 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Hynek Cihlar <hynek dot cihlar at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Tue, 9 Nov 2004 16:52:40 -0500
On Tue, 9 Nov 2004 16:51:17 +0100, Hynek Cihlar <hynek dot cihlar at gmail dot com> wrote:
> Hi, what would be the symptoms of too many connections from the LAN side?
> 
> We have a small network of around 50 users. On a random basis the
> router doesn't handle routing properly - the speed to WAN isn't fully
> utilized, even packets are lost occasionally (www pages not being
> loaded correctly, and so on). I've discovered that when I reset the
> NAT connection table, everything starts working again for a random
> period of time.
> 
> It seems that the same requirement - to limit the number of NAT
> connections - would be beneficial to us as well.

If you exhaust the state table, existing connections will work fine
but no new connections can be established.  Generally you don't see
this unless you have a very large LAN, something infected with a
virus/worm spewing stuff to the internet like mad, or a bunch of
people running things like P2P that create hundreds or thousands of
connections.

I don't know about limiting the state table entries per IP, but the
1.2 beta versions have increased the size of the state table from
4,000 to 30,000.  Might want to try the newest beta.

-Chris
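An added example, not from the thread or from m0n0wall itself: a small script that tallies NAT states per LAN host from a state-table dump, so the one P2P or worm-infected host that Chris describes filling the table can be spotted before new connections start failing. The line format, the 192.168.1.0/24 LAN and the sample data are constructed assumptions; m0n0wall's real state listing looks different and would need its own parser.

```python
from collections import Counter

# State-table sizes quoted in the thread: 4,000 (1.1) and 30,000 (1.2 beta).
OLD_TABLE_SIZE = 4000
NEW_TABLE_SIZE = 30000


def build_sample_dump():
    """Constructed sample dump (hypothetical format, not m0n0wall's own):
    one state per line as "proto src_ip:src_port dst_ip:dst_port".
    50 ordinary LAN hosts with 3 states each, plus one P2P-like host
    (192.168.1.77) holding 1,200 states."""
    lines = []
    for host in range(1, 51):
        for n in range(3):
            lines.append(f"tcp 192.168.1.{host}:{50000 + n} 203.0.113.{host}:80")
    for n in range(1200):
        lines.append(f"tcp 192.168.1.77:{20000 + n} 198.51.100.{n % 250 + 1}:6881")
    return "\n".join(lines)


def count_states_per_host(dump, lan_prefix="192.168.1."):
    """Tally states by LAN source address; lines that do not parse are skipped."""
    counts = Counter()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src_ip = parts[1].rsplit(":", 1)[0]
        if src_ip.startswith(lan_prefix):
            counts[src_ip] += 1
    return counts


def find_state_hogs(counts, threshold):
    """Hosts holding at least `threshold` states, heaviest first."""
    hogs = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hogs, key=lambda pair: pair[1], reverse=True)


def table_usage(counts, table_size):
    """Fraction of the state table consumed by LAN-originated states."""
    return sum(counts.values()) / table_size


if __name__ == "__main__":
    counts = count_states_per_host(build_sample_dump())
    for ip, n in find_state_hogs(counts, threshold=500):
        print(f"{ip}: {n} states")
    print(f"usage of a {OLD_TABLE_SIZE}-entry table: {table_usage(counts, OLD_TABLE_SIZE):.1%}")
```

Run against a periodic dump, the per-host counts give a far earlier warning than waiting for the symptoms Hynek describes, and the same tally shows how much headroom the larger 1.2 table actually buys.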