Re: Large-scale 1-1 NAT



On Monday 24 September 2007, Cristian KLEIN wrote:
Hi,

Christopher Cowart wrote:
Hello,

We're working on expanding our wireless network. Unfortunately, we're
running out of IP addresses (aren't we all). As much as I'd love to
just tell everyone to use IPv6, that isn't gonna fly. The next plan
to consider is using an RFC1918 pool and NATing the traffic.

If only it were that simple. The security folks have mandated that
anyone who can talk to the internet at large must be individually
indentifiable. This means having hundreds of users NATing to a single
internet-routable IP isn't happening.

We used to have this problem too, for some NATed networks. The solution
which has been adopted is to capture the flows on the gateway and send
them the security team. The netflow protocol is very well suited for
this.

The real question is: what's the best way to dynamically update the
NAT table?

You may use IPFW with IPNAT or PF instead. PF is able to reload its
configuration without disruption. Moreover, because the state table is
not flushed during a reload, you can even move NATed clients from one
public IP to another, without them noticing.

In fact pf comes with an almost ready-made sollution. Check out authpf(8)
for details.

--
/"\ Best regards, | mlaier@xxxxxxxxxxx
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News

Attachment: signature.asc
Description: This is a digitally signed message part.



Relevant Pages

  • Re: Large-scale 1-1 NAT
    ... We're working on expanding our wireless network. ... anyone who can talk to the internet at large must be individually ... We used to have this problem too, for some NATed networks. ... PF is able to reload its ...
    (freebsd-net)
  • Re: No internet access oner wireless network after SP2 install
    ... >computer acting as the gateway to an ADSL connection to the internet. ... >will work over the wireless network. ...
    (microsoft.public.windowsxp.general)
  • RE: Port scan and scvhost overload
    ... addresses that are not routable on the Internet). ... pestering them with a ports can for fun. ... what I was able to find out Before the laptop mysteriously shutdown, ... The siblings all use the same wireless network (Wi-Fi processes found in ...
    (Security-Basics)
  • Re: Wireless Linksys Connection Problem to Hot Spots
    ... I was able to connect up to my wireless network ... and I was able to access the Internet through my ... >> with the owner of that connection and have their permission. ... I'm trying to figure out why I can't hook up to the ...
    (microsoft.public.windowsxp.network_web)
  • Re: Suse 9.1 and WLAN Internet access
    ... Control Center / Internet & Network / Wireless Network. ... > The installation went surprisingly smooth - even easier than installing ... > access through the WLAN card of the notebook, ...
    (alt.os.linux.suse)