Re: Large-scale 1-1 NAT



On Monday 24 September 2007, Cristian KLEIN wrote:
Hi,

Christopher Cowart wrote:
Hello,

We're working on expanding our wireless network. Unfortunately, we're
running out of IP addresses (aren't we all). As much as I'd love to
just tell everyone to use IPv6, that isn't gonna fly. The next plan
to consider is using an RFC1918 pool and NATing the traffic.

If only it were that simple. The security folks have mandated that
anyone who can talk to the internet at large must be individually
indentifiable. This means having hundreds of users NATing to a single
internet-routable IP isn't happening.

We used to have this problem too, for some NATed networks. The solution
which has been adopted is to capture the flows on the gateway and send
them the security team. The netflow protocol is very well suited for
this.

The real question is: what's the best way to dynamically update the
NAT table?

You may use IPFW with IPNAT or PF instead. PF is able to reload its
configuration without disruption. Moreover, because the state table is
not flushed during a reload, you can even move NATed clients from one
public IP to another, without them noticing.

In fact pf comes with an almost ready-made sollution. Check out authpf(8)
for details.

--
/"\ Best regards, | mlaier@xxxxxxxxxxx
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

Attachment: signature.asc
Description: This is a digitally signed message part.