Re: [vpp-dev] CGNAT port assignment
Thank you Ole, will check it out.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#20287): https://lists.fd.io/g/vpp-dev/message/20287
Mute This Topic: https://lists.fd.io/mt/84825472/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] CGNAT port assignment
Hi Andy,

> Is there an equivalent example of snat
> (https://wiki.fd.io/view/VPP/Progressive_VPP_Tutorial#Source_NAT) for
> nat44-ei in version 21.x?

There is a work in progress patch that adds better NAT documentation here:
https://gerrit.fd.io/r/c/vpp/+/32091

If you have the opportunity to review and contribute to that, it would be very much appreciated!

Best regards,
Ole

Re: [vpp-dev] CGNAT port assignment
Thanks Ole,

Is there an equivalent example of snat (https://wiki.fd.io/view/VPP/Progressive_VPP_Tutorial#Source_NAT) for nat44-ei in version 21.x?

Best,
--Andy

Re: [vpp-dev] CGNAT port assignment
Hi,

> Any vpp documents I can find to compare the 3 different NAT vpp provided as
> plugins (ED, EI and DET), or you can help to tell here? Can any of them be
> combined to use?

RFC4787 gives a good description about the differences between ED and EI. And RFC7422 for deterministic NAT.

Best regards,
Ole

Re: [vpp-dev] CGNAT port assignment
Hi Ole,

Are these evolutions in the roadmap?

Hi Ole and Marcos,

Any vpp documents I can find to compare the 3 different NAT vpp provided as plugins (ED, EI and DET), or you can help to tell here? Can any of them be combined to use?

Thanks,
--Andy

Re: [vpp-dev] CGNAT port assignment
Hi Marcos,

> Any thoughts?

At least two evolutions I can think of for deterministic NAT:

1) support dynamic sessions either instead of statically pre-allocated or in addition to, within the deterministic address/port range.
2) support "overflow", so that if you run out of ports in the deterministic pool, fall back to using shared ports.

Cheers,
Ole

> -----Original Message-----
> From: mar...@mgiga.com.br
> Sent: Thursday, 12 August 2021 09:40
> To: 'Ole Troan'
> Cc: 'vpp-dev'
> Subject: RES: [vpp-dev] CGNAT port assignment
>
> Hello Ole,
>
> Thank you for your attention.
>
> About your statement "You could try setting the define DET44_SES_PER_USER to
> whatever value you like." I don't believe it's that simple because it depends
> on the size of the public IP address pool. For example: If I have a ratio of
> 64 users behind a public address and set the DET44_SES_PER_USER value 2000,
> there would not be enough ports for all users.
>
> So my idea is to allocate 1000 slots per protocol to each user.
>
> Best Regards
>
> Yes, I'm talking about deterministic NAT module
>
> -----Original Message-----
> From: vpp-dev@lists.fd.io On behalf of Ole Troan
> Sent: Wednesday, 11 August 2021 18:20
> To: Marcos - Mgiga
> Cc: vpp-dev
> Subject: Re: [vpp-dev] CGNAT port assignment
>
> Marcos,
>
>> I’m aware that VPP NAT Plugin has a limitation of 1000 ports per inside
>> user, but eventually that amount of connections is not enough.
>>
>> I would like to get some guidance on how to change that VPP logic when
>> assigning ports to users when working with deterministic nat, so users can
>> get at least 1000 ports per protocol (1000 per TCP, 1000 per UDP, 1000 per
>> ICMP), of course respecting the size of the public pool.
>>
>> Has someone ever thought of that? Could someone give me some starting point?
>>
>> I’ve spent some time looking into NAT plugin files, but there is a large
>> amount of types and functions so I decided to come here to see if anybody
>> has gone through this before.
>
> I presume you are talking about the deterministic NAT module.
> That one pre-allocates the session table and reserves 1000 slots per user.
> The deterministic NAT uses endpoint dependent mapping so number of sessions
> per user is somewhat independent of numbers of ports available.
>
> You could try setting the define DET44_SES_PER_USER to whatever value you
> like.
> It's a long time since I looked at deterministic NAT so no guarantees.
>
> What's the use case?
> The NAT44-ED module does not have this limit and might be a candidate too.
>
> Best regards,
> Ole

Re: [vpp-dev] CGNAT port assignment
Hi Ole,

Any thoughts?

Best Regards

Marcos

-----Original Message-----
From: mar...@mgiga.com.br
Sent: Thursday, 12 August 2021 09:40
To: 'Ole Troan'
Cc: 'vpp-dev'
Subject: RES: [vpp-dev] CGNAT port assignment

Hello Ole,

Thank you for your attention.

About your statement "You could try setting the define DET44_SES_PER_USER to whatever value you like." I don't believe it's that simple because it depends on the size of the public IP address pool. For example: If I have a ratio of 64 users behind a public address and set the DET44_SES_PER_USER value 2000, there would not be enough ports for all users.

So my idea is to allocate 1000 slots per protocol to each user.

Best Regards

Yes, I'm talking about deterministic NAT module

-----Original Message-----
From: vpp-dev@lists.fd.io On behalf of Ole Troan
Sent: Wednesday, 11 August 2021 18:20
To: Marcos - Mgiga
Cc: vpp-dev
Subject: Re: [vpp-dev] CGNAT port assignment

Marcos,

> I’m aware that VPP NAT Plugin has a limitation of 1000 ports per inside
> user, but eventually that amount of connections is not enough.
>
> I would like to get some guidance on how to change that VPP logic when
> assigning ports to users when working with deterministic nat, so users can
> get at least 1000 ports per protocol (1000 per TCP, 1000 per UDP, 1000 per
> ICMP), of course respecting the size of the public pool.
>
> Has someone ever thought of that? Could someone give me some starting point?
>
> I’ve spent some time looking into NAT plugin files, but there is a large
> amount of types and functions so I decided to come here to see if anybody has
> gone through this before.

I presume you are talking about the deterministic NAT module.
That one pre-allocates the session table and reserves 1000 slots per user.
The deterministic NAT uses endpoint dependent mapping so number of sessions per user is somewhat independent of numbers of ports available.

You could try setting the define DET44_SES_PER_USER to whatever value you like.
It's a long time since I looked at deterministic NAT so no guarantees.

What's the use case?
The NAT44-ED module does not have this limit and might be a candidate too.

Best regards,
Ole

Re: [vpp-dev] CGNAT port assignment
Hello Ole,

Thank you for your attention.

About your statement "You could try setting the define DET44_SES_PER_USER to whatever value you like." I don't believe it's that simple because it depends on the size of the public IP address pool. For example: If I have a ratio of 64 users behind a public address and set the DET44_SES_PER_USER value 2000, there would not be enough ports for all users.

So my idea is to allocate 1000 slots per protocol to each user.

Best Regards

Yes, I'm talking about deterministic NAT module

-----Original Message-----
From: vpp-dev@lists.fd.io On behalf of Ole Troan
Sent: Wednesday, 11 August 2021 18:20
To: Marcos - Mgiga
Cc: vpp-dev
Subject: Re: [vpp-dev] CGNAT port assignment

Marcos,

> I’m aware that VPP NAT Plugin has a limitation of 1000 ports per inside
> user, but eventually that amount of connections is not enough.
>
> I would like to get some guidance on how to change that VPP logic when
> assigning ports to users when working with deterministic nat, so users can
> get at least 1000 ports per protocol (1000 per TCP, 1000 per UDP, 1000 per
> ICMP), of course respecting the size of the public pool.
>
> Has someone ever thought of that? Could someone give me some starting point?
>
> I’ve spent some time looking into NAT plugin files, but there is a large
> amount of types and functions so I decided to come here to see if anybody has
> gone through this before.

I presume you are talking about the deterministic NAT module.
That one pre-allocates the session table and reserves 1000 slots per user.
The deterministic NAT uses endpoint dependent mapping so number of sessions per user is somewhat independent of numbers of ports available.

You could try setting the define DET44_SES_PER_USER to whatever value you like.
It's a long time since I looked at deterministic NAT so no guarantees.

What's the use case?
The NAT44-ED module does not have this limit and might be a candidate too.

Best regards,
Ole

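The port arithmetic behind the 64-users-per-address case in the message above, as an added example that is not part of the thread and not VPP's det44 code: a constructed RFC 7422-style deterministic mapping with the forward lookup, the reverse lookup used to attribute a public address and port to an inside user without session logs, and a per-user port budget check. The struct, the function names, the sample addresses and the assumption that ports below 1024 are never handed out are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an RFC 7422-style deterministic NAT44 mapping.
   All names are hypothetical; this is not VPP's det44 code. */
typedef struct {
  uint32_t in_base;  /* first inside address, host byte order */
  uint32_t out_base; /* first outside address, host byte order */
  uint32_t ratio;    /* inside users sharing one outside address (> 0) */
} det_map_t;

#define FIRST_PORT 1024u /* assumption: ports 0-1023 are never handed out */

/* Size of the contiguous port block each inside user owns. */
static uint32_t ports_per_user(const det_map_t *m) {
  return (65536u - FIRST_PORT) / m->ratio;
}

/* Inside address -> outside address and first port of the user's block. */
static void det_forward(const det_map_t *m, uint32_t in_addr,
                        uint32_t *out_addr, uint16_t *lo_port) {
  uint32_t off = in_addr - m->in_base;
  *out_addr = m->out_base + off / m->ratio;
  *lo_port = (uint16_t)(FIRST_PORT + ports_per_user(m) * (off % m->ratio));
}

/* Outside address and port -> inside address, with no per-session log.
   Returns 0 when the port lies in no user's block. */
static uint32_t det_reverse(const det_map_t *m, uint32_t out_addr,
                            uint16_t port) {
  uint32_t slot;
  if (port < FIRST_PORT)
    return 0;
  slot = (port - FIRST_PORT) / ports_per_user(m);
  if (slot >= m->ratio)
    return 0;
  return m->in_base + (out_addr - m->out_base) * m->ratio + slot;
}

/* Can every user own `want` distinct ports? Counts ports, not sessions. */
static int port_budget_fits(const det_map_t *m, uint32_t want) {
  return want <= ports_per_user(m);
}

int main(void) {
  det_map_t m = {0x64400000u, 0xCB007100u, 64}; /* 100.64.0.0, 203.0.113.0 */
  uint32_t out; uint16_t lo;
  det_forward(&m, 0x64400046u, &out, &lo);      /* inside 100.64.0.70 */
  printf("first port %u, %u ports per user\n", (unsigned)lo, (unsigned)ports_per_user(&m));
  printf("port 7500 -> inside 0x%08x\n", (unsigned)det_reverse(&m, out, 7500));
  printf("2000 ports per user fits: %d\n", port_budget_fits(&m, 2000));
  return 0;
}
```
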
Re: [vpp-dev] CGNAT port assignment
Marcos,

> I’m aware that VPP NAT Plugin has a limitation of 1000 ports per inside
> user, but eventually that amount of connections is not enough.
>
> I would like to get some guidance on how to change that VPP logic when
> assigning ports to users when working with deterministic nat, so users can
> get at least 1000 ports per protocol (1000 per TCP, 1000 per UDP, 1000 per
> ICMP), of course respecting the size of the public pool.
>
> Has someone ever thought of that? Could someone give me some starting point?
>
> I’ve spent some time looking into NAT plugin files, but there is a large
> amount of types and functions so I decided to come here to see if anybody has
> gone through this before.

I presume you are talking about the deterministic NAT module.
That one pre-allocates the session table and reserves 1000 slots per user.
The deterministic NAT uses endpoint dependent mapping so number of sessions per user is somewhat independent of numbers of ports available.

You could try setting the define DET44_SES_PER_USER to whatever value you like.
It's a long time since I looked at deterministic NAT so no guarantees.

What's the use case?
The NAT44-ED module does not have this limit and might be a candidate too.

Best regards,
Ole