Chuck Swiger wrote on 17-9-2007 19:28:
>> I'm using pfSense on a Soekris 4801. It works at least reasonably, but
>> I've cranked up the NAT state table from the default 10,000 to 100,000
>> slots. So far I've seen > 17,000 slots in use during a 410 kbit/sec pool
>> burst.
>>
>> Of course a stateless setup would be better, but I haven't figured that
>> out yet. At least these figures give an idea of what's going on. A
>> consumer grade NAT router with 1000 or 4000 slots won't handle this.
> 
> Certainly true, at least if the router insists upon persisting state for 
> each of these NTP queries.
> 
> It's not a great idea to use NAT in the path to an NTP server; it just 
> adds load and latency which have a negative effect upon the quality of 
> the time service being provided.  People who want to contribute 
> time services to the pool should make every effort to only use machines 
> which have statically assigned public IPs which are not behind a NAT 
> firewall/router.

Sure I would like to give my ntp server its own public address, but it 
would quadruple the monthly cost of my connection. I'm surely not going 
to pay that amount of money just to be a pool member.
I think the pool would lose a lot of members if it banned NAT routers.

In due time IPv6 may solve this issue, but for now NAT is part of life.

I see little harm in a stateless NAT setup, no tables to overflow, just 
the latency of an extra hop. Doesn't have to be more than 0.5 ms, 
probably even less, and it's symmetrical. That doesn't hurt the quality 
of the provided time service.
What is the rtt to your closest ntp server? Around 14 ms in my case.

Jan
_______________________________________________
timekeepers mailing list
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers