Overview
Network Address Translation (NAT) provides a way for many clients and hosts with unique private IPv4 addresses to communicate with remote hosts through a single external public IP address (this is discussed in depth in Section 9.2, NAT). When multiple public external IPv4 addresses are available, a NATPool object can be used to allocate new flows across these public addresses.

NAT pools are usually employed when there is a requirement for very large numbers of unique port connections. The port manager has a limit of approximately 65,000 connections for each unique combination of source and destination IP address. Where a large number of internal clients use applications such as file sharing software, very large numbers of ports can be required for each client. The situation is similarly demanding when a large number of clients access the Internet through a proxy server, since all of the proxy's flows then share one source IP address. The port number limitation is overcome by allocating extra external IP addresses for Internet access and using NATPool objects to allocate new flows across them.
The NAT Pool Type Property
A NAT pool can be one of the following types, each allocating new flows in a different way: Stateful, Stateless or Fixed.

The Stateful option for the Type property means that cOS Stream keeps a state table recording which external IPv4 address has been allocated to each internal host, so that all subsequent flows from that host use the same external address. The advantage of the stateful approach is that it can balance flows across several external ISP links while ensuring that an external host will always communicate back to the same IP address, which is essential with protocols such as HTTP when cookies are involved. The disadvantage is the extra memory required by cOS Stream to track the usage in its state table and the small processing overhead involved in processing a new flow.
To make sure that the state table does not contain dead entries for communications that are no longer active, a StateKeepAlive property can be specified. This is the number of seconds of inactivity that must occur before an entry in the state table is removed. After this period, cOS Stream assumes no more communication will originate from the associated internal host. Once the state is removed then subsequent communication from the host will result in a new state table entry and may be allocated to a different external IP address in the NAT Pool.
The state table itself takes up memory but this memory is limited in size using the MaxStates property in a NAT Pool object. The following should be noted about the MaxStates property:
The MaxStates property does not have a default value and must be specified. It is up to the administrator to decide the appropriate size.
One entry in a state table tracks all the flows for a single host behind the firewall, no matter which external host the flow concerns. As a rule of thumb, the MaxStates value should be at least the number of local hosts or clients that will be expected to connect to the Internet.
The MaxStates value determines the amount of memory the pool will require. Minimizing this is recommended but the value could be the maximum number of addresses in the network if the administrator has insufficient knowledge about the potential number of simultaneous users and hosts.
There is only one state table per NAT pool. This means that if a single pool is reused in multiple NAT IP rules, they will share the same state table.
If the MaxStates value has been reached when adding a new state, an existing state entry with the longest idle time will be replaced. If all entries in the table are active then a random entry will be selected and replaced.
The Stateless option for the Type property means that each new flow is allocated to an external IPv4 address without any record being kept of the internal host that originated it. The advantage of a Stateless pool is that there is a good spread of new flows between external IP addresses with no requirement for memory allocated to a state table, and there is less processing time involved in setting up each new flow. The disadvantage is that it is not suitable for communication that requires a constant external IP address.
The Fixed option for the Type property means that each internal client or host is allocated one of the external IPv4 addresses through a hashing algorithm. Although the administrator has no control over which external address will be used, this scheme ensures that a particular internal client or host will always communicate through the same external IPv4 address.

Using Fixed has the advantage of not requiring memory for a state table and provides very fast processing for new flow establishment. Although explicit load balancing is not part of this option, there should be adequate spreading of the load across the external addresses due to the random nature of the hashing algorithm. This type option is therefore recommended over the Stateful option if the internal network is extremely large.
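To make the difference between the three Type values concrete, the following is an added example (not part of the cOS Stream documentation or product code): a toy model in Python of how each pool type hands out an external address, including the Stateful pool's MaxStates eviction rule and StateKeepAlive expiry as described above. The spreading policy of the Stateless pool (round robin), the balancing rule of the Stateful pool (least-loaded external address) and the Fixed pool's hash (SHA-256 of the internal address) are assumptions made for the example; the documentation does not specify them. The internal host addresses are constructed sample input.

```python
# Added example (not cOS Stream code): toy model of the Stateful, Stateless
# and Fixed NATPool types. Spreading policy, balancing rule and hash function
# are assumptions; only the state-table rules follow the documentation.
from __future__ import annotations

import hashlib
import ipaddress
import random
from dataclasses import dataclass


def expand_range(spec: str) -> list[str]:
    """Expand an inclusive 'first-last' IPv4 range into a list of addresses."""
    first, last = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


class FixedPool:
    """Type=Fixed: internal host -> external address by hashing; no state table."""

    def __init__(self, external_ips: list[str]):
        self.external_ips = external_ips

    def allocate(self, internal_ip: str, now: float = 0.0) -> str:
        digest = hashlib.sha256(ipaddress.IPv4Address(internal_ip).packed).digest()
        return self.external_ips[int.from_bytes(digest[:4], "big") % len(self.external_ips)]


class StatelessPool:
    """Type=Stateless: spread new flows across the pool; nothing is kept per host."""

    def __init__(self, external_ips: list[str]):
        self.external_ips = external_ips
        self._next = 0

    def allocate(self, internal_ip: str, now: float = 0.0) -> str:
        ip = self.external_ips[self._next]
        self._next = (self._next + 1) % len(self.external_ips)
        return ip


@dataclass
class State:
    external_ip: str
    last_seen: float
    active_flows: int = 0  # 0 means the entry is "lingering"


class StatefulPool:
    """Type=Stateful: one entry per internal host, bounded by MaxStates and
    removed after StateKeepAlive seconds without activity."""

    def __init__(self, external_ips: list[str], max_states: int,
                 state_keep_alive: float, rng: random.Random | None = None):
        self.external_ips = external_ips
        self.max_states = max_states
        self.keep_alive = state_keep_alive
        self.states: dict[str, State] = {}
        self.rng = rng or random.Random(0)

    def _expire(self, now: float) -> None:
        # Lingering entries idle for StateKeepAlive seconds are removed.
        for host in [h for h, s in self.states.items()
                     if s.active_flows == 0 and now - s.last_seen >= self.keep_alive]:
            del self.states[host]

    def _evict(self) -> None:
        # Table full: replace the longest-idle lingering entry, or a random
        # entry if every entry still has active flows.
        idle = [h for h, s in self.states.items() if s.active_flows == 0]
        victim = (min(idle, key=lambda h: self.states[h].last_seen) if idle
                  else self.rng.choice(list(self.states)))
        del self.states[victim]

    def _least_loaded(self) -> str:
        load = {ip: 0 for ip in self.external_ips}
        for s in self.states.values():
            load[s.external_ip] += 1
        return min(self.external_ips, key=load.__getitem__)

    def allocate(self, internal_ip: str, now: float = 0.0) -> str:
        self._expire(now)
        st = self.states.get(internal_ip)
        if st is None:  # new host: needs a free slot in the table
            if len(self.states) >= self.max_states:
                self._evict()
            st = self.states[internal_ip] = State(self._least_loaded(), now)
        st.last_seen = now
        st.active_flows += 1
        return st.external_ip

    def close_flow(self, internal_ip: str, now: float) -> None:
        st = self.states[internal_ip]
        st.active_flows -= 1
        st.last_seen = now

    def lingering(self) -> int:
        return sum(1 for s in self.states.values() if s.active_flows == 0)


def demo() -> dict:
    """Walk a small Stateful pool through allocation, eviction and expiry."""
    pool = expand_range("10.6.13.10-10.6.13.15")  # six external addresses
    sp = StatefulPool(pool, max_states=3, state_keep_alive=60, rng=random.Random(0))
    out = {"h1_first": sp.allocate("192.168.1.1", now=0)}
    out["h1_repeat"] = sp.allocate("192.168.1.1", now=10)  # same host, same address
    sp.allocate("192.168.1.2", now=10)
    sp.allocate("192.168.1.3", now=10)                       # table now at MaxStates
    sp.close_flow("192.168.1.1", now=20)
    sp.close_flow("192.168.1.1", now=20)
    out["lingering"] = sp.lingering()                        # host 1 has no active flows
    out["h4"] = sp.allocate("192.168.1.4", now=30)           # evicts host 1 (longest idle)
    out["h1_evicted"] = "192.168.1.1" not in sp.states
    sp.close_flow("192.168.1.4", now=40)
    sp.allocate("192.168.1.2", now=200)                      # host 4 expired (160 s > 60 s)
    out["states_after_expiry"] = len(sp.states)
    return out


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the three behaviours the text describes: host 1 keeps 10.6.13.10 on its second flow, its lingering entry is the one evicted when host 4 arrives with the table full, and host 4's own entry is dropped once it has been idle longer than StateKeepAlive. Swapping in StatelessPool or FixedPool for the same hosts shows, respectively, a different address per flow and a constant address per host with no table at all.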
Explicitly Enable Proxy ARP
When external routers send ARP queries to the firewall to resolve any of the external IPv4 addresses included in a NAT pool, cOS Stream needs to send the correct ARP replies so the external router can correctly populate its ARP table. This is done using the proxy ARP feature of cOS Stream.

The administrator must always explicitly enable proxy ARP for the NAT pool addresses on the IP rule's destination interface and any other relevant interfaces. This is done by adding a route for the NAT pool addresses on the core interface (in other words a core route) and enabling proxy ARP for that route on the destination interface or other selected interfaces. Without this, the router receives no ARP reply for the pool addresses and return traffic for translated flows cannot reach the firewall.
Using NAT Pools with an IP Rule
NAT pools are used in conjunction with a normal NAT IP rule. When defining the NAT IP rule, a NATPool object is selected by setting the SetSourceAddress property to the value NATPool and assigning the NATPool object to the NATPool property. The example below illustrates this.

Note: All network addresses are available unless excluded

If the NAT pool is specified as an entire IP network then it should be noted that all addresses in that network can be allocated. For example, if the network 203.0.113.0/24 is used, the addresses 203.0.113.0 and 203.0.113.255 are available for allocation. If this behavior is undesirable and the .0 and .255 IP addresses are to be excluded, this must be done explicitly when the address range is specified, for example as the range 203.0.113.1-203.0.113.254. This applies to all NAT pool types, including deterministic NAT pools.
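The following is an added example (not from the cOS Stream documentation) of a check an administrator can run on a pool specification before committing the address book object: it expands either a CIDR network or an inclusive first-last range, lists the .0 and .255 addresses the note warns about, and produces the explicit range that leaves them out. The range syntax assumed is the first-last form used in the example below.

```python
# Added example (not cOS Stream code): audit a NATPool address specification
# for the network/broadcast addresses the note above says are allocated
# unless explicitly excluded.
import ipaddress


def pool_addresses(spec: str) -> list[ipaddress.IPv4Address]:
    """Every address a pool built from 'spec' may hand out. A CIDR network
    includes its network and broadcast addresses; a range is inclusive."""
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range runs backwards: {spec}")
        return [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
    return list(ipaddress.IPv4Network(spec, strict=True))


def edge_addresses(spec: str) -> list[ipaddress.IPv4Address]:
    """The '.0' and '.255' addresses contained in the pool, which many hosts
    and routers treat as network or broadcast addresses."""
    return [a for a in pool_addresses(spec) if a.packed[-1] in (0, 255)]


def host_only_range(spec: str) -> str:
    """Rewrite a CIDR pool as the explicit range that omits its network and
    broadcast address; this is what must be entered to exclude them."""
    net = ipaddress.IPv4Network(spec, strict=True)
    if net.prefixlen >= 31:
        raise ValueError("a /31 or /32 has no separate network/broadcast address")
    return f"{net.network_address + 1}-{net.broadcast_address - 1}"


if __name__ == "__main__":
    spec = "203.0.113.0/24"
    print(len(pool_addresses(spec)), "addresses allocatable from", spec)
    print("edge addresses:", [str(a) for a in edge_addresses(spec)])
    print("use instead:", host_only_range(spec))
```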
Example 9.5. Using NAT Pools
This example creates a NAT pool with the external IPv4 address range 10.6.13.10 to 10.6.13.15 which is then used in a NAT IP rule for HTTP traffic coming from the protected network if1_net on the if1 interface destined for the public Internet, which is connected to the if2 interface.
The MaxStates value will be set at 16,384. The administrator might choose a much lower value to minimize memory usage but the value should always accommodate the maximum number of simultaneous users and hosts that are expected.
Command-Line Interface
Create an address book object that specifies the IP range for the pool:
System:/>
add Address IPAddress nat_pool_range
Address=10.6.13.10-10.6.13.15
Add the NATPool object:
System:/>
add NATPool my_stateful_natpool
Type=Stateful
ExternalIPPool=nat_pool_range
MaxStates=16384
Change the context to be the main IP rule set:
System:/>
cc RuleSet IPRuleSet main
Now, create the IP rule to perform NAT:
System:/IPRuleSet/main>
add IPRule
Action=Allow
SourceNetwork=if1_net
SourceInterface=if1
DestinationNetwork=all-nets-ip4
DestinationInterface=if2
Service=http
SourceTranslation=NAT
SetSourceAddress=NATPool
NATPool=my_stateful_natpool
Name=lan_to_wan
Restore the default CLI context:
System:/IPRuleSet/main>
cc
To add a core route, change the context to be the main routing table:
System:/>
cc RoutingTable main
Create the route to add the core route and specify proxy ARP:
System:/RoutingTable/main>
add Route
Interface=core
Network=nat_pool_range
ProxyArpInterfaces=if2
Restore the default CLI context:
System:/RoutingTable/main>
cc
When defining the route, the property ProxyArpAllInterfaces=Yes could have been used to enable proxy ARP on all interfaces.
The natpool CLI command shows all NAT pool activity. Below is some typical output from the command:
System:/>
natpool
NAT Pool summary
Pool Type Size Active Flows
------- ----- ----- ------ -------
my_pool Fixed 65024 45884 1359944
Here, there is only one pool configured, a fixed pool called my_pool, with 45,884 IPv4 addresses in use out of a possible maximum of 65,024.
The fixed pool in the output above can be examined in depth with the command:
System:/>
natpool my_pool
NAT Pool External IP usage
External IP Flows
----------- -----
1.2.0.1 193
1.2.0.2 0
1.2.0.3 70
1.2.0.4 88
Here, four IPv4 addresses from the pool are listed together with the number of active flows through each one; 1.2.0.2 currently carries no flows.
Note that the output shown above for a single pool can change according to the type of pool.
For example, if the pool type is Stateful then Lingering values will also be shown. This is the number of states in lingering mode for the specified NAT IP. In other words, the number of internal hosts that have had a NAT IP mapping but do not have any active flows.
For a full list of options, see the natpool command entry in the separate Clavister NetShield Firewall CLI Reference Guide.