
Posts from the ‘Maiznet’ Category

16 Nov

How to not crash Cisco’s NAT

Maiz is the dormitory of my school, and it houses around 170 people. Being a network and telecom school, it is only natural that we students manage our own network, and so we do.

However, we suffer from severe bandwidth limitations. Because of many factors, we can only have a few ADSL lines. Still, we try to give our comrades a decent Internet connection, but with only lousy Netgear modems (see the previous post), it’s quite difficult to get the network to scale up.

So the current challenge is to find modems that will not crash after a few hours or minutes. To give you an idea of the scale, approximately 20 connections are opened each second. We have to reboot the Netgear every 20 minutes in order to keep it alive…

Then we tried a Cisco 1700 with a modem card. It works fine, but it still crashed after a few hours. The reason? Too many NAT entries and no RAM left. Indeed, Cisco’s NAT timeouts are really, really conservative: the default TCP timeout is 24 hours. After setting them to more reasonable values, it seems to work better!

ip nat translation timeout 3
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 3
ip nat translation syn-timeout 10
ip nat translation dns-timeout 3
ip nat translation icmp-timeout 3
ip nat translation max-entries 30000

You’ll note the last line setting max-entries. Its purpose is not to limit the users, but to have the router refuse new translations before it runs out of memory.
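To see why the timeouts matter at 20 connections per second, here is an added capacity model of the translation table (my own illustration, not the post’s code or anything from Cisco). It applies the timeouts and max-entries from the config above to constructed traffic, assuming a 60/20/20 TCP/UDP/DNS mix, and compares the tuned TCP timeout with the 24-hour default:

```python
# Capacity model of a NAT translation table (added example, not from the post).
import heapq

class NatTable:
    """Translations keyed by flow, each expiring after its protocol's idle timeout."""

    def __init__(self, max_entries, timeouts):
        self.max_entries = max_entries
        self.timeouts = timeouts      # protocol -> idle timeout in seconds
        self.entries = {}             # flow key -> expiry time
        self.heap = []                # (expiry, key), for cheap expiry scans
        self.refused = 0

    def expire(self, now):
        """Drop every translation whose idle timer has run out by `now`."""
        while self.heap and self.heap[0][0] <= now:
            expiry, key = heapq.heappop(self.heap)
            if self.entries.get(key) == expiry:
                del self.entries[key]

    def translate(self, key, proto, now):
        """Add a translation for a new flow; refuse it when the table is full."""
        self.expire(now)
        if len(self.entries) >= self.max_entries:   # what max-entries enforces
            self.refused += 1
            return False
        expiry = now + self.timeouts[proto]
        self.entries[key] = expiry
        heapq.heappush(self.heap, (expiry, key))
        return True

def steady_state(rates, timeouts, max_entries):
    """Little's law: entries present once arrivals and expiries balance."""
    return min(sum(r * timeouts[p] for p, r in rates.items()), max_entries)

def simulate(timeouts, max_entries, seconds, rate=20):
    """Run `seconds` of constructed arrivals; return (table size, flows refused)."""
    table = NatTable(max_entries, timeouts)
    mix = ("tcp", "tcp", "tcp", "udp", "dns")     # assumed 12 / 4 / 4 flows per second
    for now in range(seconds):
        for i in range(rate):
            table.translate((now, i), mix[i % 5], now)
    return len(table.entries), table.refused

TUNED = {"tcp": 600, "udp": 120, "dns": 3}          # values from the post's config
DEFAULT_TCP = dict(TUNED, tcp=86400)                # the 24-hour TCP default
```

steady_state gives the Little’s-law estimate (arrival rate times lifetime) and simulate confirms it: with the tuned values the table settles around 7700 entries, while with the 24-hour TCP timeout it hits max-entries in under an hour of simulated traffic and starts refusing flows.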

I can’t wait for IPv6 and for this f*cking NAT to be dead! #optimistic

8 Nov

“Modem” (= bridge) mode on Netgear DG632

Recently I configured a Netgear DG632 in bridge mode. Initially I was expecting the modem to translate from PPPoE on the LAN port to PPPoA on the WAN port. Wrong :)

In short, the configuration:

                                             ---- Machine 1
((Internet))----[ DG632 ]----[ Gateway ]----|---- Machine 2
                                             ---- Machine N

Actually, it dials the ISP and authenticates itself just as in router mode, but the difference is that it expects to find a computer with the public IP on the LAN port. However, the next hop your gateway must use is not the one given by IPCP, but rather the management IP of the modem. Here’s the relevant part of my FreeBSD rc.conf:

ifconfig_re1="inet 193.251.78.150 netmask 255.255.255.0"
static_routes="adsl"
route_adsl="-host 192.168.1.1 -iface re1"