Date:      Mon, 24 Sep 2007 11:58:15 +0300
From:      Cristian KLEIN <cristi@net.utcluj.ro>
To:        freebsd-net@freebsd.org
Subject:   Re: Large-scale 1-1 NAT
Message-ID:  <46F77C27.9050400@net.utcluj.ro>
In-Reply-To: <20070924072517.GL19429@hal.rescomp.berkeley.edu>
References:  <20070924072517.GL19429@hal.rescomp.berkeley.edu>

Hi,

Christopher Cowart wrote:
> Hello,
> 
> We're working on expanding our wireless network. Unfortunately, we're
> running out of IP addresses (aren't we all). As much as I'd love to just
> tell everyone to use IPv6, that isn't gonna fly. The next plan to 
> consider is using an RFC1918 pool and NATing the traffic.
> 
> If only it were that simple. The security folks have mandated that
> anyone who can talk to the internet at large must be individually
> identifiable. This means having hundreds of users NATing to a single
> internet-routable IP isn't happening.

We used to have this problem too, for some NATed networks. The solution which
has been adopted is to capture the flows on the gateway and send them to the
security team. The NetFlow protocol is very well suited for this.

> The real question is: what's the best way to dynamically update the NAT
> table?

You may use IPFW with IPNAT or PF instead. PF is able to reload its
configuration without disruption. Moreover, because the state table is not
flushed during a reload, you can even move NATed clients from one public IP to
another, without them noticing.
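As an added illustration of the reload-without-flush approach (example code, not from the thread or from the PF project): a small script that turns a "private_ip public_ip" mapping file into per-client 1:1 `binat` rules and loads them into a PF anchor, so the mapping can be regenerated whenever clients join or leave while existing states survive. The interface name `em0`, the anchor name `nat-clients`, and the mapping file format are assumptions; `pf.conf` is assumed to contain a matching `binat-anchor "nat-clients" on $ext_if` line.

```shell
#!/bin/sh
# Added example: regenerate per-client 1:1 binat rules and reload only the
# anchor that holds them. Interface, anchor name and file format are
# hypothetical choices for this illustration.

EXT_IF="${EXT_IF:-em0}"
ANCHOR="nat-clients"

# Constructed sample mapping: private client address -> dedicated public address.
SAMPLE_MAP='10.10.0.5 198.51.100.5
10.10.0.6 198.51.100.6
# comment lines and blank lines are ignored
10.10.0.7 198.51.100.7'

# Read mappings on stdin, print one binat rule per client. Malformed lines and
# any public address used twice are rejected, because a duplicate would quietly
# collapse two users onto one public IP and break the "individually identifiable"
# requirement the security team imposed.
gen_binat_rules() {
    awk -v ifc="$EXT_IF" '
        /^[[:space:]]*(#|$)/ { next }
        NF != 2       { print "bad mapping line " NR ": " $0 > "/dev/stderr"; bad = 1; next }
        seen_pub[$2]++ { print "public IP " $2 " reused on line " NR > "/dev/stderr"; bad = 1; next }
        seen_prv[$1]++ { print "private IP " $1 " repeated on line " NR > "/dev/stderr"; bad = 1; next }
        { printf "binat on %s from %s to any -> %s\n", ifc, $1, $2 }
        END { exit bad }
    '
}

# Replace the anchor contents from a mapping file. pfctl(8) swaps the anchor's
# rule set in place and leaves the state table alone, so live connections keep
# their current translation; the reload is logged so that the security team can
# line up NetFlow records with the mapping that was active at the time.
load_binat_rules() {
    mapfile="$1"
    rules=$(gen_binat_rules < "$mapfile") || {
        echo "mapping file rejected, anchor $ANCHOR left untouched" >&2
        return 1
    }
    printf '%s\n' "$rules" | pfctl -a "$ANCHOR" -f - || return 1
    logger -t nat-map "reloaded anchor $ANCHOR from $mapfile"
}
```

Running `load_binat_rules /etc/nat-clients.map` after every change to the mapping file keeps the NAT table current; the generated rules can be inspected first with `printf '%s\n' "$SAMPLE_MAP" | gen_binat_rules`.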




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46F77C27.9050400>