[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PF limit on number of natted connections ?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF limit on number of natted connections ?
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Thu, 13 Jun 2002 12:07:38 -0700
On Thu, Jun 13, 2002 at 12:45:02PM -0500, taproot420 wrote:
> If I remember correctly you can only nat something like 253
> connections per ip.
You remember incorrectly. From a theoretical standpoint, NAT is
limited by the number of available IP addresses and transport
layer ports. You can NAT an entire class A behind a single IP
address, but you're likely to exhaust available ports first--TCP
and UDP are limited to 64K total, with a thousand reserved--call
it well over a hundred thousand simultaneous combined TCP and UDP
sessions per IP address. Simultaneously using other transport
layer protocols won't interfere (theoretically) with those
Looking at it from a practical standpoint, your biggest problem
will be the number of packets per second and the complexity of
your filter rules. Throwing more hardware at it will help, but
perhaps not as much as careful tuning--Google for what Henning's
done for particulars. Few people have had problems with pf's
performance, and I'd wager lunch that most of those have been
Having said all this, you almost certainly don't want to do
NAT for anywhere near enough hosts to approach theoretical or
practical limits. Careful use of proxy servers will give you a
big boost in performance and security for most environments and,
at the same time, nearly eliminate the need for NAT. If that's not
an option, you probably really, really need routable IP addresses.
[demime 0.98d removed an attachment of type application/pgp-signature]