[FUG-BR] IPNAT tuning

Jonatas M. Victor jmvlistas at vetorial.net
Saturday May 19 11:28:20 BRT 2007


  Folks,

   I have been running into some problems with NAT when translating large
numbers of hosts on my network, mainly with MSN authentication, apparently
because many clients sit behind the same public IP.
   My network has around 2000 machines, and I use on average 1 public IP
for every 50 workstations, with rules like these:

map xl0 192.168.10.0/24 -> 200.200.200.132/32 proxy port ftp ftp/tcp
map xl0 192.168.10.0/24 -> 200.200.200.132/32 portmap tcp/udp auto
map xl0 192.168.10.0/24 -> 200.200.200.132/32


server01# ipnat -s
mapped  in      86375104        out     91318147
added   7872766 expired 0
no memory       0       bad nat 4169
inuse   21239
rules   163
wilds   0
server01#


  I have already enabled LARGE_NAT in
/usr/src/sys/contrib/ipfilter/netinet/ip_nat.h


#define LARGE_NAT       /* define this if you're setting up a system to NAT
                         * LARGE numbers of networks/hosts - i.e. in the
                         * hundreds or thousands.  In such a case, you should
                         * also change the RDR_SIZE and NAT_SIZE below to more
                         * appropriate sizes.  The figures below were used for
                         * a setup with 1000-2000 networks to NAT.
                         */


  by changing undef to define. Performance improved a lot:

server01# ipf -T list
fr_flags        min 0   max 0xffffffff  current 0
fr_active       min 0   max 0   current 0
fr_control_forwarding   min 0   max 0x1 current 0
fr_update_ipid  min 0   max 0x1 current 0
fr_chksrc       min 0   max 0x1 current 0
fr_minttl       min 0   max 0x1 current 4
fr_icmpminfragmtu       min 0   max 0x1 current 68
fr_pass min 0   max 0xffffffff  current 134217730
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 480
fr_tcplastack   min 0x1 max 0x7fffffff  current 480
fr_tcptimeout   min 0x1 max 0x7fffffff  current 480
fr_tcpclosed    min 0x1 max 0x7fffffff  current 120
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400
fr_udptimeout   min 0x1 max 0x7fffffff  current 240
fr_udpacktimeout        min 0x1 max 0x7fffffff  current 24
fr_icmptimeout  min 0x1 max 0x7fffffff  current 120
fr_icmpacktimeout       min 0x1 max 0x7fffffff  current 12
fr_iptimeout    min 0x1 max 0x7fffffff  current 120
fr_statemax     min 0x1 max 0x7fffffff  current 4013
fr_statesize    min 0x1 max 0x7fffffff  current 5737
fr_state_lock   min 0   max 0x1 current 0
fr_state_maxbucket      min 0x1 max 0x7fffffff  current 26
fr_state_maxbucket_reset        min 0   max 0x1 current 1
ipstate_logging min 0   max 0x1 current 0
fr_nat_lock     min 0   max 0x1 current 0
ipf_nattable_sz min 0x1 max 0x7fffffff  current 16383
ipf_nattable_max        min 0x1 max 0x7fffffff  current 180000
ipf_natrules_sz min 0x1 max 0x7fffffff  current 2047
ipf_rdrrules_sz min 0x1 max 0x7fffffff  current 2047
ipf_hostmap_sz  min 0x1 max 0x7fffffff  current 8191
fr_nat_maxbucket        min 0x1 max 0x7fffffff  current 28
fr_nat_maxbucket_reset  min 0   max 0x1 current 1
nat_logging     min 0   max 0x1 current 0
fr_defnatage    min 0x1 max 0x7fffffff  current 1200
fr_defnatipage  min 0x1 max 0x7fffffff  current 120
fr_defnaticmpage        min 0x1 max 0x7fffffff  current 6
ipfr_size       min 0x1 max 0x7fffffff  current 257
fr_ipfrttl      min 0x1 max 0x7fffffff  current 120
ippr_ftp_debug  min 0   max 0xa current 0
server01# 



  But I still run into this MSN problem. Does anyone know of any other,
more in-depth trick?


-- 
.:Regards:.

<<< Jonatas M. Victor >>>
jonatas at vetorial.net
UIN: 138431258
MSN: jonatasmv at msn.com
BSD   User: BSD051240
Linux User: #278922
http://www.vetorial.net
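The post compares the `ipnat -s` counters against the NAT tunables shown by `ipf -T list` but does not say how to tell whether the table is actually near its limit. The script below is an added example, not code from the original post or from the ipfilter project: it parses the two outputs and reports NAT-table occupancy against ipf_nattable_max, the average hash-chain length per bucket of ipf_nattable_sz, and the "bad nat" counter. The inputs are constructed samples built from the figures in the post so the script runs offline; on a live box you would pass "$(ipnat -s)" and "$(ipf -T list)" instead. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): size-check an ipfilter NAT table
# from the output of `ipnat -s` and `ipf -T list`. The SAMPLE_* strings below
# are constructed from the numbers in the post so the script runs offline.

# Constructed sample of `ipnat -s` output.
SAMPLE_IPNAT='mapped  in      86375104        out     91318147
added   7872766 expired 0
no memory       0       bad nat 4169
inuse   21239
rules   163
wilds   0'

# Constructed sample of `ipf -T list` output, NAT-relevant lines only.
SAMPLE_IPF='ipf_nattable_sz min 0x1 max 0x7fffffff  current 16383
ipf_nattable_max        min 0x1 max 0x7fffffff  current 180000
fr_nat_maxbucket        min 0x1 max 0x7fffffff  current 28
fr_defnatage    min 0x1 max 0x7fffffff  current 1200'

# Print the "current" value of one tunable from `ipf -T list` text.
# $1 = ipf -T list output, $2 = tunable name
ipf_tunable() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $NF; exit }'
}

# Print the number of active NAT table entries from `ipnat -s` text.
ipnat_inuse() {
    printf '%s\n' "$1" | awk '$1 == "inuse" { print $2; exit }'
}

# Print the "bad nat" counter; it shares a line with "no memory".
ipnat_badnat() {
    printf '%s\n' "$1" | awk '/bad nat/ { sub(/.*bad nat[ \t]*/, ""); print $1; exit }'
}

# Percentage of ipf_nattable_max currently in use (integer, truncated).
nat_usage_pct() {
    awk -v u="$(ipnat_inuse "$1")" -v m="$(ipf_tunable "$2" ipf_nattable_max)" \
        'BEGIN { printf "%d\n", (u * 100) / m }'
}

# Average hash-chain length: entries per bucket of the ipf_nattable_sz table.
# ipfilter refuses to add an entry to a bucket that already holds
# fr_nat_maxbucket entries, so a high average means the table is undersized
# even when ipf_nattable_max is far from reached.
nat_avg_chain() {
    awk -v u="$(ipnat_inuse "$1")" -v s="$(ipf_tunable "$2" ipf_nattable_sz)" \
        'BEGIN { printf "%.2f\n", u / s }'
}

# Print a one-line summary and return 1 when usage is at or above the
# threshold percentage, so the script can be wired into a cron check.
# $1 = ipnat -s text, $2 = ipf -T list text, $3 = warning threshold (percent)
nat_check() {
    pct=$(nat_usage_pct "$1" "$2")
    printf 'inuse=%s max=%s usage=%s%% avg_chain=%s bad_nat=%s\n' \
        "$(ipnat_inuse "$1")" "$(ipf_tunable "$2" ipf_nattable_max)" \
        "$pct" "$(nat_avg_chain "$1" "$2")" "$(ipnat_badnat "$1")"
    [ "$pct" -lt "$3" ]
}

nat_check "$SAMPLE_IPNAT" "$SAMPLE_IPF" 80
```

With the post's figures this reports about 11% of ipf_nattable_max in use and roughly 1.3 entries per hash bucket, so the table itself is not the bottleneck; what is worth watching is the "bad nat" counter growing over time. Run-time tunables are changed with `ipf -T name=value` (for example `ipf -T fr_defnatage=600` to age idle mappings faster); the hash-table sizes such as ipf_nattable_sz are typically only writable while the filter is disabled, so check ipf(8) for your release before relying on changing them on a running box.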



More information about the freebsd mailing list