 From:  Hynek Cihlar <hynek dot cihlar at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Wed, 10 Nov 2004 00:03:03 +0100
Yes, we've tried the new beta, but with the same problem. 

But you are right, there are too many connections from the LAN side.
When we allow only the basic web services rejecting connections with
nonstandard destination ports, the problem vanishes, everything is
fine.

However, I don't think that this is the right solution to this. There
must be a more systematic approach.

Can anyone help with this one?

Thanks a lot, Hynek.

On Tue, 9 Nov 2004 16:52:40 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> On Tue, 9 Nov 2004 16:51:17 +0100, Hynek Cihlar <hynek dot cihlar at gmail dot com> wrote:
> 
> 
> > Hi, what would be the symptoms of too many connections from the LAN side?
> >
> > We have a small network of around 50 users. On a random basis the
> > router doesn't handle routing properly - the speed to WAN isn't fully
> > utilized, even packets are lost occasionally (www pages not being
> > loaded correctly, and so on). I've discovered that when I reset the
> > NAT connection table, everything starts working again for a random
> > period of time.
> >
> > It seems that the same requirement - to limit the number of NAT
> > connections - would be beneficial to us as well.
> 
> If you exhaust the state table, existing connections will work fine
> but no new connections can be established.  Generally you don't see
> this unless you have a very large LAN, something infected with a
> virus/worm spewing stuff to the internet like mad, or a bunch of
> people running things like P2P that create hundreds or thousands of
> connections.
> 
> I don't know about limiting the state table entries per IP, but the
> 1.2 beta versions have increased the size of the state table from
> 4,000 to 30,000.  Might want to try the newest beta.
> 
> -Chris
> 


-- 
Hynek Cihlar
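A small model of the behaviour discussed in this thread, added here as an illustration and not code from m0n0wall or from either poster: a state table that keeps existing flows but refuses new ones once full, and the per-LAN-host cap Hynek asks about. The table sizes 4,000 and 30,000 are the figures quoted in the thread; the per-host cap of 200, the host addresses and the traffic mix are constructed for the example.

```python
"""Model of NAT state-table exhaustion and a per-LAN-host cap.
Constructed example; sizes 4000/30000 are the figures from the thread,
the per-host cap and traffic mix are assumed for illustration."""
from collections import Counter

TABLE_SIZE_1_1 = 4000        # state table size quoted for m0n0wall 1.1
TABLE_SIZE_1_2_BETA = 30000  # size quoted for the 1.2 beta


class NatStateTable:
    """Existing entries keep working; new ones are refused when the table
    is full or when one LAN host has reached its cap (other hosts unaffected)."""

    def __init__(self, max_entries, per_host_cap=None):
        self.max_entries = max_entries
        self.per_host_cap = per_host_cap
        self.entries = set()
        self.per_host = Counter()

    def add(self, lan_ip, lan_port, dst_ip, dst_port, proto="tcp"):
        key = (proto, lan_ip, lan_port, dst_ip, dst_port)
        if key in self.entries:
            return True                     # existing flow: still works
        if len(self.entries) >= self.max_entries:
            return False                    # table full: new flow dropped
        if self.per_host_cap is not None and self.per_host[lan_ip] >= self.per_host_cap:
            return False                    # this host hit its cap
        self.entries.add(key)
        self.per_host[lan_ip] += 1
        return True

    def top_talkers(self, n=3):
        """Per-host counts, highest first: the check that finds a worm/P2P host."""
        return self.per_host.most_common(n)


def simulate(table_size, per_host_cap=None):
    """One noisy host (constructed 192.168.1.50) opens 5000 flows, then 49
    normal hosts open 20 flows each.  Returns (noisy_host_accepted,
    normal_flows_rejected, top_talker)."""
    t = NatStateTable(table_size, per_host_cap)
    noisy_ok = sum(t.add("192.168.1.50", 1024 + i, "203.0.113.%d" % (i % 250 + 1), 445)
                   for i in range(5000))
    normal_rejected = 0
    for h in range(1, 50):
        for p in range(20):
            if not t.add("192.168.1.%d" % h, 1024 + p, "198.51.100.10", 80):
                normal_rejected += 1
    return noisy_ok, normal_rejected, t.top_talkers(1)[0]
```

With the 4,000-entry table every normal host is locked out once the noisy host fills it; the 30,000-entry table absorbs the burst, and a per-host cap of 200 stops the noisy host alone while leaving the others untouched.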