Thanks Klement, I want to use option #1 and try to think about #2 with DUT only as a workaround.

The simple random allocation (option #1) looks acceptable for me but I have several issues with it now. I have a big external pool (our network has a /24 mask) and I want to use all addresses more evenly. Now if I set the pool with

vpp# nat44 add address 1.0.0.3-1.0.0.100

with such configuration all clients behind NAT will have external address 1.0.0.100 until all ports are used up, next will get 1.0.0.99 until all ports are used up, etc. As a result all users get a google reCAPTCHA on most resources (i.e. google.com search) because too many users are hiding behind the same IP while other addresses in the pool are not used at all.

Since a standard Linux box can use the option "persistent", which gives a client a random address from the snat pool (on first translation) and preserves it until the end of the user session, I'm interested how to achieve this behavior with VPP. Can I somehow set up the pool 1.0.0.3-1.0.0.200 so that the first client 10.0.0.1 gets a random external address, i.e. 1.0.0.7 (I mean a random address from the pool) and preserves it for all new connections until the end of the session, the second client 10.0.0.5 -> the next random address, etc.

Thanks in advance.

________________________________
From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco) <ksek...@cisco.com>
Sent: February 16, 2021 14:01
To: Юрий Иванов <format_...@outlook.com>
Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?

Hi,

let me chime in and explain a bit more. DET NAT, also known as CGNAT (as in carrier-grade NAT), is designed to conform to LI (lawful intercept) requirements. So, if you, as an internet provider, are required by law to be able to provide a user identification based on outside address + port made by that user, you have two options:

1.) log every connection and keep the logs
2.) make it deterministic, so you can always calculate the inside address from outside address + port

DET NAT is #2 and thus it cannot be random. For random allocation, you can use either EI or ED NAT. But these of course don't provide any way to calculate the user address from the outside address.

What is your use case?

Thanks,
Klement

> On 10 Feb 2021, at 19:14, Юрий Иванов <format_...@outlook.com> wrote:
>
> Hi Filip,
>
> Thanks, I understand, the det44 plugin is working separately but we should manually manage mapping of the local network to external IP.
>
> But in case we try to use standard nat configuration with pools:
> vpp# nat44 forwarding enable
> vpp# set int nat44 in GigabitEthernet0/5/0 out GigabitEthernet0/4/0
> vpp# nat44 add address 1.0.0.3-1.0.0.100
>
> All clients will have external address 1.0.0.100 until all ports are used up, next will get 1.0.0.99 until all ports are used up, etc.
> This behaviour leads to showing google reCAPTCHA on most resources (i.e. google.com search) because too many users are hiding behind the same IP while other addresses in the pool are not used at all.
> I can afford to use a pool with 255 addresses (/24 network), but in this case most of the addresses will not be used at all.
>
> I'm interested how to tune vpp to select a random address for every new client and keep this same source-/destination-address for each new connection. This should help more even use of the address pool.
> The same behavior as nftables does with "ip saddr 10.0.0.0/8 oif "vlan10" snat to 1.0.0.3-1.0.0.100 persistent".
>
> Thanks in advance.
>
> From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
> Sent: February 10, 2021 14:25
> To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?
>
> Hello,
>
> For clarification I will explain how the NAT is divided.
>
> At this point NAT functionality is divided in multiple sub plugins because of its previous complexity and issues with it.
> We have det44 and nat44 plugins that are completely separate. The whole separation is still in progress. So changes in nat44 like picking up a pool allocation algorithm or anything else will not affect the det44 plugin. These two plugins operate completely independently and share just some NAT library for common stuff.
>
> Regarding the det44 allocation algorithm. No, at this point it is not supported to pick up a new randomly selected address as you are asking. Det44 is / should act in a predetermined way so logging is not required.
>
> I will look further in the code and plugins if I can help you find some solution.
>
> Best regards,
> Filip
>
> From: Юрий Иванов <format_...@outlook.com>
> Sent: Wednesday, February 10, 2021 8:47 AM
> To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>; vpp-dev@lists.fd.io
> Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?
> Importance: High
>
> Hi Filip, thanks for the reply.
>
> This is only for host mapping and it looks like it can be done with the det44 plugin - very strange btw that it operates separately from standard nat44 (meaning that I do not need to configure nat at all to use it).
>
> My problem is different: when I set a pool i.e. 1.0.0.1-1.0.0.100 all clients always get the last address from the pool (.100) until the external IP runs out of ports and only after that a client will get the .99 IP until this IP runs out of ports, etc.
>
> Is there a way to select a new random address from the pool for a new client and after that use this randomly selected same source-/destination-address for each client connection?
>
> Now it leads to problems with Google 'Unusual Traffic' Block/Captcha, because it utilizes several IP addresses while most IPs from the pool are left unused.
>
> From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
> Sent: February 9, 2021 13:54
> To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?
>
> Hi,
>
> If you are looking for an option to specify the exact outside translation address from a specific pool, you should try:
>
> nat44 add static mapping ... exact <pool-addr>
>
> Also supported by API.
> This will give you the exact address picked from the pool.
>
> Best regards,
> Filip Varga
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Юрий Иванов
> Sent: Monday, February 8, 2021 11:04 AM
> To: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?
> Importance: High
>
> Just an update, to perform manual translation we should do:
>
> det44 plugin enable
> det44 add in 10.0.1.0/29 out 1.0.0.7/32
> det44 add in 10.0.1.16/29 out 1.0.0.5/32
> ...
> set interface det44 inside GigabitEthernet0/5/0 outside GigabitEthernet0/4/0
>
> Ignoring specific nat configuration.
>
> Nevertheless, maybe there is some option to select a different IP address from the pool?
>
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Юрий Иванов <format_...@outlook.com>
> Sent: February 7, 2021 12:10
> To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: [vpp-dev] NAT44 how to control external address assignment from pool?
>
> Hi,
>
> I've got a basic nat setup in a lab which works as expected except the external IP address allocation.
>
> My clients behind NAT have addresses:
> vpp# show ip neighbors
>     Time                       IP                    Flags      Ethernet              Interface
>  1421.5929              10.0.1.30                     D    00:50:79:66:68:00 GigabitEthernet0/5/0
>  1424.3609              10.0.1.55                     D    00:50:79:66:68:02 GigabitEthernet0/5/0
>  1423.1650              10.0.1.41                     D    00:50:79:66:68:01 GigabitEthernet0/5/0
>  1389.2929              10.0.1.20                     D    00:50:79:66:68:04 GigabitEthernet0/5/0
>  1377.1449              10.0.1.2                      D    00:50:79:66:68:03 GigabitEthernet0/5/0
>
> All can reach the external 1.0.0.2 IP which looks good, but for all clients the external address is 1.0.0.100 (the last IP in the range).
> I think it would be better to randomly select a different address in the range like nftables does with this configuration stanza:
> "ip saddr 10.0.0.0/8 oif "vlan2" snat to 1.0.0.2-1.0.0.100 persistent"
>
> After changing
> vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
> the only difference is that the external address becomes 1.0.0.1 for all clients.
>
> I of course can map a host to an external address with:
> vpp# nat44 add static mapping local 10.0.1.2 external 1.0.0.10
> But with 30 thousand clients it would be a very strange idea to map every host route manually.
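The two allocation models argued over in this thread, as an added example that is not VPP code and not code from anyone on the list: a det44-style deterministic mapping (the /29-to-/32 pairs quoted above), where the inside host is recomputed from outside address + port without any connection log, next to an nftables-"persistent"-style hashed pick over the 1.0.0.3-1.0.0.200 pool that keeps one subscriber on one outside address but cannot be inverted. The per-host port split, the 1024-65535 port range and the SHA-256 hash are assumptions of this model, not VPP's actual algorithms.

```python
import hashlib
import ipaddress
from typing import Dict, Tuple

# Port range handed to subscribers per outside address (assumed, illustrative).
PORT_LO, PORT_HI = 1024, 65535


class DeterministicNat:
    """det44-style model: every inside /29 shares one outside address and each
    host owns a fixed port slice, so outside addr + port maps back to the user."""

    def __init__(self, mappings: Dict[str, str]):
        # mappings: inside prefix -> outside /32, as in "det44 add in ... out ..."
        self.mappings = [(ipaddress.ip_network(i), ipaddress.ip_address(o))
                         for i, o in mappings.items()]

    @staticmethod
    def _block(net: ipaddress.IPv4Network) -> int:
        # Ports per inside host: the range is split evenly across the prefix.
        return (PORT_HI - PORT_LO + 1) // net.num_addresses

    def translate(self, inside: str) -> Tuple[str, int, int]:
        """Return (outside address, first port, last port) for one inside host."""
        host = ipaddress.ip_address(inside)
        for net, out in self.mappings:
            if host in net:
                lo = PORT_LO + (int(host) - int(net.network_address)) * self._block(net)
                return str(out), lo, lo + self._block(net) - 1
        raise KeyError(f"{inside} is not covered by any det44 mapping")

    def reverse(self, outside: str, port: int) -> str:
        """Lawful-intercept lookup: recover the inside host from outside addr + port."""
        out = ipaddress.ip_address(outside)
        for net, mapped in self.mappings:
            if mapped == out and PORT_LO <= port <= PORT_HI:
                return str(net.network_address + (port - PORT_LO) // self._block(net))
        raise KeyError(f"{outside}:{port} is not a det44 translation")


def persistent_pool_address(inside: str, pool_first: str, pool_last: str) -> str:
    """nftables-'persistent'-like pick (a model, not VPP's code): hash the inside
    address onto the pool so a subscriber keeps one outside address across
    connections and the pool fills evenly; not invertible without logs."""
    first = int(ipaddress.ip_address(pool_first))
    size = int(ipaddress.ip_address(pool_last)) - first + 1
    digest = hashlib.sha256(ipaddress.ip_address(inside).packed).digest()
    return str(ipaddress.ip_address(first + int.from_bytes(digest[:4], "big") % size))
```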