Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Awesome!

X.

Sent with ProtonMail (https://protonmail.com) Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, March 19, 2021 11:55 PM, Юрий Иванов wrote:

> Hi,
>
> It is done 18 days ago ;-)
> nat: pick outside addr based on local addr · FDio/vpp@dc243ee · GitHub
> https://github.com/FDio/vpp/commit/dc243ee2bcc4926ec23e71a687bb62b5c52c2fbb#diff-f4fd03f6bc31f1be823a391dcdfbb0024f0ee820a1128ef9d56091cb73e77b57
>
> Thanks once more.
>
> ---
> From: vpp-dev@lists.fd.io on behalf of Xuo Guoto via lists.fd.io
> Sent: 19 March 2021 19:00
> To: ksek...@cisco.com
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?
>
> [...]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#18983): https://lists.fd.io/g/vpp-dev/message/18983
Mute This Topic: https://lists.fd.io/mt/80449794/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi,

It is done 18 days ago ;-)
nat: pick outside addr based on local addr · FDio/vpp@dc243ee · GitHub
https://github.com/FDio/vpp/commit/dc243ee2bcc4926ec23e71a687bb62b5c52c2fbb#diff-f4fd03f6bc31f1be823a391dcdfbb0024f0ee820a1128ef9d56091cb73e77b57

Thanks once more.

---
From: vpp-dev@lists.fd.io on behalf of Xuo Guoto via lists.fd.io
Sent: 19 March 2021 19:00
To: ksek...@cisco.com
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?

Hi,

Just checking if something is happening in this direction!

X.

‐‐‐ Original Message ‐‐‐
On Tuesday, February 23, 2021 5:50 PM, Klement Sekera via lists.fd.io wrote:

> [...]

View/Reply Online (#18979): https://lists.fd.io/g/vpp-dev/message/18979
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi,

Just checking if something is happening in this direction!

X.

‐‐‐ Original Message ‐‐‐
On Tuesday, February 23, 2021 5:50 PM, Klement Sekera via lists.fd.io wrote:

> Hey,
>
> just a heads up - there is a similar request to yours which came from a different direction. I’ll be making a change which I think will help your situation as well. Stay tuned.
>
> Regards,
> Klement

View/Reply Online (#18978): https://lists.fd.io/g/vpp-dev/message/18978
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hey,

just a heads up - there is a similar request to yours which came from a different direction. I’ll be making a change which I think will help your situation as well. Stay tuned.

Regards,
Klement

> On 22 Feb 2021, at 10:00, Юрий Иванов wrote:
>
> Hello Klement,
>
> Thanks for reply.
> Looks like I should craft this idea by myself ;-)
>
> The main problem for me - I'm a network engineer for the past few years and do not program much in C these days, but I will try to craft a new patch.
>
> Thanks in advance.
>
> [...]
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hello Klement,

Thanks for reply.
Looks like I should craft this idea by myself ;-)

The main problem for me - I'm a network engineer for the past few years and do not program much in C these days, but I will try to craft a new patch.

Thanks in advance.

---
From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco)
Sent: 16 February 2021 19:03
To: Юрий Иванов
Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco); vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?

[...]
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
I see, so you’re not using deterministic NAT. Which NAT flavour are you using?

I think what you are requesting is not provided by VPP at this moment, but looking at the allocation algorithm, it might be possible to implement such behaviour. It should be relatively straightforward in EI NAT and a little bit more complicated in ED NAT, requiring an extra hash table for user-outside address mappings as ED NAT has no “user” tracking.

Another possibility would be to make it completely random - so for every connection there would be a random address picked, so e.g. user1 might get 1.0.0.7 for google.com, but 1.0.0.117 for duckduckgo.com. This would be even easier to implement.

Would you like to give it a try and submit a patch? I can provide guidance…

Regards,
Klement

> On 16 Feb 2021, at 15:22, Юрий Иванов wrote:
>
> [...]
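The three allocation policies discussed in this thread (the observed "last address until its ports run out" behaviour, a per-connection random pick, and an outside address keyed on the local address as in the later commit "nat: pick outside addr based on local addr") modelled side by side. This is an added example, not code from the thread or from VPP: the pool, the port count per address and the SHA-256-then-probe selection are my assumptions, and the linked commit's actual selection logic is not reproduced here. It shows what the reporter was seeing (every user behind 1.0.0.100) and why keying on the inside address both spreads users across the pool and keeps each user on one outside address.

```python
"""
Added example (not from the thread, not VPP code): three ways to pick an
outside address from a NAT44 pool for a new translation.

Assumptions (mine, not the page's): a pool is a list of outside IPv4
addresses, each with a fixed number of usable ports (64512 = ports 1024..65535);
a "user" is one inside address; the hash used for the local-address policy is
a placeholder and not what the linked VPP commit uses.
"""
import hashlib
import ipaddress
import random


class Pool:
    def __init__(self, first, last, ports_per_addr=64512):
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        self.addrs = [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]
        self.free = {addr: ports_per_addr for addr in self.addrs}

    def take(self, addr):
        """Consume one port on addr; False if the address is exhausted."""
        if self.free[addr] == 0:
            return False
        self.free[addr] -= 1
        return True

    def alloc_last_first(self):
        # Behaviour reported in the thread: walk the pool from the end and use
        # the first address that still has a free port.
        for addr in reversed(self.addrs):
            if self.take(addr):
                return addr
        return None

    def alloc_random(self):
        # Klement's "completely random" option: any address with a free port,
        # chosen independently for every connection.
        candidates = [a for a in self.addrs if self.free[a] > 0]
        if not candidates:
            return None
        addr = random.choice(candidates)
        self.take(addr)
        return addr

    def alloc_by_local(self, local):
        # Persistent / keyed-on-local-address option: hash the inside address to
        # a starting index, then probe forward so a user whose preferred address
        # is full still gets a translation (on the next address, not None).
        digest = hashlib.sha256(local.encode()).digest()[:4]
        start = int.from_bytes(digest, "big") % len(self.addrs)
        for off in range(len(self.addrs)):
            addr = self.addrs[(start + off) % len(self.addrs)]
            if self.take(addr):
                return addr
        return None


def simulate(policy, users, conns_per_user, seed=1):
    """Return {user: set(outside addrs that user was translated to)}."""
    random.seed(seed)  # makes the "random" policy reproducible
    pool = Pool("1.0.0.3", "1.0.0.100")  # the pool from the thread
    used = {u: set() for u in users}
    for _ in range(conns_per_user):
        for u in users:
            if policy == "last":
                addr = pool.alloc_last_first()
            elif policy == "random":
                addr = pool.alloc_random()
            else:
                addr = pool.alloc_by_local(u)
            used[u].add(addr)
    return used


def distinct_outside_addrs(used):
    """How many pool addresses carried traffic at all."""
    return len({a for s in used.values() for a in s})


def max_addrs_per_user(used):
    """1 means every user stayed on a single outside address (sticky)."""
    return max(len(s) for s in used.values())


if __name__ == "__main__":
    users = [f"10.0.1.{i}" for i in range(1, 101)]  # constructed sample clients
    for policy in ("last", "random", "local"):
        used = simulate(policy, users, 50)
        print(f"{policy:6s} addrs in use: {distinct_outside_addrs(used):3d}"
              f"  max addrs per user: {max_addrs_per_user(used)}")
```

With 100 users the "last" policy puts all of them on 1.0.0.100, "random" spreads load but breaks stickiness (a user's connections leave from many addresses, which is what the per-site reCAPTCHA complaint is about in reverse), and "local" spreads users over most of the pool while keeping each user on one address until it fills. Note that none of these make the inside address recoverable from outside address + port; that is the deterministic NAT property discussed further down the thread, and with EI/ED NAT it still requires connection logging.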
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Thanks Klement,

I want to use option #1 and try to think about #2 with DUT only as a workaround.

The simple random allocation (option #1) looks acceptable for me but I have several issues with it now.

I have a big external pool (the outside network has a /24 mask) and I want to use all addresses more evenly.
Now if I set the pool with vpp# nat44 add address 1.0.0.3-1.0.0.100

But with such configuration all clients behind NAT will have external address 1.0.0.100 until all ports are used up, the next will get 1.0.0.99 until all ports are used up etc.
As a result all users get google reCAPTCHA on most resources (i.e. google.com search) because there are too many users hiding behind the same IP while other addresses in the pool are not used at all.

Since a standard Linux box can use the option "persistent" which gives a client a random address from the snat pool (on first translation) and preserves it until the end of the user session, I'm interested how to achieve this behavior with VPP.

Can I somehow set up pool 1.0.0.3-1.0.0.200, so that the first client 10.0.0.1 will have a random external address, i.e. 1.0.0.7 (I mean a random address from the pool) and preserve it for all new connections until the end of the session, the second client 10.0.0.5 -> the next random address etc.

Thanks in advance.

---
From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco)
Sent: 16 February 2021 14:01
To: Юрий Иванов
Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco); vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?

[...]
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi, let me chime in and explain a bit more.

DET NAT also known as CGNAT (as in carrier-grade NAT) is designed to conform to LI (lawful intercept) requirements.

So, if you, as an internet provider are required by law to be able to provide a user identification based on outside address + port made by that user, you have two options:

1.) log every connection and keep the logs
2.) make it deterministic, so you can always calculate inside address from outside address + port

DET NAT is #2 and thus it cannot be random.

For random allocation, you can use either EI or ED NAT. But these of course don’t provide any way to calculate user address from outside address.

What is your use case?

Thanks,
Klement

> On 10 Feb 2021, at 19:14, Юрий Иванов wrote:
>
> [...]
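The arithmetic behind option 2 above, worked through as an added example (not code from the thread and not VPP's det44 implementation): an inside prefix is mapped onto an outside prefix, every outside address is shared by a fixed number of inside hosts, and each host owns one contiguous port block, so the mapping can be inverted from outside address + port with no per-connection log. The block layout (ports 1024..65535 split into equal blocks, hosts assigned in address order) is my assumption; det44 may lay ports out differently, but whatever the layout, it is this invertibility that rules out random allocation.

```python
"""
Added example (not from the thread, not VPP det44 code): a deterministic
inside <-> (outside address, port block) mapping and its inverse.

Assumptions (mine): hosts in the inside prefix are numbered in address order;
outside address = outside_base + host_index // sharing_ratio; the usable port
range 1024..65535 is cut into sharing_ratio equal blocks; ports left over
above the last full block are unused.
"""
import ipaddress
import math

FIRST_PORT = 1024
LAST_PORT = 65535


class DetMap:
    def __init__(self, inside, outside):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        # ceil so every inside host gets a block even when the sizes do not divide
        self.sharing_ratio = math.ceil(self.inside.num_addresses / self.outside.num_addresses)
        self.ports_per_host = (LAST_PORT - FIRST_PORT + 1) // self.sharing_ratio

    def outside_for(self, inside_addr):
        """Inside address -> (outside address, first port, last port)."""
        ia = ipaddress.ip_address(inside_addr)
        if ia not in self.inside:
            raise ValueError(f"{inside_addr} is not in {self.inside}")
        idx = int(ia) - int(self.inside.network_address)
        out = self.outside.network_address + idx // self.sharing_ratio
        slot = idx % self.sharing_ratio
        lo = FIRST_PORT + slot * self.ports_per_host
        return str(out), lo, lo + self.ports_per_host - 1

    def inside_for(self, outside_addr, port):
        """Outside address + port -> inside address (the LI lookup), or None
        when the tuple cannot belong to any mapped host."""
        oa = ipaddress.ip_address(outside_addr)
        if oa not in self.outside or not FIRST_PORT <= port <= LAST_PORT:
            return None
        slot = (port - FIRST_PORT) // self.ports_per_host
        if slot >= self.sharing_ratio:
            return None  # leftover ports above the last full block
        idx = (int(oa) - int(self.outside.network_address)) * self.sharing_ratio + slot
        if idx >= self.inside.num_addresses:
            return None  # outside address has spare slots with no host behind them
        return str(self.inside.network_address + idx)


def roundtrip_ok(m, inside_addr):
    """Check the inverse at the ends and the middle of the host's port block."""
    out, lo, hi = m.outside_for(inside_addr)
    return all(m.inside_for(out, p) == inside_addr for p in (lo, (lo + hi) // 2, hi))


if __name__ == "__main__":
    # Same shape as the det44 line in this thread: 8 hosts behind one address.
    m = DetMap("10.0.1.0/29", "1.0.0.7/32")
    for host in ("10.0.1.1", "10.0.1.5"):
        print(host, "->", m.outside_for(host))
    print("who was behind 1.0.0.7:20000 ?", m.inside_for("1.0.0.7", 20000))
```

For the /29 behind a /32 the sharing ratio is 8 and each host owns 8064 ports, so 1.0.0.7:20000 resolves to 10.0.1.2 by division alone. The same function answers an LI request without any session table, which is the property the random and persistent schemes give up.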
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi Filip,

Thanks, I understand, the det44 plugin is working separately but we should manually manage the mapping of local networks to external IPs.

But in case we try to use the standard nat configuration with pools:
vpp# nat44 forwarding enable
vpp# set int nat44 in GigabitEthernet0/5/0 out GigabitEthernet0/4/0
vpp# nat44 add address 1.0.0.3-1.0.0.100

All clients will have external address 1.0.0.100 until all ports are used up, the next will get 1.0.0.99 until all ports are used up etc.
This behaviour leads to showing google reCAPTCHA on most resources (i.e. google.com search) because there are too many users hiding behind the same IP while other addresses in the pool are not used at all.
I can afford to use a pool with 255 addresses (/24 network), but in this case most of the addresses will not be used at all :(

I'm interested how to tune vpp to select a random address for every new client and keep this same source-/destination-address for each new connection. This should help more even use of the address pool.
The same behavior as nftables does with "ip saddr 10.0.0.0/8 oif "vlan10" snat to 1.0.0.3-1.0.0.100 persistent".

Thanks in advance.

---
From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco)
Sent: 10 February 2021 14:25
To: Юрий Иванов; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?

[...]
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hello, for clarification I will explain how the NAT is divided. At this point NAT functionality is divided into multiple sub-plugins because of its previous complexity and the issues with it. We have det44 and nat44 plugins that are completely separate. The whole separation is still in progress. So changes in nat44, like picking the pool allocation algorithm or anything else, will not affect the det44 plugin. These two plugins operate completely independently and share just some NAT library for common stuff.

Regarding the det44 allocation algorithm: no, at this point it is not supported to pick a new randomly selected address as you are asking. Det44 is / should act in a predetermined way, so logging is not required. I will look further in the code and plugins to see if I can help you find some solution.

Best regards,
Filip

From: Юрий Иванов
Sent: Wednesday, February 10, 2021 8:47 AM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco); vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?
Importance: High

[...]
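As an added example (not VPP's det44 code, and not from any message in this thread) of the "predetermined, so no logging required" property Filip describes: a deterministic inside-to-outside mapping in the style of RFC 7422 deterministic CGN, built from the two det44 rules posted in the 8 February message of this thread (10.0.1.0/29 out 1.0.0.7/32 and 10.0.1.16/29 out 1.0.0.5/32). Because every inside host owns a fixed outside address and port block, an (outside address, port) pair seen in a remote log can be attributed by arithmetic alone, with no per-session log on the NAT. The port layout (ports 1024-65535 split evenly among the inside hosts that share one outside address), the class, function and constant names, and the extra /24-to-/30 case used to show a sharing ratio above one are assumptions made here; det44's actual layout may differ.

```python
"""Deterministic NAT44 mapping, det44-style: attribution without session logs.

Added illustration; not VPP's det44 implementation. The port layout (ports
PORT_MIN..PORT_MAX divided evenly among the inside hosts sharing one outside
address, RFC 7422 style) is an assumption made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_MIN = 1024   # assumption: ports below 1024 are not handed to inside hosts
PORT_MAX = 65535
USABLE_PORTS = PORT_MAX - PORT_MIN + 1


@dataclass(frozen=True)
class DetMapping:
    """One 'det44 add in <inside> out <outside>' rule."""
    inside: ipaddress.IPv4Network
    outside: ipaddress.IPv4Network

    @property
    def sharing_ratio(self) -> int:
        # inside hosts per outside address, rounded up
        return -(-self.inside.num_addresses // self.outside.num_addresses)

    @property
    def ports_per_host(self) -> int:
        return USABLE_PORTS // self.sharing_ratio

    def forward(self, host) -> Tuple[ipaddress.IPv4Address, int, int]:
        """Inside host -> (outside address, first port, last port). No state needed."""
        host = ipaddress.IPv4Address(host)
        if host not in self.inside:
            raise ValueError(f"{host} is not covered by {self.inside}")
        idx = int(host) - int(self.inside.network_address)
        out_idx, slot = divmod(idx, self.sharing_ratio)
        outside = self.outside.network_address + out_idx
        first = PORT_MIN + slot * self.ports_per_host
        return outside, first, first + self.ports_per_host - 1

    def reverse(self, outside, port: int) -> Optional[ipaddress.IPv4Address]:
        """(outside address, port) -> inside host, or None if this rule cannot have produced it."""
        outside = ipaddress.IPv4Address(outside)
        if outside not in self.outside or not PORT_MIN <= port <= PORT_MAX:
            return None
        out_idx = int(outside) - int(self.outside.network_address)
        slot = (port - PORT_MIN) // self.ports_per_host
        if slot >= self.sharing_ratio:
            return None   # leftover ports above the last block are never assigned
        host = self.inside.network_address + (out_idx * self.sharing_ratio + slot)
        return host if host in self.inside else None


def rule(inside: str, outside: str) -> DetMapping:
    """Build a DetMapping from the CLI's prefix strings."""
    return DetMapping(ipaddress.ip_network(inside), ipaddress.ip_network(outside))


def attribute(rules, outside, port: int) -> Optional[ipaddress.IPv4Address]:
    """Answer 'who was behind outside:port?' purely from configuration."""
    for r in rules:
        host = r.reverse(outside, port)
        if host is not None:
            return host
    return None


# Constructed lab config: the two det44 rules posted on 8 February in this thread.
LAB_RULES = [rule("10.0.1.0/29", "1.0.0.7/32"), rule("10.0.1.16/29", "1.0.0.5/32")]

if __name__ == "__main__":
    for r in LAB_RULES:
        print(f"{r.inside} -> {r.outside}: {r.sharing_ratio} hosts/address, "
              f"{r.ports_per_host} ports/host")
        for h in r.inside.hosts():
            out, lo, hi = r.forward(h)
            print(f"  {h} -> {out}:{lo}-{hi}")
    print("1.0.0.5:40000 was", attribute(LAB_RULES, "1.0.0.5", 40000))
```

The check a practitioner wants is the round trip: for every inside host, `reverse()` of both ends of its port block must return that host, and any (address, port) outside the configured blocks must return None rather than a guess. That is the property that lets a deterministic NAT answer abuse reports without keeping session logs; a NAT44 pool allocator that hands out addresses in order of port exhaustion has no such property and must log each session.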
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi Filip, thanks for the reply. This is only for host mapping, and it looks like it can be done with the det44 plugin - very strange, by the way, that it operates separately from standard nat44 (meaning that I don't need to configure nat at all to use it).

My problem is different: when I set a pool, e.g. 1.0.0.1-1.0.0.100, all clients always get the last address from the pool (.100) until that external IP runs out of ports, and only after that will a client get the .99 IP, until this IP runs out of ports, and so on. Is there a way to select a new random address from the pool for a new client and after that use this same randomly selected source/destination address for each of that client's connections? Now it leads to problems with Google 'Unusual Traffic' Block/Captcha, because it utilizes several IP addresses while most IPs from the pool are left unused.

From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
Sent: 9 February 2021 13:54
To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] NAT44 how to control external address assignment from pool?

[...]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#18713): https://lists.fd.io/g/vpp-dev/message/18713
Mute This Topic: https://lists.fd.io/mt/80449794/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Hi, if you are looking for an option to specify the exact outside translation address from a specific pool, you should try:

nat44 add static mapping ... exact

Also supported by the API. This will give you the exact address picked from the pool.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io On Behalf Of ??
Sent: Monday, February 8, 2021 11:04 AM
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Importance: High

[...]

View/Reply Online (#18706): https://lists.fd.io/g/vpp-dev/message/18706
Re: [vpp-dev] NAT44 how to control external address assignment from pool?
Just an update: to perform manual translation we should do:

det44 plugin enable
det44 add in 10.0.1.0/29 out 1.0.0.7/32
det44 add in 10.0.1.16/29 out 1.0.0.5/32
...
set interface det44 inside GigabitEthernet0/5/0 outside GigabitEthernet0/4/0

ignoring the specific nat configuration. Nevertheless, maybe there is some option to select a different IP address from the pool?

From: vpp-dev@lists.fd.io on behalf of Юрий Иванов
Sent: 7 February 2021 12:10
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] NAT44 how to control external address assignment from pool?

[...]

View/Reply Online (#18694): https://lists.fd.io/g/vpp-dev/message/18694
[vpp-dev] NAT44 how to control external address assignment from pool?
Hi, I've got a basic nat setup in a lab which works as expected except for external IP address allocation. My clients, behind NAT, have these addresses:

vpp# show ip neighbors
    Time         IP          Flags  Ethernet           Interface
    1421.5929    10.0.1.30   D      00:50:79:66:68:00  GigabitEthernet0/5/0
    1424.3609    10.0.1.55   D      00:50:79:66:68:02  GigabitEthernet0/5/0
    1423.1650    10.0.1.41   D      00:50:79:66:68:01  GigabitEthernet0/5/0
    1389.2929    10.0.1.20   D      00:50:79:66:68:04  GigabitEthernet0/5/0
    1377.1449    10.0.1.2    D      00:50:79:66:68:03  GigabitEthernet0/5/0

All can reach the external 1.0.0.2 IP, which looks good, but for all clients the external address is 1.0.0.100 (the last IP in the range). I think it would be much better to randomly select a different address in the range, like nftables does with this configuration stanza:

ip saddr 10.0.0.0/8 oif "vlan2" snat to 1.0.0.2-1.0.0.100 persistent

After changing

vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6

the only difference is that the external address becomes 1.0.0.1 for all clients. I of course can map a host to an external address with:

vpp# nat44 add static mapping local 10.0.1.2 external 1.0.0.10

But with 30 thousand clients it would be a very strange idea to map every host route manually.

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#18691): https://lists.fd.io/g/vpp-dev/message/18691
-=-=-=-=-=-=-=-=-=-=-=-
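As an added example (not VPP or nftables code, and not from any message in this thread) of the allocation behaviour discussed above: a small model of a NAT44 outside-address pool with two pickers side by side, the "fill the last address until its ports run out, then the one before" order reported for the lab, and a persistent choice keyed on the inside address in the spirit of the nftables `persistent` flag. The five client addresses are the ones from the `show ip neighbors` output. The class and function names, the per-address port budget, and the use of HMAC-SHA256 with a per-deployment key as the hash are assumptions made here; nftables uses its own hash and VPP's allocator is not reproduced.

```python
"""Outside-address selection from a NAT44 pool: sequential fill vs. persistent hash.

Added illustration; not VPP's or nftables' allocator. Two pickers over the same
pool model so their behaviour can be compared on the lab's clients.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter, defaultdict
from typing import Callable, Dict, Set

USABLE_PORTS = 65535 - 1024 + 1   # assumption: one port budget per outside address


class Pool:
    """Outside range first..last with a fixed usable-port budget per address."""

    def __init__(self, first: str, last: str, ports_per_addr: int = USABLE_PORTS):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError("pool range is reversed")
        self.addresses = [lo + i for i in range(int(hi) - int(lo) + 1)]
        self.ports_per_addr = ports_per_addr
        self.used = Counter()   # outside address -> ports currently allocated

    def _take_port(self, addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        if self.used[addr] >= self.ports_per_addr:
            raise RuntimeError(f"{addr} has no free ports")
        self.used[addr] += 1
        return addr

    def alloc_last_first(self, _src) -> ipaddress.IPv4Address:
        """The order reported for the lab: the last address until it is full, then the one before."""
        for addr in reversed(self.addresses):
            if self.used[addr] < self.ports_per_addr:
                return self._take_port(addr)
        raise RuntimeError("pool exhausted")

    def alloc_persistent(self, src, key: bytes = b"per-deployment-secret") -> ipaddress.IPv4Address:
        """Stable per-source choice: same inside host, same outside address, with no mapping table."""
        packed = ipaddress.IPv4Address(src).packed
        digest = hmac.new(key, packed, hashlib.sha256).digest()
        return self._take_port(self.addresses[int.from_bytes(digest[:8], "big") % len(self.addresses)])


def simulate(clients, connections_per_client: int,
             pick: Callable[[str], ipaddress.IPv4Address]) -> Dict[str, Set[str]]:
    """Run each client through `pick` repeatedly; report the outside addresses each one was given."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _ in range(connections_per_client):
        for c in clients:
            seen[c].add(str(pick(c)))
    return dict(seen)


def spread(pool: Pool, n_clients: int, base: str = "10.0.0.0") -> int:
    """How many distinct pool addresses n synthetic clients land on with the persistent picker."""
    start = ipaddress.IPv4Address(base)
    return len({str(pool.alloc_persistent(start + i)) for i in range(n_clients)})


# Constructed input: the five inside hosts from the lab's `show ip neighbors` output.
LAB_CLIENTS = ["10.0.1.30", "10.0.1.55", "10.0.1.41", "10.0.1.20", "10.0.1.2"]

if __name__ == "__main__":
    seq = Pool("1.0.0.1", "1.0.0.100")
    print("sequential:", simulate(LAB_CLIENTS, 3, seq.alloc_last_first))
    per = Pool("1.0.0.1", "1.0.0.100")
    print("persistent:", simulate(LAB_CLIENTS, 3, per.alloc_persistent))
    print("30000 clients spread over", spread(Pool("1.0.0.1", "1.0.0.100"), 30000), "addresses")
```

Two points worth noticing when running it. The sequential picker concentrates every client on 1.0.0.100 until its port budget is gone, which is exactly what makes a reputation system see one busy address and ninety-nine idle ones; the persistent picker spreads thirty thousand clients over the whole pool while keeping each client on one address. The hash is keyed on purpose: with an unkeyed hash, anyone who can choose inside source addresses can steer many of them onto the same outside address and exhaust its ports for everybody sharing it, so the key should be a per-deployment secret. The flip side of persistence is that the outside address becomes a stable identifier of the inside host, which is the attribution property you may or may not want.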