<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Exacly that's the problem. It seems like "carrier grade nat" is not
as "carrier" as it should be. We've run out of resources when we
tried to use it. Mainly becouse of small ammount of microblocks
(65536 microblocks is enough for ports from only 32 IP addresses),
using 1:16 ratio its only 512 subscribers, and that true only if i
limit port usage to 4k per user, which is sometimes not enough
either.<br>
<br>
Additionally if u consider small efficiency of resource usage,
caused by:<br>
a) fragmentation (whole 32 port microblock reserved for subscriber
when he needs only one port for one connection)<br>
b) one source port can be used only by one user<br>
<br>
it turns out that it is completely <span id="result_box"
class="short_text" lang="en"><span class="hps">unsuitable for ISP.
It should be enough for larger office, but not ISP :( But i'm
not sure if offices are intersted in buying carrier grade BRAS
:)<br>
<br>
Therefore we're trying to use not enhanced nat, as workaround,
but it does not work either becouse of those p2mp traffic
definition for TCP :(<br>
<br>
I'll be very thankfull for any idea how to overcome this...<br>
<br>
Best regards,<br>
<br>
</span></span>
<pre class="moz-signature" cols="72">--
w0jtas
</pre>
<div class="moz-cite-prefix">W dniu 27.10.2015 o 23:13, Rafal pisze:<br>
</div>
<blockquote cite="mid:1701486123.20151027231320@mtm-info.pl"
type="cite">
<title>Re: [rbak-nsp] Double NAT - strange thing</title>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<span style=" font-family:'Courier New'; font-size: 9pt;">Hello<br>
<br>
This is true, with enhanced nat and endpoint-independent tcp
filter there is no problem with NAT,<br>
but how to make enchanced nat more microblock efficient ?<br>
These 65k card microblocks are used after like 2000 active
subscribers with low tcp/udp timeouts.<br>
Is there any workaround ?<br>
<br>
We have similar problem, and I think all who using nat struggle
with microblocks.<br>
<br>
<br>
Rafal<br>
<br>
<br>
<br>
<br>
<br>
Tuesday, October 27, 2015, 8:06:42 PM, you wrote:<br>
<br>
</span>
<table>
<tbody>
<tr>
<td bgcolor="#0000ff" width="12"><br>
</td>
<td width="1457"><span style=" font-family:'courier new';
font-size: 9pt;">You may try to check "end-point
independent" command under nat policy ... enhanced.
Maybe it is what you're looking for:<br>
<br>
[local]SE1200(config-policy-nat)#?<br>
abort Abort this configuration -
backout from running config<br>
access-group Define access-group to classify
dynamic NAT<br>
admission-control Configure connection admission
control<br>
commit Commit configuration
transactions to running config<br>
connections Define connection admission
control parameters<br>
destination Configure to overwrite
destination IP address<br>
drop Configure to drop not classified
traffic<br>
endpoint-independent Set endpoint-indepenent traffic
mode
<<<<<<<<<<<<<<<<<<<<<br>
<br>
<br>
On Tue, Oct 27, 2015 at 2:47 AM, Wojciech Wrona <<a
moz-do-not-send="true" href="mailto:w0jtas@w0jtas.com">w0jtas@w0jtas.com</a>>
wrote:<br>
UPDATE: This was only half success. Broadcom based
routers on more heavy load will open more than one TCP
connection from the same source port. This will be
dropped by Redback NAT implementation. For now i have do
idea how to deal with it :(<br>
<br>
Best regards,<br>
<span style=" color: #888888;">-- <br>
w0jtas<br>
W dniu 26.10.2015 o 18:38, Wojciech Wrona pisze:<br>
<span style=" color: #000000;">Hi again. <br>
<br>
It seems like i've solved the problem, so i'm
posting it here for future use. Routers like
Pentagram, Netgear and some other clones (mailnly
based on broadcom router on the chip chipset) are
using strange but the most efficient NAT
immplementation. <br>
<br>
If your subscribers are using theese routers as CPE,
and you're NATing them and using not enhanced NAT on
Your redback (becouse of lack of microblocks at the
line cards as we are, or maybe becouse of lack of
license but its less possible i think), you will
have experience the same problem. <br>
<br>
On every "normall" (Linux based) NAT implementation
source ports for outgoing connections are used in
always growing manner. Starting from port 1025 up to
65536 and then again from 1025 .... Broadcom want to
be super efficient (dont know why - its only home
class router), and it is doing it in a different
way. Couple seconds after closing TCP connection,
its source port can be reused again for another one,
it is not waiting with reuse for hitting the 65536
limit. I don't know what is the time limit (if there
is any) for the reuse, but in my tests i didnt see
any port reuse in time shorter than 10-12 seconds. <br>
<br>
The problem is that Redback has default timeout for
FIN-RESET set to 240 seconds. During this time this
connection is considered still open, so any other
SYN packet sent from the same source port is
considered TCP P2MP connection attempt. Which (as u
probably know) is prohibited in not enhanced nat.<br>
<br>
Therefore the only solution for those routers is to
set Redback FIN-RESET timeout to its minimal value
(4 seconds) in nat policy. I'm not sure if it solved
the problem in 100% (still i can imagine port reuse
in 2 or 3 seconds after TCP connection close), but
in my user experience tests (10 firefox tabs
constantly loading, and refreshing pages) everything
worked well. IMO its more than enough :)<br>
<br>
nat policy publicNatPolicy<br>
! Default class<br>
drop<br>
icmp-notification<br>
! Named classes<br>
access-group publicNatAccess<br>
class NAT<br>
pool publicNatIP userAccess<br>
timeout tcp 7200<br>
timeout udp 120<br>
timeout fin-reset 4<br>
endpoint-independent filtering udp<br>
inbound-refresh udp<br>
icmp-notification<br>
class IGNORE<br>
ignore<br>
inbound-refresh udp<br>
icmp-notification<br>
<br>
Best regards,<br>
<br>
-- <br>
w0jtas<br>
W dniu 23.10.2015 o 14:48, Wojciech Wrona pisze:<br>
Hi guys,<br>
I'm struggling for some days with strange issue on
Redback. I have<br>
services configured as CLIPS based on DHCP/Radius
auth. Everything works<br>
fine besides NAT. When the connecting host is normal
single PC (as a<br>
subscriber) it looks ok, but when i connect a router
(some Pentagram<br>
P6362 - becouse those were tested) and that single
PC is connected after<br>
this router, here comes the situation where double
NAT is going on. It<br>
should work fine, when IP addressed in both network
are not overlaping,<br>
and i'm sure that they're not. But when pentagram is
connected there is<br>
a trouble with opening more than few TCP
connections. After opening few<br>
of them (rather random but small value) another SYN
packets are lost<br>
(sent to redback, but no answer is received). It
happens only when using<br>
a harware home router (like pentagram or something
else), but when i<br>
connect in this place another PC with 2 network
interfaces and Linux on<br>
board which is doing as second NAT box, the problem
is not seen.<br>
<br>
What could cause this ? I have no idea where to
start.<br>
My tests i'm doing at biuroInside interface<br>
<br>
<b>My config below:<br>
</b>context userAccess<br>
!<br>
no ip domain-lookup<br>
nat fragments<br>
!<br>
!<br>
ip nat pool publicNatIP napt multibind<br>
address <a moz-do-not-send="true"
href="http://188.122.20.96/32">188.122.20.96/32</a><br>
exclude well-known<br>
!<br>
nat policy publicNatPolicy<br>
! Default class<br>
drop<br>
icmp-notification<br>
! Named classes<br>
access-group publicNatAccess<br>
class NAT<br>
pool publicNatIP userAccess<br>
timeout tcp 7200<br>
timeout udp 60<br>
endpoint-independent filtering udp<br>
inbound-refresh udp<br>
icmp-notification<br>
class IGNORE<br>
ignore<br>
inbound-refresh udp<br>
icmp-notification<br>
!<br>
interface biuroInside multibind<br>
ip address <a moz-do-not-send="true"
href="http://192.168.129.254/24">192.168.129.254/24</a><br>
dhcp server interface<br>
ip access-group vlan2000Security out<br>
!<br>
interface radiusIf<br>
ip address <a moz-do-not-send="true"
href="http://10.0.0.2/30">10.0.0.2/30</a><br>
ip source-address radius<br>
!<br>
interface tichyWiFi multibind<br>
ip address <a moz-do-not-send="true"
href="http://192.168.128.1/26">192.168.128.1/26</a><br>
dhcp server interface<br>
ip arp secured-arp<br>
<br>
no logging console<br>
!<br>
ip access-list adminAccess<br>
seq 10 permit udp any any eq rip<br>
seq 20 permit tcp any any eq bgp<br>
seq 30 permit icmp any<br>
seq 40 permit udp any any eq bootps<br>
seq 50 permit udp any eq 1812 any<br>
seq 60 permit tcp any any established<br>
!<br>
ip access-list vlan2000Security<br>
seq 10 permit ip 188.122.17.32 0.0.0.31 any<br>
seq 20 deny tcp any any eq 135<br>
seq 30 deny tcp any any eq 139<br>
seq 40 deny tcp any any eq 445<br>
seq 50 deny tcp any any eq www<br>
seq 60 deny tcp any any eq 8080<br>
seq 70 deny tcp any any eq 443<br>
seq 80 deny tcp any any eq lpd<br>
seq 90 deny tcp any any eq 631<br>
seq 100 deny tcp any any eq 9100<br>
seq 110 permit ip any any<br>
!<br>
policy access-list publicNatAccess<br>
seq 10 permit ip 192.168.0.0 0.0.63.255 host
188.122.20.1 class IGNORE<br>
seq 20 permit ip 192.168.0.0 0.0.63.255 host
188.122.20.3 class IGNORE<br>
seq 30 permit ip 192.168.129.0 0.0.0.255
192.168.191.0 0.0.0.255 class<br>
IGNORE<br>
seq 40 permit ip 192.168.129.0 0.0.0.255
192.168.192.0 0.0.31.255<br>
class IGNORE<br>
seq 50 permit ip 192.168.129.0 0.0.0.255
188.122.17.32 0.0.0.31 class<br>
IGNORE<br>
seq 60 permit ip 192.168.129.0 0.0.0.255 host
188.122.20.36 class IGNORE<br>
seq 70 permit ip 192.168.129.0 0.0.0.255 host
188.122.20.1 class IGNORE<br>
seq 80 permit ip 192.168.129.0 0.0.0.255 host
188.122.20.12 class IGNORE<br>
seq 90 permit ip 192.168.129.0 0.0.0.255 host
192.168.129.254 class IGNORE<br>
seq 100 permit ip 192.168.129.0 0.0.0.255 host
188.122.18.122 class IGNORE<br>
seq 110 permit ip 192.168.0.0 0.0.255.255 class
NAT<br>
!<br>
aaa authentication administrator local <br>
aaa authentication administrator maximum sessions 1<br>
aaa authentication subscriber radius <br>
ip pool options use-class-c-bcast-addrs<br>
!<br>
radius server 10.0.0.1 encrypted-key
<key_cut_off><br>
radius attribute nas-port-id format physical<br>
!<br>
subscriber default<br>
ip source-validation<br>
nat policy-name publicNatPolicy<br>
!<br>
ip route <a moz-do-not-send="true"
href="http://0.0.0.0/0">0.0.0.0/0</a> context
local<br>
service ftp client<br>
service ssh client<br>
service telnet client<br>
!<br>
admin-access-group adminAccess in<br>
!<br>
dhcp server policy<br>
nak-on-subnet-deletion<br>
option domain-name-server 188.122.20.9 8.8.8.8<br>
option domain-name <a moz-do-not-send="true"
href="http://finemedia.pl">finemedia.pl</a><br>
option ntp-server 188.122.20.1<br>
option tftp-server-name <a moz-do-not-send="true"
href="http://finemedia.pl">finemedia.pl</a><br>
default-lease-time 3600<br>
subnet <a moz-do-not-send="true"
href="http://192.168.128.0/26">192.168.128.0/26</a> name
tichyWiFi<br>
range 192.168.128.2 192.168.128.62<br>
option router 192.168.128.1<br>
subnet <a moz-do-not-send="true"
href="http://192.168.129.0/24">192.168.129.0/24</a> name
biuroInside<br>
range 192.168.129.50 192.168.129.253<br>
option router 192.168.129.254<br>
!<br>
!<br>
!<br>
end<br>
<b>My clips config goes like this:<br>
</b>dot1q profile dot1qCLIPS<br>
radius attribute nas-port-type 15<br>
<br>
port ethernet 1/4<br>
description SE600Downlink_10G<br>
no shutdown<br>
encapsulation dot1q<br>
dot1q pvc 2000 profile dot1qCLIPS<br>
service clips dhcp context userAccess<br>
<br>
Best regards,<br>
<br>
-- <br>
w0jtas<br>
<br>
<br>
<br>
_______________________________________________<br>
redback-nsp mailing list<a moz-do-not-send="true"
href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a> <a
moz-do-not-send="true"
href="https://puck.nether.net/mailman/listinfo/redback-nsp">https://puck.nether.net/mailman/listinfo/redback-nsp</a> <br>
<br>
<br>
<br>
_______________________________________________<br>
redback-nsp mailing list<a moz-do-not-send="true"
href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a> <a
moz-do-not-send="true"
href="https://puck.nether.net/mailman/listinfo/redback-nsp">https://puck.nether.net/mailman/listinfo/redback-nsp</a> <br>
<br>
_______________________________________________<br>
redback-nsp mailing list<br>
<a moz-do-not-send="true"
href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a><br>
<a moz-do-not-send="true"
href="https://puck.nether.net/mailman/listinfo/redback-nsp">https://puck.nether.net/mailman/listinfo/redback-nsp</a><br>
<br>
<br>
<br>
<br>
-- <br>
Best regards,<br>
Yury.</span></span></span></td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<br>
<span style=" font-family:'arial'; color: #c0c0c0;"><i>-- <br>
Best regards,<br>
Ozga Rafal <a moz-do-not-send="true"
style=" font-style: normal;" href="mailto:golem@mtm-info.pl">mailto:golem@mtm-info.pl</a>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
redback-nsp mailing list
<a class="moz-txt-link-abbreviated" href="mailto:redback-nsp@puck.nether.net">redback-nsp@puck.nether.net</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/redback-nsp">https://puck.nether.net/mailman/listinfo/redback-nsp</a>
</pre>
</i></span></blockquote>
<br>
</body>
</html>