Re: Large-scale 1-1 NAT
- From: Cristian KLEIN <cristi@xxxxxxxxxxxxx>
- Date: Mon, 24 Sep 2007 11:58:15 +0300
Hi,
Christopher Cowart wrote:
Hello,
We're working on expanding our wireless network. Unfortunately, we're
running out of IP addresses (aren't we all). As much as I'd love to just
tell everyone to use IPv6, that isn't gonna fly. The next plan to
consider is using an RFC1918 pool and NATing the traffic.
If only it were that simple. The security folks have mandated that
anyone who can talk to the internet at large must be individually
indentifiable. This means having hundreds of users NATing to a single
internet-routable IP isn't happening.
We used to have this problem too, for some NATed networks. The solution which
has been adopted is to capture the flows on the gateway and send them the
security team. The netflow protocol is very well suited for this.
The real question is: what's the best way to dynamically update the NAT
table?
You may use IPFW with IPNAT or PF instead. PF is able to reload its
configuration without disruption. Moreover, because the state table is not
flushed during a reload, you can even move NATed clients from one public IP to
another, without them noticing.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: Large-scale 1-1 NAT
- From: Christopher Cowart
- Re: Large-scale 1-1 NAT
- From: Max Laier
- Re: Large-scale 1-1 NAT
- References:
- Large-scale 1-1 NAT
- From: Christopher Cowart
- Large-scale 1-1 NAT
- Prev by Date: Re: Racoon(ipsec-tools) enters sbwait state or 100% CPU utilization quite often on RELENG_1_2
- Next by Date: Re: Quagga as border router
- Previous by thread: Large-scale 1-1 NAT
- Next by thread: Re: Large-scale 1-1 NAT
- Index(es):
Relevant Pages
|
|
