Large scale NATing for ISP (50k subscribers and 2millions+ sessions)

  • Hi experts,

    We have a wireless ISP network; due to a shortage of IPv4 we are doing NAPT in a Juniper
    firewall. But this box failed to meet current demand.

    We want to try pfSense NAT functionality to take some portion of the NAPT.
    What is the recommendation for hardware, RAM, type of HD and table size to meet
    such big NAT (or PAT) purposes?


  • Rebel Alliance Developer Netgate

    2 million sessions would be ~4 million states. 1KB RAM per state, so >4GB RAM would do it (plus some for the OS of course…)

  • That is an amazing load.

  • Thanks, admin.
    Is there any challenge for pfSense to take this BIG LOAD?
    May I know any reference ISP or setup with such a large NAPT?

  • Rebel Alliance Developer Netgate

    If you have enough RAM, set the state table high enough, have enough CPU power to handle the throughput, and a decent pool of IPs to NAT into, I don't see why not.
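The two sizing rules stated in this thread (two pf states per NAT session, roughly 1 KB of RAM per state) and the "decent pool of IPs to NAT into" requirement can be turned into a small capacity-planning check. The following is an added example, not pfSense or Netgate code; the 64512 usable source ports per public IP (1024-65535) and the 50% target pool utilisation are assumptions of this example, and `plan_nat` / `check_hardware` are illustrative names.

```python
"""Capacity-planning helper for a large NAT/NAPT box (added example).

Encodes the sizing rules given in the thread:
  - each NAT session costs ~2 pf states (2M sessions -> ~4M states)
  - each state costs ~1 KB of RAM
and adds an assumed per-IP source-port budget to estimate the public
IP pool needed so the translator does not run out of ports.
"""
import math
from dataclasses import dataclass

STATES_PER_SESSION = 2            # from the thread
RAM_PER_STATE_BYTES = 1024        # from the thread: ~1 KB per state
# Assumption: source ports 1024..65535 usable per public IP per protocol.
USABLE_PORTS_PER_IP = 65535 - 1024 + 1   # 64512


@dataclass
class NatPlan:
    sessions: int
    states: int                 # expected concurrent pf states
    state_table_limit: int      # limit to configure, with headroom
    state_ram_gb: float         # RAM consumed by the state table (decimal GB)
    total_ram_gb: float         # state RAM plus OS allowance
    min_pool_ips: int           # absolute floor: every port on every IP in use
    recommended_pool_ips: int   # pool sized for the target utilisation


def plan_nat(sessions, os_ram_gb=2.0, headroom=1.5, target_pool_util=0.5):
    """Derive state-table, RAM and NAT-pool requirements for `sessions`.

    headroom: multiplier applied to the expected state count so the
              state table limit is not hit during bursts.
    target_pool_util: fraction of the port space you are willing to use;
              0.5 leaves half the ports free (assumption, not from the thread).
    """
    states = sessions * STATES_PER_SESSION
    state_ram_gb = states * RAM_PER_STATE_BYTES / 1e9
    return NatPlan(
        sessions=sessions,
        states=states,
        state_table_limit=math.ceil(states * headroom),
        state_ram_gb=state_ram_gb,
        total_ram_gb=state_ram_gb + os_ram_gb,
        min_pool_ips=math.ceil(sessions / USABLE_PORTS_PER_IP),
        recommended_pool_ips=math.ceil(
            sessions / (USABLE_PORTS_PER_IP * target_pool_util)),
    )


def check_hardware(plan, ram_gb, pool_ips):
    """Return a list of findings for a proposed box; empty list means OK."""
    findings = []
    if ram_gb < plan.total_ram_gb:
        findings.append(
            f"RAM {ram_gb} GB is below the {plan.total_ram_gb:.2f} GB needed "
            f"for {plan.states} states plus the OS")
    if pool_ips < plan.min_pool_ips:
        findings.append(
            f"NAT pool of {pool_ips} IPs cannot hold {plan.sessions} sessions "
            f"(need at least {plan.min_pool_ips} IPs, port space exhausted)")
    elif pool_ips < plan.recommended_pool_ips:
        findings.append(
            f"NAT pool of {pool_ips} IPs is usable but tight; "
            f"{plan.recommended_pool_ips} IPs recommended")
    return findings


if __name__ == "__main__":
    # Figures from the thread: 50k subscribers, 2M+ concurrent sessions.
    p = plan_nat(2_000_000)
    print(f"states={p.states} table_limit={p.state_table_limit} "
          f"state_ram={p.state_ram_gb:.3f} GB total_ram={p.total_ram_gb:.3f} GB")
    print(f"pool: min {p.min_pool_ips} IPs, recommended {p.recommended_pool_ips}")
    for f in check_hardware(p, ram_gb=8, pool_ips=16):
        print("finding:", f)
```

The port-pool arithmetic is the part the RAM rule alone does not show: 2M sessions need at least 32 public IPs just to have a source port available for each, before any burst or per-subscriber port limits are considered.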

  • Thanks for the assurance.
    Can I keep a log of NAPT sessions? What will be the extra CPU and RAM load from enabling logging?
    Or will flow logging serve the purpose?

  • While I'd love to see how pfSense would actually perform in such a demanding situation, it would seem to me that if you need to NAT 50k users using a single box (note: not advisable) using pf, you might want to also check pf-SMP which is part of (yet to be released) FreeBSD 10 …

  • I would think with that many sessions you would be looking into some high-end equipment from Cisco or someone…

    vs open source and a self-bought server…

    Or are you planning to use some proper "server" grade hardware?
