Pooled NAT for 2000 Users

  • Hello,

    I am the network manager for a smallish college with roughly 2000 users on our student network.  I have looked at PFSense off and on for about 3-4 months as a possible solution for me.  I was wondering if there was anyone out there who could provide me with a bit of info, and maybe their opinion as well.

    Over the last 5 years I have used both IPFW/NATd and IPFilter/IPNAT on FreeBSD with varying levels of success to provide Internet access to the students.  The NAT scheme I have used has always been a many-to-one NAT.  This basically means that all connections to/from campus are coming directly through one IP address.

    The IPFW/NATd combo was great until the NATd started seeing too much traffic and the CPU cycles went through the roof.  This prompted me to switch to the kernel-land of IPFilter.  IPFilter has been much better in keeping CPU traffic down, and performance up, but I have had issues with getting the pooled NAT working without the box freezing after a few hours.

    Each year it has been getting more difficult to provide consistent service from a single IP based on the different types of traffic that are being required now for gaming, etc.  More and more often I have seen connection problems to certain games because many servers have problems if two users appear to be coming from behind the same IP.

    Since I have a block of IPs available to me, I'd like to set up a PFSense machine to see if the performance is better on a machine streamlined for firewall/NATing.

    My NAT rules have always been simple, and are pretty portable to PFSense.

    map em0 -> X.X.117.17 - X.X.117.30/32 portmap tcp/udp auto
    map em0 -> X.X.117.17 - X.X.117.30/32

    Note that the above rulesets work fine for a little while, and then ultimately the box totally freezes.  Since I am using BSD, my concern is that the PFSense machine may be susceptible to the same issues.

    In this scenario, I would like the PFSense box to use any available IP from 117.17-117.30.  This will allow the box to have a greater connection port pool, and at the same time would spread out the source IPs so more than one person could potentially connect to a server at a particular time.  Is this as simple as setting up virtual IPs for each of the IPs, and then building a NAT rule that uses this range of addresses?

    One thing I should mention.  Our Internet Connection is a DS3, and on a daily basis we see an average of about 25MB going through this box at any given time.  I should also mention that NAT is only configured for internet access.  There are no inbound NATs that need to be worried about.
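    As an added illustration (not part of the original post, and not pfSense's generated configuration), here is what the poster's two ipnat "map" rules look like as an outbound pool NAT rule in pf.conf, the rule language pfSense builds from its Outbound NAT settings. The interface name em0 comes from the posted rules; the student subnet is an assumption because the thread never states it, and the public block is written with the documentation prefix 192.0.2.0/24 in place of X.X.117.0/24.

```pf
# Added example: pf outbound NAT drawing from a pool of 14 public addresses.
# Placeholders: 10.20.0.0/16 stands in for the (unstated) student network,
# 192.0.2.17 - 192.0.2.30 stand in for X.X.117.17 - X.X.117.30.

ext_if   = "em0"             # WAN interface, as in the posted ipnat rules
students = "10.20.0.0/16"    # assumed student subnet

# The 14 usable public addresses the poster wants to spread traffic over.
pool = "{ 192.0.2.17, 192.0.2.18, 192.0.2.19, 192.0.2.20, 192.0.2.21, \
          192.0.2.22, 192.0.2.23, 192.0.2.24, 192.0.2.25, 192.0.2.26, \
          192.0.2.27, 192.0.2.28, 192.0.2.29, 192.0.2.30 }"

# round-robin spreads internal hosts across the pool (the equivalent of the
# ipnat range plus "portmap tcp/udp auto"); sticky-address keeps a given
# internal host on the same public address for all of its connections, so a
# game server that dislikes several players behind one IP sees each player
# coming from one stable source instead of hopping between pool addresses.
nat on $ext_if from $students to any -> $pool round-robin sticky-address

# Alternative pool policy: source-hash picks the public address from a hash
# of the internal source address, giving the same stability without keeping
# per-host state.  Use one rule or the other, not both.
# nat on $ext_if from $students to any -> $pool source-hash
```

The pool addresses must be ones the firewall answers ARP for, which is exactly what the poster's "virtual IPs" question is about: in pfSense they are added as Virtual IPs (Proxy ARP or CARP) before they can be selected as the translation target under Advanced Outbound NAT. Nothing here opens inbound access; the rule only rewrites the source of connections leaving em0, matching the poster's note that only outbound NAT is needed.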

  • That wouldn't even be close to the biggest pfSense install that's out there, so I can't imagine you having any problems. It should work fine, you could 1:1 NAT every machine if you have a large enough public subnet, or map individual subnets to one public IP each if you don't have enough for everything. Lots of options with 1:1 and Advanced Outbound NAT.

    IPF seems to have freezing issues on FreeBSD recently, a number of m0n0wall users have reported solid freezes especially under heavy load. Many have switched to pfSense and the problems went away, though the 1.3 beta m0n0wall version that's FreeBSD 6.2 based also seems to fix these people's issues.

  • Great to hear so far.  I'm about to install this on a permanent box, and I'm hoping for the best.

    I have a range of about 13 IPs or so that I can dedicate to the students, so I may NAT their entire subnet to that range of IPs.

    I'm glad to hear that I'm not crazy and that others have had problems with FreeBSD freezing under heavy IPFilter loads as well.  I thought it was something I was doing wrong.