Re: PF limit on number of natted connections ?

On Thu, Jun 13, 2002 at 12:45:02PM -0500, taproot420 wrote:

> If I remember correctly you can only nat something like 253
> connections per ip.

You remember incorrectly. From a theoretical standpoint, NAT is
limited by the number of available IP addresses and transport
layer ports. You can NAT an entire class A behind a single IP
address, but you're likely to exhaust available ports first--TCP
and UDP are limited to 64K total, with a thousand reserved--call
it well over a hundred thousand simultaneous combined TCP and UDP
sessions per IP address. Simultaneously using other transport
layer protocols won't interfere (theoretically) with those

Looking at it from a practical standpoint, your biggest problem
will be the number of packets per second and the complexity of
your filter rules. Throwing more hardware at it will help, but
perhaps not as much as careful tuning--Google for what Henning's
done for particulars. Few people have had problems with pf's
performance, and I'd wager lunch that most of those have been
configuration problems.

Having said all this, you almost certainly don't want to do
NAT for anywhere near enough hosts to approach theoretical or
practical limits. Careful use of proxy servers will give you a
big boost in performance and security for most environments and,
at the same time, nearly eliminate the need for NAT. If that's not
an option, you probably really, really need routable IP addresses.


Ben Goren
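The port-space arithmetic in the reply above, as an added example that is not part of the original post: a toy port-address-translation state table that hands out (external address, port) pairs per transport protocol, so filling the TCP pool behind one address leaves UDP untouched. The 1024 reserved ports, the 192.0.2.1 external address and the 10.0.0.0/8 clients are constructed assumptions, not values from the message.

```python
"""Toy port-address-translation state table (constructed example).
Each (protocol, external port) pair backs one session, so the ceiling
is counted per transport protocol; TCP and UDP pools never compete."""

PORT_SPACE = 65536
RESERVED = 1024                      # assumption: ports < 1024 left unused
USABLE_PORTS = range(RESERVED, PORT_SPACE)


class NatTable:
    def __init__(self, external_ips):
        self.external_ips = list(external_ips)
        self.state = {}              # (proto, ext_ip, ext_port) -> session
        # Free-port pool per protocol and external address; popped from
        # the end, so low ports are handed out first.
        self.free = {p: {ip: list(reversed(USABLE_PORTS)) for ip in self.external_ips}
                     for p in ("tcp", "udp")}

    def capacity(self):
        """Sessions one transport protocol can carry over all addresses."""
        return len(self.external_ips) * len(USABLE_PORTS)

    def in_use(self, proto):
        return sum(1 for key in self.state if key[0] == proto)

    def allocate(self, proto, int_ip, int_port, dst):
        """Hand out a free external (ip, port), or None once every pool is empty."""
        for ext_ip in self.external_ips:
            pool = self.free[proto][ext_ip]
            if pool:
                ext_port = pool.pop()
                self.state[(proto, ext_ip, ext_port)] = (int_ip, int_port, dst)
                return ext_ip, ext_port
        return None


def simulate_exhaustion(external_ips=("192.0.2.1",)):
    """Fill the TCP pool behind the given address(es); UDP stays usable."""
    nat = NatTable(external_ips)
    for i in range(nat.capacity()):      # constructed 10.0.0.0/8 clients
        client = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        nat.allocate("tcp", client, 40000 + i % 20000, ("203.0.113.10", 443))
    # One more TCP session finds no free (address, port) pair ...
    tcp_exhausted = nat.allocate("tcp", "10.99.99.99", 50000, ("203.0.113.10", 443)) is None
    # ... while UDP still draws from its own, untouched port space.
    udp_ok = nat.allocate("udp", "10.0.0.5", 5353, ("203.0.113.53", 53)) is not None
    return {"tcp_capacity": nat.capacity(), "tcp_in_use": nat.in_use("tcp"),
            "tcp_exhausted": tcp_exhausted, "udp_still_allocates": udp_ok}
```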

