NAT failing in a network with 800 computers??

EddyCordo · Feb 28, 2009, 7:01 AM

Our pfsense firewall is configured as NAT with a subnet of /22. We have around 800 computers on one network domain. There are times when some computers would subsequently fail to access the internet. The users could not browse, connect to yahoo messenger and IRC. But when I reset the state table, internet connectivity would return to normal. Is it possible that its running out of ports? Any suggestions on how to overcome this?

AhnHEL · Feb 28, 2009, 7:09 AM

Whats your state table size and is it maxed out when your computers are losing connectivity?

You can increase the size of the state table in the GUI:
System/Advanced/Firewall Maximum States

The default is 10,000, try increasing it to 20,000 and see if that helps. Doing so will increase your Memory Usage so if your pfSense box doesnt have much free memory, do so with caution.

EddyCordo · Feb 28, 2009, 7:13 AM

2453/30000

that was the state on the status page. seems ok isn't it? thanks for the quick reply.

AhnHEL · Feb 28, 2009, 7:20 AM

Your usage to actual state table size seems fine.

You could try changing the Firewall Optimization Options to Conservative and see if this helps as well.

System/Advanced/Firewall Optimization Options

EddyCordo · Feb 28, 2009, 7:55 AM

I'll give it a try. But theoretically, there shouldn't be any problem with NATing a /22 subnet, should it?

AhnHEL · Feb 28, 2009, 6:52 PM

What hardware are you using for your pf box and what kind of connection do you have to the internet?

EddyCordo · Mar 1, 2009, 2:35 AM

Our pf box is a supermicro with intel chipset, GB LAN, 2GB RAM, intel core2duo 2.4GHz. We have a 50MB internet connection. We are an internet kiosk hosting 800+ computers.

cmb · Mar 1, 2009, 4:25 AM

With 800 systems, you'll want a bigger state table. While it was fine at the time you posted it, you can very easily exhaust 10,000 states with that many systems. If you have 128 MB RAM, set it to 40,000, with 256 MB RAM set it to 150,000, with 512 MB RAM, set it to 300,000, and with more than that, set it to 500,000.

What you described is exactly what happens when you exhaust the state table.

EddyCordo · Mar 1, 2009, 2:53 PM

i've experienced exhausting our state table before and we have found the culprit. it was a ddos attack on port 445. ever since we disabled port 445 on our windows systems, state exhaution never happened again. it somehow cured the problem but the internet connectivity would still get interrupted occassionally. this gave me doubts on NATing a large network. the only solution i do for now is to reset the state table although it never even consumes half of the maximum that i set.