Hey,

just a heads up - there is a similar request to yours which came from a 
different direction. I’ll be making a change which I think will help your 
situation as well. Stay tuned.

Regards,
Klement

> On 22 Feb 2021, at 10:00, Юрий Иванов <format_...@outlook.com> wrote:
> 
> Hello Klement,
> 
> Thanks for reply.
> Looks like I should craft this idea by myself ;-)
> 
> The main problem for me is that I have been a network engineer for the past few 
> years and have not programmed much in C during this time, but I will try to craft a 
> new patch.
> 
> Thanks in advance.
> 
> From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco) 
> <ksek...@cisco.com>
> Sent: 16 February 2021 19:03
> To: Юрий Иванов <format_...@outlook.com>
> Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> <fiva...@cisco.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] NAT44 how to control external address assignment from 
> pool?
>  
> I see, so you’re not using deterministic NAT. Which NAT flavour are you using?
> 
> I think what you are requesting is not provided by VPP at this moment, but 
> looking at the allocation algorithm, it might be possible to implement such 
> behaviour. It should be relatively straightforward in EI NAT and a little bit 
> more complicated in ED NAT, requiring an extra hash table for user-outside 
> address mappings as ED NAT has no “user” tracking.
> 
> Another possibility would be to make it completely random - so for every 
> connection there would be a random address picked, so e.g. user1 might get 
> 1.0.0.7 for google.com, but 1.0.0.117 for duckduckgo.com. This would be even 
> easier to implement.
> 
> Would you like to give it a try and submit a patch? I can provide guidance…
> 
> Regards,
> Klement
> 
> > On 16 Feb 2021, at 15:22, Юрий Иванов <format_...@outlook.com> wrote:
> > 
> > Thanks Klement,
> > 
> > I want to use option #1 and will think about #2 with DUT only as a 
> > workaround.
> > 
> > The simple random allocation (option #1) looks acceptable to me, but I have 
> > several issues with it now.
> > 
> > I have a big external pool (the outside network has a /24 mask) and I want to 
> > use all addresses more evenly.
> > Now, if I set the pool with vpp# nat44 add address 1.0.0.3-1.0.0.100
> > 
> > then with such a configuration all clients behind the NAT will have external 
> > address 1.0.0.100 until all ports are used up, the next will get 1.0.0.99 until 
> > all ports are used up, etc.
> > As a result, all users get a Google reCAPTCHA on most resources (e.g. 
> > google.com search) because too many users are hiding behind the same IP 
> > while the other addresses in the pool are not used at all.
> > 
> > Since a standard Linux box can use the "persistent" option, which gives a 
> > client a random address from the SNAT pool (on the first translation) and 
> > preserves it until the end of the user session, I'm interested in how to 
> > achieve this behavior with VPP.
> > 
> > Can I somehow set up the pool 1.0.0.3-1.0.0.200 so that the first client 
> > 10.0.0.1 gets a random external address, e.g. 1.0.0.7 (I mean a random address 
> > from the pool), and keeps it for all new connections until the end of the 
> > session, the second client 10.0.0.5 -> the next random address, etc.?
> > 
> > Thanks in advance.
> > 
> > From: Klement Sekera -X (ksekera - PANTHEON TECH SRO at Cisco) 
> > <ksek...@cisco.com>
> > Sent: 16 February 2021 14:01
> > To: Юрий Иванов <format_...@outlook.com>
> > Cc: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > <fiva...@cisco.com>; vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> > Subject: Re: [vpp-dev] NAT44 how to control external address assignment from 
> > pool?
> >  
> > Hi, let me chime in and explain a bit more.
> > 
> > DET NAT also known as CGNAT (as in carrier-grade NAT) is designed to 
> > conform to LI (lawful intercept) requirements.
> > 
> > So, if you, as an internet provider, are required by law to be able to 
> > provide user identification based on the outside address + port used by that 
> > user, you have two options:
> > 
> > 1.) log every connection and keep the logs
> > 2.) make it deterministic, so you can always calculate inside address from 
> > outside address + port
> > 
> > DET NAT is #2 and thus it cannot be random.
> > 
> > For random allocation, you can use either EI or ED NAT. But these of course 
> > don’t provide any way to calculate user address from outside address.
> > 
> > What is your use case?
> > 
> > Thanks,
> > Klement
> > 
> > > On 10 Feb 2021, at 19:14, Юрий Иванов <format_...@outlook.com> wrote:
> > > 
> > > Hi Filip,
> > > 
> > > Thanks, I understand: the det44 plugin works separately, but we have to 
> > > manually manage the mapping of the local network to an external IP.
> > > 
> > > But in case we try to use the standard nat configuration with pools:
> > > vpp# nat44 forwarding enable
> > > vpp# set int nat44 in GigabitEthernet0/5/0 out GigabitEthernet0/4/0
> > > vpp# nat44 add address 1.0.0.3-1.0.0.100
> > > 
> > > All clients will have external address 1.0.0.100 until all ports are used 
> > > up, the next will get 1.0.0.99 until all ports are used up, etc.
> > > This behaviour leads to a Google reCAPTCHA being shown on most resources 
> > > (e.g. google.com search) because too many users are hiding behind the 
> > > same IP while the other addresses in the pool are not used at all.
> > > I can afford to use a pool with 255 addresses (/24 network), but in this 
> > > case most of the addresses will not be used at all :(.
> > > 
> > > I'm interested in how to tune vpp to select a random address for every new 
> > > client and keep this same source-/destination-address for each new 
> > > connection. This should help use the address pool more evenly.
> > > The same behavior as nftables has with "ip saddr 10.0.0.0/8 oif "vlan10" 
> > > snat to 1.0.0.3-1.0.0.100 persistent".
> > > 
> > > Thanks in advance.
> > > From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > > <fiva...@cisco.com>
> > > Sent: 10 February 2021 14:25
> > > To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io 
> > > <vpp-dev@lists.fd.io>
> > > Subject: RE: [vpp-dev] NAT44 how to control external address assignment from 
> > > pool?
> > >  
> > > Hello,
> > >  
> > > For clarification I will explain how the NAT is divided.
> > >  
> > > At this point NAT functionality is divided into multiple sub-plugins 
> > > because of its previous complexity and the issues with it.
> > > We have det44 and nat44 plugins that are completely separate. The whole 
> > > separation is still in progress. So changes in nat44, like picking the pool 
> > > allocation algorithm or anything else, will not affect the det44 plugin. These 
> > > two plugins operate completely independently and share just some NAT 
> > > library for common stuff.
> > >  
> > > Regarding the det44 allocation algorithm: no, at this point picking a new 
> > > randomly selected address as you are asking is not supported. 
> > > Det44 acts / should act in a predetermined way so that logging is not required. 
> > >  
> > > I will look further in the code and plugins to see if I can help you find some 
> > > solution.
> > >  
> > > Best regards,
> > > Filip
> > >  
> > > From: Юрий Иванов <format_...@outlook.com> 
> > > Sent: Wednesday, February 10, 2021 8:47 AM
> > > To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > > <fiva...@cisco.com>; vpp-dev@lists.fd.io
> > > Subject: RE: [vpp-dev] NAT44 how to control external address assignment 
> > > from pool?
> > > Importance: High
> > >  
> > > Hi Filip, thanks for the reply.
> > >  
> > > This is only for host mapping and it looks like it can be done with the det44 
> > > plugin - very strange, btw, that it operates separately from the standard nat44 
> > > (meaning that I do not need to configure nat at all to use it). 
> > >  
> > > My problem is different: when I set a pool, e.g. 1.0.0.1-1.0.0.100, all 
> > > clients always get the last address from the pool (.100) until the external 
> > > IP runs out of ports, and only after that will a client get the .99 IP, until 
> > > this IP runs out of ports, and so on.
> > >  
> > > Is there a way to select a new random address from the pool for a new client and 
> > > after that use this same randomly selected source-/destination-address 
> > > for each of the client's connections?
> > >  
> > > Now it leads to problems with the Google 'Unusual Traffic' Block/Captcha, 
> > > because it utilizes only a few IP addresses while most IPs from the pool are 
> > > left unused.
> > >  
> > > From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
> > > <fiva...@cisco.com>
> > > Sent: 9 February 2021 13:54
> > > To: Юрий Иванов <format_...@outlook.com>; vpp-dev@lists.fd.io 
> > > <vpp-dev@lists.fd.io>
> > > Subject: RE: [vpp-dev] NAT44 how to control external address assignment from 
> > > pool?
> > >  
> > > Hi,
> > >  
> > > If you are looking for an option to specify the exact outside translation 
> > > address from a specific pool, you should try:
> > >  
> > > nat44 add static mapping ... exact <pool-addr>
> > >  
> > > Also supported by the API.
> > > This will give you the exact address picked from the pool.
> > >  
> > > Best regards,
> > > Filip Varga
> > >  
> > > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Юрий Иванов
> > > Sent: Monday, February 8, 2021 11:04 AM
> > > To: vpp-dev@lists.fd.io
> > > Subject: Re: [vpp-dev] NAT44 how to control external address assignment 
> > > from pool?
> > > Importance: High
> > >  
> > > Just an update, to perform manual translation we should do:
> > >  
> > > det44 plugin enable
> > > det44 add in 10.0.1.0/29 out 1.0.0.7/32
> > > det44 add in 10.0.1.16/29 out 1.0.0.5/32
> > > ...
> > > set interface det44 inside GigabitEthernet0/5/0 outside 
> > > GigabitEthernet0/4/0
> > >  
> > > Ignoring specific nat configuration.
> > >  
> > > Nevertheless, maybe there is some option to select a different IP address 
> > > from the pool?
> > > 
> > > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Юрий Иванов 
> > > <format_...@outlook.com>
> > > Sent: 7 February 2021 12:10
> > > To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> > > Subject: [vpp-dev] NAT44 how to control external address assignment from 
> > > pool?
> > >  
> > > Hi,
> > >  
> > > I've got a basic nat setup in a lab which works as expected except for 
> > > external IP address allocation.
> > >  
> > > My clients, behind NAT, have addresses:
> > > vpp# show ip neighbors
> > >     Time                       IP                    Flags      Ethernet          Interface
> > >    1421.5929                10.0.1.30                  D    00:50:79:66:68:00 GigabitEthernet0/5/0
> > >    1424.3609                10.0.1.55                  D    00:50:79:66:68:02 GigabitEthernet0/5/0
> > >    1423.1650                10.0.1.41                  D    00:50:79:66:68:01 GigabitEthernet0/5/0
> > >    1389.2929                10.0.1.20                  D    00:50:79:66:68:04 GigabitEthernet0/5/0
> > >    1377.1449                10.0.1.2                   D    00:50:79:66:68:03 GigabitEthernet0/5/0
> > >  
> > > All can reach the external 1.0.0.2 IP, which looks good, but for all clients 
> > > the external address is 1.0.0.100 (the last IP in the range).
> > > I think it would be much better to randomly select a different address in the 
> > > range, like nftables does with this configuration stanza:
> > > "ip saddr 10.0.0.0/8 oif "vlan2" snat to 1.0.0.2-1.0.0.100 persistent"
> > >  
> > > After changing
> > > vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
> > > the only difference is that the external address becomes 1.0.0.1 for all clients.
> > >  
> > > I of course can map a host to an external address with:
> > > vpp# nat44 add static mapping  local 10.0.1.2 external 1.0.0.10  
> > > But with 30 thousand clients it would be a very strange idea to map every host 
> > > route manually.
> > > 
> > > 
> > > 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#18787): https://lists.fd.io/g/vpp-dev/message/18787
Mute This Topic: https://lists.fd.io/mt/80449794/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
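The thread contrasts three ways a NAT can hand out outside addresses: the fill-the-last-address behaviour the original poster observes, the nftables-style "persistent" random pick per inside host (which Klement notes would need an extra per-user table in ED NAT), and deterministic NAT, where the inside host can be recovered from outside address + port without per-connection logs. The Python model below is an added illustration written for this page; it is not VPP code and does not reproduce the nat44 or det44 plugins (real det44 maps whole inside prefixes and shares port ranges across the hosts of a prefix; the arithmetic here is a simplification). The pool addresses, inside hosts, port budgets and the `ports_per_host` parameter are constructed sample values.

```python
"""Toy model of three NAT44 outside-address allocation policies.

Added illustration for the vpp-dev thread, not VPP code: it does not
reproduce the real nat44/det44 plugins, only the behaviours discussed.
Pool addresses, inside hosts and port budgets are constructed samples.
"""
import ipaddress
import random
from collections import Counter


def expand_pool(first, last):
    """Expand a 'nat44 add address A-B' style range into a list of addresses."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class LastAddressFirst:
    """Behaviour the thread complains about: every new session takes the
    last pool address until its ports are used up, then the one before it."""

    def __init__(self, addrs, ports_per_address=4):   # constructed tiny port budget
        self.addrs = list(addrs)
        self.ports = ports_per_address
        self.used = Counter()                          # outside address -> ports in use

    def allocate(self, inside):
        for addr in reversed(self.addrs):
            if self.used[addr] < self.ports:
                self.used[addr] += 1
                return addr
        raise RuntimeError("pool exhausted")


class PersistentRandom:
    """nftables 'persistent'-style policy: an inside host gets a random pool
    address on its first session and keeps it for later sessions.  The
    user_to_addr dict is the extra per-user table Klement mentions."""

    def __init__(self, addrs, ports_per_address=4, seed=None):
        self.addrs = list(addrs)
        self.ports = ports_per_address
        self.rng = random.Random(seed)                 # seeded only for reproducibility
        self.user_to_addr = {}                         # inside host -> sticky outside address
        self.used = Counter()

    def allocate(self, inside):
        addr = self.user_to_addr.get(inside)
        if addr is None:
            free = [a for a in self.addrs if self.used[a] < self.ports]
            if not free:
                raise RuntimeError("pool exhausted")
            addr = self.rng.choice(free)
            self.user_to_addr[inside] = addr
        if self.used[addr] >= self.ports:
            # The sticky address has no ports left: the price of persistence.
            raise RuntimeError(f"no free ports on {addr} for {inside}")
        self.used[addr] += 1
        return addr


class Deterministic:
    """det44-style policy (simplified): inside address -> (outside address,
    port block) is pure arithmetic, so the inside host can be recovered from
    outside address + port without per-connection logs (the LI requirement)."""

    def __init__(self, inside_net, addrs, ports_per_host=8, first_port=1024):
        self.net = ipaddress.IPv4Network(inside_net)
        self.addrs = list(addrs)
        self.ppt = ports_per_host                      # constructed block size
        self.first_port = first_port
        self.hosts_per_addr = (65535 - first_port + 1) // ports_per_host

    def allocate(self, inside):
        host = ipaddress.IPv4Address(inside)
        if host not in self.net:
            raise ValueError(f"{inside} is outside {self.net}")
        idx = int(host) - int(self.net.network_address)
        addr = self.addrs[idx // self.hosts_per_addr]  # IndexError if the pool is too small
        lo = self.first_port + (idx % self.hosts_per_addr) * self.ppt
        return addr, lo, lo + self.ppt - 1

    def reverse(self, outside_addr, port):
        """The LI lookup: which inside host owns this outside address + port?"""
        block = (port - self.first_port) // self.ppt
        idx = self.addrs.index(outside_addr) * self.hosts_per_addr + block
        return str(self.net.network_address + idx)


def run_sessions(policy, inside_hosts, sessions_per_host=1):
    """Open sessions round-robin over the hosts; return inside host -> set of
    outside addresses seen, so stickiness and pool spread can be checked."""
    seen = {}
    for _ in range(sessions_per_host):
        for host in inside_hosts:
            seen.setdefault(host, set()).add(policy.allocate(host))
    return seen


if __name__ == "__main__":
    hosts = ["10.0.1.2", "10.0.1.20", "10.0.1.30", "10.0.1.41", "10.0.1.55"]  # from the thread
    pool = expand_pool("1.0.0.3", "1.0.0.6")                                  # constructed
    for policy in (LastAddressFirst(pool), PersistentRandom(pool, 64, seed=1)):
        print(type(policy).__name__, run_sessions(policy, hosts, 2), dict(policy.used))
    det = Deterministic("10.0.0.0/16", ["1.0.0.7", "1.0.0.5"])
    print("det44-style", det.allocate("10.0.1.7"), "->", det.reverse("1.0.0.7", 3130))
```

Running the script shows the first policy piling every host onto 1.0.0.6 until its ports run out, the persistent policy keeping one address per host across sessions while spreading hosts over the pool, and the deterministic policy answering the "who used 1.0.0.7:3130?" question by arithmetic alone. The persistent policy's failure mode (a host whose sticky address has no ports left) is raised rather than silently moved, which is the trade-off Klement's "extra hash table" would also have to handle.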