Re: Does OpenBSD support Carrier Grade Nat?

2020-08-08 Thread Stuart Henderson
PF's nat is strict, allowing packets only in response to outgoing packets 
(i.e. from an IP address you already sent packets to); cgn is more likely 
to just pass return packets from any address once the port mapping has been 
established.


You could statically allocate a port range per IP with a long config file, 
but no way to dynamically extend it if you run out of available ports 
beyond what you've configured, and there will be a slowish search through 
the config for each new packet that doesn't match an existing state.


--
 Sent from a phone, apologies for poor formatting.
On 8 August 2020 21:38:10 Brian Brombacher  wrote:


> On Aug 8, 2020, at 4:36 AM, Stuart Henderson  wrote:
>
>> On 2020-08-07, Edward Carver  wrote:
>>
>>> Hi Misc,
>>>
>>> Does OpenBSD support Carrier Grade Nat (cg-nat)?
>>> Thanks for helping..
>>
>> What do you mean by 'support'?
>>
>> Running as a client behind one? Yes, that's transparent anyway (unless
>> you use vmd with its default "local prefix" address range which was
>> carefully chosen to conflict with the usual CGN address range).
>>
>> As a router performing nat for others? Sort-of. Some will just say
>> that CGN is "NAT done by the ISP" and OpenBSD can do that. Others will
>> say that more is needed - typically CGN installations will dynamically
>> block off a range of ports for a user and tie in with logging ("user
>> x was assigned ports 1024-2047 from time y to z") so you can track
>> activity to a user without recording every single nat mapping (which
>> is a lot more intrusive information to store), and often allow all
>> traffic to that range through to the user regardless of whether
>> the user initiated a connection to that IP (helps for direct machine
>> to machine access for online gaming etc), OpenBSD doesn't do either
>> of those.
>
> Hi Stuart,
>
> All coming from a place of curiosity:
>
> I am definitely not knowledgeable on Carrier Grade NAT; however, regarding 
> your final two reasons and that OpenBSD may not support this out of the 
> box: Could a crafty setup accomplish a CGN using PF and other base 
> utilities plus crafty scripting/API integration with PF?
>
> I can surmise PF rules that cover at least the two final reasons you’ve 
> mentioned but I’m sure there’s more to it that I’m not understanding.
>
> Thanks,
> Brian
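
An added example of the "long config file" approach Stuart describes above: a small POSIX sh generator that hands every customer address in a /24 a fixed, non-overlapping block of source ports on one shared public address, emitting one `match ... nat-to ... port lo:hi` rule per customer. This is not code from the thread or from OpenBSD; the interface name, the 203.0.113.10 public address (RFC 5737 documentation space), the 100.64.1.0/24 customer range (RFC 6598 shared address space), the 1024-port block size and the port pool bounds are all assumptions chosen for illustration. It also makes Stuart's two caveats concrete: the pool is finite (63 blocks of 1024 ports fit in 1024-65535, so the 64th customer gets no block and nothing extends it at runtime), and the output is a flat list of rules that pfctl walks in order for each new connection.

```shell
#!/bin/sh
# Added example, not from the thread: generate a static per-customer
# port-block NAT fragment for pf.conf. All addresses and sizes below are
# assumptions for illustration.

EXT_IF=em0                 # assumed external interface
EXT_ADDR=203.0.113.10      # assumed shared public address (RFC 5737 range)
CUST_NET=100.64.1          # assumed customer /24 inside 100.64.0.0/10 (RFC 6598)
BLOCK=1024                 # assumed ports per customer
FIRST_PORT=1024            # ports below 1024 are left to the router itself
LAST_PORT=65535

# block_for N: print "lo:hi" for the N-th customer (1-based).
# Fails (exit 1) once the pool is exhausted: there is no dynamic extension.
block_for() {
    lo=$(( FIRST_PORT + ($1 - 1) * BLOCK ))
    hi=$(( lo + BLOCK - 1 ))
    [ "$hi" -le "$LAST_PORT" ] || return 1
    echo "$lo:$hi"
}

# max_customers: how many customers the pool can hold at BLOCK ports each.
max_customers() {
    echo $(( (LAST_PORT - FIRST_PORT + 1) / BLOCK ))
}

# gen_rules: one match rule per customer address, in address order.
# pf evaluates these linearly for every packet that has no existing state,
# which is the "slowish search" a large customer base would pay for.
gen_rules() {
    n=1
    while [ "$n" -le 254 ]; do
        range=$(block_for "$n") || {
            echo "# pool exhausted: no block left for $CUST_NET.$n onwards"
            break
        }
        echo "match out on $EXT_IF inet from $CUST_NET.$n nat-to $EXT_ADDR port $range"
        n=$(( n + 1 ))
    done
}

gen_rules
```

Typical use is `sh gen-cgn.sh > /etc/pf.cgn.conf`, an `include "/etc/pf.cgn.conf"` in pf.conf, and `pfctl -nf /etc/pf.conf` to syntax-check before loading. Because the allocation is static, the generated file (kept under version control with its timestamps) is the "user x had ports lo-hi from time y to z" record, so no per-connection NAT log is needed for attribution; the return-traffic behaviour is still PF's normal strict state matching, not the looser "anything to the block" pass that Stuart says many CGN deployments offer.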




Re: Does OpenBSD support Carrier Grade Nat?

2020-08-08 Thread Brian Brombacher


>> On Aug 8, 2020, at 4:36 AM, Stuart Henderson  wrote:
> On 2020-08-07, Edward Carver  wrote:
>> Hi Misc,
>> 
>> Does OpenBSD support Carrier Grade Nat (cg-nat)?
>> Thanks for helping..
> 
> What do you mean by 'support'?
> 
> Running as a client behind one? Yes, that's transparent anyway (unless
> you use vmd with its default "local prefix" address range which was
> carefully chosen to conflict with the usual CGN address range).
> 
> As a router performing nat for others? Sort-of. Some will just say
> that CGN is "NAT done by the ISP" and OpenBSD can do that. Others will
> say that more is needed - typically CGN installations will dynamically
> block off a range of ports for a user and tie in with logging ("user
> x was assigned ports 1024-2047 from time y to z") so you can track
> activity to a user without recording every single nat mapping (which
> is a lot more intrusive information to store), and often allow all
> traffic to that range through to the user regardless of whether
> the user initiated a connection to that IP (helps for direct machine
> to machine access for online gaming etc), OpenBSD doesn't do either
> of those.
> 

Hi Stuart,

All coming from a place of curiosity:

I am definitely not knowledgeable on Carrier Grade NAT; however, regarding your 
final two reasons and that OpenBSD may not support this out of the box: Could a 
crafty setup accomplish a CGN using PF and other base utilities plus crafty 
scripting/API integration with PF?

I can surmise PF rules that cover at least the two final reasons you’ve 
mentioned but I’m sure there’s more to it that I’m not understanding.

Thanks,
Brian



Re: Does OpenBSD support Carrier Grade Nat?

2020-08-08 Thread Stuart Henderson
On 2020-08-07, Edward Carver  wrote:
> Hi Misc,
>
> Does OpenBSD support Carrier Grade Nat (cg-nat)?
> Thanks for helping..

What do you mean by 'support'?

Running as a client behind one? Yes, that's transparent anyway (unless
you use vmd with its default "local prefix" address range which was
carefully chosen to conflict with the usual CGN address range).

As a router performing nat for others? Sort-of. Some will just say
that CGN is "NAT done by the ISP" and OpenBSD can do that. Others will
say that more is needed - typically CGN installations will dynamically
block off a range of ports for a user and tie in with logging ("user
x was assigned ports 1024-2047 from time y to z") so you can track
activity to a user without recording every single nat mapping (which
is a lot more intrusive information to store), and often allow all
traffic to that range through to the user regardless of whether
the user initiated a connection to that IP (helps for direct machine
to machine access for online gaming etc), OpenBSD doesn't do either
of those.




Re: Does OpenBSD support Carrier Grade Nat?

2020-08-07 Thread Edward Carver
Can you send me sample config please?


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, August 7, 2020 3:33 PM, Marc Peters  wrote:

> On Fri, Aug 07, 2020 at 12:12:14PM +, Edward Carver wrote:
>
> > Does OpenBSD support Carrier Grade Nat (cg-nat)?
> > Thanks for helping..
>
> My router sits behind one, so yes.
>
> hth,
> Marc




Does OpenBSD support Carrier Grade Nat?

2020-08-07 Thread Edward Carver
Hi Misc,

Does OpenBSD support Carrier Grade Nat (cg-nat)?
Thanks for helping..

--
Edward Carver
Sent with [ProtonMail](https://protonmail.com) Secure Email.


Re: Does OpenBSD support Carrier Grade Nat?

2020-08-07 Thread Marc Peters
On Fri, Aug 07, 2020 at 12:46:45PM +, Edward Carver wrote:
> Can you send me sample config please?
> 

What kind of config? There's no special config needed, as the IPv4 you get for 
your external interface is out of the range 100.64.0.0/10. I receive mine via 
dhcp, but some providers may use pppoe for this. Your router will not be 
reachable via v4, of course. It's only available via IPv6.

Best,
Marc



Re: Does OpenBSD support Carrier Grade Nat?

2020-08-07 Thread Marc Peters
On Fri, Aug 07, 2020 at 12:12:14PM +, Edward Carver wrote:
> Does OpenBSD support Carrier Grade Nat (cg-nat)?
> Thanks for helping..

My router sits behind one, so yes.

hth,
Marc