Netgate Discussion Forum

NAT with large number of subnets/IPs?

sjwk, May 22, 2013, 4:13 PM

    Just playing with some ideas at the moment.  Can pfSense handle a large number of virtual IPs for use with NAT?  By large, 650 or so for each side of the NAT.  And if so, can the NAT mappings and rules be created via script rather than through the web interface?

    We have about that number of students and a /22 subnet of routeable addresses.  Currently we have a one-device-per-student policy plus exceptions on request as we don't have enough routeable IPs to allow everyone to have as many devices as they like.  As technology has moved on, we want to be able to allow multiple devices to be registered which is going to mean NAT in the short term.

    If I put everyone behind a single NAT IP gateway then it becomes much, much harder to identify, for instance, owners of malware-infected machines or who is responsible for the Cease&Desist notice received for copyright misuse etc where only the public facing IP is reported.

    So I had the idea of having the registration system assign each user a, for example, /27 RFC1918 subnet which would get NATted to a per-student real IP.  That way we can at least have a pretty solid idea from the externally visible IP which particular student is responsible for whatever has been flagged.

    As a proof of concept, I knocked up a quick script to generate 500 pairs of virtual IPs on a Linux box and could come up with something using iptables to set up the NAT, but I've never really liked iptables rules compared with PF and would like the resilience that CARP and so on would offer to avoid a single point of failure, as well as a decent management interface for configuring things.

    Has anyone ever set up a NAT system of that scale with pfSense?  I could just write a script to call ifconfig and pfctl to add the interfaces but that almost certainly won't set things up in a pfSense-friendly way so at best they won't be manageable, at worst pfSense would then break them…

    Like I say, just considering ideas at the moment.

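The per-student mapping the post sketches (one RFC1918 /27 per user, each translated to its own routeable address) is easy to generate and, more importantly, easy to reverse when an abuse or copyright notice arrives quoting only the public IP. The script below is an added example, not code from the poster or from the pfSense project: it pairs the i-th usable address of a public block with the i-th /27 of a private block, renders the result as plain pf.conf `nat` rules, and builds the reverse index used for attribution. The address blocks (198.18.0.0/22 standing in for the routeable /22, 10.20.0.0/16 as private space) and the interface name `em0` are constructed assumptions; the poster's question of how to register the resulting virtual IPs in a pfSense-friendly way is not addressed here, only the rule and mapping generation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins, not real deployment values: a /22 that plays the role of the
# routeable block, and a /16 of RFC1918 space carved into per-student /27s.
PUBLIC_BLOCK = ipaddress.ip_network("198.18.0.0/22")
PRIVATE_BLOCK = ipaddress.ip_network("10.20.0.0/16")
STUDENT_PREFIX = 27
EXT_IF = "em0"  # assumed name of the outside (WAN) interface

Mapping = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def build_mappings(n_students: int,
                   public_block: ipaddress.IPv4Network = PUBLIC_BLOCK,
                   private_block: ipaddress.IPv4Network = PRIVATE_BLOCK,
                   prefix: int = STUDENT_PREFIX) -> List[Mapping]:
    """Pair the i-th usable public address with the i-th private /prefix subnet.

    hosts() skips the network and broadcast addresses, so a /22 yields 1022
    usable public IPs; a /16 split into /27s yields 2048 subnets.  Both are
    checked up front so an oversubscribed plan fails before any rule is written.
    """
    public_hosts = list(public_block.hosts())
    private_subnets = list(private_block.subnets(new_prefix=prefix))
    if n_students > len(public_hosts):
        raise ValueError(f"only {len(public_hosts)} usable public addresses in {public_block}")
    if n_students > len(private_subnets):
        raise ValueError(f"only {len(private_subnets)} /{prefix} subnets in {private_block}")
    return [(private_subnets[i], public_hosts[i]) for i in range(n_students)]


def pf_nat_rules(mappings: List[Mapping], ext_if: str = EXT_IF) -> List[str]:
    """Render one outbound NAT rule per student in pf.conf syntax.

    Each rule translates everything sourced from the student's /27 to that
    student's dedicated public address, so the externally visible IP identifies
    the student rather than the whole campus.
    """
    return [f"nat on {ext_if} from {subnet} to any -> {pub}" for subnet, pub in mappings]


def attribution_index(mappings: List[Mapping]) -> Dict[str, ipaddress.IPv4Network]:
    """Reverse index: public address -> the private /27 (i.e. the student) behind it."""
    return {str(pub): subnet for subnet, pub in mappings}


def lookup(index: Dict[str, ipaddress.IPv4Network], reported_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Resolve the IP quoted in an abuse/C&D notice to the responsible private subnet.

    Returns None for addresses that are in the public block but not assigned,
    which is itself a useful signal (nothing should be sourcing from them).
    """
    return index.get(str(ipaddress.ip_address(reported_ip)))


if __name__ == "__main__":
    plan = build_mappings(650)
    for rule in pf_nat_rules(plan)[:3]:
        print(rule)
    idx = attribution_index(plan)
    print("198.18.2.0 ->", lookup(idx, "198.18.2.0"))
```

The generated rules are ordinary pf.conf lines; with a registration system holding the student-to-/27 assignment, `lookup()` is the whole attribution step. Because the mapping is a pure function of the student index, the same script can regenerate identical rules on a second firewall, which is what makes a CARP pair practical for this design.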
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.