On 03/10/14 19:07, Russell Sutherland wrote:
> I am trying to determine whether using an OpenBSD system to perform
> institutional NAT for our wireless users would be a viable option.
> At the present time we are evaluating the A10 Thunder CGN appliance.
> There are a few issues for which I would like to get some input from those
> using pf for NAT in large environments ( > 10k users )
> * are there problems with ARP cache resources ?
> * can logging be modified to use RADIUS ? We really need some hooks to
> determine who is/was responsible for a given session.
> Thanks in advance for any operational experience you may have using pf in a
> similar environment.
> --
> Russell Sutherland I+TS
We're doing NAT at a few thousand users/PCs without any issue.
I don't think 10k or more users will be a problem either. Just use more
than one address in nat-to in order to have enough ports for
translation. You can also use source-hash to ensure that the NAT address is
the same for a given source IP.
Also check sysctl parameters net.inet.ip.portfirst/net.inet.ip.portlast
In order to determine who is responsible for a given session you
probably need to use netflows/pflow.
Searching the @misc archive for this will give you enough starting help.
You have to combine it with some kind of user authentication at the
point where the user is getting the private IP address (802.1x / VPN etc.)
Use RADIUS there to log the user <-> private IP match.
good luck
G
ps. Searching for ARP cache limits didn't give any results. I think you
only have to worry about that if the user's network is directly
connected to your firewall. However I can't find which are the limits for
ARP cache/route cache.
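As an added example (not part of this thread, and not from either poster), the pieces G mentions assembled into configuration excerpts: a multi-address nat-to pool with source-hash, pflow export of the translated states, and the port-range sysctls. Interface names, the wireless prefix, the public pool and the collector address are placeholders; the file-name headers are comments marking which file each excerpt belongs in.

```conf
# --- /etc/pf.conf (excerpt) ---
# Assumed names: em0 is the upstream interface, em1 faces the wireless
# network, 10.0.0.0/16 is the private wireless prefix and 192.0.2.10-13
# are the public addresses used for translation (all placeholders).
ext_if   = "em0"
int_if   = "em1"
wifi_net = "10.0.0.0/16"
nat_pool = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12, 192.0.2.13 }"

# Several public addresses in nat-to multiply the source ports available
# for translation; source-hash pins each private IP to one public address,
# so a public IP seen in an external log maps back to a stable set of users.
match out on $ext_if inet from $wifi_net to any nat-to $nat_pool source-hash

# Every state created for wireless traffic is exported on pflow0, which
# gives the per-session record (private and translated endpoints, times)
# that has to be joined with the RADIUS user <-> private IP log.
pass in on $int_if inet from $wifi_net keep state (pflow)
pass out on $ext_if inet

# --- /etc/hostname.pflow0 ---
# flowsrc is this firewall, flowdst is the flow collector (placeholders);
# pflowproto 10 selects the IPFIX export format.
flowsrc 192.0.2.1 flowdst 192.0.2.50:9995 pflowproto 10

# --- /etc/sysctl.conf ---
# Widen the ephemeral port range pf draws from for translations
# (OpenBSD defaults to 1024-49151); inspect the live values with
#   sysctl net.inet.ip.portfirst net.inet.ip.portlast
net.inet.ip.portfirst=1024
net.inet.ip.portlast=65535
```

Load the ruleset with `pfctl -nf /etc/pf.conf` first to syntax-check it; the flow collector then needs the RADIUS accounting log to turn a translated address and port back into a user, since pflow only records addresses.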