ruby-no-kai / rubykaigi-net

RubyKaigi Infrastructure (Conference Wi-Fi, Network Backbone & Core Services)
MIT License

Review NAPT parameters #69

Closed sorah closed 1 year ago

sorah commented 1 year ago


With the max per inside address at 200, it just doesn't seem to hold up anymore.

sorah commented 1 year ago

Excerpt of the IX config. Should we reduce udp-timeout down to 120?

  ip napt enable
  ip napt translation max-entries 65000
  ip napt translation max-entries per-address 200
  ip napt translation tcp-timeout 600
  ip napt translation udp-timeout 600
  ip napt translation icmp-timeout 10
  ip napt translation dns-timeout 10
  ip napt translation gre-timeout 600
  ip napt translation syn-timeout 300
  ip napt translation finrst-timeout 15
  ip napt translation other-timeout 600
  ip napt translation port-range 1024-65000

sorah commented 1 year ago

I wondered whether the IX might be implemented to allow reusing a source port for different destinations, but judging from section 2.19.6 of the FD, that behavior seems to be implemented only for MAP-E.

sorah commented 1 year ago

How about adding outer IPs and increasing max-entries, raising max-entries per-address to around 400, and setting tcp-timeout and udp-timeout to 120...

sorah commented 1 year ago

ip napt inside can't be given a pool; it can only select based on an ACL. Making v4 address assignment random and splitting the ACL in two seems like the way to go, but https://github.com/ruby-no-kai/rubykaigi-nw/issues/70 is a blocker.

sorah commented 1 year ago

It turned out well, so I put the config in.

ip access-list napt-inside-1 sequence-mode 100
ip access-list napt-inside-1 100 deny ip src any dest 10.33.0.0/16
ip access-list napt-inside-1 210 permit ip src 10.33.1.0/24   dest any
ip access-list napt-inside-1 220 permit ip src 10.33.21.0/24  dest any
ip access-list napt-inside-1 230 permit ip src 10.33.100.0/24 dest any
ip access-list napt-inside-1 240 permit ip src 10.33.64.0/21  dest any
ip access-list napt-inside-2 sequence-mode 100
ip access-list napt-inside-2 100 deny ip src any dest 10.33.0.0/16
ip access-list napt-inside-2 210 permit ip src 10.33.0.0/24 dest any
ip access-list napt-inside-2 220 permit ip src 10.33.2.0/24 dest any
ip access-list napt-inside-2 230 permit ip src 10.33.22.0/24 dest any
ip access-list napt-inside-2 240 permit ip src 10.33.72.0/21 dest any

interface GigaEthernet0.1
  description Upstream: Gi1.1@tun-01.venue (public)
  encapsulation dot1q 10 tpid 8100
  auto-connect
  ip address 10.33.22.33/31
  ip napt enable
  ip napt address 192.50.220.160
  ip napt inside list napt-inside-1
  ip napt translation max-entries 129020
  ip napt translation max-entries per-address 350
  ip napt translation tcp-timeout 120
  ip napt translation udp-timeout 120
  ip napt translation icmp-timeout 10
  ip napt translation dns-timeout 10
  ip napt translation gre-timeout 600
  ip napt translation syn-timeout 300
  ip napt translation finrst-timeout 15
  ip napt translation other-timeout 600
  ip napt translation port-range 1025-65535
  ip napt inside list napt-inside-2 outside 192.50.220.161
  ip napt service ping 10.33.0.21 none icmp any
  ip filter p-icmp 100 in
  ip filter p-link 101 in
  ip filter p-ospf 102 in
  ip filter p-tcpest 8000 in
  ip filter p-udpany 8010 in
  ip filter d-all 9000 in
  ip filter d-op25b 1000 out
  ip filter p-all 9000 out
  ipv6 enable
  ipv6 address 2001:df0:8500:ca22:32::b/124
  ipv6 filter p-icmp 100 in
  ipv6 filter p-link 101 in
  ipv6 filter p-ospf 102 in
  ipv6 filter p-tcpest 8000 in
  ipv6 filter p-udpany 8010 in
  ipv6 filter d-all 9000 in
  ipv6 filter d-op25b 1000 out
  ipv6 filter p-all 9000 out
  ipv6 ospf cost 200
  ipv6 ospf dead-interval 30
  ipv6 ospf hello-interval 6
  no shutdown
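As an added capacity check (not part of this issue or the rubykaigi-net repository), the following Python parses the napt-inside ACLs quoted above and relates the inside host count to the port budget of one outside address, the per-address cap, and the translation timeouts discussed earlier in the thread; the config text it reads is constructed from the lines in this issue, and the helper names are my own.

```python
import ipaddress
import re

# Constructed from the ACL lines quoted in this issue (permit lines only matter).
ACL_CONFIG = """
ip access-list napt-inside-1 100 deny ip src any dest 10.33.0.0/16
ip access-list napt-inside-1 210 permit ip src 10.33.1.0/24   dest any
ip access-list napt-inside-1 220 permit ip src 10.33.21.0/24  dest any
ip access-list napt-inside-1 230 permit ip src 10.33.100.0/24 dest any
ip access-list napt-inside-1 240 permit ip src 10.33.64.0/21  dest any
ip access-list napt-inside-2 100 deny ip src any dest 10.33.0.0/16
ip access-list napt-inside-2 210 permit ip src 10.33.0.0/24 dest any
ip access-list napt-inside-2 220 permit ip src 10.33.2.0/24 dest any
ip access-list napt-inside-2 230 permit ip src 10.33.22.0/24 dest any
ip access-list napt-inside-2 240 permit ip src 10.33.72.0/21 dest any
"""

# Matches "ip access-list <name> <seq> permit ip src <prefix> dest any".
ACL_RE = re.compile(r"ip access-list (\S+) \d+ permit ip src (\S+)\s+dest any")


def inside_hosts_per_list(config: str) -> dict:
    """Count usable inside addresses (network and broadcast excluded) per ACL."""
    hosts = {}
    for name, prefix in ACL_RE.findall(config):
        net = ipaddress.ip_network(prefix)
        hosts[name] = hosts.get(name, 0) + net.num_addresses - 2
    return hosts


def ports_per_outside(port_range: str) -> int:
    """Translation slots one outside address offers for a given port-range."""
    lo, hi = (int(p) for p in port_range.split("-"))
    return hi - lo + 1


def napt_budget(hosts: int, ports: int, per_address: int) -> tuple:
    """Fair-share entries per host if all are active, and whether the
    per-address cap alone is too weak to prevent exhausting the outside address."""
    fair_share = ports // hosts
    return fair_share, hosts * per_address > ports


def sustainable_new_flows_per_sec(ports: int, timeout_s: int) -> float:
    """Steady-state rate of new idle flows one outside address can absorb
    before its ports are exhausted (ports held for timeout_s each)."""
    return ports / timeout_s
```

Shortening udp-timeout from 600 to 120 raises the sustainable flow rate fivefold for the same port budget, while the per-address cap only bounds what a single misbehaving host can consume.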