and used to support NAT'ing of
hundreds of networks (if not several thousand) on a couple
of NAT boxes where the load was about double what you're
seeing, over 10 years ago with FreeBSD, so I don't think that
there will be too much trouble with your load today.
The constants that you need to tune are:
NAT_TABLE_MAX
NAT_TABLE_SZ
HOSTMAP_SIZE
in /usr/src/sys/contrib/ipfilter/netinet/ip_nat.h
HOSTMAP_SIZE should be 1.3 * the number of hosts to be NAT'd
NAT_TABLE_MAX should be whatever you are setting your pf size to
NAT_TABLE_SZ should be a prime number > 1.3 * NAT_TABLE_MAX
On another operating system, there are systems using ipfilter
today that track over 1 million current NAT sessions,
so I don't think the load will be too much of a problem.
Darren
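The two technical points in Darren's reply, the stateless address/port relation of a map-block rule and the three ip_nat.h sizing rules, worked through as an added example. This is illustrative code written for this page, not IPFilter's own implementation: how the real rule carves the port space (contiguous slices per host, the whole 0-65535 range, no privileged-port avoidance) is an assumption made here, and the rule 10.0.0.0/16 -> 203.1.1.0/24, the 31 x /22 host count and the 100000 pf state limit are constructed inputs taken from or added to the thread.

```python
"""Model of a deterministic N:M "map-block" style NAT plus ipnat table sizing.

Added example for this mailing-list thread, not IPFilter code. The port layout
(one contiguous slice per internal host, covering all 65536 ports) is an
assumption for illustration; the post does not describe the real layout.
"""
import ipaddress


class MapBlock:
    """Map an internal prefix onto a smaller external prefix, carrying the
    internal address bits that do not fit in the external address in the port."""

    def __init__(self, internal: str, external: str, port_space: int = 65536):
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        n_int = self.internal.num_addresses
        n_ext = self.external.num_addresses
        if n_int < n_ext or n_int % n_ext:
            raise ValueError("internal size must be a multiple of external size")
        # Internal hosts sharing one external address (256 for a /16 behind a /24).
        self.hosts_per_ext = n_int // n_ext
        if port_space % self.hosts_per_ext:
            raise ValueError("port space does not divide evenly across hosts")
        # Contiguous port slice each internal host is confined to (assumption).
        self.ports_per_host = port_space // self.hosts_per_ext

    def port_block(self, src_ip: str):
        """Return (external_ip, first_port, last_port) for one internal host."""
        src = ipaddress.ip_address(src_ip)
        if src not in self.internal:
            raise ValueError(f"{src} is not in {self.internal}")
        idx = int(src) - int(self.internal.network_address)
        ext_idx, slot = divmod(idx, self.hosts_per_ext)
        lo = slot * self.ports_per_host
        return str(self.external[ext_idx]), lo, lo + self.ports_per_host - 1

    def internal_host(self, ext_ip: str, ext_port: int) -> str:
        """Recover the internal address from an external (ip, port) with no
        state table: the property the post describes for map-block."""
        ext = ipaddress.ip_address(ext_ip)
        limit = self.hosts_per_ext * self.ports_per_host
        if ext not in self.external or not 0 <= ext_port < limit:
            raise ValueError("address/port outside the translated range")
        ext_idx = int(ext) - int(self.external.network_address)
        slot = ext_port // self.ports_per_host
        return str(self.internal[ext_idx * self.hosts_per_ext + slot])


def is_prime(n: int) -> bool:
    """Trial division; fast enough for table sizes in the 10^5..10^7 range."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def ipnat_sizing(nat_hosts: int, state_limit: int) -> dict:
    """Apply the three sizing rules from the reply, in integer arithmetic:
    HOSTMAP_SIZE = ceil(1.3 * hosts), NAT_TABLE_MAX = the pf state limit,
    NAT_TABLE_SZ = smallest prime strictly greater than 1.3 * NAT_TABLE_MAX."""
    hostmap = (13 * nat_hosts + 9) // 10
    table_sz = 13 * state_limit // 10 + 1
    while not is_prime(table_sz):
        table_sz += 1
    return {"HOSTMAP_SIZE": hostmap, "NAT_TABLE_MAX": state_limit,
            "NAT_TABLE_SZ": table_sz}


if __name__ == "__main__":
    # Constructed input: the rule quoted in the thread, 10.0.0.0/16 -> 203.1.1.0/24.
    nat = MapBlock("10.0.0.0/16", "203.1.1.0/24")
    ext_ip, lo, hi = nat.port_block("10.0.1.2")
    print(f"10.0.1.2 -> {ext_ip} ports {lo}-{hi}")
    print("203.1.1.1:600 came from", nat.internal_host("203.1.1.1", 600))
    # Constructed sizing input: 31 VLANs of /22 and a hypothetical 100000-state limit.
    print(ipnat_sizing(31 * 1024, 100_000))
```

The point for the logging load is visible in internal_host(): with the rule known, an external address and port alone identify the internal host, so per-session NAT logs are unnecessary. The cost is also visible: under this model each internal host behind a /16 -> /24 rule has only 256 translated ports available, and the slice for slot 0 includes the privileged ports, which a real deployment would want the rule to avoid.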
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"