In testing, I observed opening a website, for instance cnn.com, can cause >200 ports/sessions to fire off. Although many are short-lived sessions, they are port requests nonetheless.

Overall, I use about 1,500 public IPs for 50,000 private IP customers. I allow 3,000 ports per customer ... 30 blocks of 100 each. We started our port blocks at a nice round number, so that each PBA dynamic assignment results in nice 100-199, next 200-299 .... good for parsing, grep'ing logs for doing subpoena info look-ups, etc.

I see most customers hover well below 1,000 ports/sessions active, and what appear to be misbehaving hosts (malware, infected, bots, etc., unsure) hit up at the 3,000 max and trigger a ports exceeded error message. I see the 3k port limit as putting a cap on free-running suspicious hosts. We can then investigate and contact the customer about the concern.

-Aaron

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Blayzor
Sent: Wednesday, April 29, 2020 9:14 AM
To: nanog@nanog.org
Subject: Re: CGNAT Solutions

On 4/28/20 11:01 PM, Brandon Martin wrote:
> Depending on how many IPs you need to reclaim and what your target
> IP:subscriber ratio is, you may be able to eliminate the need for a lot
> of logging by assigning a range of TCP/UDP ports to a single inside IP
> so that the TCP/UDP port number implies a specific subscriber.
>
> You can't get rid of all the state tracking without also having the CPE
> know which ports to use (in which case you might as well use LW4o6 or
> MAP), but at least you can get it down to where you really only need to
> log (or block and dole out public IPs as needed) port-less protocols.

I'm wondering if there are any real world examples of this, namely in the realm of subscriber to IP and range of ports required, etc. i.e.: Is a range of 1,000 ports enough for one residential subscriber? How about SMB where no global IP is required?

One would think 1,000 ports would be enough, but if you have a dozen devices at home all browsing and doing various things, and with IoT, etc., maybe not?

--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/
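The port-block allocation scheme Aaron describes above (100-port blocks, a 30-block / 3,000-port cap per customer, round-number block starts so that a public IP plus port maps back to a subscriber from a grep-able log, and a "ports exceeded" event that flags runaway hosts) as an added Python model; this is not Aaron's or any vendor's code, and the first-block offset of 1100, the addresses and the timestamps are constructed assumptions.

```python
"""Port-block allocation (PBA) model: 100-port blocks, up to 30 per subscriber,
one log line per block event instead of one per session. Constructed example."""
from dataclasses import dataclass, field

BLOCK_SIZE = 100     # ports per block (post: 30 blocks of 100)
MAX_BLOCKS = 30      # per subscriber -> 3,000-port cap, then "ports exceeded"
FIRST_BLOCK = 1100   # assumed: first block above the well-known ports, 100-aligned
LAST_PORT = 65535


class PortsExceeded(Exception):
    pass  # subscriber already holds MAX_BLOCKS blocks (the post's 3k cap)


@dataclass
class PublicIP:
    addr: str
    free: list = field(default_factory=lambda: list(
        range(FIRST_BLOCK, LAST_PORT - BLOCK_SIZE + 2, BLOCK_SIZE)))
    held: dict = field(default_factory=dict)   # block start -> private IP
    log: list = field(default_factory=list)    # grep-able text lines

    def allocate(self, private_ip, t):  # hand the next free block to a subscriber
        owned = sum(1 for p in self.held.values() if p == private_ip)
        if owned >= MAX_BLOCKS:
            self.log.append(f"{t} EXCEEDED {self.addr} {private_ip} blocks={owned}")
            raise PortsExceeded(private_ip)
        start = self.free.pop(0)
        self.held[start] = private_ip
        self.log.append(f"{t} ALLOC {self.addr} {start}-{start + BLOCK_SIZE - 1} {private_ip}")
        return start, start + BLOCK_SIZE - 1

    def release(self, start, t):
        private_ip = self.held.pop(start)
        self.free.append(start)
        self.log.append(f"{t} RELEASE {self.addr} {start}-{start + BLOCK_SIZE - 1} {private_ip}")

    def lookup(self, port, t):
        """Subpoena-style lookup: which private IP held `port` on this address at time t?"""
        if port < FIRST_BLOCK:
            return None
        block = FIRST_BLOCK + (port - FIRST_BLOCK) // BLOCK_SIZE * BLOCK_SIZE
        rng, holder = f"{block}-{block + BLOCK_SIZE - 1}", None
        for line in self.log:  # replay this block's events up to t; the last one wins
            ts, event, _addr, what, who = line.split()
            if event != "EXCEEDED" and int(ts) <= t and what == rng:
                holder = who if event == "ALLOC" else None
        return holder

    def flagged_hosts(self):  # private IPs that hit the cap: candidates for follow-up
        return sorted({l.split()[3] for l in self.log if l.split()[1] == "EXCEEDED"})
```

Because a log line is written per block rather than per session, the >200 sessions a single page load opens cost at most a couple of lines, and the reverse lookup only needs the public address, the port and a timestamp.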