NAT with large number of subnets/IPs?

  • Just playing with some ideas at the moment.  Can pfSense handle a large number of virtual IPs for using with NAT?  By large, 650 or so for each side of the NAT.  And if so, can the NAT mappings and rules be created via script rather than through the web interface?

    We have about that number of students and a /22 subnet of routeable addresses.  Currently we have a one-device-per-student policy plus exceptions on request as we don't have enough routeable IPs to allow everyone to have as many devices as they like.  As technology has moved on, we want to be able to allow multiple devices to be registered which is going to mean NAT in the short term.

    If I put everyone behind a single NAT IP gateway then it becomes much, much harder to identify, for instance, owners of malware-infected machines or who is responsible for the Cease&Desist notice received for copyright misuse etc where only the public facing IP is reported.

    So I had the idea of having the registration system assign each user a, for example, /27 RFC1918 subnet which would get NATted to a per-student real IP.  That way we can at least have a pretty solid idea from the externally visible IP which particular student is responsible for whatever has been flagged.

    As a proof of concept, I knocked up a quick script to generate 500 pairs of virtual IPs on a Linux box and could come up with something using iptables to setup the NAT, but I've never really liked iptables rules compared with PF and would like the resilience that CARP and so on would offer to avoid a single point of failure, as well as a decent management interface for configuring things.

    Has anyone ever set up a NAT system of that scale with pfSense?  I could just write a script to call ifconfig and pfctl to add the interfaces but that almost certainly won't set things up in a pfSense-friendly way so at best they won't be manageable, at worst pfSense would then break them…

    Like I say, just considering ideas at the moment..