Reaching the limits of PAT, scaling up with more WAN IPs? (using ProxyARP & VIP)
-
Hey,
The number of users in one of our networks has increased to over 6000 concurrent clients.
We're using Manual Outbound NAT on one WAN IP address to NAT all these clients at the moment (internal traffic is not NATed though), and of course this will become a problem when there aren't enough ports left to use. We already have a few more unused IP addresses on the WAN subnet, routed by another router, which I'm ready to set up.
Since it is not possible to have multiple WAN addresses that share the same gateway/subnet, I have to use Virtual IPs, I guess.
I'm not sure how to set this up. I've added two Virtual IPs with Proxy ARP, from the same subnet as the WAN (one of them being the same IP as the WAN IP).
Now, under the NAT Outbound rules, I want to add a "PAT rule" to match all my LANs to my virtual IPs.
But I can only choose ONE virtual IP when configuring Translation, and no way to configure a group of "Virtual IPs"?
And if I add a whole network/subnet of IP addresses as a Virtual IP, I guess pfSense will try to use all IP addresses on that subnet even though I only want to use a few IPs from that WAN subnet, not all IPs from the whole subnet. I must be missing something here..
Edit: re-phrased my questions.
-
If you want to point your outbound NAT to a pool, you need to create an alias of hosts, consisting of the public ips you want in the pool. Then use manual outbound nat and change the translation address to the alias. You will be presented with options for the pool. You can also enter a subnet directly, but I haven't tried that method.
-
Yes, but I don't think I can do that since all the WAN IPs we have are on the same subnet using the same gateway. And it's not possible in pfSense to add multiple IPs that are on the same subnet even though they are on different interfaces. If you try to add another interface using an IP that is on the same subnet as an existing interface, you will get this error message: The following input errors were detected: "IPv4 address 10.1.1.170/28 is being used by or overlaps with: WAN (10.1.1.168/28)."
I tried to set this up using Virtual IPs with ProxyARP but I'm still not sure if that is the way to go since it raises other questions, like multiple IPs showing up with the same MAC address (our ARP spoofing surveillance is triggered by this).
-
You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a WAN with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt if anyone is going to be able to help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense.
-
Sorry, the IP addresses were just an example, not using double NAT.
Anyway, I got this figured out now. I got side-tracked with proxy ARP, which is not necessary in this case.
How I solved it?
- Just added more WAN IPs as Virtual IPs with Type Alias (as they can be on the same subnet as the physical WAN).
- Added these Virtual IPs and also the physical WAN IP to an alias group ("ALL_WAN_IPs").
- Added a PAT rule using the "ALL_WAN_IPs" alias, with Round Robin with Sticky Address.
It seems to be pseudo-sticky though. Clients use different WAN IPs on different connections. My understanding of Sticky Address was that it uses the same WAN IP for all connections based on the source (client) IP.
One thing that I still don't understand is that the clients never seem to use the physical IP address from the WAN interface, even though it's included in the Host Alias "group".
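The "pseudo-sticky" behaviour described in the post above can be reproduced with a small model of a pf-style outbound NAT pool. This is an added example written for this page, not pfSense or pf code; the sticky semantics it implements are my reading of pf's documented behaviour (assumption): a source IP is pinned to one translation address only while at least one state from that source exists, and once the last state expires the binding is dropped and the next connection goes through round-robin again. The pool addresses, client addresses and port counts are constructed sample values (RFC 5737 documentation ranges), and addresses_needed() gives the rough pool-size estimate behind the "running out of ports" concern in the opening post.

```python
import itertools
import math


class NatPool:
    """Outbound NAT/PAT pool with round-robin selection and optional sticky-address.

    Assumption (my model of pf's sticky-address): the src_ip -> wan_ip binding
    lives only as long as at least one state from that source exists.
    """

    def __init__(self, addresses, sticky=True, first_port=1024, last_port=65535):
        if not addresses:
            raise ValueError("pool needs at least one address")
        self.addresses = list(addresses)
        self.sticky = sticky
        self.port_range = range(first_port, last_port + 1)
        self._rr = itertools.cycle(self.addresses)
        self.states = {}      # (src_ip, src_port, dst_ip, dst_port) -> (wan_ip, wan_port)
        self.src_track = {}   # src_ip -> wan_ip  (sticky binding)
        self.used_ports = {a: set() for a in self.addresses}

    def _pick_address(self, src_ip):
        # Sticky: reuse the existing binding; otherwise take the next pool member.
        if self.sticky and src_ip in self.src_track:
            return self.src_track[src_ip]
        addr = next(self._rr)
        if self.sticky:
            self.src_track[src_ip] = addr
        return addr

    def _alloc_port(self, wan_ip, src_port):
        # Keep the client's source port when it is free on this WAN IP,
        # otherwise take the lowest free port; fail when the IP is exhausted.
        used = self.used_ports[wan_ip]
        if src_port in self.port_range and src_port not in used:
            used.add(src_port)
            return src_port
        for port in self.port_range:
            if port not in used:
                used.add(port)
                return port
        raise RuntimeError(f"port exhaustion on {wan_ip}")

    def open_state(self, src_ip, src_port, dst_ip, dst_port):
        """Create (or return the existing) translation for one connection."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.states:
            return self.states[key]
        wan_ip = self._pick_address(src_ip)
        wan_port = self._alloc_port(wan_ip, src_port)
        self.states[key] = (wan_ip, wan_port)
        return wan_ip, wan_port

    def expire_all_from(self, src_ip):
        """All states from src_ip time out: free their ports and drop the sticky binding."""
        for key in [k for k in self.states if k[0] == src_ip]:
            wan_ip, wan_port = self.states.pop(key)
            self.used_ports[wan_ip].discard(wan_port)
        self.src_track.pop(src_ip, None)


def addresses_needed(clients, connections_per_client, ports_per_address=64512):
    """Minimum pool size so every client can hold its connections at once.

    64512 = usable ports 1024..65535 per translation address (assumption).
    """
    return math.ceil(clients * connections_per_client / ports_per_address)


def demo():
    """Sticky pool: client A stays on one WAN IP until all its states expire."""
    pool = NatPool(["203.0.113.10", "203.0.113.11", "203.0.113.12"], sticky=True)
    # Client A opens three connections: all land on the same WAN IP.
    a = {pool.open_state("10.0.0.5", p, "198.51.100.1", 443)[0] for p in (40000, 40001, 40002)}
    # Client B's first connection gets the next round-robin member.
    b = pool.open_state("10.0.0.6", 40000, "198.51.100.1", 443)[0]
    # A's states all expire; its binding is gone, so its next connection is
    # assigned by round-robin again and may land on a different WAN IP.
    pool.expire_all_from("10.0.0.5")
    a_after = pool.open_state("10.0.0.5", 40000, "198.51.100.1", 443)[0]
    return sorted(a), b, a_after


if __name__ == "__main__":
    print(demo())
    print(addresses_needed(6000, 50), "WAN IPs for 6000 clients x 50 connections")
```

demo() returns (['203.0.113.10'], '203.0.113.11', '203.0.113.12'): the binding holds across concurrent connections but not across an idle gap, which is consistent with clients appearing on different WAN IPs over time. The model does not explain why one pool member would never be chosen at all; round-robin as modelled here cycles through every address in the list.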