> Yes - I'm pretty sure you're hitting the maximum of ~4000 state table
> entries. That's the default value for ipfilter, and can unfortunately
> not be changed without recompiling the kernel.
> Since m0n0wall wasn't initially meant for high volume setups like
> yours, the state/NAT hash table sizes and maximums were just left at
Just want to chime in -
I know this wasn't m0n0's original purpose, but it's inclusion of
VLAN support makes it _very_ attractive for the ISP managed
firewall environment. Not many commercial firewalls support
an unlimited number of vlans - and they are pricey.
The other thing m0n0 would need (if I'm understanding the
rulesets right) is having an outbound firewall rule for
'WAN' instead of 'ANY' (ie - to allow isolation between
different OPT interfaces). I would love to see this in the
next beta as it would have other benefits as well.
Fail-over/HA would be nice too ;)