Re: Large-scale 1-1 NAT



Christopher Cowart wrote:
> On Mon, Sep 24, 2007 at 11:58:15AM +0300, Cristian KLEIN wrote:
>> Christopher Cowart wrote:
>>> We're working on expanding our wireless network. Unfortunately, we're
>>> running out of IP addresses (aren't we all). As much as I'd love to just
>>> tell everyone to use IPv6, that isn't gonna fly. The next plan to
>>> consider is using an RFC1918 pool and NATing the traffic.
>>>
>>> If only it were that simple. The security folks have mandated that
>>> anyone who can talk to the internet at large must be individually
>>> identifiable. This means having hundreds of users NATing to a single
>>> internet-routable IP isn't happening.
>> We used to have this problem too, for some NATed networks. The solution which
>> has been adopted is to capture the flows on the gateway and send them to the
>> security team. The netflow protocol is very well suited for this.
>
> We have automated intake and processing for security cases. These often
> just contain the IP the bad traffic appeared to be coming from. While we
> could probably reconstruct things using netflow, we definitely wouldn't
> have the staff time to do so. As such, we'd have to keep this
> information in a database, which will add up fast. Keeping track of who was
> using an IP at a given time is relatively easy. Granted, this places the
> complexity in the network and not the security processing, but that's
> where we have resources.

I must admit I haven't thought of this. With this new information I am missing a
point. Since you need to make a 1-to-1 association between clients and public
IPs, why do you need the NAT at all? Is this to save public IPs by NOT giving
them to unauthenticated users?

There is another thing I wanted to point out. I remember you used the words
"authentication web page". This made me think you are establishing a captive
portal, which is not secure at all. If I understand well, the authpf solution
would be secure, except perhaps a small delay. You might proxy your clients to a
"click here and download this preconfigured PuTTY" page.

>>> The real question is: what's the best way to dynamically update the NAT
>>> table?
>> You may use IPFW with IPNAT or PF instead. PF is able to reload its
>> configuration without disruption. Moreover, because the state table is not
>> flushed during a reload, you can even move NATed clients from one public IP to
>> another, without them noticing.
>
> We would prefer to stick with ipfw. The most common documentation I've
> found is natd+ipfw. I've also seen pf+ipnat. I haven't really seen any
> documentation on ipfw+ipnat. Is this possible? Or would we be able to do
> ipfw+pf+ipnat? What solution would scale best to 1500-4000 authenticated
> users?

I have used ipfw + pf for almost a year, for about 400 clients and I am very
happy with it. Note that I only use ipfw for dummynet. In all other situations I
only use PF.

PF uses a binary tree to store NAT states, so it isn't really affected by the
number of clients. It also features state timeout reduction based on the number
of NAT states, which is very useful if one Windows station gets a "let's scan the
whole /16" virus.

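The bookkeeping the thread circles around (hand a public IP to each authenticated client, emit the matching PF 1:1 rule, and later answer "who held this public IP at that time?" for a security case) as an added example; this is not code from the thread or from the PF project. It assumes an external interface named em0, a per-client anchor scheme such as a `binat-anchor "authnat/*"` line in pf.conf, and integer epoch timestamps; the pfctl command strings it returns are suggestions, not something the example runs.

```python
import ipaddress


class OneToOneNat:
    """Lease public IPs 1:1 to authenticated clients and keep an attribution log."""

    def __init__(self, ext_if, public_pool):
        self.ext_if = ext_if                     # assumed external interface, e.g. em0
        self.free = [str(ip) for ip in ipaddress.ip_network(public_pool).hosts()]
        self.active = {}    # private ip -> (public ip, user, start)
        self.history = []   # (public ip, start, end, user, private ip) for closed leases

    def login(self, user, private_ip, now):
        """Bind private_ip to the next free public IP; idempotent for an active client."""
        if private_ip in self.active:
            return self.active[private_ip][0]
        if not self.free:
            raise RuntimeError("public pool exhausted")   # the thread's real constraint
        public_ip = self.free.pop(0)
        self.active[private_ip] = (public_ip, user, now)
        return public_ip

    def logout(self, private_ip, now):
        """Close the lease and record it so later lookups still resolve to the user."""
        public_ip, user, start = self.active.pop(private_ip)
        self.history.append((public_ip, start, now, user, private_ip))
        self.free.append(public_ip)   # reuse only after everyone else, to widen the gap

    def pf_rule(self, private_ip):
        """PF binat rule text for one client (1:1, both directions)."""
        public_ip = self.active[private_ip][0]
        return f"binat on {self.ext_if} from {private_ip} to any -> {public_ip}"

    def pfctl_load(self, private_ip):
        """Shell command to load the rule into its own anchor (assumed pf.conf anchor layout)."""
        anchor = "authnat/" + private_ip.replace(".", "_")
        return f'echo "{self.pf_rule(private_ip)}" | pfctl -a {anchor} -f -'

    def pfctl_unload(self, private_ip):
        """Shell command to drop the client's anchor rules on logout."""
        return "pfctl -a authnat/" + private_ip.replace(".", "_") + " -F nat"

    def who_used(self, public_ip, when):
        """Answer a security case: which user held public_ip at time `when`, or None."""
        for _priv, (pub, user, start) in self.active.items():
            if pub == public_ip and start <= when:
                return user
        for pub, start, end, user, _priv in self.history:
            if pub == public_ip and start <= when < end:
                return user
        return None
```

Persist `history` (and the active table) off the gateway, since that record, not the NAT state, is what the security team's automated case intake needs.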
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
