Usage and maximum number of NAT entries in GUI?



  • Hi,

    We have a large LAN network with about 500 users. All these users were going to the Internet using NAT with a single public IP. We have now changed this to a /28 public pool of addresses. The reason we did this is that with a single public IP you can only have a maximum of 65.536 (2^16) NAT entries, because it uses 16 bits for the port number. We think we were hitting this limit but aren't sure. The number of "states" pfSense is using more than doubled after changing from single NAT to a /27 NAT pool.

    The thing is that the number of NAT entries that can be used on a single IP (65.536) isn't displayed anywhere in the pfSense GUI. Only the number of "states". But the maximum number of "states" is based on the amount of memory. pfSense doesn't take into account that you might have reached the maximum of that single IP long before.

    Anybody got more info about this?

    chiel


  • Rebel Alliance Developer Netgate

    I can't find it in the pf docs at the moment, but IIRC it uses the source and destination when checking overloaded ports on outbound NAT, so it can use the same source port more than once so long as the destination is different, so it can discern where to send replies. Using a pool is better as it reduces contention, but it's not as critical as it could be. It also makes the kind of statistic you're interested in very hard to calculate.
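
Added example, not part of the thread and not pfSense code: one way to approximate the per-IP figure asked about is to group state-table entries by translated address and port. It assumes the `interface proto translated (original) -> destination` line layout for outbound NAT states in `pfctl -ss` output; the sample lines are constructed and use documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the layout assumed for outbound NAT states:
# iface proto translated_ip:port (original_ip:port) -> destination state
SAMPLE = """\
igb0 tcp 203.0.113.10:40001 (192.168.1.20:51000) -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.10:40001 (192.168.1.31:49800) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.10:40002 (192.168.1.20:51001) -> 198.51.100.5:443       TIME_WAIT:TIME_WAIT
igb0 udp 203.0.113.10:40001 (192.168.1.44:5353) -> 192.0.2.53:53       MULTIPLE:SINGLE
igb0 tcp 203.0.113.11:40001 (192.168.1.50:50000) -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.1.20:51000 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
"""

NAT_STATE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<xip>[\d.]+):(?P<xport>\d+)\s+"
    r"\((?P<oip>[\d.]+):(?P<oport>\d+)\)\s+->\s+(?P<dst>[\d.]+:\d+)\s")

def nat_port_usage(text):
    """Per (proto, translated IP): state count, distinct ports, busiest port."""
    # key -> translated port -> set of destinations sharing that port
    dsts = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = NAT_STATE.match(line)
        if not m:
            continue  # not a translated state (e.g. the LAN-side entry)
        dsts[(m["proto"], m["xip"])][int(m["xport"])].add(m["dst"])
    report = {}
    for key, ports in dsts.items():
        report[key] = {
            # one state per unique (translated port, destination) pair
            "states": sum(len(d) for d in ports.values()),
            # distinct ports consumed out of the 2^16 per protocol and IP
            "ports": len(ports),
            # >1 means a port is reused toward different destinations
            "max_reuse": max(len(d) for d in ports.values()),
        }
    return report

if __name__ == "__main__":
    for (proto, ip), r in sorted(nat_port_usage(SAMPLE).items()):
        print(f"{proto} {ip}: {r['states']} states on {r['ports']} ports, "
              f"busiest port shared by {r['max_reuse']} destinations")
```

A `ports` value approaching 65536 for one protocol and address, with `max_reuse` staying near 1, would indicate port contention on that address rather than a shortage of state-table memory.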