Multiple-to-many-NAT: how many external IPs?



  • Hi,
    given are multiple /22 or /23 internal networks. The traffic shall be NATted to the internet. Since a single IP-Address would not be enough I need multiple IP-Addresses for the NAT-pool (by using Proxy ARP and IP Alias).

    But how do I know how many external IP-Addresses I need for the pool? Are there some metrics or system information which show me when I have to add more IP Addresses?



  • With that little information, nobody will have a clue what you're asking for.  What is it that you're trying to accomplish?  You're asking us to tell you how many IP addresses you need without any other context.



  • Hi KoM,
    I was asking if metrics or system information exist which indicate when the current external address pool is overused and I have to add more external addresses.

    I know that the necessary number of external addresses depends on the number of sessions/ports a client uses. And that's hard to predict (BYOD Smartphones and tablets in this case).

    The objective is: There are several /22 and /23 wifi-user internal subnets (-> 500 to 1000 clients per subnet). These clients have internal IP-Addresses but want to use internet services without proxy (mainly webbrowsing, mail, apps, YT, social media). Most users are students so they use an unpredictable combination of internet services.



  • when the current external address pool is overused and I have to add more external addresses.

    I am having a hard time wrapping my head around this.  Thousands of clients can be served by a single gateway (access points is another matter entirely), so why is it that you need all these external IPs??

    These clients have internal IP-Addresses but want to use internet services without proxy

    That's pretty much the standard use case, and all of this just works right out of the box.

    Are you having any actual problems or is this just a mental exercise?



  • I quote from https://doc.pfsense.org/index.php/Outbound_NAT :

    Address pools allow use of a subnet or list of external IP addresses when performing outbound NAT as opposed to the traditional situation which translates traffic to a single external address. Multiple external addresses can help in situations where the resources of a single external IP may not be enough for a large number of internal users.

    I suppose that a single external IP-Address might not be enough for 1000 NAT-clients. You can scale CPU power and traffic throughput of a gateway. But not the ports of a single IP-address.



  • You have to determine how many concurrent connections are likely. The limiting factor is how many port numbers are available per IP address.  There are 64K port numbers, but some may not be available, depending on what services are running.



  • OK, thanks.  Now I see what you're talking about.  I can see how thousands of students all walking around with the phone/PC/Xbox yapping all over the network would saturate the resources of a single outbound NAT.  Make sure you have enough RAM to manage a state table that large.



  • I will increase state table size according to https://doc.pfsense.org/index.php/How_can_I_increase_the_state_table_size

    Default State Table Size is 406.000 entries (@4GB RAM). Per used NAT-Port I see two entries in state table. So one can assume that if there are f.e. 240k entries in state table, the port numbers of two IP addresses are almost fully used?
    (2 entries per port -> 120.000 ports, about 60.000 ports per IP-address).


  • Netgate

    When you are dealing with overload NAPT you need to have enough IP addresses so you can handle every WAN_IP:PORT+DEST_IP:PORT combination. That increases the number of states a particular WAN_IP can serve dramatically beyond 65535.
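Added example, not part of the thread and not pfSense code: a small parser that turns a NAT state listing into the per-address metrics asked about above, counting states, distinct translated ports, and the port load toward the busiest single destination, which is the figure the WAN_IP:PORT+DEST_IP:PORT rule actually bounds. The sample lines are constructed, and the line layout (translated address first, internal address in parentheses) and the `usable_ports` value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption modeled on pf state listings.
SAMPLE = """\
em0 tcp 203.0.113.10:50001 (10.0.4.21:49152) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.10:50001 (10.0.4.22:49152) -> 198.51.100.8:443 ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.10:50002 (10.0.4.23:51000) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.10:50001 (10.0.4.21:5353) -> 192.0.2.53:53 MULTIPLE:SINGLE
em0 tcp 203.0.113.11:61000 (10.0.6.9:40000) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
em1 tcp 10.0.4.21:49152 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
"""

# Matches only translated states: IFACE PROTO EXT:PORT (INT:PORT) -> DST:PORT STATE
NAT_STATE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<ext_ip>[\d.]+):(?P<ext_port>\d+)\s+"
    r"\((?P<int_ip>[\d.]+):\d+\)\s+->\s+(?P<dst>[\d.]+:\d+)\s")

def pool_usage(text, usable_ports=64000):
    """Per (proto, external IP): state count, distinct ports, busiest destination.

    usable_ports is an assumed size of the translation port range.
    """
    states = defaultdict(int)
    ports = defaultdict(set)
    per_dst = defaultdict(set)  # (proto, ext_ip, dst) -> translated ports in use
    for line in text.splitlines():
        m = NAT_STATE.match(line)
        if not m:
            continue  # untranslated (LAN-side) entries say nothing about the pool
        key = (m["proto"], m["ext_ip"])
        states[key] += 1
        ports[key].add(int(m["ext_port"]))
        per_dst[key + (m["dst"],)].add(int(m["ext_port"]))
    report = {}
    for key in states:
        # A port can be reused toward different destinations, so the hard
        # limit applies per destination, not to the total state count.
        worst = max(len(p) for k, p in per_dst.items() if k[:2] == key)
        report[key] = {"states": states[key],
                       "distinct_ports": len(ports[key]),
                       "busiest_dst_ports": worst,
                       "busiest_dst_fill": worst / usable_ports}
    return report

if __name__ == "__main__":
    for key, row in sorted(pool_usage(SAMPLE).items()):
        print(key, row)
```

In the sample, 203.0.113.10 carries three TCP states on only two translated ports, so a state count alone overstates port consumption; `busiest_dst_fill` approaching 1.0 for any address is the signal that the pool needs another address.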