Send redback-nsp mailing list submissions to redback-nsp@puck.nether.net
To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/redback-nsp
or, via email, send a message with subject or body 'help' to
        redback-nsp-requ...@puck.nether.net

You can reach the person managing the list at
        redback-nsp-ow...@puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of redback-nsp digest..."

Today's Topics:

   1. Some problems with NAT enhanced in SE600 (???????? ????? ???????????)
   2. Re: Some problems with NAT enhanced in SE600 (Rafal)
   3. Re: Some problems with NAT enhanced in SE600 (Dmitry)
   4. Re: Some problems with NAT enhanced in SE600 (Dmitry)

----------------------------------------------------------------------

Message: 1
Date: Mon, 07 Nov 2016 11:12:39 +0300
From: ???????? ????? ??????????? <roma...@serdi.ru>
To: redback-nsp <redback-nsp@puck.nether.net>
Subject: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <883031478506...@web15m.yandex.ru>

An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/redback-nsp/attachments/20161107/f8b07ff4/attachment-0001.html>

------------------------------

Message: 2
Date: Mon, 7 Nov 2016 10:34:45 +0100
From: Rafal <go...@mtm-info.pl>
To: ???????? ????? ??????????? <roma...@serdi.ru>, redback-nsp <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <7310727574.20161107103...@mtm-info.pl>

Hello ????????,

That's how enhanced NAT works. Because enhanced NAT forces connections to use router-supplied port ranges, some software will not work. I prefer to stick with normal NAT. If you need logging, then use a single address for each NAT subnet, and then add a flow profile in the subscriber default section, like

flow apply ip profile logprofile both

and:

!
flow collector SubsLog
ip-address ipaddress context colectorcontext port mycollectorport
export-version v5
transport-protocol udp
ip profile logprofile
!
ip nat pool ip_lan1_nat napt multibind
address publicip/32 port-block 1 to 15
!
nat policy ip_lan1_nat_policy
! Default class
ignore
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
! Named classes
access-group NATACL
class NAT
pool ip_lan1_nat mycontext
timeout tcp 6000
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
class NATLESS
ignore
inbound-refresh udp
icmp-notification
!

Put in NATLESS your DNS servers and local network devices you need.

Using enhanced NAT you can NAT like 2000 users per single card and then you run out of microblocks on card because every subscriber has reserved port ranges and amount of possible open connections even if he only activates and does nothing.

Rafal

Monday, November 7, 2016, 9:12:39 AM, you wrote:

Here is my NAT config

local]Redback#sh configuration nat
Building configuration...
Current configuration:
!
context local
!
nat logging-profile NAT_LOG_RUBTSOVSK
export-version v9
destination 192.168.0.40 port 9996
!
context local
!
ip nat pool NAPT-pool-1 napt paired-mode
paired-mode subscriber over-subscription 10 port-limit 6000
address 41.215.233.161 to 41.215.233.190
exclude well-known
!
context local
!
policy access-list NAT-acl
seq 10 permit ip 192.168.128.0 0.0.127.255 any class NATclass1
seq 20 permit ip any any class NO_NAT
!
nat policy NAT-1 enhanced
connections tcp maximum 2000
connections udp maximum 2000
connections icmp maximum 30
! Default class
ignore
timeout tcp 1800
timeout udp 60
timeout fin-reset 60
timeout icmp 30
timeout syn 60
timeout basic 300
timeout abandoned 1800
admission-control tcp
admission-control udp
admission-control icmp
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
! Named classes
access-group NAT-acl
class NATclass1
pool NAPT-pool-1 local
timeout tcp 18000
timeout udp 60
timeout fin-reset 60
timeout icmp 30
timeout syn 60
timeout abandoned 1800
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
class NO_NAT
ignore
inbound-refresh udp
icmp-notification
!
end

With such config we have problem with Skype - no connection - even test connection!
problem with online games such as steam, Dota and etc...
With public IP (no NAT) everything is ok - Skype. games and so on....
What I have forgotten?
------------------------------------------------
? ????????? ???????? ?????
??????????? ????????
??? "????? ???????"
???. +7 87951 35529
+7 9624 335529
???? ????????
www.serdi.ru

--
Best regards,
Ozga Rafal
mailto:go...@mtm-info.pl

------------------------------

Message: 3
Date: Mon, 7 Nov 2016 12:58:13 +0300
From: Dmitry <dmi...@zhigulinet.ru>
To: ???????? ????? ??????????? <roma...@serdi.ru>, redback-nsp <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <34a25023-fcdb-4eea-4c4b-8b38b8cd3...@zhigulinet.ru>

Hello,

show all config and show version

On 07.11.2016 11:12, ???????? ????? ??????????? wrote:
>
> Here is my NAT config
>
> local]Redback#sh configuration nat
>
> Building configuration...
>
> Current configuration:
> !
> context local
> !
> nat logging-profile NAT_LOG_RUBTSOVSK
> export-version v9
> destination 192.168.0.40 port 9996
> !
> context local
> !
> ip nat pool NAPT-pool-1 napt paired-mode
> paired-mode subscriber over-subscription 10 port-limit 6000
> address 41.215.233.161 to 41.215.233.190
> exclude well-known
> !
> context local
> !
> policy access-list NAT-acl
> seq 10 permit ip 192.168.128.0 0.0.127.255 any class NATclass1
> seq 20 permit ip any any class NO_NAT
> !
> *nat policy NAT-1 enhanced*
> connections tcp maximum 2000
> connections udp maximum 2000
> connections icmp maximum 30
> ! Default class
> ignore
> timeout tcp 1800
> timeout udp 60
> timeout fin-reset 60
> timeout icmp 30
> timeout syn 60
> timeout basic 300
> timeout abandoned 1800
> admission-control tcp
> admission-control udp
> admission-control icmp
> *endpoint-independent filtering tcp*
> *endpoint-independent filtering udp*
> inbound-refresh udp
> icmp-notification
> ! Named classes
> access-group NAT-acl
> class NATclass1
> pool NAPT-pool-1 local
> timeout tcp 18000
> timeout udp 60
> timeout fin-reset 60
> timeout icmp 30
> timeout syn 60
> timeout abandoned 1800
> *endpoint-independent filtering tcp*
> *endpoint-independent filtering udp*
> inbound-refresh udp
> icmp-notification
> class NO_NAT
> ignore
> inbound-refresh udp
> icmp-notification
> !
> end
>
> With such config we have problem with Skype - no connection - even
> test connection!
> problem with online games such as steam, Dota and etc...
> With public IP (no NAT) everything is ok - Skype. games and so on....
> What I have forgotten?
> ------------------------------------------------
> ? ????????? ???????? ?????
> ??????????? ????????
> ??? "????? ???????"
> ???. +7 87951 35529
> +7 9624 335529
> ???? ????????
> www.serdi.ru

------------------------------

Message: 4
Date: Mon, 7 Nov 2016 12:58:54 +0300
From: Dmitry <dmi...@zhigulinet.ru>
To: ???????? ????? ???????????
        <roma...@serdi.ru>, redback-nsp <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <82d0ad30-fc5a-cbb4-b36e-ec9b69012...@zhigulinet.ru>

and show problem subscriber

show subscriber active username test_user

------------------------------

End of redback-nsp Digest, Vol 105, Issue 1
*******************************************
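
Added example, not part of the digest or of any poster's message: a minimal collector-side decoder for the NetFlow v5 UDP export that the `flow collector ... export-version v5 transport-protocol udp` configuration in Message 2 sends, so logged flows can be searched by address, port and time. The function names and the sample datagram are constructed for illustration, and which addresses the router places in each record is an assumption to verify against real exports.

```python
import ipaddress
import struct

# NetFlow v5 is fixed-size and big-endian: 24-byte header + N * 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram: no complete v5 header")
    version, count, uptime_ms, unix_secs, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # UDP input is untrusted: the declared record count must match the length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": f"{ipaddress.IPv4Address(f[0])}:{f[9]}",
            "dst": f"{ipaddress.IPv4Address(f[1])}:{f[10]}",
            "proto": f[13],
            "packets": f[5],
            "bytes": f[6],
            # first/last are exporter uptime in ms; convert to epoch seconds.
            "start": unix_secs - (uptime_ms - f[7]) / 1000,
            "end": unix_secs - (uptime_ms - f[8]) / 1000,
        })
    return flows


def sample_datagram() -> bytes:
    """Constructed export: one TCP flow from a private subscriber address."""
    header = HEADER.pack(5, 1, 600_000, 1478506359, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("192.168.128.10").packed,  # subscriber (constructed)
        ipaddress.IPv4Address("203.0.113.5").packed,     # remote host (constructed)
        bytes(4), 1, 2, 12, 3400, 590_000, 598_000,
        40001, 443, 0, 0x1B, 6, 0, 0, 0, 0, 0, 0)
    return header + record


if __name__ == "__main__":
    for flow in parse_netflow_v5(sample_datagram()):
        print(flow)
```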