4. Usage and maximum number of NAT entries in GUI?

Usage and maximum number of NAT entries in GUI?

  • C

    Hi,

    We have a large LAN network with about 500 users. All these users where going to the Internet using NAT with a single public IP. We changed this now to a /28 public pool of addressing. The reason we did this is because with a single public IP you can only have a maximum of 65.536 (2^16) NAT entries because it uses 16bit for the port number. We think we where hitting this limit but aren't sure. The number of "states" pfsense is using more then doubled after changing from single NAT to a /27 NAT pool.

    The thing is that the number of NAT entries that can be used on a single IP (65.536) isn't displayed anywhere in the pfsense GUI. Only the number of "states". But the maximum number of "states" is based on the amount of memory. PFsense doesn't take into account that you might have reached the maximum of that single IP long before.

    Anybody got more info about this?

    chiel

    0
  • Rebel Alliance Developer Netgate

    I can't find it in the pf docs at the moment but IIRC it uses the source and destination when checking overloaded ports on outbound NAT so it can use the same source port more than once so long as the destination is different so it can discern where to send replies. Using a pool is better as it reduces contention but it's not as critical as it could be. It also makes the kind of statistic you're interested in very hard to calculate.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy