NAT is unfortunately not very scalable, but also never told is the amount of
subs that are being NATted and through how many IPs. NAT _IS_ an issue. But it
comes down to business model. Do you spend the time for tech support and
issues handling this on an ongoing basis, or do you spend the money and buy
your own space? Either way will cost you money. Or do you just borrow space
from upstream and go through a renumber every time you move to a new provider?
If you renumber then it will cost money, but at least only the few times
you change providers, which I would think is not very frequent since you are
probably locked into a one or multi-year contract. Also the time (cost) to
renumber depends on how you're delivering IPs to your clients (one reason I
personally recommend DHCP even if you give your client a "static IP": if
you need to renumber you just change that one IP on your DHCP server and
wait a few days). Most of the time the reason you're moving from one provider
to another is for cheaper bandwidth. But with that in mind you have to look
at whether it is WORTH saving X amount of $ to move and renumber or whatnot. Say if
I got 50Mbit for the same price I was paying for 15Mbit and my 15 was
starting to fill up, then yes, a reasonable amount of renumbering would be
well worth it.

There is NOTHING you can do to fix a problem doing a large network NAT to a
single IP when a website says "sorry, too much traffic", because all your
clients show as sending traffic from that single IP. Maybe you could do an
agreement with that one website host, but that is just an interim solution.

If you're set on staying with NAT because you think it is the most economical,
even if that means more tech support time and issues that you have to pay
tech support time for, then one needs to minimize the amount of subs that
use a single IP. With any Linux router you can do a src-nat and specify
that this group/subnet of IPs should be NAT'd to this public and that
group/subnet is NAT'd to that public. I would ASSUME (you know what they say
about that) that if you are getting the "sorry, too much traffic" message,
you're NATing an entire network behind a single IP on a core router instead of
NATing at each individual tower site so that each AP or tower itself is
NATted to its own unique public IP.
The latter is my own personal preference if NATing needs to be done, because if
you get a court/RIAA or just abuse complaint you at least know which tower is
causing the problem, so instead of trying to figure out from 2k customers (I
think that is what Matt said the other day he had) you now just need to
figure out from maybe 50 customers who is the guilty party.

My personal preference is to give public IPs via a combination of PPPoE and Hotspot
(DHCP server). This way if you need to renumber, all you need to do is add a new pool of
IPs and change which pool the server uses; once clients have automatically
changed over to the new IPs, it's time to retire the old ones, and
if you end up taking too long you simply start NATing the old IP space behind
the new until it can be swapped over.

Last time we renumbered it took me 5 hours of work and planning to renumber
3 /24's; the majority of this time was spent on changing all our servers' IPs
from old IP to new IP (got almost an entire /24 just for server IP space).
Way before this was done I had updated our DNS to a 5min cache setting (TTL)
for all our domains (regex sed job that took 15 min to whip up since I also
had to make sure the serial was updated). I did this a few weeks before we
were ready. I created a NAT rule to forward the NEW server IPs to my old
server IPs on my router once we took the new link live. Then started the
task to change the server IPs. Once a server IP was changed the NAT rule was
disabled.
New pools and networks were created on all our access routers and PPPoE
concentrators (took longer to break up blocks and figure out what needed to
go where than what it took to do the configuration).
I could have, but didn't, change the DHCP lease times to say 5min to make the
swap faster, and could have disconnected all PPPoE users to force them to
take a new IP. But I'd rather wait and let it swap normally.

A larger network with twice the amount of towers and clients I would say might add
another couple of hours to my renumbering time. A 2k network assuming "my"
approach and setup would probably take around 10 hours (depending on how
many servers needed IP changes and updates); without the server renumber it
would probably take no more than 5-6 hours. At $150/hr (being generous) at
10 hours it's $1500. I think you are looking at about $3k a year for your
own IP space. I'm still ahead even if I changed provider yearly. But if I
did I would have it down to an art and the time frame would probably be a lot less
in the future.

With NATing on a core I would expect to have almost a single tech guy that
would spend most of his time handling those issues and dealing with
customers' problems from NATting and assigning publics. Even if I'm generous
and it was only say 2hrs per week of say cheap tech labor, I would figure a cost
of $15/hr (salary, unemployment, social and benefits all added up) and that
would cost me $1560 a year.

To track down someone on an abuse report I would think a network-wide NAT
behind a single IP would in itself take about an hour at least per 200
customers or so. This then blows the above 2 hours per week out of line. We
do good firewalling to prevent customers getting infected etc., and almost
every time we've gotten an abuse report it's someone's laptop that got
infected, or someone that got an e-mail to their work account they check from
home with an infected .exe masquerading as an image file or screen saver or
whatever, and the customer is themselves behind their own broadband router as
well. I figure 1-2 reports a year per 200 or so clients. 2k clients I would
guess 5-10 reports a year at the least. But if I did that I would probably
have it down to an art to detect the offender and have them located within a
few hours.

But the easiest way to solve Matt's problem without going to public IPs is, as I
already mentioned before, to share the load of NATing groups of his clients behind
multiple IPs on his core router. Which should be doable with any Linux
based system, but for sure doable if you have direct iptables access, and even
if not I know it's doable on numerous platforms such as for example MikroTik
where you do not have direct control over iptables.
On ImageStream and StarOS you write iptables/ipchains rules, so it can be done.

/ Eje
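The per-tower src-nat split described in the message above, as an added example that is not part of the original post: a small POSIX shell script for a Linux core router that emits one iptables SNAT rule per tower subnet and gives the reverse lookup an abuse desk needs. The WAN interface name, the RFC1918 tower subnets and the 203.0.113.0/24 public addresses are all constructed sample values.

```shell
#!/bin/sh
# Added example (not from the list post): split one network-wide NAT into
# per-tower source NAT on a Linux router, so each tower's subnet leaves via
# its own public IP. A site that throttles "too much traffic" per address
# then sees ~50 customers per public instead of the whole network, and an
# abuse report naming a public IP points at a single tower. All values are
# constructed: WAN interface, tower subnets and the 203.0.113.0/24 publics.

WAN_IF="${WAN_IF:-eth0}"

# "subnet public" per line: which tower subnet is NATted behind which public.
TOWER_MAP="10.10.1.0/24 203.0.113.11
10.10.2.0/24 203.0.113.12
10.10.3.0/24 203.0.113.13"

# One iptables SNAT rule for a single subnet -> public mapping.
# RouterOS equivalent for boxes without direct iptables access (assumed syntax):
#   /ip firewall nat add chain=srcnat src-address=<subnet> \
#       out-interface=<wan> action=src-nat to-addresses=<public>
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$WAN_IF" "$2"
}

# Emit a rule per mapping, then a catch-all LOG so a private source with no
# tower mapping shows up in the logs instead of silently leaving unNATted.
gen_snat_rules() {
    echo "$TOWER_MAP" | while read -r subnet public; do
        [ -n "$subnet" ] && snat_rule "$subnet" "$public"
    done
    printf 'iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o %s -j LOG --log-prefix "UNMAPPED-SNAT "\n' \
        "$WAN_IF"
}

# Reverse lookup for an abuse complaint: which tower subnet sits behind this
# public IP? Prints nothing if the address is not one of ours.
tower_for_public() {
    echo "$TOWER_MAP" | awk -v p="$1" '$2 == p { print $1 }'
}

# Print the rules; pipe the output into sh on the router (as root) to apply.
gen_snat_rules
```

Running the script only prints the rules, so the mapping can be reviewed before it is applied; `tower_for_public 203.0.113.12` answers the "which tower is this complaint about" question without touching the router.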

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Scott Reed
Sent: Wednesday, October 28, 2009 1:24 PM
To: WISPA General List
Subject: Re: [WISPA] NAT issue with Hotmail/Yahoo/Google

<RANT>
So, as with so much that goes on the lists, not just this one, "oh, you 
aren't doing it my way so the fix is do it my way."  What a bunch of 
baloney!!
There are lots of ways to do almost everything we do as ISPs.  What 
really needs to happen is for people to read the post, think about what 
the real question is and then, if and only if, they can pose a solution 
to the real problem, post a suggestion.

But, since the only posts I have seen to Matt's is give everyone a 
public address, I have a few questions:

So, who is going to buy Matt a block of IPs to fix this non-NAT issue?
I ask, because I do as Matt does and if that is the fix, I need someone 
to buy me a block as well.
But the issue isn't really NAT, is it?
The real question is how does he deal with the current issue on his 
current network?

</RANT>

Matt Larsen - Lists wrote:
> We are having a problem with certain sites that are rejecting our 
> customers because they say the IP address has sent too much traffic over 
> the last 24 hours.   This is a problem, as 98% of our customers are 
> behind a single NATted IP address.   I am just changing the IP address 
> of the NAT server every 12 hours now, but am looking for a better 
> solution.   Anyone have any similar issues?
>
> Matt Larsen
> vistabeam.com
>
>
>
>
----------------------------------------------------------------------------
----
> WISPA Wants You! Join today!
> http://signup.wispa.org/
>
----------------------------------------------------------------------------
----
>  
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
>   
> ------------------------------------------------------------------------
>
>

-- 
Scott Reed
Sr. Systems Engineer
GAB Midwest
1-800-363-1544 x4000
Cell: 260-273-7239
