Hey all,
Just a quick question. I've got a crazy client. He has (currently) 616 internal /24's. He wants to map each internal /24 to a specific ip address bound on the external interface, of which there too are multiple public class C's.
You could imagine, with 600+ internal /24's and a couple of /24's on the external subnet, I'd be looking at a bare minimum of 1800 lines just to handle the NAT. That wouldn't include any stateful rules that would need to be included or anything else this guy wants.
Something like this:
```
ipfw nat 1 config ip 143.xx.xx.1 deny_in unreg_only // External ip 1
ipfw nat 2 config ip 143.xx.xx.2 deny_in unreg_only // External ip 2
ipfw nat 3 config ip 143.xx.xx.3 deny_in unreg_only // External ip 3
...
...
<snip>
ipfw add 014 nat 1 ip4 from any to 143.xx.xx.1 in via igb0 // 143.xx.xx.1 -> 10.5.0.x
ipfw add 015 nat 2 ip4 from any to 143.xx.xx.2 in via igb0 // 143.xx.xx.2 -> 10.5.1.x
ipfw add 016 nat 3 ip4 from any to 143.xx.xx.3 in via igb0 // 143.xx.xx.3 -> 10.5.2.x
...
...
<snip>
ipfw add 600 nat 1 ip4 from 10.5.0.0/24 to any out via igb0 // 10.5.0.0/24 -> 143.xx.xx.1
ipfw add 601 nat 2 ip4 from 10.5.1.0/24 to any out via igb0 // 10.5.1.0/24 -> 143.xx.xx.2
ipfw add 602 nat 3 ip4 from 10.5.2.0/24 to any out via igb0 // 10.5.2.0/24 -> 143.xx.xx.3
...
...
```
So a simple question is, is there a better way of doing this utilizing ipfw that anyone can think of? I'd much rather use a single nat instance to handle the subnet mess, but I don't for the life of me think this is possible. PF is out of the question as well because recent benchmarks I've run were horrid.
Any help?
Thanks in advance.
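One way to cut the rule count down, as an added example that is not part of the original post and not the poster's configuration: let ipfw lookup tables pick the nat instance instead of writing one in-rule and one out-rule per subnet. ipfw(8) on FreeBSD 8 and later allows `nat tablearg`, where the value stored with a table entry is used as the nat instance number, so the 1232 per-subnet rules collapse into two rules plus table entries, and the table lookup is a radix-tree match rather than a linear walk of 600+ rules per packet. The 616 `nat N config` lines are still needed (one instance per public IP), so the script below generates everything from a loop rather than by hand. Assumptions made here: internal subnets continue 10.5.0.0/24, 10.5.1.0/24, ... and spill into 10.6.x.0/24 after 256; public /24 prefixes are passed as arguments (the ones used below are TEST-NET placeholders, since the post masks its real ones as 143.xx.xx); table numbers 1 and 2 and rule numbers 100 and 200 are arbitrary choices; `igb0`, `deny_in` and `unreg_only` are taken from the post. Check the `table(N)` quoting for your release, since newer ipfw versions changed the table syntax.

```shell
#!/bin/sh
# Generate an ipfw NAT configuration that maps N internal /24s 1:1 onto
# public IPs, using lookup tables + "nat tablearg" so that only two
# firewall rules are needed regardless of how many subnets there are.
# Usage: gen_nat_rules COUNT PUBLIC_PREFIX...   (prefix = first three octets)

# nth N WORD... : print the Nth word (1-based), print nothing if absent
nth() {
  n=$1; shift
  [ "$#" -ge "$n" ] || return 0
  shift "$((n - 1))"
  printf '%s\n' "$1"
}

gen_nat_rules() {
  count=$1; shift          # number of internal /24s to map
  i=0
  while [ "$i" -lt "$count" ]; do
    # internal side (assumed scheme): 10.5.0.0/24 ... 10.5.255.0/24, 10.6.0.0/24 ...
    int_net="10.$((5 + i / 256)).$((i % 256)).0/24"
    # external side: hosts .1-.254 of each public /24 in turn (.0 and .255 skipped)
    blk=$((i / 254 + 1))
    prefix=$(nth "$blk" "$@")
    if [ -z "$prefix" ]; then
      echo "gen_nat_rules: ran out of public /24s at internal subnet $i" >&2
      return 1
    fi
    ext_ip="$prefix.$((i % 254 + 1))"
    id=$((i + 1))            # nat instance number == table value

    # one nat instance per public IP; deny_in drops inbound packets with no
    # existing translation entry, unreg_only only translates RFC 1918 sources
    printf 'ipfw nat %d config ip %s deny_in unreg_only\n' "$id" "$ext_ip"
    # table 1: internal subnet -> nat instance (used on the way out)
    printf 'ipfw table 1 add %s %d\n' "$int_net" "$id"
    # table 2: public IP -> nat instance (used on the way in)
    printf 'ipfw table 2 add %s/32 %d\n' "$ext_ip" "$id"
    i=$((i + 1))
  done

  # the only two packet-matching rules; inbound rule first, as in the post
  printf 'ipfw add 100 nat tablearg ip4 from any to table(2) in via igb0\n'
  printf 'ipfw add 200 nat tablearg ip4 from table(1) to any out via igb0\n'
}

# demo run with three public /24s (constructed TEST-NET values), e.g.:
#   sh gen_ipfw_nat.sh > nat.rules   (then review before feeding to ipfw)
gen_nat_rules 616 203.0.113 198.51.100 192.0.2
```

Rule 100 must precede any stateful `check-state` / `keep-state` rules the client wants, and the output should be loaded with the existing rule set flushed or inserted at rule numbers that do not collide with it. The script refuses to run if the public address space is exhausted rather than silently wrapping around and assigning two subnets the same public IP.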